* Mon Oct 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-219

- Dontaudit leaked file descriptors for thumb. BZ(1383071) - Fix typo in cobbler SELinux module - Merge pull request #165 from rhatdan/container - Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156) - Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t - Rename svirt_lxc_net_t to container_t - Rename docker.pp to container.pp, causes change in interface name - Allow httpd_t domain to list inotify filesystem. - Fix couple AVC to start roundup properly - Allow dovecot_t send signull to dovecot_deliver_t - Add sys_ptrace capability to pegasus domain - Allow firewalld to stream connect to NetworkManager. BZ(1380954) - rename docker intefaces to container - Merge pull request #164 from rhatdan/docker-base - Rename docker.pp to container.pp, causes change in interface name - Allow gvfs to read /dev/nvme* devices BZ(1380951)
2016-10-10 17:16:44 +02:00 · 2016-10-10 17:16:44 +02:00 · 8610886f2e
parent afa546b7e3
commit 8610886f2e
4 changed files with 502 additions and 422 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -10185,7 +10185,7 @@ index 6a1e4d1..26e5558 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..9e9400f 100644
+index cf04cb5..990ecf3 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -10373,7 +10373,7 @@ index cf04cb5..9e9400f 100644
 +')
 +
 +optional_policy(`
-+    docker_filetrans_named_content(named_filetrans_domain)
+    container_filetrans_named_content(named_filetrans_domain)
 +')
 +
 +optional_policy(`
@ -10717,7 +10717,7 @@ index cf04cb5..9e9400f 100644
 +')
 +
 +optional_policy(`
-+    docker_spc_stream_connect(domain)
+    container_spc_stream_connect(domain)
 +')
 +
 +optional_policy(`
@ -25403,7 +25403,7 @@ index 234a940..a92415a 100644
 ########################################
 ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..59d8b87 100644
+index 0fef1fc..c3b8b13 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
@ -25509,8 +25509,8 @@ index 0fef1fc..59d8b87 100644
 optional_policy(`
 -	git_role(staff_r, staff_t)
-+    docker_stream_connect(staff_t)
+    container_stream_connect(staff_t)
-+    docker_exec(staff_t)
+    container_runtime_exec(staff_t)
 +')
 +
 +optional_policy(`
@ -25802,7 +25802,7 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..d389826 100644
+index 2522ca6..47b6d44 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,92 @@ policy_module(sysadm, 2.6.1)
@ -25898,7 +25898,7 @@ index 2522ca6..d389826 100644
 +')
 +
 +optional_policy(`
-+	docker_stream_connect(sysadm_t)
+	container_stream_connect(sysadm_t)
 +')
 +
 +optional_policy(`
@ -27237,7 +27237,7 @@ index 0000000..15b42ae
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..79f40da
+index 0000000..60c3f9d
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,358 @@
@ -27436,7 +27436,7 @@ index 0000000..79f40da
 +')
 +
 +optional_policy(`
-+	docker_entrypoint(unconfined_t)
+	container_runtime_entrypoint(unconfined_t)
 +')
 +
 +optional_policy(`
@ -31791,7 +31791,7 @@ index 6bf0ecc..e6be63a 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..010654c 100644
+index 8b40377..b4908dd 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -32301,7 +32301,7 @@ index 8b40377..010654c 100644
 corenet_all_recvfrom_netlabel(xdm_t)
 corenet_tcp_sendrecv_generic_if(xdm_t)
 corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +559,50 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_generic_node(xdm_t)
 corenet_udp_bind_generic_node(xdm_t)
@ -32346,6 +32346,7 @@ index 8b40377..010654c 100644
 dev_setattr_power_mgmt_dev(xdm_t)
 +dev_getattr_null_dev(xdm_t)
 +dev_setattr_null_dev(xdm_t)
 +dev_read_nvme(xdm_t)
 domain_use_interactive_fds(xdm_t)
 # Do not audit denied probes of /proc.
@ -32355,7 +32356,7 @@ index 8b40377..010654c 100644
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -431,9 +612,30 @@ files_list_mnt(xdm_t)
+@@ -431,9 +613,30 @@ files_list_mnt(xdm_t)
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -32386,7 +32387,7 @@ index 8b40377..010654c 100644
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +644,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +645,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -32437,7 +32438,7 @@ index 8b40377..010654c 100644
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +692,163 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +693,163 @@ userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -32607,7 +32608,7 @@ index 8b40377..010654c 100644
 tunable_policy(`xdm_sysadm_login',`
 	userdom_xsession_spec_domtrans_all_users(xdm_t)
 	# FIXME:
-@@ -502,12 +861,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +862,31 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
@ -32639,7 +32640,7 @@ index 8b40377..010654c 100644
 ')
 optional_policy(`
-@@ -518,8 +896,36 @@ optional_policy(`
+@@ -518,8 +897,36 @@ optional_policy(`
 	dbus_system_bus_client(xdm_t)
 	dbus_connect_system_bus(xdm_t)
@ -32677,7 +32678,7 @@ index 8b40377..010654c 100644
 	')
 ')
-@@ -530,6 +936,20 @@ optional_policy(`
+@@ -530,6 +937,20 @@ optional_policy(`
 ')
 optional_policy(`
@ -32698,7 +32699,7 @@ index 8b40377..010654c 100644
 	hostname_exec(xdm_t)
 ')
-@@ -547,28 +967,78 @@ optional_policy(`
+@@ -547,28 +968,78 @@ optional_policy(`
 ')
 optional_policy(`
@ -32786,7 +32787,7 @@ index 8b40377..010654c 100644
 ')
 optional_policy(`
-@@ -580,6 +1050,14 @@ optional_policy(`
+@@ -580,6 +1051,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -32801,7 +32802,7 @@ index 8b40377..010654c 100644
 	xfs_stream_connect(xdm_t)
 ')
-@@ -594,7 +1072,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1073,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
 type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -32810,7 +32811,7 @@ index 8b40377..010654c 100644
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1082,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1083,11 @@ allow xserver_t input_xevent_t:x_event send;
 # execheap needed until the X module loader is fixed.
 # NVIDIA Needs execstack
@ -32823,7 +32824,7 @@ index 8b40377..010654c 100644
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow xserver_t self:fd use;
 allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1099,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1100,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
 allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow xserver_t self:tcp_socket create_stream_socket_perms;
 allow xserver_t self:udp_socket create_socket_perms;
@ -32839,7 +32840,7 @@ index 8b40377..010654c 100644
 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
 manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1115,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1116,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
 filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -32850,7 +32851,7 @@ index 8b40377..010654c 100644
 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1130,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1131,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
@ -32892,7 +32893,7 @@ index 8b40377..010654c 100644
 corenet_all_recvfrom_netlabel(xserver_t)
 corenet_tcp_sendrecv_generic_if(xserver_t)
 corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1181,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1182,28 @@ dev_rw_apm_bios(xserver_t)
 dev_rw_agp(xserver_t)
 dev_rw_framebuffer(xserver_t)
 dev_manage_dri_dev(xserver_t)
@ -32924,7 +32925,7 @@ index 8b40377..010654c 100644
 # brought on by rhgb
 files_search_mnt(xserver_t)
-@@ -705,6 +1214,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1215,14 @@ fs_search_nfs(xserver_t)
 fs_search_auto_mountpoints(xserver_t)
 fs_search_ramfs(xserver_t)
@ -32939,7 +32940,7 @@ index 8b40377..010654c 100644
 mls_xwin_read_to_clearance(xserver_t)
 selinux_validate_context(xserver_t)
-@@ -718,20 +1235,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1236,18 @@ init_getpgid(xserver_t)
 term_setattr_unallocated_ttys(xserver_t)
 term_use_unallocated_ttys(xserver_t)
@ -32963,7 +32964,7 @@ index 8b40377..010654c 100644
 userdom_search_user_home_dirs(xserver_t)
 userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1254,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1255,6 @@ userdom_setattr_user_ttys(xserver_t)
 userdom_read_user_tmp_files(xserver_t)
 userdom_rw_user_tmpfs_files(xserver_t)
@ -32972,7 +32973,7 @@ index 8b40377..010654c 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1298,54 @@ optional_policy(`
+@@ -785,17 +1299,54 @@ optional_policy(`
 ')
 optional_policy(`
@ -33029,7 +33030,7 @@ index 8b40377..010654c 100644
 ')
 optional_policy(`
-@@ -803,6 +1353,10 @@ optional_policy(`
+@@ -803,6 +1354,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -33040,7 +33041,7 @@ index 8b40377..010654c 100644
 	xfs_stream_connect(xserver_t)
 ')
-@@ -818,18 +1372,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1373,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -33065,7 +33066,7 @@ index 8b40377..010654c 100644
 can_exec(xserver_t, xkb_var_lib_t)
 # VNC v4 module in X server
-@@ -842,26 +1395,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1396,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -33100,7 +33101,7 @@ index 8b40377..010654c 100644
 ')
 optional_policy(`
-@@ -912,7 +1460,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1461,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -33109,7 +33110,7 @@ index 8b40377..010654c 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1514,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1515,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -33141,7 +33142,7 @@ index 8b40377..010654c 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1560,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1561,148 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
@ -42422,7 +42423,7 @@ index 58bc27f..9e86fce 100644
 +
 +
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..a6a1d12 100644
+index 79048c4..262c9ec 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -42658,7 +42659,7 @@ index 79048c4..a6a1d12 100644
 ')
 optional_policy(`
-+    docker_rw_sem(lvm_t)
+    container_rw_sem(lvm_t)
 +')
 +
 +optional_policy(`
@ -49099,7 +49100,7 @@ index 0000000..16cd1ac
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..f2c6d14
+index 0000000..bd6672d
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,971 @@
@ -49446,8 +49447,8 @@ index 0000000..f2c6d14
 +')
 +
 +optional_policy(`
-+	docker_read_share_files(systemd_machined_t)
+	container_read_share_files(systemd_machined_t)
-+	docker_spc_read_state(systemd_machined_t)
+	container_spc_read_state(systemd_machined_t)
 +')
 +
 +optional_policy(`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 218%{?dist}
+Release: 219%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -675,6 +675,24 @@ exit 0
 %endif
 %changelog
 * Mon Oct 10 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-219
 - Dontaudit leaked file descriptors for thumb. BZ(1383071)
 - Fix typo in cobbler SELinux module
 - Merge pull request #165 from rhatdan/container
 - Allow cockpit_ws_t to manage cockpit_lib_t dirs and files. BZ(1375156)
 - Allow cobblerd_t to delete dirs labeled as tftpdir_rw_t
 - Rename svirt_lxc_net_t to container_t
 - Rename docker.pp to container.pp, causes change in interface name
 - Allow httpd_t domain to list inotify filesystem.
 - Fix couple AVC to start roundup properly
 - Allow dovecot_t send signull to dovecot_deliver_t
 - Add sys_ptrace capability to pegasus domain
 - Allow firewalld to stream connect to NetworkManager. BZ(1380954)
 - rename docker intefaces to container
 - Merge pull request #164 from rhatdan/docker-base
 - Rename docker.pp to container.pp, causes change in interface name
 - Allow gvfs to read /dev/nvme* devices BZ(1380951)
 * Wed Oct 05 2016 Colin Walters <walters@redhat.com> - 3.13.1-218
 - Revert addition of systemd service for factory reset, since it is
  basically worse than what we had before.  BZ(1290659)