* Mon Aug 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-73

- Allow systemd_logind_t to list tmpfs directories
- Allow lvm_t to create undefined sockets
- Allow passwd_t to read/write stream sockets
- Allow docker lots more access.
- Fix label for ports
- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
- Label tcp port 4194 as kubernetes port.
- Additional access required for passenger_t
- sandbox domains should be allowed to use libraries which require execmod
- Allow qpid to read passwd files BZ (#1130086)
- Remove cockpit port, it is now going to use websm port
- Add getattr to the list of access to dontaudit on unix_stream_sockets
- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
Lukas Vrabec 2014-08-18 17:43:18 +02:00
parent 3399c51143
commit 9229b61067
3 changed files with 423 additions and 146 deletions


@ -2667,7 +2667,7 @@ index 99e3903..fa68362 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..1a53101 100644
index 1d732f1..4aef39e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -2896,11 +2896,12 @@ index 1d732f1..1a53101 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
@@ -352,6 +383,14 @@ userdom_read_user_tmp_files(passwd_t)
@@ -352,6 +383,15 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
+userdom_rw_stream(passwd_t)
+
+optional_policy(`
+ gnome_exec_keyringd(passwd_t)
@ -2911,7 +2912,7 @@ index 1d732f1..1a53101 100644
optional_policy(`
nscd_run(passwd_t, passwd_roles)
@@ -401,9 +440,10 @@ dev_read_urand(sysadm_passwd_t)
@@ -401,9 +441,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@ -2924,7 +2925,7 @@ index 1d732f1..1a53101 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
@@ -416,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t)
@@ -416,7 +457,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@ -2932,7 +2933,7 @@ index 1d732f1..1a53101 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
@@ -426,12 +465,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
@@ -426,12 +466,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@ -2945,7 +2946,7 @@ index 1d732f1..1a53101 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
@@ -446,7 +482,8 @@ optional_policy(`
@@ -446,7 +483,8 @@ optional_policy(`
# Useradd local policy
#
@ -2955,7 +2956,7 @@ index 1d732f1..1a53101 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
@@ -461,6 +498,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
@@ -461,6 +499,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@ -2966,7 +2967,7 @@ index 1d732f1..1a53101 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
@@ -468,29 +509,28 @@ corecmd_exec_shell(useradd_t)
@@ -468,29 +510,28 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@ -3006,7 +3007,7 @@ index 1d732f1..1a53101 100644
auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
@@ -498,6 +538,7 @@ auth_rw_faillog(useradd_t)
@@ -498,6 +539,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@ -3014,7 +3015,7 @@ index 1d732f1..1a53101 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
@@ -508,33 +549,32 @@ init_rw_utmp(useradd_t)
@@ -508,33 +550,32 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@ -3059,7 +3060,7 @@ index 1d732f1..1a53101 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
@@ -549,10 +589,19 @@ optional_policy(`
@@ -549,10 +590,19 @@ optional_policy(`
')
optional_policy(`
@ -3079,7 +3080,7 @@ index 1d732f1..1a53101 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
@@ -562,3 +611,12 @@ optional_policy(`
@@ -562,3 +612,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@ -5460,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..a19d634 100644
index b191055..9ae3918 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5534,7 +5535,7 @@ index b191055..a19d634 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@ -5553,7 +5554,6 @@ index b191055..a19d634 100644
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
+network_port(cockpit, udp,1001,s0)
+network_port(collectd, udp,25826,s0)
network_port(chronyd, udp,323,s0)
network_port(clamd, tcp,3310,s0)
@ -5612,7 +5612,7 @@ index b191055..a19d634 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
@@ -140,45 +177,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
@@ -140,45 +176,53 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5651,6 +5651,7 @@ index b191055..a19d634 100644
+network_port(kerberos_admin, tcp,749,s0)
+network_port(kerberos_password, tcp,464,s0, udp,464,s0)
+network_port(keystone, tcp, 35357,s0, udp, 35357,s0)
+network_port(kubernetes, tcp, 10250,s0, tcp, 4001,s0, tcp, 4194,s0)
+network_port(rlogin, tcp,543,s0, tcp,2105,s0)
+network_port(rtsclient, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
@ -17457,7 +17458,7 @@ index 7be4ddf..71e675a 100644
+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..fb8a1f1 100644
index e100d88..5a45858 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -17621,7 +17622,32 @@ index e100d88..fb8a1f1 100644
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
## </summary>
@@ -1477,6 +1565,24 @@ interface(`kernel_dontaudit_list_all_proc',`
@@ -1458,6 +1546,24 @@ interface(`kernel_list_all_proc',`
########################################
## <summary>
+## Allow attempts to mounton all proc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_all_proc',`
+ gen_require(`
+ attribute proc_type;
+ ')
+
+ allow $1 proc_type:dir mounton;
+')
+
+########################################
+## <summary>
## Do not audit attempts to list all proc directories.
## </summary>
## <param name="domain">
@@ -1477,6 +1583,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
## <summary>
@ -17646,7 +17672,7 @@ index e100d88..fb8a1f1 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
@@ -1672,7 +1778,7 @@ interface(`kernel_read_net_sysctls',`
@@ -1672,7 +1796,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@ -17655,7 +17681,7 @@ index e100d88..fb8a1f1 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
@@ -1693,7 +1799,7 @@ interface(`kernel_rw_net_sysctls',`
@@ -1693,7 +1817,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@ -17664,7 +17690,7 @@ index e100d88..fb8a1f1 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
@@ -1715,7 +1821,6 @@ interface(`kernel_read_unix_sysctls',`
@@ -1715,7 +1839,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@ -17672,7 +17698,7 @@ index e100d88..fb8a1f1 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
@@ -1750,16 +1855,9 @@ interface(`kernel_rw_unix_sysctls',`
@@ -1750,16 +1873,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -17690,7 +17716,7 @@ index e100d88..fb8a1f1 100644
')
########################################
@@ -1771,16 +1869,9 @@ interface(`kernel_read_hotplug_sysctls',`
@@ -1771,16 +1887,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -17708,7 +17734,7 @@ index e100d88..fb8a1f1 100644
')
########################################
@@ -1792,16 +1883,9 @@ interface(`kernel_rw_hotplug_sysctls',`
@@ -1792,16 +1901,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -17726,7 +17752,7 @@ index e100d88..fb8a1f1 100644
')
########################################
@@ -1813,16 +1897,9 @@ interface(`kernel_read_modprobe_sysctls',`
@@ -1813,16 +1915,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -17744,16 +17770,37 @@ index e100d88..fb8a1f1 100644
')
########################################
@@ -2085,7 +2162,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
@@ -2085,9 +2180,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
- dontaudit $1 sysctl_type:file getattr;
+ dontaudit $1 sysctl_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow attempts to mounton all sysctl directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mounton_all_sysctls',`
+ gen_require(`
+ attribute sysctl_type;
+ ')
+
+ allow $1 sysctl_type:dir mounton;
')
+
########################################
@@ -2282,6 +2359,25 @@ interface(`kernel_list_unlabeled',`
## <summary>
## Allow caller to read all sysctls.
@@ -2282,6 +2396,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@ -17779,7 +17826,7 @@ index e100d88..fb8a1f1 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
@@ -2306,7 +2402,7 @@ interface(`kernel_read_unlabeled_state',`
@@ -2306,7 +2439,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@ -17788,7 +17835,7 @@ index e100d88..fb8a1f1 100644
## </summary>
## </param>
#
@@ -2488,6 +2584,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
@@ -2488,6 +2621,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@ -17813,7 +17860,7 @@ index e100d88..fb8a1f1 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
@@ -2525,6 +2639,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
@@ -2525,6 +2676,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@ -17838,7 +17885,7 @@ index e100d88..fb8a1f1 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
@@ -2667,6 +2799,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
@@ -2667,6 +2836,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@ -17863,7 +17910,7 @@ index e100d88..fb8a1f1 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
@@ -2694,6 +2844,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
@@ -2694,6 +2881,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@ -17889,7 +17936,7 @@ index e100d88..fb8a1f1 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
@@ -2803,6 +2972,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
@@ -2803,6 +3009,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@ -17923,10 +17970,11 @@ index e100d88..fb8a1f1 100644
########################################
## <summary>
@@ -2958,6 +3154,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
@@ -2958,7 +3191,25 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
-## Unconfined access to kernel module resources.
+## Relabel to unlabeled context .
+## </summary>
+## <param name="domain">
@ -17945,10 +17993,11 @@ index e100d88..fb8a1f1 100644
+
+########################################
+## <summary>
## Unconfined access to kernel module resources.
+## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2972,5 +3186,565 @@ interface(`kernel_unconfined',`
## <summary>
@@ -2972,5 +3223,565 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@ -34282,10 +34331,10 @@ index 312cd04..3c62b4c 100644
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 73a1c4e..ef41ebe 100644
index 73a1c4e..af8050d 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,22 +1,35 @@
@@ -1,22 +1,39 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@ -34293,13 +34342,17 @@ index 73a1c4e..ef41ebe 100644
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
+
+/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
@ -36767,7 +36820,7 @@ index 58bc27f..f5ae583 100644
+')
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c4..f505f63 100644
index 79048c4..a7040f1 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@ -36851,7 +36904,7 @@ index 79048c4..f505f63 100644
ccs_stream_connect(clvmd_t)
')
@@ -170,6 +181,7 @@ dontaudit lvm_t self:capability sys_tty_config;
@@ -170,15 +181,22 @@ dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
@ -36859,7 +36912,10 @@ index 79048c4..f505f63 100644
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
@@ -179,6 +191,11 @@ allow lvm_t self:sem create_sem_perms;
+allow lvm_t self:socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow lvm_t self:sem create_sem_perms;
allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
@ -36871,7 +36927,7 @@ index 79048c4..f505f63 100644
manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
@@ -191,10 +208,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
@@ -191,10 +209,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
@ -36884,7 +36940,7 @@ index 79048c4..f505f63 100644
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
@@ -202,8 +221,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
@@ -202,8 +222,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@ -36896,7 +36952,7 @@ index 79048c4..f505f63 100644
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
@@ -220,6 +241,7 @@ kernel_read_kernel_sysctls(lvm_t)
@@ -220,6 +242,7 @@ kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
@ -36904,7 +36960,7 @@ index 79048c4..f505f63 100644
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
@@ -230,11 +252,13 @@ dev_delete_generic_dirs(lvm_t)
@@ -230,11 +253,13 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@ -36919,7 +36975,7 @@ index 79048c4..f505f63 100644
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
@@ -246,6 +270,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
@@ -246,6 +271,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@ -36927,7 +36983,7 @@ index 79048c4..f505f63 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
@@ -255,17 +280,21 @@ files_read_etc_files(lvm_t)
@@ -255,17 +281,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@ -36950,7 +37006,7 @@ index 79048c4..f505f63 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
@@ -285,7 +314,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
@@ -285,7 +315,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@ -36959,7 +37015,7 @@ index 79048c4..f505f63 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
@@ -293,15 +322,22 @@ init_use_script_ptys(lvm_t)
@@ -293,15 +323,22 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
@ -36983,7 +37039,7 @@ index 79048c4..f505f63 100644
ifdef(`distro_redhat',`
# this is from the initrd:
@@ -313,6 +349,11 @@ ifdef(`distro_redhat',`
@@ -313,6 +350,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -36995,7 +37051,7 @@ index 79048c4..f505f63 100644
bootloader_rw_tmp_files(lvm_t)
')
@@ -333,14 +374,34 @@ optional_policy(`
@@ -333,14 +375,34 @@ optional_policy(`
')
optional_policy(`
@ -42685,10 +42741,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..e2c527a
index 0000000..08a4e91
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,685 @@
@@ -0,0 +1,686 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -42787,6 +42843,7 @@ index 0000000..e2c527a
+
+fs_mount_tmpfs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
+fs_list_tmpfs(systemd_logind_t)
+fs_manage_fusefs_dirs(systemd_logind_t)
+fs_manage_fusefs_files(systemd_logind_t)
+
@ -44765,7 +44822,7 @@ index db75976..8f5380f 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..d193211 100644
index 9dc60c6..72d01d2 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -48054,7 +48111,7 @@ index 9dc60c6..d193211 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
@@ -3435,4 +4477,1666 @@ interface(`userdom_dbus_send_all_users',`
@@ -3435,4 +4477,1684 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@ -48586,7 +48643,7 @@ index 9dc60c6..d193211 100644
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain stream.
+## userdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
@ -48604,6 +48661,24 @@ index 9dc60c6..d193211 100644
+
+########################################
+## <summary>
+## Read and write userdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_stream',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write
+## unserdomain datagram socket.
+## </summary>
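Review bot: The summary of the new `userdom_rw_stream` interface ("Read and write userdomain stream.") does not say what the rule actually grants, which is `rw_socket_perms` on the unix_stream_socket of every domain carrying the `userdomain` attribute; since passwd_t now calls it unconditionally, a policy reader should be able to see that scope from the interface description. Suggest `## Read and write unix stream sockets of all user domains` for the summary, and, if the intended use is only the socket passwd inherits from the invoking user session, say so in a second summary line so a narrower permission set can be chosen later. The commit also corrects "unserdomain" to "userdomain" in the dontaudit stream interface summary, but the same typo remains in the summary of the next interface ("unserdomain datagram socket."); that interface's body continues past the end of this section.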


@ -3618,7 +3618,7 @@ index 7caefc3..7e70f67 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index f6eb485..9eba5f5 100644
index f6eb485..499800e 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@ -4085,7 +4085,13 @@ index f6eb485..9eba5f5 100644
## </summary>
## <param name="domain">
## <summary>
@@ -372,8 +413,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
@@ -367,13 +408,13 @@ interface(`apache_dontaudit_rw_stream_sockets',`
type httpd_t;
')
- dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
')
########################################
## <summary>
@ -4241,11 +4247,10 @@ index f6eb485..9eba5f5 100644
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
')
########################################
## <summary>
-## Read httpd log files.
+')
+
+########################################
+## <summary>
+## dontaudit attempts to read
+## apache log files.
+## </summary>
@ -4263,10 +4268,11 @@ index f6eb485..9eba5f5 100644
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Read httpd log files.
+## Allow the specified domain to read
+## apache log files.
## </summary>
@ -4546,12 +4552,32 @@ index f6eb485..9eba5f5 100644
')
-########################################
+######################################
+## <summary>
+## Allow the specified domain to read
+## apache system content rw files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_files',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
## <summary>
-## Create, read, write, and delete
-## httpd system rw content.
+## Allow the specified domain to read
+## apache system content rw files.
+## apache system content rw dirs.
## </summary>
## <param name="domain">
## <summary>
@ -4561,32 +4587,12 @@ index f6eb485..9eba5f5 100644
+## <rolecap/>
#
-interface(`apache_manage_sys_rw_content',`
+interface(`apache_read_sys_content_rw_files',`
+interface(`apache_read_sys_content_rw_dirs',`
gen_require(`
type httpd_sys_rw_content_t;
')
- apache_search_sys_content($1)
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to read
+## apache system content rw dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_read_sys_content_rw_dirs',`
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
@ -4679,6 +4685,15 @@ index f6eb485..9eba5f5 100644
## </summary>
## <param name="domain">
## <summary>
@@ -916,7 +1122,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',`
type httpd_sys_script_t;
')
- dontaudit $1 httpd_sys_script_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
')
########################################
@@ -941,7 +1147,7 @@ interface(`apache_domtrans_all_scripts',`
########################################
## <summary>
@ -4972,7 +4987,7 @@ index f6eb485..9eba5f5 100644
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit $1 httpd_t:tcp_socket { read write };
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
+')
+
@ -13804,10 +13819,10 @@ index 0000000..573dcae
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 0000000..cc6201d
index 0000000..4c9b3b1
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,89 @@
@@ -0,0 +1,85 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@ -13845,11 +13860,7 @@ index 0000000..cc6201d
+dev_read_urand(cockpit_ws_t) # for authkey
+dev_read_rand(cockpit_ws_t) # for libssh
+
+# cockpit-ws can read from the cockpit port
+# TODO: disable this until we have it in our f20 selinux-policy-targeted
+# corenet_tcp_bind_cockpit_port(cockpit_ws_t)
+#allow cockpit_ws_t init_t:tcp_socket accept;
+corenet_tcp_bind_all_reserved_ports(cockpit_ws_t)
+corenet_tcp_bind_websm_port(cockpit_ws_t)
+
+# cockpit-ws can connect to other hosts via ssh
+corenet_tcp_connect_ssh_port(cockpit_ws_t)
@ -24559,10 +24570,10 @@ index 0000000..76eb32e
+')
diff --git a/docker.te b/docker.te
new file mode 100644
index 0000000..dfb6b04
index 0000000..ef1b924
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,278 @@
@@ -0,0 +1,280 @@
+policy_module(docker, 1.0.0)
+
+########################################
@ -24672,7 +24683,7 @@ index 0000000..dfb6b04
+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
+
+allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(docker_t, docker_devpts_t)
+
+kernel_read_system_state(docker_t)
@ -24755,6 +24766,8 @@ index 0000000..dfb6b04
+kernel_get_sysvipc_info(docker_t)
+kernel_request_load_module(docker_t)
+kernel_mounton_messages(docker_t)
+kernel_mounton_all_proc(docker_t)
+kernel_mounton_all_sysctls(docker_t)
+
+dev_getattr_all(docker_t)
+dev_getattr_sysfs_fs(docker_t)
@ -39659,6 +39672,152 @@ index c5548c5..1356fcb 100644
-miscfiles_read_localization(ktalkd_t)
+userdom_use_user_ptys(ktalkd_t)
+userdom_use_user_ttys(ktalkd_t)
diff --git a/kubernetes.fc b/kubernetes.fc
new file mode 100644
index 0000000..9d05b4a
--- /dev/null
+++ b/kubernetes.fc
@@ -0,0 +1,15 @@
+/usr/lib/systemd/system/kubelet.* -- gen_context(system_u:object_r:kube_kubelet_unit_file_t,s0)
+/usr/lib/systemd/system/kube-apiserver.* -- gen_context(system_u:object_r:kube_apiserver_unit_file_t,s0)
+/usr/lib/systemd/system/kube-controller-manager.* -- gen_context(system_u:object_r:kube_controller_unit_file_t,s0)
+/usr/lib/systemd/system/kube-proxy.* -- gen_context(system_u:object_r:kube_proxy_unit_file_t,s0)
+/usr/lib/systemd/system/etcd.* -- gen_context(system_u:object_r:kube_etcd_unit_file_t,s0)
+
+/usr/bin/kubelet -- gen_context(system_u:object_r:kube_kubelet_exec_t,s0)
+/usr/bin/kube-apiserver -- gen_context(system_u:object_r:kube_apiserver_exec_t,s0)
+/usr/bin/kube-controller-manager -- gen_context(system_u:object_r:kube_controller_exec_t,s0)
+/usr/bin/kube-proxy -- gen_context(system_u:object_r:kube_proxy_exec_t,s0)
+/usr/bin/kubecfg -- gen_context(system_u:object_r:kube_kubecfg_exec_t,s0)
+/usr/bin/etcd -- gen_context(system_u:object_r:kube_etcd_exec_t,s0)
+
+/var/lib/etcd(/.*)? gen_context(system_u:object_r:kube_etcd_var_lib_t,s0)
+
diff --git a/kubernetes.if b/kubernetes.if
new file mode 100644
index 0000000..e9d90b0
--- /dev/null
+++ b/kubernetes.if
@@ -0,0 +1,43 @@
+## <summary>kube</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## kube init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`kube_domain_template',`
+ gen_require(`
+ attribute kube_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type kube_$1_t, kube_domain;
+ type kube_$1_exec_t;
+ init_daemon_domain(kube_$1_t, kube_$1_exec_t)
+
+ type kube_$1_unit_file_t;
+ systemd_unit_file(kube_$1_unit_file_t)
+
+ ##############################
+ #
+ # kube_domain domain policy
+
+ kernel_read_unix_sysctls(kube_domain)
+ kernel_read_net_sysctls(kube_domain)
+
+ auth_read_passwd(kube_domain)
+
+ corenet_tcp_bind_generic_node(kube_domain)
+ corenet_tcp_connect_http_cache_port(kube_domain)
+ corenet_tcp_connect_kubernetes_port(kube_domain)
+')
diff --git a/kubernetes.te b/kubernetes.te
new file mode 100644
index 0000000..7bfbbff
--- /dev/null
+++ b/kubernetes.te
@@ -0,0 +1,70 @@
+policy_module(kubernetes, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute kube_domain;
+
+kube_domain_template(kubelet)
+kube_domain_template(apiserver)
+kube_domain_template(controller)
+kube_domain_template(proxy)
+kube_domain_template(kubecfg)
+kube_domain_template(etcd)
+
+type kube_etcd_var_lib_t;
+files_type(kube_etcd_var_lib_t)
+
+########################################
+#
+# kubelet local policy
+#
+
+allow kube_kubelet_t self:capability net_admin;
+allow kube_kubelet_t self:tcp_socket { accept listen create_socket_perms };
+
+corenet_tcp_bind_kubernetes_port(kube_kubelet_t)
+
+########################################
+#
+# kube_controller local policy
+#
+
+allow kube_controller_t self:tcp_socket create_socket_perms;
+
+########################################
+#
+# kube_apiserver local policy
+#
+
+allow kube_apiserver_t self:tcp_socket { accept listen create_socket_perms };
+
+corenet_tcp_bind_http_cache_port(kube_apiserver_t)
+
+########################################
+#
+# kube_proxy local policy
+#
+
+allow kube_proxy_t self:capability net_admin;
+allow kube_proxy_t self:tcp_socket create_socket_perms;
+
+########################################
+#
+# kube_ectd local policy
+#
+
+allow kube_etcd_t self:tcp_socket { accept listen create_socket_perms };
+allow kube_etcd_t self:unix_dgram_socket create_socket_perms;
+
+fs_getattr_xattr_fs(kube_etcd_t)
+
+manage_files_pattern(kube_etcd_t, kube_etcd_var_lib_t, kube_etcd_var_lib_t)
+files_var_lib_filetrans(kube_etcd_t, kube_etcd_var_lib_t, file )
+
+corenet_tcp_bind_kubernetes_port(kube_etcd_t)
+corenet_tcp_bind_afs3_callback_port(kube_etcd_t)
+
+logging_send_syslog_msg(kube_etcd_t)
diff --git a/kudzu.if b/kudzu.if
index 5297064..6ba8108 100644
--- a/kudzu.if
@ -49187,7 +49346,7 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
index ff1d68c..45bdd6f 100644
index ff1d68c..58ba0ce 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@ -49414,7 +49573,7 @@ index ff1d68c..45bdd6f 100644
')
optional_policy(`
@@ -258,10 +282,16 @@ optional_policy(`
@@ -258,10 +282,17 @@ optional_policy(`
')
optional_policy(`
@ -49428,10 +49587,11 @@ index ff1d68c..45bdd6f 100644
+')
+
+optional_policy(`
+ nagios_append_spool(system_mail_t)
nagios_read_tmp_files(system_mail_t)
')
@@ -272,6 +302,19 @@ optional_policy(`
@@ -272,6 +303,19 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@ -49451,7 +49611,7 @@ index ff1d68c..45bdd6f 100644
')
optional_policy(`
@@ -287,42 +330,36 @@ optional_policy(`
@@ -287,42 +331,36 @@ optional_policy(`
')
optional_policy(`
@ -49504,7 +49664,7 @@ index ff1d68c..45bdd6f 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,44 +368,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -331,44 +369,48 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@ -49574,7 +49734,7 @@ index ff1d68c..45bdd6f 100644
')
optional_policy(`
@@ -381,24 +422,49 @@ optional_policy(`
@@ -381,24 +423,49 @@ optional_policy(`
########################################
#
@ -51910,7 +52070,7 @@ index d78dfc3..02f18ac 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
index 0641e97..d7d9a79 100644
index 0641e97..cad402c 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
@ -52015,12 +52175,31 @@ index 0641e97..d7d9a79 100644
## </summary>
## <param name="domain">
## <summary>
@@ -132,13 +125,14 @@ interface(`nagios_search_spool',`
@@ -132,13 +125,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
+## Append nagios spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_append_spool',`
+ gen_require(`
+ type nagios_spool_t;
+ ')
+
+ allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1)
')
@ -52032,17 +52211,18 @@ index 0641e97..d7d9a79 100644
## </summary>
## <param name="domain">
## <summary>
@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',`
@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
- files_search_tmp($1)
allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Execute nrpe with a domain transition.
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
@ -52059,17 +52239,16 @@ index 0641e97..d7d9a79 100644
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
')
########################################
## <summary>
-## Execute nrpe with a domain transition.
+')
+
+########################################
+## <summary>
+## Execute the nagios NRPE with
+## a domain transition.
## </summary>
## <param name="domain">
## <summary>
@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',`
@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
@ -52086,7 +52265,7 @@ index 0641e97..d7d9a79 100644
## </summary>
## <param name="domain">
## <summary>
@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',`
@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',`
## </param>
## <param name="role">
## <summary>
@ -54376,10 +54555,10 @@ index 0000000..d6de5b6
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
index 0000000..28936b4
index 0000000..ce897e2
--- /dev/null
+++ b/nova.if
@@ -0,0 +1,57 @@
@@ -0,0 +1,59 @@
+## <summary>openstack-nova</summary>
+
+######################################
@ -54429,7 +54608,9 @@ index 0000000..28936b4
+
+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
+ manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
+ fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
+ can_exec(nova_$1_t, nova_$1_tmp_t)
+
+ kernel_read_system_state(nova_$1_t)
@ -61732,7 +61913,7 @@ index bf59ef7..2d8335f 100644
+')
+
diff --git a/passenger.te b/passenger.te
index 08ec33b..24ce7e8 100644
index 08ec33b..e478148 100644
--- a/passenger.te
+++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
@ -61745,7 +61926,7 @@ index 08ec33b..24ce7e8 100644
type passenger_var_lib_t;
files_type(passenger_var_lib_t)
@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t)
@@ -22,22 +25,25 @@ files_pid_file(passenger_var_run_t)
########################################
#
@ -61755,7 +61936,8 @@ index 08ec33b..24ce7e8 100644
allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
-allow passenger_t self:process { setpgid setsched sigkill signal };
+allow passenger_t self:process { setpgid setsched sigkill signal signull };
+allow passenger_t self:capability2 block_suspend;
+allow passenger_t self:process { setpgid setsched getsession signal_perms };
allow passenger_t self:fifo_file rw_fifo_file_perms;
-allow passenger_t self:unix_stream_socket { accept connectto listen };
+allow passenger_t self:tcp_socket listen;
@ -61777,7 +61959,7 @@ index 08ec33b..24ce7e8 100644
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
@@ -45,7 +51,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
@ -61790,7 +61972,7 @@ index 08ec33b..24ce7e8 100644
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t)
@@ -53,13 +63,10 @@ kernel_read_network_state(passenger_t)
kernel_read_net_sysctls(passenger_t)
corenet_all_recvfrom_netlabel(passenger_t)
@ -61805,7 +61987,7 @@ index 08ec33b..24ce7e8 100644
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
@@ -68,8 +74,6 @@ dev_read_urand(passenger_t)
@@ -68,8 +75,6 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
@ -61814,7 +61996,7 @@ index 08ec33b..24ce7e8 100644
auth_use_nsswitch(passenger_t)
logging_send_syslog_msg(passenger_t)
@@ -94,14 +98,21 @@ optional_policy(`
@@ -94,14 +99,21 @@ optional_policy(`
')
optional_policy(`
@ -74611,7 +74793,7 @@ index fe2adf8..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
index 83eb09e..b48c931 100644
index 83eb09e..fc17eee 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@ -74624,7 +74806,7 @@ index 83eb09e..b48c931 100644
type qpidd_tmpfs_t;
files_tmpfs_file(qpidd_tmpfs_t)
@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
@@ -33,41 +36,54 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket { accept listen };
allow qpidd_t self:unix_stream_socket { accept listen };
@ -74651,6 +74833,8 @@ index 83eb09e..b48c931 100644
kernel_read_system_state(qpidd_t)
-corenet_all_recvfrom_unlabeled(qpidd_t)
+auth_read_passwd(qpidd_t)
+
corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
@ -87896,10 +88080,10 @@ index 0000000..03bdcef
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
index 0000000..499e739
index 0000000..a3319b0
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,500 @@
@@ -0,0 +1,501 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@ -88054,6 +88238,7 @@ index 0000000..499e739
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
+allow sandbox_x_domain sandbox_file_t:file execmod;
+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
@ -101276,7 +101461,7 @@ index a4f20bc..9ccc90c 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
index facdee8..d179539 100644
index facdee8..c43ef2e 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@ -102325,7 +102510,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',`
@@ -860,74 +695,266 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@ -102474,6 +102659,7 @@ index facdee8..d179539 100644
+ manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+ manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+ manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+ allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };
+')
+
+#######################################
@ -102613,7 +102799,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -935,19 +961,17 @@ interface(`virt_read_log',`
@@ -935,19 +962,17 @@ interface(`virt_read_log',`
## </summary>
## </param>
#
@ -102637,7 +102823,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -955,20 +979,17 @@ interface(`virt_append_log',`
@@ -955,20 +980,17 @@ interface(`virt_append_log',`
## </summary>
## </param>
#
@ -102662,7 +102848,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -976,18 +997,17 @@ interface(`virt_manage_log',`
@@ -976,18 +998,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
@ -102685,7 +102871,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -995,36 +1015,57 @@ interface(`virt_search_images',`
@@ -995,36 +1016,57 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
@ -102762,7 +102948,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1032,20 +1073,28 @@ interface(`virt_read_images',`
@@ -1032,20 +1074,28 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@ -102798,7 +102984,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',`
@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',`
## </summary>
## </param>
#
@ -102946,7 +103132,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',`
@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@ -103020,7 +103206,7 @@ index facdee8..d179539 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',`
@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 72%{?dist}
Release: 73%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,7 +602,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-72
* Mon Aug 18 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-73
- Allow ssytemd_logind_t to list tmpfs directories
- Allow lvm_t to create undefined sockets
- Allow passwd_t to read/write stream sockets
- Allow docker lots more access.
- Fix label for ports
- Add support for arptables-{restore,save} and also labeling for /usr/lib/systemd/system/arptables.service.
- Label tcp port 4194 as kubernetes port.
- Additional access required for passenger_t
- sandbox domains should be allowed to use libraries which require execmod
- Allow qpid to read passwd files BZ (#1130086)
- Remove cockpit port, it is now going to use websm port
- Add getattr to the list of access to dontaudit on unix_stream_sockets
- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
* Tue Aug 12 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-72
- docker needs to be able to look at everything in /dev
- Allow all processes to send themselves signals
- Allow sysadm_t to create netlink_tcpdiag socket