rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Mon Feb 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-113

Browse Source 
- Xserver needs to be transitioned to from confined users
- Added logging_syslogd_pid_filetrans
- xdm_t now talks to hostnamed
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Additional fix for labeleling /dev/log correctly.
- cups chats with network manager
- Allow parent domains to read/write fifo files in mozilla plugin
- Allow spc_t to transition to svirt domains
- Cleanup spc_t
- docker needs more control over spc_t
- pcp domains are executed out of cron
This commit is contained in:
Lukas Vrabec 2015-02-23 16:11:23 +01:00
parent 83d645c1b0
commit 946068cde6
3 changed files with 432 additions and 227 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

507
policy-rawhide-base.patch
View File

File diff suppressed because it is too large Load Diff

135
policy-rawhide-contrib.patch
View File

@ -19713,7 +19713,7 @@ index 3023be7..0317731 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
index c91813c..dbd69b1 100644
index c91813c..325c5e3 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@ -20058,7 +20058,18 @@ index c91813c..dbd69b1 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
@@ -334,7 +385,11 @@ optional_policy(`
@@ -316,6 +367,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_chat(cupsd_t)
+')
+
+optional_policy(`
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
samba_stream_connect_nmbd(cupsd_t)
@@ -334,7 +389,11 @@ optional_policy(`
')
optional_policy(`
@ -20071,7 +20082,7 @@ index c91813c..dbd69b1 100644
')
########################################
@@ -342,12 +397,11 @@ optional_policy(`
@@ -342,12 +401,11 @@ optional_policy(`
# Configuration daemon local policy
#
@ -20087,7 +20098,7 @@ index c91813c..dbd69b1 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
@@ -372,18 +426,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
@@ -372,18 +430,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@ -20108,7 +20119,7 @@ index c91813c..dbd69b1 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
@@ -392,20 +444,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@@ -392,20 +448,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@ -20129,7 +20140,7 @@ index c91813c..dbd69b1 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -417,11 +461,6 @@ auth_use_nsswitch(cupsd_config_t)
@@ -417,11 +465,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@ -20141,7 +20152,7 @@ index c91813c..dbd69b1 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
@@ -449,9 +488,12 @@ optional_policy(`
@@ -449,9 +492,12 @@ optional_policy(`
')
optional_policy(`
@ -20155,7 +20166,7 @@ index c91813c..dbd69b1 100644
')
optional_policy(`
@@ -487,10 +529,6 @@ optional_policy(`
@@ -487,10 +533,6 @@ optional_policy(`
# Lpd local policy
#
@ -20166,7 +20177,7 @@ index c91813c..dbd69b1 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
@@ -508,15 +546,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
@@ -508,15 +550,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@ -20184,7 +20195,7 @@ index c91813c..dbd69b1 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
@@ -537,9 +575,6 @@ auth_use_nsswitch(cupsd_lpd_t)
@@ -537,9 +579,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@ -20194,7 +20205,7 @@ index c91813c..dbd69b1 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
@@ -550,7 +585,6 @@ optional_policy(`
@@ -550,7 +589,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@ -20202,7 +20213,7 @@ index c91813c..dbd69b1 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
@@ -566,148 +600,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
@@ -566,148 +604,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@ -20324,17 +20335,15 @@ index c91813c..dbd69b1 100644
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
-userdom_dontaudit_search_user_home_dirs(hplip_t)
-userdom_dontaudit_search_user_home_content(hplip_t)
+userdom_home_manager(cups_pdf_t)
optional_policy(`
-
-optional_policy(`
- dbus_system_bus_client(hplip_t)
-
- optional_policy(`
- userdom_dbus_send_all_users(hplip_t)
- ')
+ gnome_read_config(cups_pdf_t)
')
-')
-
-optional_policy(`
- lpd_read_config(hplip_t)
- lpd_manage_spool(hplip_t)
@ -20343,18 +20352,20 @@ index c91813c..dbd69b1 100644
-optional_policy(`
- seutil_sigchld_newrole(hplip_t)
-')
-
-optional_policy(`
+userdom_home_manager(cups_pdf_t)
optional_policy(`
- snmp_read_snmp_var_lib_files(hplip_t)
-')
-
+ gnome_read_config(cups_pdf_t)
')
-optional_policy(`
- udev_read_db(hplip_t)
-')
########################################
#
@@ -735,7 +644,6 @@ kernel_read_kernel_sysctls(ptal_t)
@@ -735,7 +648,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@ -20362,7 +20373,7 @@ index c91813c..dbd69b1 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
@@ -745,13 +653,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
@@ -745,13 +657,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@ -20376,7 +20387,7 @@ index c91813c..dbd69b1 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
@@ -759,8 +665,6 @@ fs_search_auto_mountpoints(ptal_t)
@@ -759,8 +669,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@ -20385,7 +20396,7 @@ index c91813c..dbd69b1 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
@@ -773,3 +677,4 @@ optional_policy(`
@@ -773,3 +681,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
@ -24884,10 +24895,10 @@ index 0000000..a4aa484
+
diff --git a/docker.if b/docker.if
new file mode 100644
index 0000000..c8e5981
index 0000000..1542da8
--- /dev/null
+++ b/docker.if
@@ -0,0 +1,372 @@
@@ -0,0 +1,392 @@
+
+## <summary>The open-source application container engine.</summary>
+
@ -25211,6 +25222,26 @@ index 0000000..c8e5981
+ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
+')
+
+########################################
+## <summary>
+## Connect to SPC containers over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`docker_spc_stream_connect',`
+ gen_require(`
+ type spc_t, spc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ files_write_all_pid_sockets($1)
+ allow $1 spc_t:unix_stream_socket connectto;
+')
+
+
+########################################
+## <summary>
@ -25262,10 +25293,10 @@ index 0000000..c8e5981
+
diff --git a/docker.te b/docker.te
new file mode 100644
index 0000000..2bfade6
index 0000000..df9e6ce
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,309 @@
@@ -0,0 +1,318 @@
+policy_module(docker, 1.0.0)
+
+########################################
@ -25289,6 +25320,7 @@ index 0000000..2bfade6
+
+type spc_t;
+domain_type(spc_t)
+role system_r types spc_t;
+
+type docker_var_lib_t;
+files_type(docker_var_lib_t)
@ -25565,16 +25597,24 @@ index 0000000..2bfade6
+#
+# spc local policy
+#
+domain_entry_file(spc_t, docker_share_t)
+domain_entry_file(spc_t, docker_var_lib_t)
+role system_r types spc_t;
+allow docker_t spc_t:process setsched;
+
+domain_entry_file(spc_t, docker_share_t)
+domain_entry_file(spc_t, docker_var_lib_t)
+domtrans_pattern(docker_t, docker_share_t, spc_t)
+domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
+allow docker_t spc_t:process { setsched signal_perms };
+ps_process_pattern(docker_t, spc_t)
+
+optional_policy(`
+ unconfined_domain(spc_t)
+ unconfined_domain_noaudit(spc_t)
+')
+
+optional_policy(`
+ virt_transition_svirt_sandbox(spc_t, system_r)
+')
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
--- a/dovecot.fc
@ -47977,7 +48017,7 @@ index 6ffaba2..549fb8c 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
index 6194b80..9dbe23d 100644
index 6194b80..e27c53d 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@ -48263,7 +48303,7 @@ index 6194b80..9dbe23d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -265,140 +173,156 @@ interface(`mozilla_exec_user_plugin_home_files',`
@@ -265,140 +173,157 @@ interface(`mozilla_exec_user_plugin_home_files',`
## </param>
#
interface(`mozilla_execmod_user_home_files',`
@ -48365,6 +48405,7 @@ index 6194b80..9dbe23d 100644
+ allow mozilla_plugin_t $1:sem create_sem_perms;
+ allow $1 mozilla_plugin_t:sem rw_sem_perms;
+ allow $1 mozilla_plugin_t:shm rw_shm_perms;
+ allow $1 mozilla_plugin_t:fifo_file rw_fifo_file_perms;
+
+ ps_process_pattern($1, mozilla_plugin_t)
+ ps_process_pattern(mozilla_plugin_t, $1)
@ -48480,7 +48521,7 @@ index 6194b80..9dbe23d 100644
')
########################################
@@ -424,8 +348,7 @@ interface(`mozilla_dbus_chat',`
@@ -424,8 +349,7 @@ interface(`mozilla_dbus_chat',`
########################################
## <summary>
@ -48490,7 +48531,7 @@ index 6194b80..9dbe23d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -433,57 +356,162 @@ interface(`mozilla_dbus_chat',`
@@ -433,57 +357,162 @@ interface(`mozilla_dbus_chat',`
## </summary>
## </param>
#
@ -48671,7 +48712,7 @@ index 6194b80..9dbe23d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -491,18 +519,18 @@ interface(`mozilla_manage_plugin_rw_files',`
@@ -491,18 +520,18 @@ interface(`mozilla_manage_plugin_rw_files',`
## </summary>
## </param>
#
@ -48695,7 +48736,7 @@ index 6194b80..9dbe23d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -510,19 +538,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
@@ -510,19 +539,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
## </summary>
## </param>
#
@ -48720,7 +48761,7 @@ index 6194b80..9dbe23d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -530,45 +557,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
@@ -530,45 +558,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
## </summary>
## </param>
#
@ -64542,10 +64583,10 @@ index 0000000..9b8cb6b
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
index 0000000..af1ca01
index 0000000..b33d6ca
--- /dev/null
+++ b/pcp.if
@@ -0,0 +1,140 @@
@@ -0,0 +1,141 @@
+## <summary>The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
+
+######################################
@ -64567,6 +64608,7 @@ index 0000000..af1ca01
+ type pcp_$1_t, pcp_domain;
+ type pcp_$1_exec_t;
+ init_daemon_domain(pcp_$1_t, pcp_$1_exec_t)
+ cron_system_entry(pcp_$1_t, pcp_$1_exec_t)
+
+ type pcp_$1_initrc_exec_t;
+ init_script_file(pcp_$1_initrc_exec_t)
@ -106640,7 +106682,7 @@ index facdee8..f6b8a09 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
index f03dcf5..2c0de22 100644
index f03dcf5..a1f667e 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,241 @@
@ -108140,7 +108182,7 @@ index f03dcf5..2c0de22 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1171,320 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1171,321 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -108378,6 +108420,7 @@ index f03dcf5..2c0de22 100644
+ docker_read_share_files(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
+ docker_spc_stream_connect(svirt_sandbox_domain)
+')
+
+optional_policy(`
@ -108602,7 +108645,7 @@ index f03dcf5..2c0de22 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1497,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1498,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -108617,7 +108660,7 @@ index f03dcf5..2c0de22 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,9 +1515,8 @@ optional_policy(`
@@ -1192,9 +1516,8 @@ optional_policy(`
########################################
#
@ -108628,7 +108671,7 @@ index f03dcf5..2c0de22 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1529,238 @@ kernel_read_network_state(virt_bridgehelper_t)
@@ -1207,5 +1530,238 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)

15
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 112%{?dist}
Release: 113%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -605,6 +605,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Feb 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-113
- Xserver needs to be transitioned to from confined users
- Added logging_syslogd_pid_filetrans
- xdm_t now talks to hostnamed
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Additional fix for labeleling /dev/log correctly.
- cups chats with network manager
- Allow parent domains to read/write fifo files in mozilla plugin
- Allow spc_t to transition to svirt domains
- Cleanup spc_t
- docker needs more control over spc_t
- pcp domains are executed out of cron
* Mon Feb 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-112
- Allow audisp to connect to system DBUS for service.
- Label /dev/log correctly.