rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Fri Jun 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261

Browse Source 
- Allow boinc_t nsswitch
- Dontaudit firewalld to write to lib_t dirs
- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
- Allow thumb_t domain to allow create dgram sockets
- Disable mysqld_safe_t secure mode environment cleansing
- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode
- Allow dirsrv domain setrlimit
- Dontaudit staff_t user read admin_home_t files.
- Add interface lvm_manage_metadata
- Add permission open to files_read_inherited_tmp_files() interface
This commit is contained in:
Lukas Vrabec 2017-06-23 17:16:37 +02:00
parent c8dc4505f7
commit 959229d1e3
4 changed files with 92 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
container-selinux.tgz
View File

Binary file not shown.

67
policy-rawhide-base.patch
View File

@ -11114,7 +11114,7 @@ index b876c48..2e591a5 100644
+
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76..b64717f 100644
index f962f76..4785fe8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -13574,7 +13574,7 @@ index f962f76..b64717f 100644
+ attribute tmpfile;
+ ')
+
+ allow $1 tmpfile:file { append read_inherited_file_perms };
+ allow $1 tmpfile:file { append open read_inherited_file_perms };
+')
+
+########################################
@ -23945,7 +23945,7 @@ index 234a940..a92415a 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0fef1fc..c3c0f6d 100644
index 0fef1fc..25e60c8 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,73 @@ policy_module(staff, 2.4.0)
@ -24152,7 +24152,7 @@ index 0fef1fc..c3c0f6d 100644
')
optional_policy(`
@@ -35,15 +213,31 @@ optional_policy(`
@@ -35,20 +213,74 @@ optional_policy(`
')
optional_policy(`
@ -24186,10 +24186,12 @@ index 0fef1fc..c3c0f6d 100644
')
optional_policy(`
@@ -52,11 +246,61 @@ optional_policy(`
')
optional_policy(`
sysadm_role_change(staff_r)
userdom_dontaudit_use_user_terminals(staff_t)
+ userdom_dontaudit_read_admin_home_files(staff_t)
+')
+
+optional_policy(`
+ systemd_read_unit_files(staff_t)
+ systemd_exec_systemctl(staff_t)
+')
@ -24224,10 +24226,10 @@ index 0fef1fc..c3c0f6d 100644
+ virt_getattr_exec(staff_t)
+ virt_search_images(staff_t)
+ virt_stream_connect(staff_t)
+')
+
+optional_policy(`
vlock_run(staff_t, staff_r)
')
optional_policy(`
@@ -56,7 +288,20 @@ optional_policy(`
')
optional_policy(`
@ -24249,7 +24251,7 @@ index 0fef1fc..c3c0f6d 100644
')
ifndef(`distro_redhat',`
@@ -65,10 +309,6 @@ ifndef(`distro_redhat',`
@@ -65,10 +310,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -24260,7 +24262,7 @@ index 0fef1fc..c3c0f6d 100644
cdrecord_role(staff_r, staff_t)
')
@@ -78,10 +318,6 @@ ifndef(`distro_redhat',`
@@ -78,10 +319,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@ -24271,7 +24273,7 @@ index 0fef1fc..c3c0f6d 100644
')
optional_policy(`
@@ -101,10 +337,6 @@ ifndef(`distro_redhat',`
@@ -101,10 +338,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -24282,7 +24284,7 @@ index 0fef1fc..c3c0f6d 100644
java_role(staff_r, staff_t)
')
@@ -125,10 +357,6 @@ ifndef(`distro_redhat',`
@@ -125,10 +358,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -24293,7 +24295,7 @@ index 0fef1fc..c3c0f6d 100644
pyzor_role(staff_r, staff_t)
')
@@ -141,10 +369,6 @@ ifndef(`distro_redhat',`
@@ -141,10 +370,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -24304,7 +24306,7 @@ index 0fef1fc..c3c0f6d 100644
spamassassin_role(staff_r, staff_t)
')
@@ -176,3 +400,24 @@ ifndef(`distro_redhat',`
@@ -176,3 +401,24 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@ -40906,7 +40908,7 @@ index 6b91740..7724116 100644
+
+/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 58bc27f..9e86fce 100644
index 58bc27f..842ce28 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -1,5 +1,41 @@
@ -40951,7 +40953,7 @@ index 58bc27f..9e86fce 100644
########################################
## <summary>
## Execute lvm programs in the lvm domain.
@@ -86,6 +122,50 @@ interface(`lvm_read_config',`
@@ -86,6 +122,71 @@ interface(`lvm_read_config',`
########################################
## <summary>
@ -40998,11 +41000,32 @@ index 58bc27f..9e86fce 100644
+')
+
+########################################
+## <summary>
+## Manage LVM metadata files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_manage_metadata',`
+ gen_require(`
+ type lvm_metadata_t;
+ ')
+
+ allow $1 lvm_metadata_t:dir list_dir_perms;
+ manage_dirs_pattern($1, lvm_metadata_t, lvm_metadata_t)
+ manage_files_pattern($1, lvm_metadata_t, lvm_metadata_t)
+')
+
+########################################
+## <summary>
## Manage LVM configuration files.
## </summary>
## <param name="domain">
@@ -105,6 +185,25 @@ interface(`lvm_manage_config',`
@@ -105,6 +206,25 @@ interface(`lvm_manage_config',`
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
')
@ -41028,7 +41051,7 @@ index 58bc27f..9e86fce 100644
######################################
## <summary>
## Execute a domain transition to run clvmd.
@@ -123,3 +222,175 @@ interface(`lvm_domtrans_clvmd',`
@@ -123,3 +243,175 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')

55
policy-rawhide-contrib.patch
View File

@ -10917,7 +10917,7 @@ index 02fefaa..308616e 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
index 687d4c4..bce6267 100644
index 687d4c4..ff57137 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,4 +1,4 @@
@ -11112,7 +11112,7 @@ index 687d4c4..bce6267 100644
-files_read_usr_files(boinc_t)
-fs_getattr_all_fs(boinc_t)
+auth_read_passwd(boinc_t)
+auth_use_nsswitch(boinc_t)
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
@ -25555,7 +25555,7 @@ index 0000000..b3784d8
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
index 0000000..fa74f85
index 0000000..6cca2dd
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,204 @@
@ -25611,7 +25611,7 @@ index 0000000..fa74f85
+#
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
+allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
@ -29362,7 +29362,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
index 98072a3..0235724 100644
index 98072a3..e6904e2 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@ -29413,7 +29413,7 @@ index 98072a3..0235724 100644
corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t)
@@ -63,20 +79,27 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@ -29430,6 +29430,7 @@ index 98072a3..0235724 100644
-miscfiles_read_localization(firewalld_t)
+libs_exec_ldconfig(firewalld_t)
+libs_dontaudit_write_lib_dirs(firewalld_t)
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
@ -29447,7 +29448,7 @@ index 98072a3..0235724 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -91,10 +113,15 @@ optional_policy(`
@@ -91,10 +114,15 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(firewalld_t)
@ -51463,7 +51464,7 @@ index b1ac8b5..24782b3 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
index d15eb5b..2055876 100644
index d15eb5b..ad481ce 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@ -51486,16 +51487,17 @@ index d15eb5b..2055876 100644
kernel_read_system_state(modemmanager_t)
-dev_read_sysfs(modemmanager_t)
-dev_rw_modem(modemmanager_t)
+auth_read_passwd(modemmanager_t)
+
+corecmd_exec_bin(modemmanager_t)
+
dev_read_sysfs(modemmanager_t)
+dev_read_urand(modemmanager_t)
dev_rw_modem(modemmanager_t)
-files_read_etc_files(modemmanager_t)
-
+corecmd_exec_bin(modemmanager_t)
+
+dev_rw_sysfs(modemmanager_t)
+dev_read_urand(modemmanager_t)
+dev_rw_modem(modemmanager_t)
term_use_generic_ptys(modemmanager_t)
term_use_unallocated_ttys(modemmanager_t)
+term_use_usb_ttys(modemmanager_t)
@ -57508,7 +57510,7 @@ index 687af38..5381f1b 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
index 7584bbe..1443a3a 100644
index 7584bbe..318ee4d 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
@ -57707,7 +57709,7 @@ index 7584bbe..1443a3a 100644
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { rlimitinh };
+allow mysqld_safe_t mysqld_t:process { rlimitinh noatsecure };
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
@ -107947,10 +107949,10 @@ index 0000000..a6e216c
+
diff --git a/targetd.te b/targetd.te
new file mode 100644
index 0000000..0315421
index 0000000..4cc8557
--- /dev/null
+++ b/targetd.te
@@ -0,0 +1,81 @@
@@ -0,0 +1,91 @@
+policy_module(targetd, 1.0.0)
+
+########################################
@ -107995,6 +107997,7 @@ index 0000000..0315421
+kernel_get_sysvipc_info(targetd_t)
+kernel_read_system_state(targetd_t)
+kernel_read_network_state(targetd_t)
+kernel_load_module(targetd_t)
+
+rpc_read_exports(targetd_t)
+
@ -108023,12 +108026,21 @@ index 0000000..0315421
+optional_policy(`
+ lvm_read_config(targetd_t)
+ lvm_write_metadata(targetd_t)
+ lvm_manage_metadata(targetd_t)
+ lvm_manage_lock(targetd_t)
+ lvm_rw_pipes(targetd_t)
+ lvm_stream_connect(targetd_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(targetd_t)
+')
+
+optional_policy(`
+ rpc_manage_nfs_state_data(targetd_t)
+')
+
+optional_policy(`
+ udev_read_pid_files(targetd_t)
+')
+
@ -110135,10 +110147,10 @@ index 0000000..9524b50
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
index 0000000..ab916b7
index 0000000..d366c8b
--- /dev/null
+++ b/thumb.te
@@ -0,0 +1,167 @@
@@ -0,0 +1,168 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@ -110177,6 +110189,7 @@ index 0000000..ab916b7
+
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+allow thumb_t self:unix_dgram_socket create_socket_perms;
+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
+allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow thumb_t self:udp_socket create_socket_perms;

14
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 260%{?dist}
Release: 261%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -690,6 +690,18 @@ exit 0
%endif
%changelog
* Fri Jun 23 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-261
- Allow boinc_t nsswitch
- Dontaudit firewalld to write to lib_t dirs
- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
- Allow thumb_t domain to allow create dgram sockets
- Disable mysqld_safe_t secure mode environment cleansing
- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode
- Allow dirsrv domain setrlimit
- Dontaudit staff_t user read admin_home_t files.
- Add interface lvm_manage_metadata
- Add permission open to files_read_inherited_tmp_files() interface
* Mon Jun 19 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-260
- Allow sssd_t to read realmd lib files.
- Fix init interface file. init_var_run_t is type not attribute