- Add gluster fixes

- Remove ability to transition to unconfined_t from confined domains - Additional allow rules to get libvirt-lxc containers working with docker
2014-01-09 15:11:05 +01:00 · 2014-01-09 15:11:05 +01:00 · 9b85087129
commit 9b85087129
parent c0bc504789
3 changed files with 528 additions and 305 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5400,7 +5400,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..4dec289 100644
+index b191055..fd1a0d0 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5598,7 +5598,7 @@ index b191055..4dec289 100644
 network_port(matahari, tcp,49000,s0, udp,49000,s0)
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 -network_port(milter) # no defined portcon
-+network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon
+network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
 network_port(monopd, tcp,1234,s0)
@ -12850,7 +12850,7 @@ index f962f76..35cd90c 100644
 +	allow $1 etc_t:service status;
 ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1a03abd..92d1a8f 100644
+index 1a03abd..0335af9 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@ -13030,9 +13030,12 @@ index 1a03abd..92d1a8f 100644
 
 ########################################
 #
-@@ -226,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -224,12 +261,13 @@ fs_associate_tmpfs(tmpfsfile)
+ #
+ 
 # Create/access any file in a labeled filesystem;
- allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+-allow files_unconfined_type file_type:{ file chr_file } ~execmod;
+allow files_unconfined_type file_type:{ file chr_file } ~{ execmod entrypoint };
 allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
 +allow files_unconfined_type file_type:service *;
 
@ -17998,7 +18001,7 @@ index ff92430..36740ea 100644
 ## <summary>
 ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..de53b7b 100644
+index 2522ca6..9da6c17 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,85 @@ policy_module(sysadm, 2.6.1)
@ -18409,7 +18412,7 @@ index 2522ca6..de53b7b 100644
 ')
 
 optional_policy(`
-@@ -356,19 +478,15 @@ optional_policy(`
+@@ -356,19 +478,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18422,16 +18425,15 @@ index 2522ca6..de53b7b 100644
 
 optional_policy(`
 -	uml_role(sysadm_r, sysadm_t)
-+	unconfined_domtrans(sysadm_t)
- ')
- 
- optional_policy(`
+-')
+-
+-optional_policy(`
 -	unconfined_domtrans(sysadm_t)
 +	udev_run(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
-@@ -380,10 +498,6 @@ optional_policy(`
+@@ -380,10 +494,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18442,7 +18444,7 @@ index 2522ca6..de53b7b 100644
 	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
 	usermanage_run_groupadd(sysadm_t, sysadm_r)
 	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +505,9 @@ optional_policy(`
+@@ -391,6 +501,9 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(sysadm_t)
@ -18452,7 +18454,7 @@ index 2522ca6..de53b7b 100644
 ')
 
 optional_policy(`
-@@ -398,31 +515,34 @@ optional_policy(`
+@@ -398,31 +511,34 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -18493,7 +18495,7 @@ index 2522ca6..de53b7b 100644
 		auth_role(sysadm_r, sysadm_t)
 	')
 
-@@ -435,10 +555,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +551,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -18504,7 +18506,7 @@ index 2522ca6..de53b7b 100644
 		dbus_role_template(sysadm, sysadm_r, sysadm_t)
 
 		optional_policy(`
-@@ -459,15 +575,75 @@ ifndef(`distro_redhat',`
+@@ -459,15 +571,75 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -19263,7 +19265,7 @@ index 0000000..cf6582f
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..539c163
+index 0000000..993b768
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,328 @@
@ -19306,7 +19308,7 @@ index 0000000..539c163
 +userdom_unpriv_type(unconfined_t)
 +
 +type unconfined_exec_t;
-+init_system_domain(unconfined_t, unconfined_exec_t)
+application_domain(unconfined_t, unconfined_exec_t)
 +role unconfined_r types unconfined_t;
 +role_transition system_r unconfined_exec_t unconfined_r;
 +allow system_r unconfined_r;
@ -21883,7 +21885,7 @@ index 8274418..830bb6f 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..5a7e2a4 100644
+index 6bf0ecc..115c533 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@ -22618,10 +22620,30 @@ index 6bf0ecc..5a7e2a4 100644
 ')
 
 ########################################
-@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1230,84 @@ interface(`xserver_read_xkb_libs',`
 
 ########################################
 ## <summary>
+##	Manage X keyboard extension libraries.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xkb_libs',`
+	gen_require(`
+		type xkb_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 xkb_var_lib_t:dir list_dir_perms;
+	manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+')
+
+########################################
+## <summary>
 +##	dontaudit access checks X keyboard extension libraries.
 +## </summary>
 +## <param name="domain">
@ -22683,7 +22705,7 @@ index 6bf0ecc..5a7e2a4 100644
 ##	Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
-@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1321,7 @@ interface(`xserver_read_xdm_tmp_files',`
 		type xdm_tmp_t;
 	')
 
@ -22692,7 +22714,7 @@ index 6bf0ecc..5a7e2a4 100644
 	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
 
-@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1383,42 @@ interface(`xserver_manage_xdm_tmp_files',`
 
 ########################################
 ## <summary>
@ -22735,7 +22757,7 @@ index 6bf0ecc..5a7e2a4 100644
 ##	Do not audit attempts to get the attributes of
 ##	xdm temporary named sockets.
 ## </summary>
-@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1433,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 		type xdm_tmp_t;
 	')
 
@ -22744,7 +22766,7 @@ index 6bf0ecc..5a7e2a4 100644
 ')
 
 ########################################
-@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1451,10 @@ interface(`xserver_domtrans',`
 		type xserver_t, xserver_exec_t;
 	')
 
@ -22756,7 +22778,7 @@ index 6bf0ecc..5a7e2a4 100644
 ')
 
 ########################################
-@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1552,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
 
 ########################################
 ## <summary>
@ -22782,7 +22804,7 @@ index 6bf0ecc..5a7e2a4 100644
 ##	Connect to the X server over a unix domain
 ##	stream socket.
 ## </summary>
-@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1587,26 @@ interface(`xserver_stream_connect',`
 
 	files_search_tmp($1)
 	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -22809,7 +22831,7 @@ index 6bf0ecc..5a7e2a4 100644
 ')
 
 ########################################
-@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1632,7 @@ interface(`xserver_read_tmp_files',`
 ## <summary>
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain permission to read the
@ -22818,7 +22840,7 @@ index 6bf0ecc..5a7e2a4 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1642,27 @@ interface(`xserver_read_tmp_files',`
 #
 interface(`xserver_manage_core_devices',`
 	gen_require(`
@ -22847,7 +22869,7 @@ index 6bf0ecc..5a7e2a4 100644
 ')
 
 ########################################
-@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,624 @@ interface(`xserver_manage_core_devices',`
 #
 interface(`xserver_unconfined',`
 	gen_require(`
@ -23475,7 +23497,7 @@ index 6bf0ecc..5a7e2a4 100644
 +	dontaudit $1 xserver_log_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..4a84226 100644
+index 8b40377..326b206 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@ -24615,7 +24637,7 @@ index 8b40377..4a84226 100644
 ifndef(`distro_redhat',`
 	allow xserver_t self:process { execmem execheap execstack };
 	domain_mmap_low_uncond(xserver_t)
-@@ -785,16 +1264,44 @@ optional_policy(`
+@@ -785,17 +1264,44 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24657,11 +24679,12 @@ index 8b40377..4a84226 100644
 
 optional_policy(`
 -	unconfined_domain_noaudit(xserver_t)
+-	unconfined_domtrans(xserver_t)
 +	unconfined_domain(xserver_t)
- 	unconfined_domtrans(xserver_t)
 ')
 
-@@ -803,6 +1310,10 @@ optional_policy(`
+ optional_policy(`
+@@ -803,6 +1309,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -24672,7 +24695,7 @@ index 8b40377..4a84226 100644
 	xfs_stream_connect(xserver_t)
 ')
 
-@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 
 # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
 # handle of a file inside the dir!!!
@ -24686,7 +24709,7 @@ index 8b40377..4a84226 100644
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
 # Run xkbcomp.
@ -24695,7 +24718,7 @@ index 8b40377..4a84226 100644
 can_exec(xserver_t, xkb_var_lib_t)
 
 # VNC v4 module in X server
-@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
 userdom_read_user_home_content_files(xserver_t)
@ -24730,7 +24753,7 @@ index 8b40377..4a84226 100644
 ')
 
 optional_policy(`
-@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
 allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
 # operations allowed on my windows
 allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -24739,7 +24762,7 @@ index 8b40377..4a84226 100644
 # operations allowed on all windows
 allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
 
-@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
 # can mess with the screensaver
 allow x_domain xserver_t:x_screen { getattr saver_getattr };
 
@ -24771,7 +24794,7 @@ index 8b40377..4a84226 100644
 tunable_policy(`! xserver_object_manager',`
 	# should be xserver_unconfined(x_domain),
 	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
 	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
 ')
 
@ -31944,7 +31967,7 @@ index 4e94884..ae63d78 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..b4f9029 100644
+index 59b04c1..7b0ef85 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -31965,7 +31988,7 @@ index 59b04c1..b4f9029 100644
 +## Allow syslogd the ability to read/write terminals
 +## </p>
 +## </desc>
-+gen_tunable(logging_syslogd_use_tty, false)
+gen_tunable(logging_syslogd_use_tty, true)
 
 attribute logfile;
 
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -576,6 +576,11 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Jan 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-12
+- Add gluster fixes
+- Remove ability to transition to unconfined_t from confined domains
+- Additional allow rules to get libvirt-lxc containers working with docker
+
 * Mon Jan 6 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-11
 - passwd to create gnome-keyring passwd socket
 - systemd_systemctl needs sys_admin capability