* Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176

- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
- Fix new rkt policy
- Remove some redundant rules.
- Fix cosmetic issues in interface file.
- Merge pull request #100 from rhatdan/rawhide-contrib
- Add interface fs_setattr_cifs_dirs().
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
- Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
 This fixes an issue in Fedora live images when selinux-policy-targeted is not installed but only unpacked: since there are no .bin files,
 file_contexts is parsed in selabel_open().
Resolves: rhbz#1314372
This commit is contained in:
Lukas Vrabec 2016-03-03 16:00:03 +01:00
parent dd88f3a1a7
commit 9fc76d9ab8
4 changed files with 405 additions and 300 deletions




@ -106682,10 +106682,10 @@ index 97cd155..49321a5 100644
fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
index 585a77f..9b0ab2b 100644
index 585a77f..948bc5b 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -5,9 +5,25 @@ policy_module(tmpreaper, 1.7.1)
@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1)
# Declarations
#
@ -106697,6 +106697,15 @@ index 585a77f..9b0ab2b 100644
+## </desc>
+gen_tunable(tmpreaper_use_nfs, false)
+
+
+## <desc>
+## <p>
+## Determine whether tmpreaper can use
+## cifs file systems.
+## </p>
+## </desc>
+gen_tunable(tmpreaper_use_cifs, false)
+
+## <desc>
+## <p>
+## Determine whether tmpreaper can use samba_share files
@ -106711,7 +106720,7 @@ index 585a77f..9b0ab2b 100644
########################################
#
@@ -19,6 +35,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
@@ -19,6 +44,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
kernel_list_unlabeled(tmpreaper_t)
kernel_read_system_state(tmpreaper_t)
@ -106719,7 +106728,7 @@ index 585a77f..9b0ab2b 100644
dev_read_urand(tmpreaper_t)
@@ -27,15 +44,19 @@ corecmd_exec_shell(tmpreaper_t)
@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
@ -106743,7 +106752,7 @@ index 585a77f..9b0ab2b 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
@@ -45,7 +66,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
@ -106751,7 +106760,7 @@ index 585a77f..9b0ab2b 100644
miscfiles_delete_man_pages(tmpreaper_t)
ifdef(`distro_debian',`
@@ -53,10 +73,23 @@ ifdef(`distro_debian',`
@@ -53,10 +82,33 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@ -106772,11 +106781,21 @@ index 585a77f..9b0ab2b 100644
+ optional_policy(`
+ tunable_policy(`tmpreaper_use_samba',`
+ samba_setattr_samba_share_dirs(tmpreaper_t)
+ ')
+')
+
+tunable_policy(`tmpreaper_use_cifs',`
+ fs_setattr_cifs_dirs(tmpreaper_t)
+')
+
+ optional_policy(`
+ tunable_policy(`tmpreaper_use_samba',`
+ samba_setattr_samba_share_dirs(tmpreaper_t)
+ ')
')
optional_policy(`
@@ -64,6 +97,7 @@ optional_policy(`
@@ -64,6 +116,7 @@ optional_policy(`
')
optional_policy(`
@ -106784,7 +106803,7 @@ index 585a77f..9b0ab2b 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
@@ -79,7 +113,19 @@ optional_policy(`
@@ -79,7 +132,19 @@ optional_policy(`
')
optional_policy(`
@ -106805,7 +106824,7 @@ index 585a77f..9b0ab2b 100644
')
optional_policy(`
@@ -89,3 +135,8 @@ optional_policy(`
@@ -89,3 +154,8 @@ optional_policy(`
optional_policy(`
rpm_manage_cache(tmpreaper_t)
')
@ -109388,7 +109407,7 @@ index a4f20bc..58f9c69 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
index facdee8..65b5a0d 100644
index facdee8..52ece13 100644
--- a/virt.if
+++ b/virt.if
@@ -1,318 +1,226 @@
@ -110210,7 +110229,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -673,54 +534,454 @@ interface(`virt_home_filetrans',`
@@ -673,54 +534,472 @@ interface(`virt_home_filetrans',`
## </summary>
## </param>
#
@ -110580,6 +110599,24 @@ index facdee8..65b5a0d 100644
+ can_exec($1, svirt_sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Allow any svirt_sandbox_file_t to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_sandbox_entrypoint',`
+ gen_require(`
+ type svirt_sandbox_file_t;
+ ')
+ allow $1 svirt_sandbox_file_t:file entrypoint;
+')
+
+#######################################
+## <summary>
+## Read Sandbox Files
@ -110690,7 +110727,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -728,52 +989,80 @@ interface(`virt_manage_generic_virt_home_content',`
@@ -728,52 +1007,80 @@ interface(`virt_manage_generic_virt_home_content',`
## </summary>
## </param>
#
@ -110791,7 +110828,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -781,19 +1070,17 @@ interface(`virt_home_filetrans_virt_home',`
@@ -781,19 +1088,17 @@ interface(`virt_home_filetrans_virt_home',`
## </summary>
## </param>
#
@ -110815,7 +110852,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -801,18 +1088,17 @@ interface(`virt_read_pid_files',`
@@ -801,18 +1106,17 @@ interface(`virt_read_pid_files',`
## </summary>
## </param>
#
@ -110838,7 +110875,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -820,18 +1106,17 @@ interface(`virt_manage_pid_files',`
@@ -820,18 +1124,17 @@ interface(`virt_manage_pid_files',`
## </summary>
## </param>
#
@ -110861,7 +110898,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -839,20 +1124,17 @@ interface(`virt_search_lib',`
@@ -839,20 +1142,17 @@ interface(`virt_search_lib',`
## </summary>
## </param>
#
@ -110886,7 +110923,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -860,74 +1142,123 @@ interface(`virt_read_lib_files',`
@@ -860,74 +1160,123 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@ -111034,7 +111071,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -935,117 +1266,134 @@ interface(`virt_read_log',`
@@ -935,117 +1284,134 @@ interface(`virt_read_log',`
## </summary>
## </param>
#
@ -111221,7 +111258,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1053,15 +1401,17 @@ interface(`virt_rw_all_image_chr_files',`
@@ -1053,15 +1419,17 @@ interface(`virt_rw_all_image_chr_files',`
## </summary>
## </param>
#
@ -111244,7 +111281,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1069,21 +1419,17 @@ interface(`virt_manage_svirt_cache',`
@@ -1069,21 +1437,17 @@ interface(`virt_manage_svirt_cache',`
## </summary>
## </param>
#
@ -111270,7 +111307,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1091,36 +1437,36 @@ interface(`virt_manage_virt_cache',`
@@ -1091,36 +1455,36 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@ -111327,7 +111364,7 @@ index facdee8..65b5a0d 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1136,50 +1482,76 @@ interface(`virt_manage_images',`
@@ -1136,50 +1500,76 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
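Review bot: The `<summary>` of the new `virt_sandbox_entrypoint` interface in the virt.if hunk does not say that `allow $1 svirt_sandbox_file_t:file entrypoint;` makes every file carrying the sandbox-content label a valid entrypoint for the caller's domain — presumably including executables the sandbox itself creates — so a caller cannot tell from the doc that this is a deliberately broad grant meant only for domains that execute untrusted container content. I would expand it to `Allow any file labeled svirt_sandbox_file_t (sandbox/container content) to be an entrypoint of this domain; intended only for domains that run untrusted sandbox content.` The `<rolecap/>` tag also looks out of place on an interface that adds nothing but a single allow rule; verify it is wanted before merging. Minor: the banner line above the `Read Sandbox Files` summary is `#######################################` (39 characters) while the surrounding blocks in this hunk use the 40-character form.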


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 175%{?dist}
Release: 176%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -670,6 +670,21 @@ exit 0
%endif
%changelog
* Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV
- Fix new rkt policy
- Remove some redundant rules.
- Fix cosmetic issues in interface file.
- Merge pull request #100 from rhatdan/rawhide-contrib
- Add interface fs_setattr_cifs_dirs().
- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE
- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS)
-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase.
This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files,
file_contexts is parsed in selabel_open().
Resolves: rhbz#1314372
* Fri Feb 26 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-175
- Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file)
- Add policy for rkt services