From a38ffbf4258019c56f4d52e0b21f6a72327715dc Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mon, 3 Nov 2014 15:03:44 +0100 Subject: [PATCH] * Mon Nov 03 2014 Lukas Vrabec 3.13.1-90 - Add support for /dev/nvme controller device nodes created by nvme driver. - Add 15672 as amqp_port_t - Allow wine domains to read user homedir content - Add fixes to allow docker to create more content in tmpfs, and dontaudit reading /proc - Allow winbind to read usermodehelper - Allow telepathy domains to execute shells and bin_t - Allow gpgdomains to create netlink_kobject_uevent_sockets - Allow abrt to read software raid state. BZ (1157770) - Fix rhcs_signull_haproxy() interface. - Add support for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. - Allow snapperd to dbus chat with system cron jobs. - Allow nslcd to read /dev/urandom. - Allow dovecot to create user's home directory when they log into IMAP. - Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835) --- policy-rawhide-base.patch | 53 +++-- policy-rawhide-contrib.patch | 420 +++++++++++++++++++++-------------- selinux-policy.spec | 18 +- 3 files changed, 311 insertions(+), 180 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 612563b9..fcb5143e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5930,7 +5930,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..50bfabf 100644 +index b31c054..872ff1b 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ 
@@ -5981,7 +5981,16 @@ index b31c054..50bfabf 100644 /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) -@@ -106,6 +113,7 @@ +@@ -80,6 +87,8 @@ + /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) + /dev/null -c gen_context(system_u:object_r:null_device_t,s0) + /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/nvme.* -c gen_context(system_u:object_r:nvme_device_t,s0) ++/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0) + /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) + /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +@@ -106,6 +115,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -5989,7 +5998,7 @@ index b31c054..50bfabf 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +126,11 @@ +@@ -118,6 +128,11 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6001,7 +6010,7 @@ index b31c054..50bfabf 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +142,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +144,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) 
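Review bot: The new block-device rule `/dev/nvme.* -b gen_context(system_u:object_r:nvme_device_t,s0)` matches not only the controller node but, if the kernel names them the usual way, the namespace and partition block devices as well (/dev/nvme0n1, /dev/nvme0n1p1), which are ordinary disks that the rest of the policy reaches through the fixed_disk_device_t interfaces. Labeling them with a fresh type means fsck, mount, installers and every other fixed-disk consumer is denied on NVMe storage until each of them is taught nvme_device_t. Consider keeping the `-b` rule to the controller-only pattern and letting namespace nodes fall under the existing fixed_disk_device_t labeling, or adding an explicit fixed_disk_device_t rule for them ahead of this one. The type declaration is in the later devices.te hunk (`@@ -8667,7 +8676,20 @@`), and no devices.if interface granting access to nvme_device_t appears anywhere in this chunk, so as committed no confined domain can use the new nodes; if that interface lives elsewhere the commit message should say so.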
@@ -6016,7 +6025,7 @@ index b31c054..50bfabf 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,6 +187,8 @@ ifdef(`distro_suse', ` +@@ -172,6 +189,8 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6025,7 +6034,7 @@ index b31c054..50bfabf 100644 /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -198,12 +215,27 @@ ifdef(`distro_debian',` +@@ -198,12 +217,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -8586,7 +8595,7 @@ index 76f285e..d36451a 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..f52e603 100644 +index 0b1a871..f260e6f 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -8667,7 +8676,20 @@ index 0b1a871..f52e603 100644 # A more general type for mouse devices. # type mouse_device_t; -@@ -227,6 +244,10 @@ files_mountpoint(sysfs_t) +@@ -183,6 +200,12 @@ type nvram_device_t; + dev_node(nvram_device_t) + + # ++# Type for controller device nodes ++# ++type nvme_device_t; ++dev_node(nvme_device_t) ++ ++# + # Type for /dev/pmu + # + type power_device_t; +@@ -227,6 +250,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) 
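Review bot: The comment introduced above the new type reads `# Type for controller device nodes` and does not say which controller, while every neighbouring block in devices.te names its device; it should read `# Type for /dev/nvme controller device nodes`. `dev_node(nvme_device_t)` only registers the type as a device node, and nothing in this chunk grants any domain access to it, so the declaration is inert until a `dev_*` read/write interface for it is added.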
@@ -8678,7 +8700,7 @@ index 0b1a871..f52e603 100644 # # Type for /dev/tpm # -@@ -266,6 +287,15 @@ dev_node(usbmon_device_t) +@@ -266,6 +293,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) @@ -8694,7 +8716,7 @@ index 0b1a871..f52e603 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +304,7 @@ dev_node(v4l_device_t) +@@ -274,6 +310,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -8702,7 +8724,7 @@ index 0b1a871..f52e603 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +350,6 @@ files_associate_tmp(device_node) +@@ -319,5 +356,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -29277,7 +29299,7 @@ index bc0ffc8..7198bd9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..f142c45 100644 +index 79a45f6..b88e8a2 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -30744,7 +30766,7 @@ index 79a45f6..f142c45 100644 + type init_t; + ') + -+ allow $1 init_t:service { start stop reload status }; ++ allow $1 init_t:service manage_service_perms; +') + +######################################## @@ -41157,10 +41179,10 @@ index 0000000..d2a8fc7 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..5b904b0 +index 0000000..a75ffd3 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,699 @@ +@@ -0,0 +1,700 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -41812,6 +41834,7 @@ index 0000000..5b904b0 +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; + +kernel_dgram_send(systemd_sysctl_t) ++kernel_request_load_module(systemd_sysctl_t) +kernel_rw_all_sysctls(systemd_sysctl_t) +kernel_write_security_state(systemd_sysctl_t) + 
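Review bot: Replacing `allow $1 init_t:service { start stop reload status };` with `allow $1 init_t:service manage_service_perms;` widens this interface for every existing caller: if manage_service_perms is the usual `{ start stop status reload enable disable }` set, callers now also get enable/disable, which changes persistent unit state rather than just runtime state. The interface's header and `<summary>` are outside the hunk; if the widening is intended the summary should say that callers can enable and disable services, and the commit changelog does not list this change at all. If a single caller needed one extra permission, granting it on that caller would leave the others unchanged.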
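Review bot: `kernel_request_load_module(systemd_sysctl_t)` lets the one-shot sysctl applier trigger kernel module autoloading, which reaches further than writing sysctl values, and the line carries no hint of which sysctl key needs it; a why-comment such as `# <sysctl key>: the kernel autoloads the backing module on write` would make the grant reviewable. This change is also missing from the commit changelog.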
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 96967715..53800e9c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -538,7 +538,7 @@ index 058d908..2f6c3a9 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..95bf222 100644 +index eb50f07..b18f881 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -686,7 +686,7 @@ index eb50f07..95bf222 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -125,48 +135,54 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -125,48 +135,55 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -715,6 +715,7 @@ index eb50f07..95bf222 100644 kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) +kernel_read_network_state(abrt_t) ++kernel_read_software_raid_state(abrt_t) kernel_request_load_module(abrt_t) +kernel_rw_usermodehelper_state(abrt_t) kernel_rw_kernel_sysctl(abrt_t) @@ -748,7 +749,7 @@ index eb50f07..95bf222 100644 domain_getattr_all_domains(abrt_t) domain_read_all_domains_state(abrt_t) -@@ -176,29 +192,43 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +193,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -795,7 +796,7 @@ index eb50f07..95bf222 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +236,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +237,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -812,7 +813,7 @@ index eb50f07..95bf222 100644 ') optional_policy(` -@@ -222,6 +248,20 @@ optional_policy(` +@@ -222,6 +249,20 @@ optional_policy(` ') optional_policy(` 
@@ -833,7 +834,7 @@ index eb50f07..95bf222 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -234,6 +274,11 @@ optional_policy(` +@@ -234,6 +275,11 @@ optional_policy(` ') optional_policy(` @@ -845,7 +846,7 @@ index eb50f07..95bf222 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -243,6 +288,7 @@ optional_policy(` +@@ -243,6 +289,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -853,7 +854,7 @@ index eb50f07..95bf222 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +299,17 @@ optional_policy(` +@@ -253,9 +300,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -872,7 +873,7 @@ index eb50f07..95bf222 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +320,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +321,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -887,7 +888,7 @@ index eb50f07..95bf222 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +339,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +340,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -895,7 +896,7 @@ index eb50f07..95bf222 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +348,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +349,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -916,7 +917,7 @@ index eb50f07..95bf222 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +369,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +370,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -943,7 +944,7 @@ index eb50f07..95bf222 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +405,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +406,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -957,7 +958,7 @@ index eb50f07..95bf222 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +423,11 @@ optional_policy(` +@@ -343,10 +424,11 @@ optional_policy(` ####################################### # @@ -971,7 +972,7 @@ index eb50f07..95bf222 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +446,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +447,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1031,7 +1032,7 @@ index eb50f07..95bf222 100644 ####################################### # -@@ -404,7 +503,7 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,7 +504,7 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; 
@@ -1040,7 +1041,7 @@ index eb50f07..95bf222 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,16 +512,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -413,16 +513,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1084,7 +1085,7 @@ index eb50f07..95bf222 100644 ') ####################################### -@@ -430,10 +555,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +556,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -16252,7 +16253,7 @@ index 715a826..3f0c0dc 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index ae1c1b1..07ba975 100644 +index ae1c1b1..0d8ca8f 100644 --- a/couchdb.te +++ b/couchdb.te @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t) @@ -16294,7 +16295,7 @@ index ae1c1b1..07ba975 100644 corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) -@@ -75,14 +79,15 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) +@@ -75,14 +79,20 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) @@ -16313,6 +16314,11 @@ index ae1c1b1..07ba975 100644 auth_use_nsswitch(couchdb_t) -miscfiles_read_localization(couchdb_t) ++optional_policy(` ++ rpc_read_nfs_state_data(couchdb_t) ++') ++ ++ diff --git a/courier.fc b/courier.fc index 2f017a0..defdc87 100644 --- a/courier.fc @@ -17918,7 +17924,7 @@ index 1303b30..615caac 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..c5ba745 100644 +index 7de3859..d88194b 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,46 @@ gen_require(` 
@@ -18631,15 +18637,20 @@ index 7de3859..c5ba745 100644 ') optional_policy(` -@@ -608,6 +622,7 @@ optional_policy(` +@@ -607,7 +621,12 @@ optional_policy(` + ') optional_policy(` ++ snapper_dbus_chat(system_cronjob_t) ++') ++ ++optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) + spamassassin_manage_home_client(system_cronjob_t) ') optional_policy(` -@@ -615,12 +630,24 @@ optional_policy(` +@@ -615,12 +634,24 @@ optional_policy(` ') optional_policy(` @@ -18666,7 +18677,7 @@ index 7de3859..c5ba745 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +655,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +659,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -18700,7 +18711,7 @@ index 7de3859..c5ba745 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +688,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +692,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -20721,7 +20732,7 @@ index dda905b..ccd0ba9 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..cbf09ce 100644 +index 62d22cb..5f27946 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ 
@@ -20793,12 +20804,13 @@ index 62d22cb..cbf09ce 100644 # Local policy # -+ # For connecting to the bus - allow $3 $1_dbusd_t:unix_stream_socket connectto; +- allow $3 $1_dbusd_t:unix_stream_socket connectto; - allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; - allow $3 $1_dbusd_t:fd use; - - allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; ++ # For connecting to the bus ++ allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms }; @@ -20846,7 +20858,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -103,91 +129,84 @@ template(`dbus_role_template',` +@@ -103,91 +129,86 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -20856,11 +20868,13 @@ index 62d22cb..cbf09ce 100644 + type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; + attribute dbusd_unconfined; ++ attribute system_bus_client; ') - typeattribute $1 dbusd_system_bus_client; - + # SE-DBus specific permissions ++ typeattribute $1 system_bus_client; allow $1 { system_dbusd_t self }:dbus send_msg; - allow system_dbusd_t $1:dbus send_msg; + allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg; @@ -20972,7 +20986,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -195,15 +214,18 @@ interface(`dbus_connect_spec_session_bus',` +@@ -195,15 +216,18 @@ interface(`dbus_connect_spec_session_bus',` ## ## # @@ -20997,7 +21011,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -211,57 +233,39 @@ interface(`dbus_session_bus_client',` +@@ -211,57 +235,39 @@ interface(`dbus_session_bus_client',` ## ## # @@ -21069,7 +21083,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -269,15 +273,19 @@ interface(`dbus_spec_session_bus_client',` +@@ -269,15 +275,19 @@ interface(`dbus_spec_session_bus_client',` ## ## # 
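Review bot: The rewritten rule `allow $3 $1_dbusd_t:unix_stream_socket { connectto rw_socket_perms };` gives the role's user domains far more than the `connectto` the upstream line granted; if rw_socket_perms is the usual refpolicy set it also carries bind, connect, setattr, getopt/setopt and shutdown on the session bus daemon's socket. The body of dbus_role_template begins outside the hunk, so the surrounding context is not visible here. If a concrete denial motivated this, a comment above the line quoting it (`# needed for: <AVC>`) would let a later reviewer narrow the set; otherwise `connectto` plus the read/write perms the denial actually asked for is the safer grant.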
@@ -21095,7 +21109,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -285,44 +293,52 @@ interface(`dbus_send_session_bus',` +@@ -285,44 +295,52 @@ interface(`dbus_send_session_bus',` ## ## # @@ -21162,7 +21176,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -330,18 +346,18 @@ interface(`dbus_send_spec_session_bus',` +@@ -330,18 +348,18 @@ interface(`dbus_send_spec_session_bus',` ## ## # @@ -21186,7 +21200,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -349,20 +365,18 @@ interface(`dbus_read_config',` +@@ -349,20 +367,18 @@ interface(`dbus_read_config',` ## ## # @@ -21212,7 +21226,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -370,26 +384,20 @@ interface(`dbus_read_lib_files',` +@@ -370,26 +386,20 @@ interface(`dbus_read_lib_files',` ## ## # @@ -21245,7 +21259,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## Type to be used as a domain. -@@ -397,81 +405,67 @@ interface(`dbus_manage_lib_files',` +@@ -397,81 +407,67 @@ interface(`dbus_manage_lib_files',` ## ## ## @@ -21355,7 +21369,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -479,18 +473,18 @@ interface(`dbus_spec_session_domain',` +@@ -479,18 +475,18 @@ interface(`dbus_spec_session_domain',` ## ## # @@ -21379,7 +21393,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -498,98 +492,100 @@ interface(`dbus_connect_system_bus',` +@@ -498,98 +494,100 @@ interface(`dbus_connect_system_bus',` ## ## # @@ -21523,7 +21537,7 @@ index 62d22cb..cbf09ce 100644 ## ## ## -@@ -597,28 +593,50 @@ interface(`dbus_use_system_bus_fds',` +@@ -597,28 +595,51 @@ interface(`dbus_use_system_bus_fds',` ## ## # 
@@ -21558,12 +21572,13 @@ index 62d22cb..cbf09ce 100644 gen_require(` - attribute dbusd_unconfined; + attribute system_bus_type; ++ attribute system_bus_client; + class dbus send_msg; ') - typeattribute $1 dbusd_unconfined; -+ allow $1 system_bus_type:dbus send_msg; -+ allow system_bus_type $1:dbus send_msg; ++ allow $1 { system_bus_type system_bus_client }:dbus send_msg; ++ allow { system_bus_type system_bus_client } $1:dbus send_msg; +') + +####################################### @@ -21583,10 +21598,10 @@ index 62d22cb..cbf09ce 100644 + files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') diff --git a/dbus.te b/dbus.te -index c9998c8..94ff984 100644 +index c9998c8..4e0254d 100644 --- a/dbus.te +++ b/dbus.te -@@ -4,17 +4,15 @@ gen_require(` +@@ -4,17 +4,16 @@ gen_require(` class dbus all_dbus_perms; ') @@ -21599,6 +21614,7 @@ index c9998c8..94ff984 100644 attribute dbusd_unconfined; +attribute system_bus_type; ++attribute system_bus_client; attribute session_bus_type; -attribute dbusd_system_bus_client; @@ -21607,7 +21623,7 @@ index c9998c8..94ff984 100644 type dbusd_etc_t; files_config_file(dbusd_etc_t) -@@ -22,9 +20,6 @@ type dbusd_exec_t; +@@ -22,9 +21,6 @@ type dbusd_exec_t; corecmd_executable_file(dbusd_exec_t) typealias dbusd_exec_t alias system_dbusd_exec_t; @@ -21617,7 +21633,7 @@ index c9998c8..94ff984 100644 type session_dbusd_tmp_t; typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t }; typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t }; -@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t) +@@ -41,7 +37,8 @@ files_type(system_dbusd_var_lib_t) type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) 
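Review bot: `attribute system_bus_client;` is added to dbus.te without a comment even though it is the pivot of this rework: dbus_system_bus_client now puts every caller on it, and the interface in the hunk above grants `allow $1 { system_bus_type system_bus_client }:dbus send_msg;` together with the reverse rule. A one-line comment such as `# domains that joined the system bus through dbus_system_bus_client()` would spare the next reader a grep. The doc header of the interface above is outside the hunk; if it still describes the former `typeattribute $1 dbusd_unconfined;` behaviour it should be updated, since the new rules are limited to send_msg and are deliberately narrower than unconfined.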
@@ -21627,7 +21643,7 @@ index c9998c8..94ff984 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,62 @@ ifdef(`enable_mls',` +@@ -51,59 +48,62 @@ ifdef(`enable_mls',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') @@ -21707,7 +21723,7 @@ index c9998c8..94ff984 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +122,165 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +123,165 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -21887,7 +21903,7 @@ index c9998c8..94ff984 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +289,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +290,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -21912,7 +21928,7 @@ index c9998c8..94ff984 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +308,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +309,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -21920,7 +21936,7 @@ index c9998c8..94ff984 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +317,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +318,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) 
@@ -21962,7 +21978,7 @@ index c9998c8..94ff984 100644 ') ######################################## -@@ -244,5 +354,9 @@ optional_policy(` +@@ -244,5 +355,9 @@ optional_policy(` # Unconfined access to this module # @@ -25025,10 +25041,10 @@ index 0000000..2a614ed +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..d03d41b +index 0000000..a1ed007 --- /dev/null +++ b/docker.te -@@ -0,0 +1,281 @@ +@@ -0,0 +1,285 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -25088,7 +25104,7 @@ index 0000000..d03d41b +# +# docker local policy +# -+allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service setfcap }; ++allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap }; +allow docker_t self:process { getattr signal_perms }; +allow docker_t self:fifo_file rw_fifo_file_perms; +allow docker_t self:unix_stream_socket create_stream_socket_perms; @@ -25115,12 +25131,15 @@ index 0000000..d03d41b +manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) +manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) +manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++can_exec(docker_t, docker_tmpfs_t) +fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file }) +allow docker_t docker_tmpfs_t:chr_file mounton; + +manage_dirs_pattern(docker_t, docker_share_t, docker_share_t) +manage_files_pattern(docker_t, docker_share_t, docker_share_t) +manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t) ++allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto }; +can_exec(docker_t, docker_share_t) +docker_filetrans_named_content(docker_t) + 
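Review bot: The capability rule now reads `allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };`, and the second docker.te hunk adds `can_exec(docker_t, docker_tmpfs_t)`, block-device creation under docker_tmpfs_t and `relabelfrom relabelto` on every file class of docker_share_t, while the changelog only says docker may create more content in tmpfs. Executing code out of a tmpfs the daemon itself populates, and the kill/net_raw capabilities, each deserve a why-comment (e.g. `# net_raw: <reason>`, `# can_exec on tmpfs: <reason>`) so the widening stays auditable. If net_raw is needed only while setting up a container's network, keeping it in the per-container domain rather than the daemon domain would be the narrower choice. docker.te is a new file in this patch, so both hunks lie entirely within it.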
@@ -25149,6 +25168,7 @@ index 0000000..d03d41b +kernel_read_all_proc(docker_t) + +domain_use_interactive_fds(docker_t) ++domain_dontaudit_read_all_domains_state(docker_t) + +corecmd_exec_bin(docker_t) +corecmd_exec_shell(docker_t) @@ -25603,7 +25623,7 @@ index d5badb7..c2431fc 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index 0aabc7e..9b188d5 100644 +index 0aabc7e..7bd570c 100644 --- a/dovecot.te +++ b/dovecot.te @@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1) @@ -25855,7 +25875,7 @@ index 0aabc7e..9b188d5 100644 sendmail_domtrans(dovecot_t) ') -@@ -227,46 +222,65 @@ optional_policy(` +@@ -227,46 +222,67 @@ optional_policy(` ######################################## # @@ -25913,6 +25933,8 @@ index 0aabc7e..9b188d5 100644 sysnet_use_ldap(dovecot_auth_t) +systemd_login_read_pid_files(dovecot_auth_t) ++systemd_dbus_chat_logind(dovecot_auth_t) ++systemd_write_inherited_logind_sessions_pipes(dovecot_auth_t) + +userdom_getattr_user_home_dirs(dovecot_auth_t) + @@ -25930,7 +25952,7 @@ index 0aabc7e..9b188d5 100644 mysql_stream_connect(dovecot_auth_t) mysql_read_config(dovecot_auth_t) mysql_tcp_connect(dovecot_auth_t) -@@ -277,53 +291,79 @@ optional_policy(` +@@ -277,53 +293,79 @@ optional_policy(` ') optional_policy(` @@ -26029,7 +26051,7 @@ index 0aabc7e..9b188d5 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -332,5 +372,6 @@ optional_policy(` +@@ -332,5 +374,6 @@ optional_policy(` ') optional_policy(` @@ -34009,7 +34031,7 @@ index 180f1b7..3c8757e 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 0e97e82..b983d2f 100644 +index 0e97e82..9d13873 100644 --- a/gpg.te +++ b/gpg.te @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0) 
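Review bot: `systemd_dbus_chat_logind(dovecot_auth_t)` and `systemd_write_inherited_logind_sessions_pipes(dovecot_auth_t)` let the authentication helper hold a two-way D-Bus conversation with logind, but nothing in the hunk ties that to the changelog line about creating the user's home directory at IMAP login. A comment above the pair naming the PAM or session step that needs logind (`# <PAM module> registers a logind session at IMAP login`) would make the connection explicit and give a reviewer something to verify against the denial. The enclosing dovecot_auth_t section starts outside the hunk.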
@@ -34083,6 +34105,7 @@ index 0e97e82..b983d2f 100644 +#at setrlimit is for ulimit -c 0 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid }; +dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; ++allow gpgdomain self:netlink_kobject_uevent_socket create_socket_perms; + +allow gpgdomain self:fifo_file rw_fifo_file_perms; +allow gpgdomain self:tcp_socket create_stream_socket_perms; @@ -34092,7 +34115,6 @@ index 0e97e82..b983d2f 100644 files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) -manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t) -+ +allow gpg_t gpg_secret_t:dir create_dir_perms; manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) @@ -38379,14 +38401,16 @@ index 2990962..c153d15 100644 ') diff --git a/keepalived.fc b/keepalived.fc new file mode 100644 -index 0000000..7e6f8be +index 0000000..9a19f91 --- /dev/null +++ b/keepalived.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/usr/lib/systemd/system/keepalived.* -- gen_context(system_u:object_r:keepalived_unit_file_t,s0) + +/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0) + ++/usr/libexec/keepalived(/.*)? gen_context(system_u:object_r:keepalived_unconfined_script_exec_t,s0) ++ +/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0) diff --git a/keepalived.if b/keepalived.if new file mode 100644 @@ -38480,10 +38504,10 @@ index 0000000..0d61849 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..ad2d023 +index 0000000..1a78c67 --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,57 @@ +@@ -0,0 +1,89 @@ +policy_module(keepalived, 1.0.0) + +######################################## 
@@ -38501,18 +38525,21 @@ index 0000000..ad2d023 +type keepalived_var_run_t; +files_pid_file(keepalived_var_run_t) + ++type keepalived_unconfined_script_exec_t; ++application_executable_file(keepalived_unconfined_script_exec_t) ++ +######################################## +# +# keepalived local policy +# -+allow keepalived_t self:capability { net_admin net_raw }; ++ ++allow keepalived_t self:capability { net_admin net_raw kill }; +allow keepalived_t self:process { signal_perms }; +allow keepalived_t self:netlink_socket create_socket_perms; +allow keepalived_t self:netlink_route_socket nlmsg_write; +allow keepalived_t self:packet_socket create_socket_perms; +allow keepalived_t self:rawip_socket create_socket_perms; + -+ +manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t) +files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file }) + @@ -38530,6 +38557,8 @@ index 0000000..ad2d023 +corenet_tcp_connect_snmp_port(keepalived_t) +corenet_tcp_connect_agentx_port(keepalived_t) + ++domain_read_all_domains_state(keepalived_t) ++ +dev_read_urand(keepalived_t) + +modutils_domtrans_insmod(keepalived_t) 
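Review bot: `allow keepalived_t self:capability { net_admin net_raw kill };` together with `domain_read_all_domains_state(keepalived_t)` in the following hunk lets the VRRP daemon read the /proc state of every domain and signal arbitrary processes; both are listed in the changelog, but the .te gives no hint which keepalived feature needs them. A short why-comment above each (`# kill + all-domains state: <reason, e.g. the feature or denial>`) would let a later maintainer decide whether a narrower grant is possible. keepalived.te is a new file, so the section is complete within the patch.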
@@ -38537,10 +38566,37 @@ index 0000000..ad2d023 +logging_send_syslog_msg(keepalived_t) + +optional_policy(` ++ rhcs_signull_haproxy(keepalived_t) ++') ++ ++optional_policy(` + snmp_manage_var_lib_files(keepalived_t) + snmp_manage_var_lib_sock_files(keepalived_t) + snmp_manage_var_lib_dirs(keepalived_t) +') ++ ++######################################## ++# ++# keepalived_unconfined_script_script_t local policy ++# ++ ++optional_policy(` ++ type keepalived_unconfined_script_t; ++ domain_type(keepalived_unconfined_script_t) ++ ++ domain_entry_file(keepalived_unconfined_script_t, keepalived_unconfined_script_exec_t) ++ role system_r types keepalived_unconfined_script_t; ++ ++ domtrans_pattern(keepalived_t, keepalived_unconfined_script_exec_t, keepalived_unconfined_script_t) ++ ++ allow keepalived_t keepalived_unconfined_script_exec_t:dir search_dir_perms; ++ allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms; ++ allow keepalived_t keepalived_unconfined_script_exec_t:file ioctl; ++ ++ optional_policy(` ++ unconfined_domain(keepalived_unconfined_script_t) ++ ') ++') diff --git a/kerberos.fc b/kerberos.fc index 4fe75fd..b05128a 100644 --- a/kerberos.fc @@ -42082,7 +42138,7 @@ index 61db5a0..9d5d255 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.fc b/logrotate.fc -index a11d5be..36c8de7 100644 +index a11d5be..4cf59d3 100644 --- a/logrotate.fc +++ b/logrotate.fc @@ -1,6 +1,9 @@ @@ -42095,7 +42151,7 @@ index a11d5be..36c8de7 100644 /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) -/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +', ` -+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) ++/var/lib/logrotate\.status.* -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +') diff --git a/logrotate.if b/logrotate.if index dd8e01a..9cd6b0b 100644 
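Review bot: The new section header `# keepalived_unconfined_script_script_t local policy` doubles `script` and names a type that does not exist; it should read `# keepalived_unconfined_script_t local policy`. Inside the block, `allow keepalived_t keepalived_unconfined_script_exec_t:dir read_file_perms;` applies a file permission set to the dir class; `list_dir_perms` is the idiomatic set and already covers the separate `search_dir_perms` line above it. Security-wise the keepalived.fc rule `/usr/libexec/keepalived(/.*)?` labels the whole tree, so anything placed there runs as an unconfined domain the moment keepalived_t executes it; a comment beside `unconfined_domain(keepalived_unconfined_script_t)` stating that only package-owned, root-writable-only content is expected in that directory would record the assumption the grant depends on.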
@@ -46462,14 +46518,15 @@ index 0000000..74302c2 +logging_send_syslog_msg(mon_procd_t) + diff --git a/mongodb.fc b/mongodb.fc -index 6fcfc31..85dcd4b 100644 +index 6fcfc31..91adcaf 100644 --- a/mongodb.fc +++ b/mongodb.fc -@@ -1,9 +1,12 @@ +@@ -1,9 +1,13 @@ /etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) -/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) ++/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) @@ -46482,7 +46539,7 @@ index 6fcfc31..85dcd4b 100644 +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..1f19104 100644 +index 169f236..dec8a95 100644 --- a/mongodb.te +++ b/mongodb.te @@ -21,19 +21,25 @@ files_type(mongod_var_lib_t) @@ -46517,7 +46574,7 @@ index 169f236..1f19104 100644 manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -@@ -41,21 +47,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) +@@ -41,21 +47,42 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) @@ -46541,6 +46598,7 @@ index 169f236..1f19104 100644 corenet_tcp_sendrecv_generic_if(mongod_t) corenet_tcp_sendrecv_generic_node(mongod_t) +corenet_tcp_connect_mongod_port(mongod_t) ++corenet_tcp_bind_mongod_port(mongod_t) corenet_tcp_bind_generic_node(mongod_t) dev_read_sysfs(mongod_t) @@ -53498,7 +53556,7 @@ index 0641e97..cad402c 100644 + admin_pattern($1, nrpe_etc_t) ') 
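Review bot: `/usr/bin/mongos` is labeled `mongod_exec_t`, so the router runs in the same `mongod_t` domain as the storage daemon and inherits every rule written for it; that may well be the intended trade-off, but the hunk gives no hint that it is deliberate. A comment above the line, `# mongos shares mongod_t: no separate domain for the router`, would record the decision. The `corenet_tcp_bind_mongod_port(mongod_t)` line in the later mongodb.te hunk on this line presumably belongs to the same mongos enablement and could reference it.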
diff --git a/nagios.te b/nagios.te -index 7b3e682..a22a321 100644 +index 7b3e682..75ed416 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -53753,7 +53811,14 @@ index 7b3e682..a22a321 100644 ') optional_policy(` -@@ -411,6 +427,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -406,11 +422,14 @@ allow nagios_system_plugin_t self:capability dac_override; + dontaudit nagios_system_plugin_t self:capability { setuid setgid }; + + read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t) ++allow nagios_system_plugin_t nrpe_exec_t:file read_file_perms; ++allow nagios_system_plugin_t nagios_exec_t:file read_file_perms; + + manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -53761,7 +53826,7 @@ index 7b3e682..a22a321 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,14 +437,18 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,14 +439,18 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -53782,7 +53847,7 @@ index 7b3e682..a22a321 100644 ####################################### # # Event local policy -@@ -442,11 +463,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,9 +465,39 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -53823,11 +53888,6 @@ index 7b3e682..a22a321 100644 # optional_policy(` - unconfined_domain(nagios_unconfined_plugin_t) - ') -+ -+ -+ diff --git a/namespace.fc b/namespace.fc new file mode 100644 index 0000000..ce51c8d @@ -57059,7 +57119,7 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') 
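Review bot: The new lines `allow nagios_system_plugin_t nrpe_exec_t:file read_file_perms;` and `allow nagios_system_plugin_t nagios_exec_t:file read_file_perms;` give system plugins read access to the nagios and nrpe binaries themselves without saying which plugin needs it; if the triggering denial was only a `getattr` (a plugin stat-ing the executable), `getattr_file_perms` would be the narrower fix. Please add a why-comment above them, e.g. `# plugins such as check_procs stat/read the nagios and nrpe executables -- confirm against the AVC`. The nagios_system_plugin_t section continues outside the hunk.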
diff --git a/nslcd.te b/nslcd.te -index 421bf1a..e3f91f6 100644 +index 421bf1a..fd870fc 100644 --- a/nslcd.te +++ b/nslcd.te @@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t) @@ -57079,7 +57139,7 @@ index 421bf1a..e3f91f6 100644 allow nslcd_t nslcd_conf_t:file read_file_perms; -@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) +@@ -36,16 +36,17 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) kernel_read_system_state(nslcd_t) @@ -57096,13 +57156,18 @@ index 421bf1a..e3f91f6 100644 +corenet_sendrecv_ldap_client_packets(nslcd_t) dev_read_sysfs(nslcd_t) ++dev_read_urand(nslcd_t) ++ ++corecmd_exec_bin(nslcd_t) -@@ -54,10 +52,14 @@ auth_use_nsswitch(nslcd_t) + files_read_usr_symlinks(nslcd_t) + files_list_tmp(nslcd_t) +@@ -54,10 +55,13 @@ auth_use_nsswitch(nslcd_t) logging_send_syslog_msg(nslcd_t) -miscfiles_read_localization(nslcd_t) - +- userdom_read_user_tmp_files(nslcd_t) optional_policy(` @@ -80443,7 +80508,7 @@ index 47de2d6..2c625fb 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index c8bdea2..b68d5b7 100644 +index c8bdea2..57fad67 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -80551,7 +80616,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -111,18 +108,18 @@ interface(`rhcs_getattr_fenced_exec_files',` +@@ -111,18 +108,36 @@ interface(`rhcs_getattr_fenced_exec_files',` ## ## # 
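Review bot: `corecmd_exec_bin(nslcd_t)` is added together with `dev_read_urand(nslcd_t)`, but only the urandom read is described in the changelog, and letting an LDAP name-service daemon execute arbitrary `bin_t` programs is a far larger grant than reading a device node. If a specific helper is required, a comment naming it, `# nslcd execs <helper> -- confirm`, or a narrower interface for that helper would be preferable; otherwise the changelog entry should state the exec grant explicitly. The nslcd_t section continues outside the hunk.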
@@ -80565,6 +80630,24 @@ index c8bdea2..b68d5b7 100644 files_search_pids($1) - stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t) + stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t) ++') ++ ++######################################## ++## ++## Send a null signal to haproxy. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_signull_haproxy',` ++ gen_require(` ++ type haproxy_t; ++ ') ++ ++ allow $1 haproxy_t:process signull; ') ##################################### @@ -80574,7 +80657,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -160,9 +157,27 @@ interface(`rhcs_domtrans_fenced',` +@@ -160,9 +175,27 @@ interface(`rhcs_domtrans_fenced',` domtrans_pattern($1, fenced_exec_t, fenced_t) ') @@ -80603,7 +80686,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -181,10 +196,9 @@ interface(`rhcs_rw_fenced_semaphores',` +@@ -181,10 +214,9 @@ interface(`rhcs_rw_fenced_semaphores',` manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t) ') @@ -80616,7 +80699,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -192,19 +206,18 @@ interface(`rhcs_rw_fenced_semaphores',` +@@ -192,19 +224,18 @@ interface(`rhcs_rw_fenced_semaphores',` ## ## # @@ -80640,7 +80723,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -221,10 +234,28 @@ interface(`rhcs_stream_connect_fenced',` +@@ -221,10 +252,28 @@ interface(`rhcs_stream_connect_fenced',` stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) ') @@ -80671,7 +80754,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -243,7 +274,7 @@ interface(`rhcs_domtrans_gfs_controld',` +@@ -243,7 +292,7 @@ interface(`rhcs_domtrans_gfs_controld',` #################################### ## @@ -80680,7 +80763,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -264,7 +295,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` +@@ -264,7 +313,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',` ######################################## ## 
@@ -80689,7 +80772,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -285,8 +316,7 @@ interface(`rhcs_rw_gfs_controld_shm',` +@@ -285,8 +334,7 @@ interface(`rhcs_rw_gfs_controld_shm',` ##################################### ## @@ -80699,7 +80782,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -324,8 +354,8 @@ interface(`rhcs_domtrans_groupd',` +@@ -324,8 +372,8 @@ interface(`rhcs_domtrans_groupd',` ##################################### ## @@ -80710,7 +80793,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -342,10 +372,51 @@ interface(`rhcs_stream_connect_groupd',` +@@ -342,10 +390,51 @@ interface(`rhcs_stream_connect_groupd',` stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) ') @@ -80764,7 +80847,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -366,8 +437,7 @@ interface(`rhcs_rw_cluster_shm',` +@@ -366,8 +455,7 @@ interface(`rhcs_rw_cluster_shm',` #################################### ## @@ -80774,7 +80857,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -383,9 +453,10 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -383,9 +471,10 @@ interface(`rhcs_rw_cluster_semaphores',` allow $1 cluster_domain:sem { rw_sem_perms destroy }; ') @@ -80787,7 +80870,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -393,20 +464,44 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -393,20 +482,44 @@ interface(`rhcs_rw_cluster_semaphores',` ## ## # @@ -80838,7 +80921,7 @@ index c8bdea2..b68d5b7 100644 ## ## ## -@@ -414,15 +509,12 @@ interface(`rhcs_rw_groupd_semaphores',` +@@ -414,15 +527,12 @@ interface(`rhcs_rw_groupd_semaphores',` ## ## # @@ -80857,7 +80940,7 @@ index c8bdea2..b68d5b7 100644 ') ###################################### -@@ -446,52 +538,361 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +556,361 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## 
@@ -80908,7 +80991,11 @@ index c8bdea2..b68d5b7 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +##################################### +## +## Allow domain to manage cluster lib files @@ -80923,15 +81010,15 @@ index c8bdea2..b68d5b7 100644 + gen_require(` + type cluster_var_lib_t; + ') -+ + +- files_search_pids($1) +- admin_pattern($1, cluster_pid) + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +#################################### +## +## Allow domain to relabel cluster lib files @@ -80952,8 +81039,8 @@ index c8bdea2..b68d5b7 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_pids($1) -- admin_pattern($1, cluster_pid) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -80969,14 +81056,14 @@ index c8bdea2..b68d5b7 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +####################################### +## +## Execute cluster init scripts in 
@@ -80992,14 +81079,10 @@ index c8bdea2..b68d5b7 100644 + gen_require(` + type cluster_initrc_exec_t; + ') - -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ +##################################### +## +## Execute cluster in the caller domain. @@ -83563,10 +83646,10 @@ index 0000000..8d833ed +') diff --git a/rolekit.te b/rolekit.te new file mode 100644 -index 0000000..da7bd10 +index 0000000..da94453 --- /dev/null +++ b/rolekit.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,47 @@ +policy_module(rolekit, 1.0.0) + +######################################## @@ -83605,6 +83688,10 @@ index 0000000..da7bd10 +') + +optional_policy(` ++ rpm_transition_script(rolekit_t, system_r) ++') ++ ++optional_policy(` + unconfined_domain_noaudit(rolekit_t) + #should be changed for debugging + #unconfined_domain(rolekit_t) @@ -87843,7 +87930,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..d16940f 100644 +index 2b7c441..9c52c41 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -88915,7 +89002,7 @@ index 2b7c441..d16940f 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +914,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +914,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -88945,7 +89032,9 @@ index 2b7c441..d16940f 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +937,17 @@ kernel_read_system_state(winbind_t) + kernel_read_kernel_sysctls(winbind_t) + kernel_read_system_state(winbind_t) ++kernel_read_usermodehelper_state(winbind_t) corecmd_exec_bin(winbind_t) 
@@ -88966,7 +89055,7 @@ index 2b7c441..d16940f 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +955,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +956,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -89025,7 +89114,7 @@ index 2b7c441..d16940f 100644 ') optional_policy(` -@@ -959,31 +1016,29 @@ optional_policy(` +@@ -959,31 +1017,29 @@ optional_policy(` # Winbind helper local policy # @@ -89063,7 +89152,7 @@ index 2b7c441..d16940f 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1052,38 @@ optional_policy(` +@@ -997,25 +1053,38 @@ optional_policy(` ######################################## # @@ -98852,7 +98941,7 @@ index 42946bc..9f70e4c 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index 9afcbc9..1664384 100644 +index 9afcbc9..29ae736 100644 --- a/telepathy.te +++ b/telepathy.te @@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2) @@ -98964,14 +99053,14 @@ index 9afcbc9..1664384 100644 - corenet_sendrecv_generic_client_packets(telepathy_gabble_t) corenet_tcp_connect_generic_port(telepathy_gabble_t) - corenet_tcp_sendrecv_generic_port(telepathy_gabble_t) -+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t) - ') - +-') +- -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_gabble_t) - fs_manage_nfs_files(telepathy_gabble_t) --') -- ++ corenet_sendrecv_generic_client_packets(telepathy_gabble_t) + ') + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_gabble_t) - fs_manage_cifs_files(telepathy_gabble_t) 
@@ -99084,11 +99173,11 @@ index 9afcbc9..1664384 100644 manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) -userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control") +userdom_search_user_home_dirs(telepathy_mission_control_t) - --manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) ++ +manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) +manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+ + +-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) +manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) -filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") @@ -99106,16 +99195,16 @@ index 9afcbc9..1664384 100644 dev_read_rand(telepathy_mission_control_t) --files_list_tmp(telepathy_mission_control_t) --files_read_usr_files(telepathy_mission_control_t) +fs_getattr_all_fs(telepathy_mission_control_t) ++ + files_list_tmp(telepathy_mission_control_t) +-files_read_usr_files(telepathy_mission_control_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(telepathy_mission_control_t) - fs_manage_nfs_files(telepathy_mission_control_t) -') -+files_list_tmp(telepathy_mission_control_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(telepathy_mission_control_t) - fs_manage_cifs_files(telepathy_mission_control_t) 
@@ -99124,7 +99213,7 @@ index 9afcbc9..1664384 100644 optional_policy(` dbus_system_bus_client(telepathy_mission_control_t) -@@ -248,59 +218,51 @@ optional_policy(` +@@ -248,59 +218,47 @@ optional_policy(` devicekit_dbus_chat_power(telepathy_mission_control_t) ') optional_policy(` @@ -99187,19 +99276,18 @@ index 9afcbc9..1664384 100644 -corenet_sendrecv_sip_client_packets(telepathy_msn_t) corenet_tcp_connect_sip_port(telepathy_msn_t) -corenet_tcp_sendrecv_sip_port(telepathy_msn_t) +- +-corecmd_exec_bin(telepathy_msn_t) +-corecmd_exec_shell(telepathy_msn_t) +- +-files_read_usr_files(telepathy_msn_t) +corenet_sendrecv_http_client_packets(telepathy_msn_t) +corenet_sendrecv_mmcc_client_packets(telepathy_msn_t) +corenet_sendrecv_msnp_client_packets(telepathy_msn_t) - corecmd_exec_bin(telepathy_msn_t) - corecmd_exec_shell(telepathy_msn_t) -- --files_read_usr_files(telepathy_msn_t) -+corecmd_read_bin_symlinks(telepathy_msn_t) - init_read_state(telepathy_msn_t) -@@ -310,18 +272,19 @@ logging_send_syslog_msg(telepathy_msn_t) +@@ -310,18 +268,19 @@ logging_send_syslog_msg(telepathy_msn_t) miscfiles_read_all_certs(telepathy_msn_t) @@ -99224,7 +99312,7 @@ index 9afcbc9..1664384 100644 ') optional_policy(` -@@ -332,43 +295,33 @@ optional_policy(` +@@ -332,43 +291,33 @@ optional_policy(` ') ') @@ -99273,7 +99361,7 @@ index 9afcbc9..1664384 100644 ') optional_policy(` -@@ -381,73 +334,53 @@ optional_policy(` +@@ -381,73 +330,51 @@ optional_policy(` ####################################### # @@ -99340,8 +99428,8 @@ index 9afcbc9..1664384 100644 -can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t) - - corecmd_exec_bin(telepathy_sunshine_t) - +-corecmd_exec_bin(telepathy_sunshine_t) +- -files_read_usr_files(telepathy_sunshine_t) - -tunable_policy(`use_nfs_home_dirs',` 
@@ -99357,7 +99445,7 @@ index 9afcbc9..1664384 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -455,31 +388,49 @@ optional_policy(` +@@ -455,31 +382,51 @@ optional_policy(` ####################################### # @@ -99372,17 +99460,19 @@ index 9afcbc9..1664384 100644 manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) -# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") -- --manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t) --# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy") +optional_policy(` + gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") +') +-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t) +-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy") ++corecmd_exec_bin(telepathy_domain) ++corecmd_exec_shell(telepathy_domain) + dev_read_urand(telepathy_domain) -kernel_read_system_state(telepathy_domain) - +- fs_getattr_all_fs(telepathy_domain) fs_search_auto_mountpoints(telepathy_domain) +fs_rw_inherited_tmpfs_files(telepathy_domain) @@ -108466,10 +108556,10 @@ index ae919b9..32cbf8c 100644 optional_policy(` diff --git a/wine.if b/wine.if -index fd2b6cc..938c4a7 100644 +index fd2b6cc..111b5b7 100644 --- a/wine.if +++ b/wine.if -@@ -1,46 +1,57 @@ +@@ -1,46 +1,58 @@ -## Run Windows programs in Linux. +## Wine Is Not an Emulator. Run Windows programs in Linux. @@ -108545,10 +108635,11 @@ index fd2b6cc..938c4a7 100644 + relabel_dirs_pattern($2, wine_home_t, wine_home_t) + relabel_files_pattern($2, wine_home_t, wine_home_t) + relabel_lnk_files_pattern($2, wine_home_t, wine_home_t) ++ ') ####################################### -@@ -72,31 +83,25 @@ interface(`wine_role',` +@@ -72,31 +84,26 @@ interface(`wine_role',` # template(`wine_role_template',` gen_require(` 
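Review bot: `corecmd_exec_bin(telepathy_domain)` and `corecmd_exec_shell(telepathy_domain)` grant shell and bin execution to every domain carrying the `telepathy_domain` attribute, and appear to replace per-manager grants removed elsewhere in this diff; the hunk records no reason for the widening. A why-comment on the new lines, `# connection managers spawn helpers via shell/bin_t -- confirm which managers actually need this`, would make the change reviewable, since most of these managers speak to remote peers. The telepathy domain section continues outside the hunk.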
@@ -108579,6 +108670,7 @@ index fd2b6cc..938c4a7 100644 userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) + userdom_manage_tmpfs_role($2, $1_wine_t) ++ userdom_manage_home_role($1_wine_t, $2) domain_mmap_low($1_wine_t) @@ -108589,7 +108681,7 @@ index fd2b6cc..938c4a7 100644 optional_policy(` xserver_role($1_r, $1_wine_t) ') -@@ -123,9 +128,8 @@ interface(`wine_domtrans',` +@@ -123,9 +130,8 @@ interface(`wine_domtrans',` ######################################## ## @@ -108601,7 +108693,7 @@ index fd2b6cc..938c4a7 100644 ## ## ## -@@ -140,11 +144,11 @@ interface(`wine_domtrans',` +@@ -140,11 +146,11 @@ interface(`wine_domtrans',` # interface(`wine_run',` gen_require(` @@ -108615,7 +108707,7 @@ index fd2b6cc..938c4a7 100644 ') ######################################## -@@ -165,3 +169,22 @@ interface(`wine_rw_shm',` +@@ -165,3 +171,22 @@ interface(`wine_rw_shm',` allow $1 wine_t:shm rw_shm_perms; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index d1fcdf54..3a5d9007 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 89%{?dist} +Release: 90%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
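Review bot: `userdom_manage_home_role($1_wine_t, $2)` passes the domain first and the role second, while the adjacent `userdom_manage_tmpfs_role($2, $1_wine_t)` passes the role first; unless `userdom_manage_home_role` deliberately has the opposite parameter order, the new line should be `userdom_manage_home_role($2, $1_wine_t)`. Please check the interface's parameter list in userdomain.if before merging, since a swapped order would either fail to build or attach the rules to the wrong argument. The template body continues outside the hunk.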
@@ -604,6 +604,22 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Nov 03 2014 Lukas Vrabec 3.13.1-90 +- Add support for /dev/nvme controllerdevice nodes created by nvme driver. +- Add 15672 as amqp_port_t +- Allow wine domains to read user homedir content +- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc +- Allow winbind to read usermodehelper +- Allow telepathy domains to execute shells and bin_t +- Allow gpgdomains to create netlink_kobject_uevent_sockets +- Allow abrt to read software raid state. BZ (1157770) +- Fix rhcs_signull_haproxy() interface. +- Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. +- Allow snapperd to dbus chat with system cron jobs. +- Allow nslcd to read /dev/urandom. +- Allow dovecot to create user's home directory when they log into IMAP. +- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835) + * Wed Oct 29 2014 Lukas Vrabec 3.13.1-89 - Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424) - Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
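Review bot: The changelog entry omits several changes present in this commit: the `/usr/bin/mongos` label and `corenet_tcp_bind_mongod_port` for mongod, `corecmd_exec_bin` for nslcd, the nagios system plugin reads of `nrpe_exec_t` and `nagios_exec_t`, and `rpm_transition_script` for rolekit. It also says `Fix rhcs_signull_haproxy() interface`, while the rhcs.if hunk in this diff adds that interface as new. Spelling in the new lines: `controllerdevice` → `controller device`, `,and donaudit` → `, and dontaudit`, `suppor` → `support`, `gpgdomains` → `gpg domains`.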