From a4801c838b7a9751bb63e9ba4aed5aadd06c2263 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 17 Jan 2017 09:55:15 +0100 Subject: [PATCH] * Tue Jan 17 2017 Lukas Vrabec - 3.13.1-234 - After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017) - Tighten security on containe types - Make working cracklib_password_check for MariaDB service - Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505) --- container-selinux.tgz | Bin 5425 -> 5492 bytes policy-rawhide-base.patch | 144 +++++++------- policy-rawhide-contrib.patch | 351 ++++++++++++++++++----------------- selinux-policy.spec | 8 +- 4 files changed, 256 insertions(+), 247 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index dfc4dfddfca1b37d2db01a56ef03caed2d1319bb..d4135c69ea287e8205b0e4eb41c247b9c27fddb7 100644 GIT binary patch literal 5492 zcmV-)6^rU0iwFR8*?m|51MOW~kK8tv&TH4N5bOZ%4(x8X?ZkkcnZY8Shk2MyFq5~< zuA-7yRZ6R*ib(Zk4gdE&hc{6YNl_}5?FG63yQ`(ckK`eFcy45;RmqaPB=u#!`Q}8Q zm+<-Fhd221`tA2G&7bgjef{?J58qtBe);+j!uk960sU%h(sP4x0q4KhCsWl0@H z-xRlXvL>mMZtVU4)6eSZ)96Rq?Dt9i@Yi2=B&rUid_k+GPDzv;4n>|OEU(HaRTCv5 z^3vw5mzE&tgiFI^D(V zygdK*`eJpas*4W^gI3{FH<;}WyI5fbCm1N;>{mNV$d4%_6gC)XQgTY~ARNi>fAcyG zb{F|N%AolvtLmK437kIjaXLv;LOI&mG!{#yK(j&^e4Err+VYmyAANgmqj?AYj3hpM zjSr;WQz*E}3qn=JlA4dm!ZZ78V>O>ppOev!39ic>$?<=YB<=q z#ct;uJ>%fwwOxp7tk1x6x=U*EHF2FcD4g$tJb>#(P8rT^7tpy_s z6b+2T7z(JRGaL_Cp{xTIG{ab*@_rj zVZldJoOh+#a7iqfg2FrHT$)mqC>y6mLaC!F{%%;;n#k(1DfQw1PonC8{7;I%JYjX? z>LQZ%s$G-3+y+%^Um{Az1)JyA1>&=|jYaV7EBN;s{=HdNKl|k$AHI^EgKIH|Je#&} zfGzA0H~>W_D8wAd`fzcxkCOU!5eJlaAO^0Dsdo1RWn`bSVv^_S{qS8==8Uty9VmgF zNkvOlBt|Po@|qMCD(k?h9Oe^$6UmP%EQfVd3Gf35mb(mFB5*ABsL_&l_#@IYLtCUH zrDTI5xq-=FRq55)0j5}8;R+aWpel?z{Ml3g)URo3hA*nBew@e zk+b*`8HGPB{8fbS(p?>k1#%ZdE0$q0euTN$8i-=|HJFXxNXe$K8b8CDJS^u0Cb7NU zsImSmmaW852pJ{MOJ?y#U{vWm&h}bBB?e5t zE$GX98oE&U6jcbtecGvBO@Ch#q_XR1!c3e2BPJtQhI1yyivq+QHD^|!{%>*QwX=Vd zZ!bxCyCmwaqKqyL$nCWSF>6Ar;`S0bun4ReDGG|fy1FOJbYEbiQoA5r1@=RcJS>m+ zYC*_^Rr_4Y08m_N*tO#%+vla&i!c!6T0Ua4Qb?Ej1)v@2`l-rN`8TxEft`<%2o(MM zh%!(~_I!UK?2GHqqBW>*V5?{60EAk~-Rfpp%cn4Qj6wVNFF&;v(64#q4r%b{AuZ}O z@FR4j#A9x*#L!m0xr?6Dp83nc-yw%odjwr1o5iY0dc8FSq&#bN1Fec=|F{c+ulF1( zhJBCwN4p6=w|QNa`$-D_X@-lp^H@)Z(`l_n)bAP@YW$$%+Fxv~&xI-wXhKUrMf4F2 z+#0wM(R^Dbg)sG^Pw%HWGoUgq+3kd?Vg9Iq55aK#JJ-ZmdFjpTl}9cI0EofB(n=H7 z<+nk_W%n%(w(-)&JQ??FDIXPzg@J=gIm_ciRpjXdpW(`(COv2gtN^BhmlwwS5r^Be zr5&Yl(y*P(avFF``OB{?8;rMiO2Qs5(2*8Kmyb-GApN)p>aDr>m^PRd6U85V6aut$obUcheV)Wi8URMQ4lf%_0=iBDa%_;V&eu7Q}z}lL`Xc)~B4y$fXXbYwu>$KQmNo%^D(VX6E z50W(>tJjt=Bx`z7i`0Luk^E3PL&l1PZ#_*KrV$ug99PKn%Q7b<2GeT1td_TyrJHg;JR1@9p2&~Q83^XTv z^H*Ll?yD+_=+~cqi4IlGbaeh8SCv4=rNWvrS(|;(iYF)|&!bIJPy+pN=|@mao}m80 
zWfd$j?{?m$R$DyJk;xLWugX|RjB`s(zB5CjR7{)oA2DnP=`Ja^{Oz7Q2yAe=5b803 zCA67jYo5DxD^mo?TJh1jlsMP|nFkctT-l|Hy3bCbzIWLuo((u}x*LY{LA>`G^k%;d z)217pJ@337&Liyz>o(CyE)aN}U3UMOH8G$Ir;-I!*am-!hgc4@#`AvpA+B=zb&*>i zrD&)8op;^pFtj>FyO_#RDi8~m8gSk(WkVY@P&!xp@$U0pAaL7#a@cM+ z@D0E=l(0OD_BUmfMc7#G4Cmk0d8zY2`GY#S15CC7NQ_d9R1BN7ig(qd0L7}nc-Kgw zHZ-y&pe3`q8ykVz>muLhjJJcz9JcYcXxBNW)fs+t;hP^RYzyG=in|X3(O7y|0Hw(W zC{v2Jlj2ph<`SAV^gznYSF%5Y&90yc#U~7?0bZ}9U0GRKPZy0SRw`3rxF6aMxf}~N zJhU_$aWo?%5ZRWZF{A5h$G3+K=ZuUWQ9u!vhWEGy>?Nqp?6OcwY(d63-F2h&)S{ri zDzuN-SDp?OebPyN^E$h=Jeb>6FV^Hm;=;4%JcfZ8j8pB2K3xO}HjeO4Ek<#i3bsH7 zm~s!>)YZP-&v5G*CTxu~)0(Rw+uqNseenma%1d}TbL>0nt@FjaxiArX^4ti;@9OqJ zGo=UZm@!8(9QA$AtD~77ihm5_!}}n0s#8{?&PJTFj&*TDW`&5LULk&ehar33`yD&J z+Bc?&I(3x;4>)u$^lPZ}Nf)?AVF?xwAJ2bE*;< z2t03^1pv>QW(0%6m-wf)DRq<3C=D7#L2 zYhMh{{S9!F6f$8##2b0ugk4UX)FokeRecjm&XcttXvzvJt6SnbL=GYae$aGBvarh0 z=k3^iWB?ZPcX&!klCu037E0!*U(#pzuF3dq4zd#QhWePYQW>{AX1caVwlBI=bVrK9 z1BV<#H!+VTY~j~BPvf%698EBbP*P@4)2%L+Z)OylSywM)<0!^^#fK2{7RKpQnXRy6 z>=0OmDw0~!*cMxR}vuV>Yr16p23qY~!qRGbLkH?AJF zhlX(K@ap$;>!9usgQ!QhEKs|QgPf+uWaEL^{C^X7QqGEdJ@i2p*BFq7<#L0_$R=qD zCajcu*OWI)h$-)aexSINGHLz9;vBbwx009(`h4TXwH$7$4|}JDe<5Cr9$9SAm?NNF72~!aqvVrq1nFybZV8U$;gqlp>#63PepAL{^gkvQQ4_ zagge|XG--+Jp=F*n+dxbm7zEnS@i4AAAXMh1s%F2(XV)Nj;Ct5(*{?)<0L#)kyj(m zm~nl6)LA78sGpLl+WQmV^L6PRftHvXFN@eW{F3)w19G8QJB=6aZ9-#2oAG$)$x5q9 z4{U$$AyI+|ker?7gtFV?glgV3C2qqhUV$4kXFFH8kAZIA>ZGs_Qh4ZA@OhrCFp2mw z(CM`<1FJ0|hN7*=(|cQmH?nm@m1`8gimUS+#*{ca!O3=smq<(laT^0(M}gDF(I@Yn z7P>ObZOUEBh>d=qq&uK{9q4rWR=+RSS(oT% zaULjw?Z6~#Pk2wN>Nc<0xRXGTc}#cyK4jtBC}Vla+gRO-&bJN)wF>ft(yLY5DZnS8 zqtw%AQ`KmuOMv#Kl9-Afy1VpTAC}Tb!#ic=~1$rj<&DCuo|Ve#S*kp6M5;cHCeC2#`8lJPcl*8vNU`(;{G@mTl=%^2bcvXuGFx+@%oyt)_@q3S}u zR%p89iE3wGIC+BRM#JZwy%N^|jU2#|=U!(VJTgm8Jawe~Y7RKVajZ{yb*#cja~LsKdA zT<_(RSe&?;)E5EOL`IZQ9elEag+&xK`FJ=_lg<=)tS{}JMn5$*Xhp1e5Z5{7;vOy7 zok5L7VSI`AjYbxoF$R%-C_3gly17s<5$9*kYQ+<=Ie_ZTM*;K}n~TdR#{FEpj1HVC z!IyV9E~dm#W)8)rI3a77u$JSL-Sd>uP{_|b!Fk;AQD1~@QcO(60=ecqrvo#J)X81G 
zM6Yk;U&(67Ejl)QEeTFunvl|BkYaX4AnB;-!6qc)*jhV6=go6s_GBdo>1sqZTy-9D z!Pa+(FiQ^OAUuuk0}8h94ga<$Twf2!knU_D;y!}mlc1dFK%{}?+hG9iDLQ`7uZwc@ z+z?ip{=L<*9^mtH|AE+?HV_wQ02HNx(2`vK+WV7GUUAzk`O5rrIirn~a>3Weu28hg zim|e=GO|3`28r7-tO+9Q+4Jc4_R3^4?(WKilBSWV`{ebX7Tt$+lUObBa~0ZF>ARcW zOZ^Vawc7Ej7s2*Lw|gp2OKK)+cV(3L6?#p>PEqn72<=tC9VkqA`82F3#|CcLyvM9*w891xX`5Yxr^* zPpXrX$+*Tygh_fKIg7GwP2P5dP$;FD+jMn1DFT8NvhbI_z3upq?$YJvWOv*7@Be%G z_RX7@gZuxkuOILK`y8Ju%=Nqa?NSI5e&-}k33AWQrJJpJC%2XQT|58fEh7|f2)t@& zeO2UZ)Tgcl&ei32XD?m^qbUkt{hjcGEXz#!hqM-Ju|!RUS7B+`vbwE`W=~#BXN7rtl3gyMoqwF)>C&a zEzSX>hUMm13oUnM`E%X^HZGKt=!7W|a}I**;%{fcSgE>th%=zYk;~vHxYgBdB6FV9h<^FqZ+OK`I1|NXIpe_Ue0ex> zc%%8z@@0TA?Plsc^5My=0VYm@0K`{EK(?4IAD5Y?#<++-e78i$Q6w+ZJVd(Ef7x&m z4jv_eyo+68o?y)@Wc$)Tdga^U7Zm{RDwdH03V&g7pkNo53O(TCg#+jXGdJlr2&mhM zV47ggQnuiU#{GtWIeC&kG6IKwJHVsM;K@IsybufJ1|XC?Iu&#fqc!9h02^x01PQ>e qM>K)9^Kg_T`O^0JuZ%wW-(hke+c#!SC$ z@2XW2t4eKMszu3{4f5aj9Nt7pBt@xIi5GAIiObUANAi$7JU7yDS=3Qlkm@4cyg1V5 z3O+yn_#S`0{qVz;{u4g$-hO!Z;rhdech@hj-oCrOzIqW{9jih5r=fLJ z1;LB#u8P(qw$hEg|9|>fot_3i(I(HM>hZ6??nqGXN%4l3O%;=(J zfD~K!dGXVwEVcp=zfY$&_~qp94{&i5pC-x$UvaGx(Nl=$TT}1^=u~R0{ONI*HS7}j`Y7@oe?040guxg4r%}EIL zF`QSge_x$!NfB1$&nB&ac6D-6Kkl_2s513y!$Sfb22Li;Zr-9=}mpU!U~QsP{7$IJ4(opDI?@J7;#iEO6MRP$nSr# zIyH7@={iWD`EgxVDWMZMed6MD6vu=zw3BHp7EFO=`7rn{s*tqhEvrBH?yZUD2KpHY zeE1sfNtIJ5xJffYWyOM;jmW|?`>C;-O{lNQXv+jwlXUN7&XT|Mo z1pfga4EMjWRge2K-IF-oq%c5yAaQRc1Cht-O!$Pr@&|72N0ftyO%#h{o56Ae)BhtX zqHTX8c^YdhXH7erY!mQ@NH>WwwqTAbC5iT z@SCE65otpKwRDE#5sTcX^)85ju&IH=bs7h(_pR{&;tuH|O%Cp>^bYGm%C9(}J!H{} z5L;ouM^l`2rQ9${%$b71J7!#(QWY;7##uzEr7HGrSl60}>XIq-;r}m#a*zCvvcJ5n ztH#zvB<)qZCTX$ts@A+jq>S@6&y5SjWo>JV;Ja)1_YVHOUsgZ+<=;O&k)4BSG5a)` zwr_wfY!NsBMJFi449NI!akGz->TVGSlye{ku8pa7_am)I9@p6<&(p`@yQWBM#{PDo zICdfwEm;vCtrW>Cl9i~e1E*4$PwY(~KC-YF)=kO5_aIpA6Kn~`G1#M8OK$K-pk{`$ zNJmPE1_fdR6TiyRtCKxUv8u!sFycU4#LS9{B)G3qlY*U-9Cog6zo_qlNBPtlWb-E| z8W@K>;MkJ)6S&!DW)Sqa*{v;Hw#8L1c25tMdP$(M`-}M(rR&E_dwY|_nu`6@Zp95l36q_#Vp?zyalGnjY 
z_3i@7y*!_dla%r8d=Lty!$FJi=^Qjr^>v&#ahAgH&PU>XTc9Pgc*8NucphhaEuaDe zrr#FyWi}0MC~S&KgzO>iR4=E$s|iBcwKQQS&VUh<5e&mQ6XQ(=;*RPw%Txb1IP%)r zze%?jq_|rWbyw1wE)B@+wFNONLd)##0y(e0W1>>KAY2LdLl!+Q zk9fTxWK@@VDrEpDE*0$BVU*-)!S^Bz1lg7k->f9kg?a&K2fBXBqLBU#rF3BDgD3z+ z{~@3?s3bYtUr7DU^=IB1)HkrzvvUA^E#+=?v#jM~7(3da{p**X+Y0DY9=Uz&J$gus zIt~2r9Vz~pnJXc*m2K|4=d@@3GVmMZkZcd93q-T(a*|$e3;{{cTGc?S0?|L_f?(@C zg^FR{WB$=@g3n!Al|?>D;XlrBv34Hn>99Jj<%qgnBSVcJbX@a`t?@Zm1w2h?;im{b zgMnKCHv*b&izwr!Uhw7PG-n1>#w5F$P&UjR6>uSFu7B&A7%MNldA;(;We)&87+6|r z!m9k%tGMXC!NE3OTAL^1o-OI4La{J#P)TQbxG%Fbeq=LTI@E**ErJzL%i!g?_I||S z_G)QIX&5#2PGmU^yrt~r6Uzo;?VXaa#|m_$h1TT*Q}r~Y!Q;bX{^o%?G*9nHa$R!4 zdpHhC&C?K;(|LM)e!4mj>-}_HBW_f-#I{Kgh$JbL+Ax63P|~ zMk1GyWjvUw;19@YZJRjDf3Np&NCn&1;c6%Bf>H5kfERlP=LM*ou%T6t`x3g#HPw^~ zZhyTM1K+DMBXP999OZo5+_^c$F4d3I@c>v`6CVw&S=?dO%?WM61nA)@{x?J8Qc9HR{y;F` zcfRzneIq^zDa$REAfsV?8$bWk25D+?tTRUL^Iz}Zf4IIHp8xvreE#cee7L$$EF`aHED$U z2a{E>#GKoCms)P|EJr4ZNM05pml$V;np|gwc&U&!>pw!+4&q%@Y}wnKIS5Q}su1ci zo+Xr-WNMzhbt_#2iCXc|nUFZx0+9z4R!rHYlDf}MuD*BK$e#^3ue%$D^j^Go8uWU< zG}ERVojvQk9nK@=2m#=rA-oMZ1{NQOXfBnHq4`FJ(d-G*CEK`|<9xULnT{&-a5>j*ryHz%M<- zPEjZFh8nOpw1W=6+VPRrJgeA*8_p{8EH!&pd#HW0x(hxu@~w6BNrzQw4$y8b9T&Uw zWU7Z}MuZ`}%#7+{w~19eNveK48x|RYi8yH&OXdD>Cgfl_*UT_G8x%A!8g{G!d)c#( zEA(I$q-MXL^@~j1cia6FR#cP)d{>88+}<>8ca&tC8!&sLb(*F1WAHhMcjbK%+@`SI zZr~e$Z78YJB*<@zG6}G;%o)zUtZ?TijD2P4K*1N4)HkoQTf>97U3FqjUL-a=bIzk5n8rBSp5V*5mtbQEH*zuZ<5aK( z)_^JYuuWCw?S6(^&oE(Yq?yKC1=03?UhSJdXjxpq%b8=}QE#m;=FNqP*pugmFMe0I z_nIj^Xv>T_km0EBJ6;{kbYJ{K81LT)p;H~R5_vY_n02hPBQncJ1oaBB`#Ut*^U>|t zan-)jP1LE&g!fI~lje0too``gR#|+UwaQ#qD$JcM9+;CShX>};c#~JV3)5$W1@XjP z({~oDrYy6~nv=tig573{9~1t1d3@99hT~MBolH1h1$dZXb=uOjHFZvuxee1P!fEUR zg*gk~6LYfA^TeGj_&jmdS+b>pCriOGTpvl;xpZry1z|eZzH1hzSHO*YOT|d0{G!T%cX`uSfCWOy49-c++&E0z?XIi%``fB@+zX`FF8xrexz}o8Cl&D-y^aYDe!~FJCgWS zjy`Y8?jr)Qn7_kPN}{+hg zY*ln0vRK&zsK`l5Z!PpJ#Dnswp!7biu6-coSBLd;rqtc zqxR4cP90W#PPZ274l#&&bjt#@%{WMDtW7o+m`(pTvM1%NnAbxcRI!Z#Y3fvL5DD2t 
zO;&R&<-s=P^%8u_+n^sQE~P|RKOsNIZQ-pTW`aK5IB^Y!o2q?oweZjRYu>}PgTfB* z%3SLPCUBY25f)ntr~4Z7%Vw6wYt`@gBJc`&vZUA5X^=g{{P-rO(@lxyCs7=t8=y)P zf;!kXP4LGa ztOA&9DC9yAjVhoWaJ7p)?}WHVW8AV7U-I2xxe?JT44^oO z9Z3N}ERPM3Fwb{x4Tcq1Jo?6LQR_7#fI}C)%>V#OCRG~{Ul!IX zn(U5AsJbd0_2OM$Sf!I9E6cqX)M%ALvy#0{DVV~Tay6=p35)!I0;5Xepu~t)W-g?B zbdyRc51gwM->IoOWa6qo%uuBEp)24YC2>=wW-H!=+wHGiBj!qxODzSWrtl)GhzFT3 z2h=zSb=@(g`lOBlIK^hdu0};D&PEpe`j1cl2>uBjx+B4_cyf-VYT45USH0sTELD+J z!_Sy8eSXwg#S6%vf~m^;6F#tY=^TNUm>DmN*f;Ew_gw>WAzNFG7v^n3V?>$pc<9MU zt4Q~C{@@^yf(VeToo0lh+v9|C-Zceo!!cfg8`jo#u5cd%-M-aHVIQRM(5~RKJX>xO zv1OprYi-6uTcoN(^_#o^)Lf6uVe?UR6)m?>T^a3$Qp$ye51bCHwgexFwjxLGjfG?~ z$<#7-0bw#2w)=K|!FN2`H^tsa)(w@eQT)oU&a)U({OklH+eJbLcTGiuD0#4>I-PwDeg>Rw^#U*cJbxS(eI^@(c$m2^dS8b;N zn}n89r@^MI&`cKq?M)>i9sm6rH+Po%7`&H8Dlq_1TSy_n!^@Pn-ajZ{G)Rr=CkN3%YcTLXm z5r?o|tm~(a__bZ5r8+T!k=mx6Wd=15PbnMEbg*-E=n@zj)We*I;LGq{0oP%@!5uau zw!BKM5C;LLme-=y0>Lri*u`nBzsc%RGMtV!uR*^Wg}22Jw6Duf2o(J<2KnmP%0vt7 zyJLHz+q%~?@^-^lnA%I=1d1i?t?#Y_79R77IC6P)J|;rt zg?z2hw8<0M&c1MR1kJUE&pUg?uK^l4fF;ho&Nz6amz;R&Ncq()aGK*-o$~6O)v@m9 z@)n+vWRmf#gk0}N^GX(icV>btREH}mgQFr7<9%EMEXAKnD6N3LcN5apVh17Px$5lsy7=2&|6F{F0B~9OKD^a z;_p>tRZ7ORGbF&XPFcq1zJ10g)==^eg)Tp5YnIc7Lz&%EnZaxqjx z5)`GL(1Kk2+WR{=&e_o|d9DAAkkLkp(5I`7-RP+Kfbm#au$YoG+Iq!Z$FOe2UpH&W z9Xh03&3g4Z_`SU+Ru4AXl0Sq#s0;kG`qLor>u%}DUs0h)jC=N*wSf(y?6Kcf2P+C^vCIvn2V~9H_mwz|2R0$f_&W!KPDJXS6XULca!e_efe|9*J?*VPZt_kVqj&n4#iT>f^! z*A%;R4yOcp02`W{+0BiRu+>dF)5I+U6mJN-Y-n|vrE63zE;-KS#rG#~-gu))6<%D6 zjHo71@u!IvfnKLYi?c7~W=Bhx0miWV)OqB>6Gww5P67|a z>jNNL%$ASKOjB)K_#eJnqT?u%muVg%U8=uqwg?9gl0eSIE-;U<<|VRu=^woE&G3r~ z0DBe7$N`DJusD#gi%W$b@ZrJ%^n#h2bQ=Uv?L;s|FlQ+n@Oa~X!@rz5Ngo-3Ll+j{ z(Pi+&pHN+hg<=EXN*=lS#edHy_qmiqi3jR{!d0H6Q>A^5H^ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 148e1caa..df71d930 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5948,7 +5948,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` 
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..9729941 100644 +index b191055..4d57db3 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6302,8 +6302,9 @@ index b191055..9729941 100644 +network_port(swift, tcp,6200-6203,s0) network_port(sype_transport, tcp,9911,s0, udp,9911,s0) -network_port(syslogd, udp,514,s0) -+network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) - network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +-network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) ++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0, tcp,20514,s0, udp,20514,s0) ++network_port(syslog_tls, tcp,6514,s0, udp,6514,s0, tcp,10514,s0, udp,10514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -51833,7 +51834,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..adc5f75 100644 +index 9dc60c6..269ce67 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -53002,11 +53003,12 @@ index 9dc60c6..adc5f75 100644 ############################## # # Local policy -@@ -907,53 +1195,142 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1195,143 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # + allow $1_usertype self:cap_userns { sys_admin sys_chroot }; ++ dontaudit $1_usertype self:cap_userns sys_ptrace; + allow $1_usertype self:dir { add_name write }; - auth_role($1_r, $1_t) 
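Review bot: The two new `network_port(...)` lines hand 20514/tcp+udp to syslogd_port_t and 10514/tcp+udp to syslog_tls_port_t with nothing at the rule saying why, and neither port is a registered syslog port; every domain already allowed to bind or connect to those port types silently gains the new ports as well. A one-line comment above the pair would keep that traceable, e.g. `# 20514 and 10514 are site-specific syslog / syslog-TLS ports, see BZ 1410505`. Before merging, confirm that no other `network_port()` in corenetwork.te.in already claims 10514 or 20514 for either protocol, since a second portcon for the same port/protocol is normally rejected at policy build time, and that `semanage port -l` on an updated host shows the expected owner for both.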
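Review bot: `dontaudit $1_usertype self:cap_userns sys_ptrace;` silences, for every user domain built from this template, the AVC record that would otherwise show a process inside a user namespace attempting to ptrace, which is exactly the kind of denial an analyst wants to see, and nothing in the hunk says which application generates the noise. Because it is a dontaudit rather than an allow no access is granted, so the rule is defensible, but please pin its origin in a comment so it can be revisited later: `# quiet sys_ptrace probes from <application> inside user namespaces (BZ ?)`. Operators who need the denial back can rebuild with `semodule -DB`, which is worth stating in the commit message. The enclosing userdom_restricted_xwindows_user_template body begins and ends outside this hunk.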
@@ -53159,7 +53161,7 @@ index 9dc60c6..adc5f75 100644 ') ####################################### -@@ -987,27 +1364,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1365,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -53197,7 +53199,7 @@ index 9dc60c6..adc5f75 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1401,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1402,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -53271,7 +53273,7 @@ index 9dc60c6..adc5f75 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1466,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1467,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -53282,7 +53284,7 @@ index 9dc60c6..adc5f75 100644 ') ') -@@ -1079,7 +1504,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1505,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -53293,7 +53295,7 @@ index 9dc60c6..adc5f75 100644 ') ############################## -@@ -1095,6 +1522,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1523,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -53301,7 +53303,7 @@ index 9dc60c6..adc5f75 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1533,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1534,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -53318,7 +53320,7 @@ index 9dc60c6..adc5f75 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1550,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1551,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -53327,7 +53329,7 @@ index 9dc60c6..adc5f75 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1569,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1570,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -53343,7 +53345,7 @@ index 9dc60c6..adc5f75 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1588,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1589,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -53388,7 +53390,7 @@ index 9dc60c6..adc5f75 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1631,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1632,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -53397,7 +53399,7 @@ index 9dc60c6..adc5f75 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1640,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1641,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -53420,7 +53422,7 @@ index 9dc60c6..adc5f75 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1690,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1691,7 @@ template(`userdom_admin_user_template',` ## ## # 
@@ -53429,7 +53431,7 @@ index 9dc60c6..adc5f75 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1700,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1701,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -53438,7 +53440,7 @@ index 9dc60c6..adc5f75 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1714,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1715,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -53450,7 +53452,7 @@ index 9dc60c6..adc5f75 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1728,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1729,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -53493,7 +53495,7 @@ index 9dc60c6..adc5f75 100644 ') optional_policy(` -@@ -1357,14 +1813,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1814,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -53512,7 +53514,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -1397,12 +1856,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1857,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -53566,7 +53568,7 @@ index 9dc60c6..adc5f75 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +2008,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2009,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -53598,7 +53600,7 @@ index 9dc60c6..adc5f75 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2074,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2075,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -53613,7 +53615,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -1570,9 +2097,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2098,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -53625,7 +53627,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -1613,6 +2142,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2143,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -53650,7 +53652,7 @@ index 9dc60c6..adc5f75 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2178,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2179,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -53710,7 +53712,7 @@ index 9dc60c6..adc5f75 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2304,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2305,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -53725,7 +53727,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -1741,10 +2343,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2344,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -53740,7 +53742,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -1769,7 +2373,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2374,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -53749,7 +53751,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -1777,19 +2381,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2382,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -53773,7 +53775,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -1797,55 +2399,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2400,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -53844,7 +53846,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -1853,18 +2455,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2456,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -53872,7 +53874,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -1872,13 +2475,163 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,13 +2476,163 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -54043,7 +54045,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -1893,11 +2646,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2647,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -54061,7 +54063,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -1938,7 +2694,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2695,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## 
@@ -54070,7 +54072,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -1946,10 +2702,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2703,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -54083,7 +54085,7 @@ index 9dc60c6..adc5f75 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2713,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2714,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -54092,7 +54094,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -1966,12 +2721,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2722,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -54161,7 +54163,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -2007,8 +2816,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2817,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -54171,7 +54173,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -2024,20 +2832,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2833,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -54196,7 +54198,7 @@ index 9dc60c6..adc5f75 100644 ######################################## ## -@@ -2120,7 +2922,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2923,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -54205,7 +54207,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -2128,19 +2930,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2931,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # 
@@ -54229,7 +54231,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -2148,12 +2948,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2949,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -54245,7 +54247,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -2388,18 +3188,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3189,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -54303,7 +54305,7 @@ index 9dc60c6..adc5f75 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3250,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3251,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -54312,7 +54314,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -2455,6 +3291,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3292,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -54338,7 +54340,7 @@ index 9dc60c6..adc5f75 100644 ######################################## ## -@@ -2538,7 +3393,27 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3394,27 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -54367,7 +54369,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -2566,6 +3441,27 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,6 +3442,27 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -54395,7 +54397,7 @@ index 9dc60c6..adc5f75 100644 interface(`userdom_manage_user_tmp_pipes',` gen_require(` type user_tmp_t; -@@ -2661,6 +3557,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3558,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') 
@@ -54417,7 +54419,7 @@ index 9dc60c6..adc5f75 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3583,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3584,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -54439,7 +54441,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -2692,19 +3598,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3599,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -54462,7 +54464,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -2713,13 +3613,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3614,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -54523,7 +54525,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -2814,6 +3757,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3758,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -54548,7 +54550,7 @@ index 9dc60c6..adc5f75 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3793,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3794,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -54591,7 +54593,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -2856,14 +3829,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3830,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -54629,7 +54631,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -2882,8 +3874,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3875,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') 
@@ -54659,7 +54661,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -2955,6 +3966,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3967,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54702,7 +54704,7 @@ index 9dc60c6..adc5f75 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4025,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4026,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54727,7 +54729,7 @@ index 9dc60c6..adc5f75 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4043,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4044,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -54739,7 +54741,7 @@ index 9dc60c6..adc5f75 100644 ## memory segments. ## ## -@@ -3025,17 +4054,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4055,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -54760,7 +54762,7 @@ index 9dc60c6..adc5f75 100644 ## memory segments. ## ## -@@ -3044,12 +4073,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4074,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -54775,7 +54777,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -3094,7 +4123,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4124,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -54784,7 +54786,7 @@ index 9dc60c6..adc5f75 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4139,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4140,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -54818,7 +54820,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -3214,7 +4227,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4228,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -54845,7 +54847,7 @@ index 9dc60c6..adc5f75 100644 ') ######################################## -@@ -3269,12 +4300,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4301,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -54861,7 +54863,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -3282,54 +4314,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4315,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -54933,7 +54935,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -3337,18 +4371,92 @@ interface(`userdom_getattr_all_users',` +@@ -3337,18 +4372,92 @@ interface(`userdom_getattr_all_users',` ## ## # @@ -55030,7 +55032,7 @@ index 9dc60c6..adc5f75 100644 ## ## ## -@@ -3382,6 +4490,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4491,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -55073,7 +55075,7 @@ index 9dc60c6..adc5f75 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4546,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4547,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -55134,7 +55136,7 @@ index 9dc60c6..adc5f75 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4633,1817 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4634,1817 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 924f8626..a8c9dfc3 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -56762,7 +56762,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..31069d2 100644 +index 7584bbe..1443a3a 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -56850,11 +56850,13 @@ index 7584bbe..31069d2 100644 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -95,50 +100,64 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) -kernel_read_kernel_sysctls(mysqld_t) ++usermanage_read_crack_db(mysqld_t) ++ +userdom_dontaudit_use_unpriv_user_fds(mysqld_t) + kernel_read_network_state(mysqld_t) @@ -56933,7 +56935,7 @@ index 7584bbe..31069d2 100644 ') optional_policy(` -@@ -146,6 +165,10 @@ optional_policy(` +@@ -146,6 +167,10 @@ optional_policy(` ') optional_policy(` @@ -56944,7 +56946,7 @@ index 7584bbe..31069d2 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +178,20 @@ optional_policy(` +@@ -155,21 +180,20 @@ optional_policy(` ####################################### # 
@@ -56972,7 +56974,7 @@ index 7584bbe..31069d2 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +199,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -56983,7 +56985,7 @@ index 7584bbe..31069d2 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +207,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -56999,9 +57001,9 @@ index 7584bbe..31069d2 100644 +files_dontaudit_access_check_root(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) - -+files_write_root_dirs(mysqld_safe_t) + ++files_write_root_dirs(mysqld_safe_t) + +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) @@ -57019,7 +57021,7 @@ index 7584bbe..31069d2 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +237,7 @@ optional_policy(` +@@ -209,7 +239,7 @@ optional_policy(` ######################################## # @@ -57028,7 +57030,7 @@ index 7584bbe..31069d2 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +246,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +248,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; 
@@ -57046,7 +57048,7 @@ index 7584bbe..31069d2 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +259,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -69237,10 +69239,6 @@ index 0000000..80246e6 + can_exec($1, pcp_pmlogger_exec_t) +') + -diff --git a/pcp.pp b/pcp.pp -new file mode 100644 -index 0000000..fa4cfaa -Binary files /dev/null and b/pcp.pp differ diff --git a/pcp.te b/pcp.te new file mode 100644 index 0000000..04a0b20 @@ -91064,7 +91062,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..6935f5c 100644 +index 2da9fca..a37f579 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91319,7 +91317,8 @@ index 2da9fca..6935f5c 100644 -# fs_manage_nfsd_fs(nfsd_t) +fs_manage_nfsd_fs(nfsd_t) - storage_dontaudit_read_fixed_disk(nfsd_t) +-storage_dontaudit_read_fixed_disk(nfsd_t) ++storage_raw_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) +allow nfsd_t nfsd_unit_file_t:file manage_file_perms; @@ -114658,10 +114657,10 @@ index facdee8..2cff369 100644 + domtrans_pattern($1,container_file_t, $2) ') diff --git a/virt.te b/virt.te -index f03dcf5..481f902 100644 +index f03dcf5..8036117 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,403 @@ +@@ -1,451 +1,410 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -114744,6 +114743,13 @@ index f03dcf5..481f902 100644 -## can use nfs file systems. -##
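Review bot: `storage_raw_read_fixed_disk(nfsd_t)` in the rpc.te hunk replaces a dontaudit rule with a real allow, which lets the nfsd domain read the raw contents of fixed disk device nodes independent of the labels on the files stored there; that is a meaningful widening of the domain and the line carries no comment explaining it. The justification exists only in the spec changelog, so put it next to the rule, e.g. `# needed after recent nfsd changes, see BZ(1403017)`. If the raw read is required only for some configurations, gating it with a `tunable_policy` boolean (as the virt module does for its optional access) would keep the default footprint smaller; whether that is feasible depends on the kernel change the bug describes, which this patch does not show.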

+##

++## Allow sandbox containers to share apache content ++##

++## ++gen_tunable(virt_sandbox_share_apache_content, false) ++ ++## ++##

+## Allow sandbox containers manage fuse files +##

+##
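Review bot: The description text for the new `virt_sandbox_share_apache_content` boolean says only "share apache content", but what enabling it grants (in the later hunk that replaces the unconditional `optional_policy` block) is `apache_exec_modules` and `apache_read_sys_content` for every `svirt_sandbox_domain`, i.e. executing httpd modules as well as reading httpd system content. This description is what administrators see when listing booleans, so it should name both effects, e.g. `## Allow sandbox containers to read apache system content and execute apache modules`. Defaulting the boolean to `false` fits the stated intent of tightening container types.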
@@ -114828,15 +114834,15 @@ index f03dcf5..481f902 100644 +##

+## +gen_tunable(virt_sandbox_use_audit, true) -+ + +-attribute svirt_lxc_domain; +## +##

+## Allow sandbox containers to use netlink system calls +##

+##
+gen_tunable(virt_sandbox_use_netlink, false) - --attribute svirt_lxc_domain; ++ +## +##

+## Allow sandbox containers to use sys_admin system calls, for example mount @@ -114885,10 +114891,10 @@ index f03dcf5..481f902 100644 + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; ++ ++type qemu_exec_t, virt_file_type; -type virt_cache_t alias svirt_cache_t; -+type qemu_exec_t, virt_file_type; -+ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -115257,11 +115263,9 @@ index f03dcf5..481f902 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+allow svirt_t self:process ptrace; - +- -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; ++allow svirt_t self:process ptrace; -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - @@ -115269,7 +115273,9 @@ index f03dcf5..481f902 100644 -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) @@ -115375,7 +115381,7 @@ index f03dcf5..481f902 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +407,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +414,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -115422,22 +115428,22 @@ index f03dcf5..481f902 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +442,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +449,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) @@ -115456,7 +115462,7 @@ index f03dcf5..481f902 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +467,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +474,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -115484,7 +115490,7 @@ index f03dcf5..481f902 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +487,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +494,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -115515,7 +115521,7 @@ index f03dcf5..481f902 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +539,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +546,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -115535,7 +115541,7 @@ index f03dcf5..481f902 100644 selinux_validate_context(virtd_t) -@@ -620,18 +561,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +568,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -115572,7 +115578,7 @@ index f03dcf5..481f902 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +589,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +596,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -115581,7 +115587,7 @@ index f03dcf5..481f902 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +614,12 @@ optional_policy(` +@@ -665,20 +621,12 @@ optional_policy(` ') optional_policy(` @@ -115602,7 +115608,7 @@ index f03dcf5..481f902 100644 ') optional_policy(` -@@ -691,20 +632,26 @@ optional_policy(` +@@ -691,20 +639,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -115633,7 +115639,7 @@ index f03dcf5..481f902 100644 ') optional_policy(` -@@ -712,11 +659,18 @@ optional_policy(` +@@ -712,11 +666,18 @@ optional_policy(` ') optional_policy(` 
@@ -115652,7 +115658,7 @@ index f03dcf5..481f902 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +681,18 @@ optional_policy(` +@@ -727,10 +688,18 @@ optional_policy(` ') optional_policy(` @@ -115671,7 +115677,7 @@ index f03dcf5..481f902 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +708,336 @@ optional_policy(` +@@ -746,44 +715,336 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -115869,7 +115875,7 @@ index f03dcf5..481f902 100644 +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) - ++ +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) @@ -115986,7 +115992,7 @@ index f03dcf5..481f902 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -116030,7 +116036,7 @@ index f03dcf5..481f902 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1048,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1055,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116057,7 +116063,7 @@ index f03dcf5..481f902 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1068,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1075,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -116074,10 +116080,10 @@ index f03dcf5..481f902 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -116091,7 +116097,7 @@ index f03dcf5..481f902 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1105,20 @@ optional_policy(` +@@ -856,14 +1112,20 @@ optional_policy(` ') optional_policy(` @@ -116113,7 +116119,7 @@ index f03dcf5..481f902 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1143,66 @@ optional_policy(` +@@ -888,49 +1150,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116198,7 +116204,7 @@ index f03dcf5..481f902 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1214,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1221,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116218,7 +116224,7 @@ index f03dcf5..481f902 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1235,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1242,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116242,7 +116248,7 @@ index f03dcf5..481f902 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1260,376 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1267,370 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -116269,12 +116275,12 @@ index f03dcf5..481f902 100644 + hal_dbus_chat(virtd_lxc_t) + ') +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + container_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') 
@@ -116315,7 +116321,89 @@ index f03dcf5..481f902 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, 
svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow 
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; 
@@ -116413,96 +116501,12 @@ index f03dcf5..481f902 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t 
svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+optional_policy(` -+ 
apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') + +optional_policy(` -+ gear_read_pid_files(svirt_sandbox_domain) ++tunable_policy(`virt_sandbox_share_apache_content',` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++ ') +') + +optional_policy(` @@ -116592,15 +116596,11 @@ index f03dcf5..481f902 100644 -allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; -+tunable_policy(`virt_sandbox_use_mknod',` -+ allow container_t self:capability mknod; -+') - +- -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_all_caps',` -+ allow container_t self:capability all_capability_perms; -+ allow container_t self:capability2 all_capability2_perms; ++tunable_policy(`virt_sandbox_use_mknod',` ++ allow container_t self:capability mknod; +') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) @@ -116613,6 +116613,14 @@ index f03dcf5..481f902 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) ++tunable_policy(`virt_sandbox_use_all_caps',` ++ allow container_t self:capability all_capability_perms; ++ allow container_t self:capability2 all_capability2_perms; ++') + +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +tunable_policy(`virt_sandbox_use_netlink',` + allow container_t self:netlink_socket create_socket_perms; + allow container_t self:netlink_tcpdiag_socket create_netlink_socket_perms; 
@@ -116629,32 +116637,30 @@ index f03dcf5..481f902 100644 + logging_dontaudit_send_audit_msgs(container_t) +') --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) -+allow container_t virt_lxc_var_run_t:dir list_dir_perms; -+allow container_t virt_lxc_var_run_t:file read_file_perms; - -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) -+kernel_read_irq_sysctls(container_t) -+kernel_read_messages(container_t) ++allow container_t virt_lxc_var_run_t:dir list_dir_perms; ++allow container_t virt_lxc_var_run_t:file read_file_perms; -dev_getattr_mtrr_dev(svirt_lxc_net_t) -dev_read_rand(svirt_lxc_net_t) -dev_read_sysfs(svirt_lxc_net_t) -dev_read_urand(svirt_lxc_net_t) ++kernel_read_irq_sysctls(container_t) ++kernel_read_messages(container_t) + +-files_read_kernel_modules(svirt_lxc_net_t) +dev_read_sysfs(container_t) +dev_read_mtrr(container_t) +dev_read_rand(container_t) +dev_read_urand(container_t) --files_read_kernel_modules(svirt_lxc_net_t) -+files_read_kernel_modules(container_t) - -fs_mount_cgroup(svirt_lxc_net_t) -fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) ++files_read_kernel_modules(container_t) + +-auth_use_nsswitch(svirt_lxc_net_t) +fs_noxattr_type(container_file_t) +# Do we actually need these? +fs_mount_cgroup(container_t) 
@@ -116663,19 +116669,14 @@ index f03dcf5..481f902 100644 +# Needed for docker +fs_unmount_xattr_fs(container_t) --auth_use_nsswitch(svirt_lxc_net_t) +-logging_send_audit_msgs(svirt_lxc_net_t) +term_pty(container_file_t) --logging_send_audit_msgs(svirt_lxc_net_t) -+auth_use_nsswitch(container_t) - -userdom_use_user_ptys(svirt_lxc_net_t) -+rpm_read_db(container_t) ++logging_send_syslog_msg(container_t) -optional_policy(` - rpm_read_db(svirt_lxc_net_t) -+logging_send_syslog_msg(container_t) -+ +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(container_t) ') @@ -116763,7 +116764,7 @@ index f03dcf5..481f902 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1642,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1643,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -116778,7 +116779,7 @@ index f03dcf5..481f902 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1660,7 @@ optional_policy(` +@@ -1192,7 +1661,7 @@ optional_policy(` ######################################## # @@ -116787,7 +116788,7 @@ index f03dcf5..481f902 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1669,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1670,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 88f81d60..85fbc1e8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 233%{?dist} +Release: 234%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -675,6 +675,12 @@ exit 0 %endif %changelog +* Tue Jan 17 2017 Lukas Vrabec - 3.13.1-234 +- After the latest changes in nfsd. We should allow nfsd_t to read raw fixed disk. For more info see: BZ(1403017) +- Tighten security on containe types +- Make working cracklib_password_check for MariaDB service +- Label 20514 tcp/udp ports as syslogd_port_t Label 10514 tcp/udp portas as syslog_tls_port_t BZ(1410505) + * Sun Jan 08 2017 Lukas Vrabec - 3.13.1-233 -Allow thumb domain sendto via dgram sockets. BZ(1398813) - Add condor_procd_t domain sys_ptrace cap_userns BZ(1411077)