From aabe3f000e02b549d0dbbc6015c681a6d24481c4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Wed, 14 Dec 2016 16:29:22 +0100 Subject: [PATCH] * Wed Dec 14 2016 Lukas Vrabec - 3.13.1-231 - Allow pptp_t to read /dev/random BZ(1404248) - Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t - Allow systemd to stop glusterd_t domains. - Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base - Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323) - Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs." --- container-selinux.tgz | Bin 4957 -> 4964 bytes policy-rawhide-base.patch | 49 +++++++++++++++++++---------------- policy-rawhide-contrib.patch | 41 ++++++++++++++++++++--------- selinux-policy.spec | 10 ++++++- 4 files changed, 65 insertions(+), 35 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 9b07a0f33c013c46b0d2cd40a423a0cbea5e92b4..734bfcddf01b5255bdd26ea4661d865a63eac34b 100644 GIT binary patch literal 4964 zcmV-q6PxTGiwFQTUr|^91MOYwkK8tr&)4a{La+mPCa`DxN&<|tdpIQb;XWKT*v+@i zomMTeyA|uTqBM^){J(D%U!o+EqSR`87H9!>cS}`2l0~vuRV-@avS^~TAoX>+`{qQ~ zYq);+;XQu7`SJVL`X^lP-n@JL!#D8X+xKt3|M5N2y?OWc&D(E+*QctGezmlT>LBZv|Ntwf!YsPw`@diItQ61$$5#{7h&p6ey zKaWcIg*^zOEGzFx5;SGd)KNiGY?KM~hM~guOiI zyZ@8TdR(7rMdEaqLI?4V#I==-R30lc;R6Esk6heOs0WW5C>G7OK;#CY|4&pz`{6?J zH0D^&s&+EnCg6|JZW3c^!kkn~8hh|5nF3lrqEb6eH#*eiNu~cYXiU&b<@OJdH$?{{ z(z*gl>2=2=vfQW5A&7vmZ9u|J8V9WPo$~?W3f=TO|PH?1)ilW3J!*NE?#JO*Sj?^kMw0Ez*XGzw0QDod`oq z7Q}liMe>?tB^v7>sT9T&dlHCCGK+5Al^nbR#d4ouO*oFhAJuAdiywg+8OkG_;1U%I z!~!OMO76`?1w*VZaRy8T&{lD?q9O_I>(pdm=Ol-f>+4VIdyr8+cLdqu35o{#ArCmV zl>H284uu&618MfBWz{^+UBZI_zEzyT%y?r2^+tWqM0LVyv8LtM9vsyiM?B>vHTBiyt@PqOnn{aRh*^Jy~~k!+g7NFlnr$L9;{V12y7^9fJlVwA?_6~ z2cN47!qgm8fgXor5XC}_R~e`Zs`rYg?Q95wbt7k&?ypI4w*2Q)s-c2v>rgoJEi8Bfeb`GHS{^m9q^N=o(h1FiP^Y;5rvKJZwXqD`kmv ztsVf{ks*$nBkUKq$SXXB zQLlB{-+ukMD}X-bo~vT--a}ekyWzvPr}%AVmWNPRwv6(Y(}A1Ez;97PvOb(H5Y=kR zS@x@Ot3yVR>K1Ahi1sm8o6YwW3Wha`#R2Upe3Zw=1M9(9KR z#+EJEa^?qn<9)ttd%B9k9}hl(BUgho0-ElNDB~_o@cF|$ryUAon%zt&E9Q=VyAZSx zw{=cT@r$U{fFGso0l+&0xuwmi`1fAyqWOkE(loa=PNpL`G8ThsVHAjwLE*3}vowBW zBU}cKM5HK!8PLd0x-0GZL}2N~+5y2ZYMX<|<{3o=*~2H6^~CBsCozpN^t6T6BmA*^Tf4CMTDZ64P8`6lal7F1aaDt2A7b%^Qv zZ2p8X^yY9gg9V|sWm_baO&Hv9TSu4iO+y8LMDAu+#YJ&yy@g{cSiX)oJ7E=!ibn&y zSTndRz~qDlt$wUZXfC%@Q!1qWH?(T; z;8H*Lu>+I0Rr=?c)0kGKRcG+nfn>}(8q~!P$(V-IAq^iZBsY}G1TiAvQ%9A?+vS?o zIEn@i_q#1(@9!56gsvVsYSrK6v>B~tUVSr0W0kjErHc+5YSn*zR?^pqew;vSqv}Bg5Q4rHK@wEQM>b%&^8<$RY=no z(N=GRGRVP5dl~Gaj1p*%&2EHZ(g^J`ro%z?IL(|swKRQLj!Y7fyevYlNiPj0xy}r6 zu8_9dKSEe0<3m*J+0&c_PE2r$3GF*i4&^?Ys%Nj=Mpwa{{QO z9*UE@HGMJidn3u~VVE(!m+YN^4!vEP%h%r@zU)06k0TWz>{n4sF5q}fT;{lc|FB%)^uYa)fg=9W6A(BN6chuz~zw3gf^<6 z2s#gU+%E@Ajv1a;qgjr(RL{VV0b-BUiM*o*>>cf)!%sUt(wavV8*t-MWgeyGi1Pq- 
z7;fl;kAol9GKQq%qO`zpzm(qAgN*R1o0mp}F}%!->SK3_RXjZZjZ61S9L3}9hi{N7l%k2)n0oaa`CQX9;V^JmnR+eoNuy5P6P*>7oh4N@j43*F)1Gmt(=khn5y2PG+ijBAZfI7BpS1_~z}@B|YOt+ zXCqEo#x^^luzXa|fQh}oL(@GU+<_fe={wy;ojXl<+w?VQS##9+7UpJ^#fL?+%=Joz zrGv!-bN1lyz+4+|_H1`y`t-0Mp1ErJj$&1nb(UFk()>xVyA1kM!oOV~-*iIbG(~8q zD^6Dco(I`H?`SM1%G{3W9OX3i0)-_L-xG7T((}Zft@u1~)mgH&foE&MDO?{-*n8>L zOb^0zHp{=tD;ls2%lj*K8rjU zyZ1`ZbYWSH)edie7SVYTq3j3gjcw5)_a8x;Bom1we7}+9lbH3iPF;}ZzN|m`lCvcC zM;bSoQPdsrJtBLNf;?z^AcgMH z_!H_9%0^})vpv(Td1w2oPel(T%N%ehF$@#4y@WmdtkXCw%EVFyorRJjfs*bNTe@4o zw6LtfmW_ptwTg8i<}FOq$0A$d&@`225t1b?^SsK)L&!RKnwM=5%$1;#Xc?-7=3Om3HbE!KRz-2}!L~LPBs|NGS7INcj)$jNu@Y?ib$-tZE zLG}>yW38A@H)l6LiQ*8$0Ck!Ww88dif*%#`&%s(Z_GwvTWEFFx2E%aWoTb zwOM=fq73nY-NcF(RbbZ7=(y)p0WjE5$%UXA)rNM!%`SGox5YiV$1S<|l<#kr8xg(o z0Fr&(r2%|0ZN3MnJGf&vKe6DGBPk$=<#Fl>VOl)WF626obsVzw4c_UgZ^G*B)&MUf zdCx8GyR-roRP4$Li~64}p-sqMU^Yy5HPDOpggK0ASo7RAy(D&9>;__|!>|F5M_-sN zX1zuPa2Ue3IRHS(v}z0L%OYAulie{5)zqbkT zt|o0U;gKJ~Fli)?I3}zzGn0zZ&EirKI2RXRsi``A<0?RmP^9*uE8rg`aa*TmFW!XP zZ?D}V=0=grECr&r@FJ^;2br$~R6huF-7%zwq>c`Fj@5)!jf$-}8(Hw%Uw-*Z@Km^*#jLhb6!^QZ`e!T z4=w10Y-@F1ShNY95#`3?VK5`DBCVSI!9gMw5g=I`%?L%arwQe_YYSY4V|)c}*jVei z!F3F5`_3kXb&$eMyMfR0Y`IIsrh!VYwK)$ROWlO(mwW-Jxg43p=40q8TJEE|GTIGX zDujhMoB^zkgLg$&kfZfRCYek!m&dLkOb)}o>c$s*$0Lt({EcMWQW+Y>ul&_{7H5i| zonT~#$VtS90e?#czNQ0*kEKn{cYUbBFt;hS86zh8JcFw6?K=^&2*4}lQ~>>_S|RUnnj8gG)$x3++vMsSZo2BlA5T z(dQ;->~@#nOYJ_$W{Pz~ueNQdFb2>o5r!fJJ?7)5?5wW2l@4dsP+>!QKTl7(=n;3P z|Ba|7m&1jY{aIOiewJbvGT>#*MF-98h(yh^PQ2Lb2uYrE9~!7?c{%g$c$*CS0Fz!K+P z7aTm&IcJ_aQgJm4oEA7%r@VS+b*$^Td^^!ZGRgESmR!#!^Ga5NcV>dDRE8@lWquNe60F3^Fea;Z8;B+ACB<+J2fmB4h;f+j~>w(;Hus^lQJaVf9Nj@p^Z% zcU!pM|MB{V@868y|8f5N&tK-c!M(nl->>=UWcDr|7I=ApHIy&2?XCFxQT1&%AH*p` zif;(HX=!}})*CuzHyr2Y`n!u)ue{OZDlA?XiKr$}@uvw^f!?M?hqo3WJc|)-Ej&f_ z_y4>3-|x7(Ubpe$<^AhbS-{3^4bIW}xJ7waW^GPh31Q5E*WXC053&C68Wpi(3F~!Z z2Q7RC@wseFYwuVP=&-s9s7sj3SO0P0jTOt&xJ&>Yju>f2!EJ89R?!4H7p!wLS>^g* zfOW%5`yJ0Uc!Nsc*957kD576~_dA}}^sg^J_c;wLk4pF>`&XKsl2`{ABgk{R%!MaT 
zxd_M=5#JsG*6A;$SBNhqn4y$@1m?B6P%w_`~uiWqWhqh*|)e~^&tpgri2T%OP zt(8P5lq@%Z=v>fIv_jKk0DO}@#B(9V+cb2b{W2V>Nxrr_cfQWo`8r?c>wKNB^L4(? i*ZDeM=j(i(uk&@j&e!=mU+3$5vFl%=%W=N|pa1~7s;+ea literal 4957 zcmV-j6Qb-NiwFQSd`VaU1MOYikJ~m9&+GcH5RwAfEt1{MCQX1%+ry!`hkH1*X!CZt zQ)P*^)#$6Dv>zAbf4>=iNR&iUlq@G(zycE6(#((KkQ~kohuSdDsvyotc^+>b9q77* z>-Fnb`1#_^cbDoXTrXd|ynOu#{=2%mdh`17^~*<>FJ4|RnsacJ?~L+ zQwD1i8tKNK|3$CWlPBKyv`*8Yy#Mk2j(B-Nvgb6f%aC|MQ6zB~RB@hpp&Te4$+qx$ z{{4kyTLFmM)hP{roc!aCgmpy}^f>dXoq8k6Q}}YuST7V_@B1PsgVf7{l>G3RQ$7B1 zP{KR*zzdQjza^1ZBcGC>40rxI&Q8C1 zake^<#rZ{0L9Otv8BF)2I$L1@2k0n}?1Swkl*g1Fa_fvR$QY%y6ZVw%Z>&s3+)2Fl zBB*{?LE)0{Qn`+z+S+_Zuh%%{D{i8lnFy$bxNuA$b^c zEM-+Ym~IpB`)D_bF*aciswK5O_>fEir5{nL9i|&C>hhq{{|PiEXr+Ap2gsYEgApiQ z0i|@h;~rUV<7(#xKv-8G;VKS2*80|Y0Ck6SfuaYCGQPobkn#(5Xb)M`!pB-@@X-}# zP02S*6LX=U@(!7lrWD0_{V)kAH5A334a-^+QCu{oJpBK$mlr7iAo<~ORo12^B5AMK zHHovWQ?dFfB6Xazd#;@zHg8**1m9f2znAdu)w1^4FaLb^KvoWB#T0QgZQTH0*r0F# zicT4?t5C1G^~+p4bylT#{LI>n7*m1t^x=2y4P|H2$bklWY9&nvv0Xq$6CSLY`Q_ z#81h+Iw@d?l{wCUkpS8vZdQ;*-fbD{4D6JouyTFQ#_%efqqCmjxA+B zL7IJGdR|YO-Dz1=_fwZ}uZM3Gr#CU)SW_5m)jd;>I2XD?l{2I#+KAi~6-CM7LlhK# zYUC>kuftvG^9ge6LoJpOGG5$WY#l_t`YOW4ZzQXxh#Ie9NfwbahDl;?7iug&@r+S^f>`V%C{w-#1qEi_Q<@|5()fLIj8qRU!nUK)|)nfJJPb`E@x&t~I9 zdH8WY2nB9`P$RrM2MtVp73X=F#L&I-k$Bq{sEL#fbp95sRW=ArC~Sa8gyb&l6fXy# ztqQ`_>{Ws8hoce2OpNCVs0ym~ilgnU34*mFXA^JFNp`a&>Mo}hT^f-2ItyZ!gyzZ3 zIZ9v=Sl&};ye$ZqgPoiN_sb(*EeIJ@c^b>v1`BivtCJr@X`FGLiyI!Mq0W`EL^^LC z0NS1*jy%hxAKxsl*my7Sz@WYJXa!4e%Je9yzPg>rYlG`5)_V3{x2s3kEpC=qcnG6j z>9pT|`Kc{{KIEP&Lg(H?T3ox~!?maQZDyAHP*=8$@|M${o5#SfQ9`mloX!)~s`5$p zt9GkHMv%%HYUPRcF;|<-_ZSL>HHyUnyNN6}ahYf7B*XSF-Nov;uSahT&dMIOhX96_ zE!cAU2V3oZzHB?XiozfFK7k`wf;2oDZ?hobE{*s3?KGzy3S*jGPbe#9kAB+_ln}RZ zPK@!3s8x?2rR)H}I|I3;&Drp8o!CY5HG!mYZe^T|M{r~;2GznK5F>-aevv0}c+W<- z3>=9_Q2;ZblACmA%JY%H($l2_f__j}JCV&ZhzhcY4=n46)ptr_8e`~a3#G|>rlcuI zgWLP2)au=kC}m1x-O%&gSXK`Qh3;to74P*5NEDk{VR(vSw=^)AiZ( z38U%F{$>UXLap;Uizu5gxZ}2rF5{bq4g4Otn{5?m#i`X64yj=I+TZMiRWQizHSl81 
z;IaUd6Be}czR01u+)|CHkoK3GG4Q?26A}i+#i-=l>dwubwV8gLj&Jm|CGp-+s>Op# z-Q33(Ox|wNKZl&!v@)eSy~h?LZQfC@E^bKLG@KTx|F}W2Lp7NoS|ogGsnT$}T(KGl z(ZK$Gw?XXP{ol5NJV8do z*6TlfSSG_=kZsx1lm$+7a19gMca9t@RmTc;ymcy6Dnf~b9=~MPJeAaaxp4oaD-V8e zAVM{sGNgABqBUZnwoCEdx*NTxou|VA(M0;XRaCMBI35$1K0v75;qSu9U4OYRg`fOp z$a5G@`}{*(8P)6}w?SB5Pw|^IT^kYAMt!@OG7`)Y6S>EK+UL@t4Js(2$NjDI(;ky$ zs;0$Yy5g;-XW&No_f`+AMAYOLw?FvJ58L8Os(>}}81+-lVVMYas$Cqb##2sqgxyuDH{cR^I?Qp zw?oMa?%s4ntHNRdlsX!qOkr;a#g(^a8k*L$AX#MN?2llzDd;1z0Rv`$HSB7zI<&`x zMl2+miZNUdb*EMK1sk3|nvFP`a^i@r%R!mZbh+Z|_eJOQj2)3fkt%d=aSPbXb(`5_ zZj|VDQRg(*jMg)YoZ2eUK4Du~zLWR4$q$^@*sbQq+@@NwCQlL*o<4oj4NMW7tdIBk z%t^5^gljn&`MD@q0xQ52YuKjD({??>rDvFtHd0M(GKQ#oKSB2SA2iR-;o;1_@0hp7 z2lK|lMC{39!xg`4+dGYv9<*V^>?v@x_bre17P>3`K7w~|gRrR%S%^I3aL6*&$pMAs zqJnx%>_r@k?g6htZtzd57|avZMV&fLc-z!9X`e%BCcY!)WToebJ6Z8L;x>oEmIj`z1;=n*G-2oMSra`7-61RY zDlcfjjvcL^J9?ckry7xt!1IQg1MsY2X2aDTJ#>fE4TGlbY(TgShZ4guG22Vn!p|}e{Vb0RRZv+d$s#D}reTXWGni(U)!VW$ zu(4LLF2n?car#iC9qg*Aa4bTygn6143AyuG2aofz4T7l>)H01ru*2pk4&<3QC>oZL zB7_oULqBZyxDC{txScU#--%BeOpu(+Who4Oa9*!%nb(E2UV@T4&h$P_;_RcDR-~Q> zrr8K2ojRH-NUOZWm8}eJeYRJ22PSe9(~kyvw#9?`DWmi@uEL$3P8>k#iwo@aD8Ds8 zi}%XNj6gjVBf{sksYUInC>%Ph_>^u9)E#0_^%#}~YLjyi(@+^~Y-2Y5Utr0uVNs9f zB#x;MNL|HZfr!W^sFR9&DR-tJuX6AqZ-Tz3IF%yd{rLP)xk0vqm?`>rW5v~+-YSdK z=;5F7$GnAW3xyfrslL<=4B$MWBO*31$3=ySVl%n%{pdG*5;$#ovaH_K6EC?7`T11L zi<`2W9|fV0VSqA@2-;xVIKqzt_vhiW#-I08?C9gSb)Hx33m9tht2ko`w%Vk}K%mTM86@&KZ3*`@(} z(rvzbs5`i0H$Ac7lO-v@3+1`!5n&oU(l+Eejdd8Zbq(IBsc*vSZPx%NBYDd$?why( z6_joA5sUiIn$XH;ZzAjGt!n5+d;AneHLQ7dn_d#zEp`pD)nQnH$D=OH2D4rv0yqre zn;Zb3WLmWb^<@xkLzCPv4ONx7rCfYz7Zz!yNb(e5Iz%DH>Y=VuT{K3ta~PC<*H_)_d_f+-`f#7BM%9 zY-TAC)tM7nNgT*rCD8PPFxM?Zs!wX^fG1c@Sk79i{Dk4BKHkuKNW{(rfaaU)!42SqGTfZ{abA{^|*!HbW z3hN++n`Q%_<=JwVh)shgz1HMBv@B)iH^1bYJoV+s95xq2x1r@esx6~k!_|ba@P;*j z)pGEzXbZBmUdtqtNv86c6@<=V*cR>hg70{Caf-hYt!pYnqxhA-1JB@0@v{?*Y!_IG z_%PtFo51&N;P5fD$@krItI^r=y(XrRpU z{_4i8GC8y+#*BH^8OB+RCxc))Pzl>3?30SRiOXs{NWjS~t~-0~GVyhkJ_W;cof~v+ 
zTehUL%|lKtH+fv?<*e;6ut8|xdg5*J65VtG(7uYrr@V#cCOvBoOEqWTJ3OM#bxNow(@Z~Yu}D^WyS zG@JHS-q`}h_=`rrT9z_V1M}+G9$7c8^^Ck-@Ec6!AxHw%lJeAb)d3HW#bsJlew)V! z)jh-!WTErxbyqoZeRVdbLggC=Tcv5zC$gS>=l2{(Z~TTaqe}-!6TJ( z;;Ex1u4aH!0>{lMug+N=<9aS%Gc=M+GXAb4+q2QUl7--{nIH?5VM_|xw+MTFhzt67 zj)+szK{G0PnHQRHXG3b+D{P3A{WN(*NDJn+_tub)Z+uD8ul?SIhjKNNIo}-Y-4^!u ze_X!)?!}wq-+%r}*9C47UVJ#`hnm^Dcv!sV4whcNI@j0Y??;u_?KBdH6DhtSSV zEx&Bz#moDbtFnL%>k@pb<#Dt8CQs^=JQu>40+Pz{F7mIu)$-PFdx;V1RYOOZ$Mw zA)G;_%dCTJs3@YJfBOLsdAiq^9~T`5mM1LSk=-lJ4p%G#jDhE=U1q}*hhqfff{0gp zK(?5z94EpVhN;po{BK($&r*%RJ%md6TiL9Sqd(SRC{GyZ0T*NYSP2w*+v$cn<8{1_*YP@D$Ln|uaUQB diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c2288f89..9b14adfc 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -10068,7 +10068,7 @@ index 0b1a871..29965c3 100644 +dev_getattr_all(devices_unconfined_type) + diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..1a2713b 100644 +index 6a1e4d1..f23f6a6 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -10107,15 +10107,6 @@ index 6a1e4d1..1a2713b 100644 ') ######################################## -@@ -128,7 +103,7 @@ interface(`domain_entry_file',` - ') - - allow $1 $2:file entrypoint; -- allow $1 $2:file { mmap_file_perms ioctl lock }; -+ allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans }; - - typeattribute $2 entry_type; - @@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',` ######################################## @@ -39984,7 +39975,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..218750e 100644 +index be8ed1e..aa38f90 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; 
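Review bot: The revert that drops `execute_no_trans` from `domain_entry_file` (the removed inner hunk `-@@ -128,7 +103,7 @@`) is given no rationale in this commit beyond quoting the reverted title. The reverted rule let a domain execute its own entrypoint file in place, without the domain transition the entrypoint normally forces, so restoring the transition requirement is the tightening direction but will bring back the AVC denials the original change had suppressed; the changelog bullet should say which report or regression motivated it, e.g. `- Revert "..." (restores the transition requirement; see <bug reference>)`. The following inner header `@@ -513,6 +488,26 @@` is left unchanged, which is consistent since the removed hunk was line-count neutral (7/7).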
@@ -40120,7 +40111,16 @@ index be8ed1e..218750e 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +154,16 @@ optional_policy(` +@@ -119,11 +149,25 @@ optional_policy(` + ') + + optional_policy(` ++ plymouthd_exec_plymouth(iptables_t) ++') ++ ++optional_policy(` + ppp_dontaudit_use_fds(iptables_t) + ') optional_policy(` psad_rw_tmp_files(iptables_t) @@ -40137,7 +40137,7 @@ index be8ed1e..218750e 100644 ') optional_policy(` -@@ -135,9 +175,9 @@ optional_policy(` +@@ -135,9 +179,9 @@ optional_policy(` ') optional_policy(` @@ -40184,7 +40184,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..549c41b 100644 +index 73bb3c0..fffae71 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -40222,7 +40222,12 @@ index 73bb3c0..549c41b 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -103,6 +106,12 @@ ifdef(`distro_redhat',` +@@ -99,10 +102,17 @@ ifdef(`distro_redhat',` + # /sbin + # + /sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) ++/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0) + # # /usr # @@ -40235,7 +40240,7 @@ index 73bb3c0..549c41b 100644 /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -111,12 +120,12 @@ ifdef(`distro_redhat',` +@@ -111,12 +121,12 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) 
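Review bot: `plymouthd_exec_plymouth(iptables_t)` is added to the iptables domain without appearing in the changelog entry, which lists only the pptp, glusterd, sln and revert changes plus a generic merge bullet; the same applies to the ctdb additions in the contrib patch (`corenet_tcp_connect_gluster_port`, `corenet_tcp_connect_nfs_port` and `rpc_read_nfs_state_data` for ctdbd_t). Letting the firewall domain execute the plymouth client is a privilege addition a reader of the spec history cannot trace back; a bullet such as `- Allow iptables_t to execute plymouth` with its bug reference would keep the changelog complete. The renumbered inner headers (`+@@ -119,11 +149,25 @@` and the `+179` bump below) are consistent with the four inserted lines.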
@@ -40250,7 +40255,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -@@ -125,10 +134,12 @@ ifdef(`distro_redhat',` +@@ -125,10 +135,12 @@ ifdef(`distro_redhat',` /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40263,7 +40268,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -141,19 +152,23 @@ ifdef(`distro_redhat',` +@@ -141,19 +153,23 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40292,7 +40297,7 @@ index 73bb3c0..549c41b 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -182,11 +197,13 @@ ifdef(`distro_redhat',` +@@ -182,11 +198,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -40306,7 +40311,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -241,13 +258,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -241,13 +259,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40322,7 +40327,7 @@ index 73bb3c0..549c41b 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +284,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +285,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40353,7 +40358,7 @@ index 73bb3c0..549c41b 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +314,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 70263d82..e10ed4d8 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -20522,7 +20522,7 @@ index b25b01d..06895f3 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..47199aa 100644 +index 001b502..9892b34 100644 --- a/ctdb.te +++ b/ctdb.te 
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -20576,7 +20576,7 @@ index 001b502..47199aa 100644 kernel_read_network_state(ctdbd_t) kernel_read_system_state(ctdbd_t) kernel_rw_net_sysctls(ctdbd_t) -@@ -72,9 +89,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,10 +89,16 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -20588,9 +20588,12 @@ index 001b502..47199aa 100644 +corenet_tcp_bind_smbd_port(ctdbd_t) +corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) ++corenet_tcp_connect_gluster_port(ctdbd_t) ++corenet_tcp_connect_nfs_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,14 +106,18 @@ dev_read_urand(ctdbd_t) + corecmd_exec_shell(ctdbd_t) +@@ -85,14 +108,18 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -20611,10 +20614,14 @@ index 001b502..47199aa 100644 optional_policy(` consoletype_exec(ctdbd_t) ') -@@ -106,9 +131,16 @@ optional_policy(` +@@ -106,9 +133,20 @@ optional_policy(` ') optional_policy(` ++ rpc_read_nfs_state_data(ctdbd_t) ++') ++ ++optional_policy(` + samba_signull_smbd(ctdbd_t) samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) @@ -32116,10 +32123,10 @@ index 5cd0909..bd3c3d2 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..52b4110 +index 0000000..a3633cd --- /dev/null +++ b/glusterd.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,29 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) 
@@ -32128,6 +32135,13 @@ index 0000000..52b4110 +/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + ++/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ ++ ++/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) @@ -32411,10 +32425,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..0a33da3 +index 0000000..40c6ade --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,305 @@ +@@ -0,0 +1,307 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32604,6 +32618,7 @@ index 0000000..0a33da3 +init_rw_script_tmp_files(glusterd_t) +init_manage_script_status_files(glusterd_t) +init_status(glusterd_t) ++init_stop_transient_unit(glusterd_t) + +systemd_config_systemd_services(glusterd_t) +systemd_signal_passwd_agent(glusterd_t) @@ -32622,6 +32637,7 @@ index 0000000..0a33da3 +userdom_delete_user_tmp_files(glusterd_t) +userdom_rw_user_tmp_files(glusterd_t) +userdom_kill_all_users(glusterd_t) ++userdom_signal_unpriv_users(glusterd_t) + +mount_domtrans(glusterd_t) + @@ -76636,7 +76652,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..b03d137 100644 +index d616ca3..76f9b25 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) 
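Review bot: The two new `/usr/libexec/glusterfs/...py` entries leave the `.` before `py` unescaped, so it matches any character; the regex-escaped entries in this file (`/etc/rc\.d/init\.d/gluster.*`) show the intended form, and these should read `/usr/libexec/glusterfs/peer_eventsapi\.py` and `/usr/libexec/glusterfs/events/glustereventsd\.py` (the existing `ganesha.nfsd` entry has the same looseness and could be fixed in passing). The two consecutive empty `++` lines between the sbin and libexec entries also break the single-blank-line layout used elsewhere in the file. Labeling the python scripts `glusterd_exec_t` makes them entrypoints of glusterd_t, consistent with the `glusterfsd` entry, but a one-line comment naming the eventsd component they belong to would help the next reader.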
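Review bot: `init_stop_transient_unit(glusterd_t)` names glusterd_t as the subject, whereas the changelog describes the change as "Allow systemd to stop glusterd_t domains"; if the intent is that glusterd_t may stop transient units, the changelog wording should be reversed, and if systemd is meant to be the subject, this interface call looks like the wrong direction — please confirm against init.if. In the second glusterd.te hunk, `userdom_signal_unpriv_users(glusterd_t)` sits directly under the existing `userdom_kill_all_users(glusterd_t)`; a short comment such as `# glusterd signals (not only SIGKILL) user sessions it manages` would explain why both are needed. The inner header bump from `+1,305` to `+1,307` matches the two added lines.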
@@ -76911,7 +76927,7 @@ index d616ca3..b03d137 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +266,45 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +266,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -76942,6 +76958,7 @@ index d616ca3..b03d137 100644 +dev_read_sysfs(pptp_t) +dev_read_rand(pptp_t) +dev_read_urand(pptp_t) ++dev_read_rand(pptp_t) + corecmd_exec_shell(pptp_t) corecmd_read_bin_symlinks(pptp_t) @@ -76970,7 +76987,7 @@ index d616ca3..b03d137 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +312,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +313,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -76985,7 +77002,7 @@ index d616ca3..b03d137 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +329,10 @@ optional_policy(` +@@ -299,6 +330,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index ea5883ee..add14296 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 230%{?dist} +Release: 231%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
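Review bot: The added `dev_read_rand(pptp_t)` duplicates the identical call two lines above in the same inner hunk (`+dev_read_rand(pptp_t)` followed by `+dev_read_urand(pptp_t)`), so the applied policy gains nothing for pptp_t's access to /dev/random. Duplicate allow rules compile, but the fix for BZ(1404248) is then a no-op; the denial should be re-checked against the audit log — it may involve a different permission, object class or file type — and the redundant line dropped. Dropping it also requires reverting the inner header bump `+266,45` to `+266,46`.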
@@ -675,6 +675,14 @@ exit 0 %endif %changelog +* Wed Dec 14 2016 Lukas Vrabec - 3.13.1-231 +- Allow pptp_t to read /dev/random BZ(1404248) +- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t +- Allow systemd to stop glusterd_t domains. +- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base +- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323) +- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs." + * Thu Dec 08 2016 Lukas Vrabec - 3.13.1-230 - Label /usr/bin/rpcbind as rpcbind_exec_t - Dontaudit mozilla plugin rawip socket creation. BZ(1275961)