- Allow init_t to stream connect to ipsec

- Add /usr/lib/systemd/systemd-networkd policy - Add sysnet_manage_config_dirs() - Add support for /var/run/systemd/network and labeled it as net_conf_t - Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Add support for /dev/vmcp and /dev/sclp - Add docker_connect_any boolean - Fix zabbix policy - Allow zabbix to send system log msgs - Allow pegasus_openlmi_storage_t to write lvm metadata - Updated pcp_bind_all_unreserved_ports - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
2014-03-12 11:14:14 +01:00 · 2014-03-12 11:14:14 +01:00 · ab84f40064
commit ab84f40064
parent 24a25f20cc
5 changed files with 632 additions and 455 deletions
--- a/permissivedomains.pp
+++ b/permissivedomains.pp
--- a/permissivedomains.te
+++ b/permissivedomains.te
@ -13,3 +13,10 @@ optional_policy(`
    ')
    permissive docker_t;
 ')
+
+optional_policy(`
+    gen_require(`
+        type systemd_networkd_t;
+    ')
+    permissive systemd_networkd_t;
+')
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -23461,19 +23461,28 @@ index 0000000..89401fe
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..75d51ed
+index 0000000..412e818
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,240 @@
+@@ -0,0 +1,256 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
+
+## <desc>
+##  <p>
+##  Determine whether docker can
+##  connect to all TCP ports.
+##  </p>
+## </desc>
+gen_tunable(docker_connect_any, false)
+
 +## <desc>
 +## <p>
-+## Allow docker to transition to unconfined conateiners
+## Allow docker to transition to unconfined containers.
 +## </p>
 +## </desc>
 +gen_tunable(docker_transition_unconfined, false)
@ -23583,6 +23592,7 @@ index 0000000..75d51ed
 +corenet_tcp_sendrecv_generic_port(docker_t)
 +corenet_tcp_bind_all_ports(docker_t)
 +corenet_tcp_connect_http_port(docker_t)
+corenet_tcp_connect_commplex_main_port(docker_t)
 +corenet_udp_sendrecv_generic_if(docker_t)
 +corenet_udp_sendrecv_generic_node(docker_t)
 +corenet_udp_sendrecv_all_ports(docker_t)
@ -23701,6 +23711,12 @@ index 0000000..75d51ed
 +	virt_mounton_sandbox_file(docker_t)
 +')
 +
+tunable_policy(`docker_connect_any',`
+    corenet_tcp_connect_all_ports(docker_t)
+    corenet_sendrecv_all_packets(docker_t)
+    corenet_tcp_sendrecv_all_ports(docker_t)
+')
+
 +tunable_policy(`docker_transition_unconfined',`
 +	unconfined_transition(docker_t, docker_share_t)
 +	unconfined_transition(docker_t, docker_var_lib_t)
@ -59105,10 +59121,10 @@ index 0000000..d9296b1
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..fc9dd48
+index 0000000..d4c7e21
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,215 @@
+@@ -0,0 +1,232 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@ -59116,6 +59132,14 @@ index 0000000..fc9dd48
 +# Declarations
 +#
 +
+
+## <desc>
+## <p>
+## Allow pcp to bind to all unreserved_ports
+## </p>
+## </desc>
+gen_tunable(pcp_bind_all_unreserved_ports, false)
+
 +attribute pcp_domain;
 +
 +pcp_domain_template(pmcd)
@ -59185,6 +59209,15 @@ index 0000000..fc9dd48
 +
 +sysnet_read_config(pcp_domain)
 +
+tunable_policy(`pcp_bind_all_unreserved_ports',`
+    corenet_sendrecv_all_server_packets(pcp_pmcd_t)
+    corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
+    corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
+    corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
+    
+')
+
+
 +########################################
 +#
 +# pcp_pmcd local  policy
@ -59572,7 +59605,7 @@ index d2fc677..ded726f 100644
 ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 608f454..b01f04d 100644
+index 608f454..100a122 100644
 --- a/pegasus.te
 +++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -59591,7 +59624,7 @@ index 608f454..b01f04d 100644
 type pegasus_cache_t;
 files_type(pegasus_cache_t)
 
-@@ -30,20 +29,318 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
 type pegasus_var_run_t;
 files_pid_file(pegasus_var_run_t)
 
@ -59871,6 +59904,7 @@ index 608f454..b01f04d 100644
 +optional_policy(`
 +    lvm_domtrans(pegasus_openlmi_storage_t)
 +    lvm_read_metadata(pegasus_openlmi_storage_t)
+    lvm_write_metadata(pegasus_openlmi_storage_t)
 +')
 +
 +optional_policy(`
@ -59915,7 +59949,7 @@ index 608f454..b01f04d 100644
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +351,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
 manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -59946,7 +59980,7 @@ index 608f454..b01f04d 100644
 
 kernel_read_network_state(pegasus_t)
 kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +377,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
 kernel_read_xen_state(pegasus_t)
 kernel_write_xen_state(pegasus_t)
 
@ -59979,7 +60013,7 @@ index 608f454..b01f04d 100644
 
 corecmd_exec_bin(pegasus_t)
 corecmd_exec_shell(pegasus_t)
-@@ -114,9 +405,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
@ -59991,7 +60025,7 @@ index 608f454..b01f04d 100644
 
 files_list_var_lib(pegasus_t)
 files_read_var_lib_files(pegasus_t)
-@@ -128,18 +421,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
 logging_send_audit_msgs(pegasus_t)
 logging_send_syslog_msg(pegasus_t)
 
@ -60027,7 +60061,7 @@ index 608f454..b01f04d 100644
 ')
 
 optional_policy(`
-@@ -151,16 +455,24 @@ optional_policy(`
+@@ -151,16 +456,24 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -60056,7 +60090,7 @@ index 608f454..b01f04d 100644
 ')
 
 optional_policy(`
-@@ -168,7 +480,7 @@ optional_policy(`
+@@ -168,7 +481,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -104778,7 +104812,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
 ')
 diff --git a/zabbix.te b/zabbix.te
-index 7f496c6..eac3196 100644
+index 7f496c6..6a63c90 100644
 --- a/zabbix.te
 +++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@ -104865,17 +104899,17 @@ index 7f496c6..eac3196 100644
 -allow zabbix_t self:shm create_shm_perms;
 -allow zabbix_t self:tcp_socket create_stream_socket_perms;
 +allow zabbix_t self:capability { dac_read_search dac_override };
-+
-+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
-+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
 
 -allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
 -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 -create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 -setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 -logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
+
 +manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
 +manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@ -104897,7 +104931,7 @@ index 7f496c6..eac3196 100644
 
 corenet_sendrecv_ftp_client_packets(zabbix_t)
 corenet_tcp_connect_ftp_port(zabbix_t)
-@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
+@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
 corenet_sendrecv_http_client_packets(zabbix_t)
 corenet_tcp_connect_http_port(zabbix_t)
 corenet_tcp_sendrecv_http_port(zabbix_t)
@ -104920,8 +104954,12 @@ index 7f496c6..eac3196 100644
 -
 zabbix_agent_tcp_connect(zabbix_t)
 
+logging_send_syslog_msg(zabbix_t)
+
 tunable_policy(`zabbix_can_network',`
-@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',`
+ 	corenet_sendrecv_all_client_packets(zabbix_t)
+ 	corenet_tcp_connect_all_ports(zabbix_t)
+@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',`
 ')
 
 optional_policy(`
@ -104936,7 +104974,7 @@ index 7f496c6..eac3196 100644
 ')
 
 optional_policy(`
-@@ -125,6 +143,7 @@ optional_policy(`
+@@ -125,6 +145,7 @@ optional_policy(`
 
 optional_policy(`
 	snmp_read_snmp_var_lib_files(zabbix_t)
@ -104944,7 +104982,7 @@ index 7f496c6..eac3196 100644
 ')
 
 ########################################
-@@ -132,18 +151,7 @@ optional_policy(`
+@@ -132,18 +153,7 @@ optional_policy(`
 # Agent local policy
 #
 
@ -104964,7 +105002,7 @@ index 7f496c6..eac3196 100644
 
 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
 fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
 manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
 files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
 
@ -104983,7 +105021,7 @@ index 7f496c6..eac3196 100644
 
 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
 corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
 dev_getattr_all_blk_files(zabbix_agent_t)
 dev_getattr_all_chr_files(zabbix_agent_t)
 
@ -105259,7 +105297,7 @@ index 36e32df..3d08962 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 ')
 diff --git a/zarafa.te b/zarafa.te
-index 3fded1c..5729b83 100644
+index 3fded1c..91ce270 100644
 --- a/zarafa.te
 +++ b/zarafa.te
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
@ -105268,7 +105306,7 @@ index 3fded1c..5729b83 100644
 
 +## <desc>
 +##  <p>
-+## Allow zarafa domains to setrlimit/sys_rouserce.
+## Allow zarafa domains to setrlimit/sys_resource.
 +##  </p>
 +## </desc>
 +gen_tunable(zarafa_setrlimit, false)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 31%{?dist}
+Release: 32%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -580,6 +580,25 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-33
+- Allow init_t to stream connect to ipsec
+- Add /usr/lib/systemd/systemd-networkd policy
+- Add sysnet_manage_config_dirs()
+- Add support for /var/run/systemd/network and labeled it as net_conf_t
+- Allow unpriv SELinux users to dbus chat with firewalld
+- Add lvm_write_metadata()
+- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
+- Add support for /dev/vmcp and /dev/sclp
+- Add docker_connect_any boolean
+- Fix zabbix policy
+- Allow zabbix to send system log msgs
+- Allow pegasus_openlmi_storage_t to write lvm metadata
+- Updated pcp_bind_all_unreserved_ports
+- Allow numad to write scan_sleep_millisecs
+- Turn on entropyd_use_audio boolean by default
+- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
+- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
+
 * Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
 - Allow numad to write scan_sleep_millisecs
 - Turn on entropyd_use_audio boolean by default