- Allow init_t to stream connect to ipsec

- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.repos.d dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
This commit is contained in:
Miroslav Grepl 2014-03-12 11:14:14 +01:00
parent 24a25f20cc
commit ab84f40064
5 changed files with 632 additions and 455 deletions



@ -13,3 +13,10 @@ optional_policy(`
') ')
permissive docker_t; permissive docker_t;
') ')
optional_policy(`
gen_require(`
type systemd_networkd_t;
')
permissive systemd_networkd_t;
')
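Review bot: The new `permissive systemd_networkd_t;` block puts the whole freshly added networkd domain into permissive mode with no note of when it is meant to go enforcing, so every missing rule in the new policy is only logged, never denied. That is the usual bring-up pattern for a new domain, but a marker such as `# TODO: drop once the systemd-networkd policy has run clean in enforcing mode` next to the declaration keeps it from quietly becoming permanent. The enclosing file's path is not shown on this page, so I cannot tell whether it already carries such notes for the other permissive domains.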



@ -23461,19 +23461,28 @@ index 0000000..89401fe
+') +')
diff --git a/docker.te b/docker.te diff --git a/docker.te b/docker.te
new file mode 100644 new file mode 100644
index 0000000..75d51ed index 0000000..412e818
--- /dev/null --- /dev/null
+++ b/docker.te +++ b/docker.te
@@ -0,0 +1,240 @@ @@ -0,0 +1,256 @@
+policy_module(docker, 1.0.0) +policy_module(docker, 1.0.0)
+ +
+######################################## +########################################
+# +#
+# Declarations +# Declarations
+# +#
+
+## <desc> +## <desc>
+## <p> +## <p>
+## Allow docker to transition to unconfined conateiners +## Determine whether docker can
+## connect to all TCP ports.
+## </p>
+## </desc>
+gen_tunable(docker_connect_any, false)
+
+## <desc>
+## <p>
+## Allow docker to transition to unconfined containers.
+## </p> +## </p>
+## </desc> +## </desc>
+gen_tunable(docker_transition_unconfined, false) +gen_tunable(docker_transition_unconfined, false)
@ -23583,6 +23592,7 @@ index 0000000..75d51ed
+corenet_tcp_sendrecv_generic_port(docker_t) +corenet_tcp_sendrecv_generic_port(docker_t)
+corenet_tcp_bind_all_ports(docker_t) +corenet_tcp_bind_all_ports(docker_t)
+corenet_tcp_connect_http_port(docker_t) +corenet_tcp_connect_http_port(docker_t)
+corenet_tcp_connect_commplex_main_port(docker_t)
+corenet_udp_sendrecv_generic_if(docker_t) +corenet_udp_sendrecv_generic_if(docker_t)
+corenet_udp_sendrecv_generic_node(docker_t) +corenet_udp_sendrecv_generic_node(docker_t)
+corenet_udp_sendrecv_all_ports(docker_t) +corenet_udp_sendrecv_all_ports(docker_t)
@ -23701,6 +23711,12 @@ index 0000000..75d51ed
+ virt_mounton_sandbox_file(docker_t) + virt_mounton_sandbox_file(docker_t)
+') +')
+ +
+tunable_policy(`docker_connect_any',`
+ corenet_tcp_connect_all_ports(docker_t)
+ corenet_sendrecv_all_packets(docker_t)
+ corenet_tcp_sendrecv_all_ports(docker_t)
+')
+
+tunable_policy(`docker_transition_unconfined',` +tunable_policy(`docker_transition_unconfined',`
+ unconfined_transition(docker_t, docker_share_t) + unconfined_transition(docker_t, docker_share_t)
+ unconfined_transition(docker_t, docker_var_lib_t) + unconfined_transition(docker_t, docker_var_lib_t)
@ -59105,10 +59121,10 @@ index 0000000..d9296b1
+ +
diff --git a/pcp.te b/pcp.te diff --git a/pcp.te b/pcp.te
new file mode 100644 new file mode 100644
index 0000000..fc9dd48 index 0000000..d4c7e21
--- /dev/null --- /dev/null
+++ b/pcp.te +++ b/pcp.te
@@ -0,0 +1,215 @@ @@ -0,0 +1,232 @@
+policy_module(pcp, 1.0.0) +policy_module(pcp, 1.0.0)
+ +
+######################################## +########################################
@ -59116,6 +59132,14 @@ index 0000000..fc9dd48
+# Declarations +# Declarations
+# +#
+ +
+
+## <desc>
+## <p>
+## Allow pcp to bind to all unreserved_ports
+## </p>
+## </desc>
+gen_tunable(pcp_bind_all_unreserved_ports, false)
+
+attribute pcp_domain; +attribute pcp_domain;
+ +
+pcp_domain_template(pmcd) +pcp_domain_template(pmcd)
@ -59185,6 +59209,15 @@ index 0000000..fc9dd48
+ +
+sysnet_read_config(pcp_domain) +sysnet_read_config(pcp_domain)
+ +
+tunable_policy(`pcp_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(pcp_pmcd_t)
+ corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
+
+')
+
+
+######################################## +########################################
+# +#
+# pcp_pmcd local policy +# pcp_pmcd local policy
@ -59572,7 +59605,7 @@ index d2fc677..ded726f 100644
') ')
+ +
diff --git a/pegasus.te b/pegasus.te diff --git a/pegasus.te b/pegasus.te
index 608f454..b01f04d 100644 index 608f454..100a122 100644
--- a/pegasus.te --- a/pegasus.te
+++ b/pegasus.te +++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -59591,7 +59624,7 @@ index 608f454..b01f04d 100644
type pegasus_cache_t; type pegasus_cache_t;
files_type(pegasus_cache_t) files_type(pegasus_cache_t)
@@ -30,20 +29,318 @@ files_type(pegasus_mof_t) @@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t; type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t) files_pid_file(pegasus_var_run_t)
@ -59871,6 +59904,7 @@ index 608f454..b01f04d 100644
+optional_policy(` +optional_policy(`
+ lvm_domtrans(pegasus_openlmi_storage_t) + lvm_domtrans(pegasus_openlmi_storage_t)
+ lvm_read_metadata(pegasus_openlmi_storage_t) + lvm_read_metadata(pegasus_openlmi_storage_t)
+ lvm_write_metadata(pegasus_openlmi_storage_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -59915,7 +59949,7 @@ index 608f454..b01f04d 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +351,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) @@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -59946,7 +59980,7 @@ index 608f454..b01f04d 100644
kernel_read_network_state(pegasus_t) kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t) kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +377,21 @@ kernel_read_net_sysctls(pegasus_t) @@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t) kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t)
@ -59979,7 +60013,7 @@ index 608f454..b01f04d 100644
corecmd_exec_bin(pegasus_t) corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t) corecmd_exec_shell(pegasus_t)
@@ -114,9 +405,11 @@ files_getattr_all_dirs(pegasus_t) @@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t) auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t) auth_domtrans_chk_passwd(pegasus_t)
@ -59991,7 +60025,7 @@ index 608f454..b01f04d 100644
files_list_var_lib(pegasus_t) files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t) files_read_var_lib_files(pegasus_t)
@@ -128,18 +421,29 @@ init_stream_connect_script(pegasus_t) @@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t) logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t) logging_send_syslog_msg(pegasus_t)
@ -60027,7 +60061,7 @@ index 608f454..b01f04d 100644
') ')
optional_policy(` optional_policy(`
@@ -151,16 +455,24 @@ optional_policy(` @@ -151,16 +456,24 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -60056,7 +60090,7 @@ index 608f454..b01f04d 100644
') ')
optional_policy(` optional_policy(`
@@ -168,7 +480,7 @@ optional_policy(` @@ -168,7 +481,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -104778,7 +104812,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t) - admin_pattern($1, zabbix_tmpfs_t)
') ')
diff --git a/zabbix.te b/zabbix.te diff --git a/zabbix.te b/zabbix.te
index 7f496c6..eac3196 100644 index 7f496c6..6a63c90 100644
--- a/zabbix.te --- a/zabbix.te
+++ b/zabbix.te +++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@ -104865,17 +104899,17 @@ index 7f496c6..eac3196 100644
-allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_t self:capability { dac_read_search dac_override }; +allow zabbix_t self:capability { dac_read_search dac_override };
+
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-logging_log_filetrans(zabbix_t, zabbix_log_t, file) -logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
+
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@ -104897,7 +104931,7 @@ index 7f496c6..eac3196 100644
corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_sendrecv_ftp_client_packets(zabbix_t)
corenet_tcp_connect_ftp_port(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t)
@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) @@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
corenet_sendrecv_http_client_packets(zabbix_t) corenet_sendrecv_http_client_packets(zabbix_t)
corenet_tcp_connect_http_port(zabbix_t) corenet_tcp_connect_http_port(zabbix_t)
corenet_tcp_sendrecv_http_port(zabbix_t) corenet_tcp_sendrecv_http_port(zabbix_t)
@ -104920,8 +104954,12 @@ index 7f496c6..eac3196 100644
- -
zabbix_agent_tcp_connect(zabbix_t) zabbix_agent_tcp_connect(zabbix_t)
+logging_send_syslog_msg(zabbix_t)
+
tunable_policy(`zabbix_can_network',` tunable_policy(`zabbix_can_network',`
@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',` corenet_sendrecv_all_client_packets(zabbix_t)
corenet_tcp_connect_all_ports(zabbix_t)
@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',`
') ')
optional_policy(` optional_policy(`
@ -104936,7 +104974,7 @@ index 7f496c6..eac3196 100644
') ')
optional_policy(` optional_policy(`
@@ -125,6 +143,7 @@ optional_policy(` @@ -125,6 +145,7 @@ optional_policy(`
optional_policy(` optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t) snmp_read_snmp_var_lib_files(zabbix_t)
@ -104944,7 +104982,7 @@ index 7f496c6..eac3196 100644
') ')
######################################## ########################################
@@ -132,18 +151,7 @@ optional_policy(` @@ -132,18 +153,7 @@ optional_policy(`
# Agent local policy # Agent local policy
# #
@ -104964,7 +105002,7 @@ index 7f496c6..eac3196 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) @@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
@ -104983,7 +105021,7 @@ index 7f496c6..eac3196 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) @@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t)
@ -105259,7 +105297,7 @@ index 36e32df..3d08962 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
') ')
diff --git a/zarafa.te b/zarafa.te diff --git a/zarafa.te b/zarafa.te
index 3fded1c..5729b83 100644 index 3fded1c..91ce270 100644
--- a/zarafa.te --- a/zarafa.te
+++ b/zarafa.te +++ b/zarafa.te
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0) @@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
@ -105268,7 +105306,7 @@ index 3fded1c..5729b83 100644
+## <desc> +## <desc>
+## <p> +## <p>
+## Allow zarafa domains to setrlimit/sys_rouserce. +## Allow zarafa domains to setrlimit/sys_resource.
+## </p> +## </p>
+## </desc> +## </desc>
+gen_tunable(zarafa_setrlimit, false) +gen_tunable(zarafa_setrlimit, false)
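Review bot: The `docker_connect_any` boolean's <desc> in docker.te says only that docker can connect to all TCP ports, while the tunable_policy block for it later in the same file also grants `corenet_sendrecv_all_packets(docker_t)` and `corenet_tcp_sendrecv_all_ports(docker_t)`, so turning it on opens every labeled packet type in both directions, not just outbound connects; the description should say so, e.g. `## Determine whether docker can connect to, and send and receive on, all TCP ports.` The unconditional `corenet_tcp_connect_commplex_main_port(docker_t)` added after the http_port line is granted regardless of the boolean and, presumably because a local registry listens on that port, deserves a one-line comment naming the reason so it is not later mistaken for leakage from the boolean. The declarations and the tunable block are shown in separate hunks, so the rest of docker.te is outside this view.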


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 31%{?dist} Release: 32%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -580,6 +580,25 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-33
- Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32 * Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
- Allow numad to write scan_sleep_millisecs - Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default - Turn on entropyd_use_audio boolean by default
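Review bot: The Release bump and the %changelog disagree: Release goes from 31 to 32, but the new changelog entry is headed `3.13.1-33` and the entry directly below it is already headed `3.13.1-32`, so the package built from this spec would carry an NVR that the changelog attributes to the previous release. From the visible lines `Release: 33%{?dist}` looks like the intended value, assuming the existing `-32` entry was meant to pair with the earlier bump. The new entry also repeats `/etc/yum.reposd`, which appears to be a typo for `/etc/yum.repos.d`. The rest of the %changelog continues past this hunk.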