- Allow init_t to stream connect to ipsec

- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
This commit is contained in:
Miroslav Grepl 2014-03-12 11:14:14 +01:00
parent 24a25f20cc
commit ab84f40064
5 changed files with 632 additions and 455 deletions

Binary file not shown.

View File

@ -13,3 +13,10 @@ optional_policy(`
')
permissive docker_t;
')
optional_policy(`
gen_require(`
type systemd_networkd_t;
')
permissive systemd_networkd_t;
')

File diff suppressed because it is too large Load Diff

View File

@ -23461,19 +23461,28 @@ index 0000000..89401fe
+')
diff --git a/docker.te b/docker.te
new file mode 100644
index 0000000..75d51ed
index 0000000..412e818
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,240 @@
@@ -0,0 +1,256 @@
+policy_module(docker, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow docker to transition to unconfined conateiners
+## Determine whether docker can
+## connect to all TCP ports.
+## </p>
+## </desc>
+gen_tunable(docker_connect_any, false)
+
+## <desc>
+## <p>
+## Allow docker to transition to unconfined containers.
+## </p>
+## </desc>
+gen_tunable(docker_transition_unconfined, false)
@ -23583,6 +23592,7 @@ index 0000000..75d51ed
+corenet_tcp_sendrecv_generic_port(docker_t)
+corenet_tcp_bind_all_ports(docker_t)
+corenet_tcp_connect_http_port(docker_t)
+corenet_tcp_connect_commplex_main_port(docker_t)
+corenet_udp_sendrecv_generic_if(docker_t)
+corenet_udp_sendrecv_generic_node(docker_t)
+corenet_udp_sendrecv_all_ports(docker_t)
@ -23701,6 +23711,12 @@ index 0000000..75d51ed
+ virt_mounton_sandbox_file(docker_t)
+')
+
+tunable_policy(`docker_connect_any',`
+ corenet_tcp_connect_all_ports(docker_t)
+ corenet_sendrecv_all_packets(docker_t)
+ corenet_tcp_sendrecv_all_ports(docker_t)
+')
+
+tunable_policy(`docker_transition_unconfined',`
+ unconfined_transition(docker_t, docker_share_t)
+ unconfined_transition(docker_t, docker_var_lib_t)
@ -59105,10 +59121,10 @@ index 0000000..d9296b1
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 0000000..fc9dd48
index 0000000..d4c7e21
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,215 @@
@@ -0,0 +1,232 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@ -59116,6 +59132,14 @@ index 0000000..fc9dd48
+# Declarations
+#
+
+
+## <desc>
+## <p>
+## Allow pcp to bind to all unreserved_ports
+## </p>
+## </desc>
+gen_tunable(pcp_bind_all_unreserved_ports, false)
+
+attribute pcp_domain;
+
+pcp_domain_template(pmcd)
@ -59185,6 +59209,15 @@ index 0000000..fc9dd48
+
+sysnet_read_config(pcp_domain)
+
+tunable_policy(`pcp_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(pcp_pmcd_t)
+ corenet_sendrecv_all_server_packets(pcp_pmlogger_t)
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
+ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t)
+
+')
+
+
+########################################
+#
+# pcp_pmcd local policy
@ -59572,7 +59605,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454..b01f04d 100644
index 608f454..100a122 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -59591,7 +59624,7 @@ index 608f454..b01f04d 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,318 @@ files_type(pegasus_mof_t)
@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@ -59871,6 +59904,7 @@ index 608f454..b01f04d 100644
+optional_policy(`
+ lvm_domtrans(pegasus_openlmi_storage_t)
+ lvm_read_metadata(pegasus_openlmi_storage_t)
+ lvm_write_metadata(pegasus_openlmi_storage_t)
+')
+
+optional_policy(`
@ -59915,7 +59949,7 @@ index 608f454..b01f04d 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +351,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -59946,7 +59980,7 @@ index 608f454..b01f04d 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +377,21 @@ kernel_read_net_sysctls(pegasus_t)
@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@ -59979,7 +60013,7 @@ index 608f454..b01f04d 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -114,9 +405,11 @@ files_getattr_all_dirs(pegasus_t)
@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@ -59991,7 +60025,7 @@ index 608f454..b01f04d 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
@@ -128,18 +421,29 @@ init_stream_connect_script(pegasus_t)
@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@ -60027,7 +60061,7 @@ index 608f454..b01f04d 100644
')
optional_policy(`
@@ -151,16 +455,24 @@ optional_policy(`
@@ -151,16 +456,24 @@ optional_policy(`
')
optional_policy(`
@ -60056,7 +60090,7 @@ index 608f454..b01f04d 100644
')
optional_policy(`
@@ -168,7 +480,7 @@ optional_policy(`
@@ -168,7 +481,7 @@ optional_policy(`
')
optional_policy(`
@ -104778,7 +104812,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
index 7f496c6..eac3196 100644
index 7f496c6..6a63c90 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@ -104865,17 +104899,17 @@ index 7f496c6..eac3196 100644
-allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_t self:capability { dac_read_search dac_override };
+
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
+
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@ -104897,7 +104931,7 @@ index 7f496c6..eac3196 100644
corenet_sendrecv_ftp_client_packets(zabbix_t)
corenet_tcp_connect_ftp_port(zabbix_t)
@@ -85,22 +112,14 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t)
corenet_sendrecv_http_client_packets(zabbix_t)
corenet_tcp_connect_http_port(zabbix_t)
corenet_tcp_sendrecv_http_port(zabbix_t)
@ -104920,8 +104954,12 @@ index 7f496c6..eac3196 100644
-
zabbix_agent_tcp_connect(zabbix_t)
+logging_send_syslog_msg(zabbix_t)
+
tunable_policy(`zabbix_can_network',`
@@ -110,12 +129,11 @@ tunable_policy(`zabbix_can_network',`
corenet_sendrecv_all_client_packets(zabbix_t)
corenet_tcp_connect_all_ports(zabbix_t)
@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',`
')
optional_policy(`
@ -104936,7 +104974,7 @@ index 7f496c6..eac3196 100644
')
optional_policy(`
@@ -125,6 +143,7 @@ optional_policy(`
@@ -125,6 +145,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
@ -104944,7 +104982,7 @@ index 7f496c6..eac3196 100644
')
########################################
@@ -132,18 +151,7 @@ optional_policy(`
@@ -132,18 +153,7 @@ optional_policy(`
# Agent local policy
#
@ -104964,7 +105002,7 @@ index 7f496c6..eac3196 100644
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
@@ -151,16 +159,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
@ -104983,7 +105021,7 @@ index 7f496c6..eac3196 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t)
@ -105259,7 +105297,7 @@ index 36e32df..3d08962 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
')
diff --git a/zarafa.te b/zarafa.te
index 3fded1c..5729b83 100644
index 3fded1c..91ce270 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
@ -105268,7 +105306,7 @@ index 3fded1c..5729b83 100644
+## <desc>
+## <p>
+## Allow zarafa domains to setrlimit/sys_rouserce.
+## Allow zarafa domains to setrlimit/sys_resource.
+## </p>
+## </desc>
+gen_tunable(zarafa_setrlimit, false)

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 31%{?dist}
Release: 32%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -580,6 +580,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Mar 12 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-33
- Allow init_t to stream connect to ipsec
- Add /usr/lib/systemd/systemd-networkd policy
- Add sysnet_manage_config_dirs()
- Add support for /var/run/systemd/network and labeled it as net_conf_t
- Allow unpriv SELinux users to dbus chat with firewalld
- Add lvm_write_metadata()
- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type
- Add support for /dev/vmcp and /dev/sclp
- Add docker_connect_any boolean
- Fix zabbix policy
- Allow zabbix to send system log msgs
- Allow pegasus_openlmi_storage_t to write lvm metadata
- Updated pcp_bind_all_unreserved_ports
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
* Mon Mar 10 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-32
- Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default