rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-80 

- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
- Since docker will now label volumes we can tighten the security of docker
This commit is contained in:
Lukas Vrabec 2014-09-10 15:47:04 +02:00
parent 6c07cc84bd
commit ae5a648040
3 changed files with 160 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
policy-rawhide-base.patch
View File

@ -29903,7 +29903,7 @@ index 3efd5b6..12dca57 100644
+ allow $1 login_pgm:key manage_key_perms; + allow $1 login_pgm:key manage_key_perms;
+') +')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..ff0708e 100644 index 09b791d..49d8c47 100644
--- a/policy/modules/system/authlogin.te --- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -30227,7 +30227,7 @@ index 09b791d..ff0708e 100644
optional_policy(` optional_policy(`
kerberos_use(nsswitch_domain) kerberos_use(nsswitch_domain)
') ')
@@ -456,10 +520,145 @@ optional_policy(` @@ -456,10 +520,151 @@ optional_policy(`
optional_policy(` optional_policy(`
sssd_stream_connect(nsswitch_domain) sssd_stream_connect(nsswitch_domain)
@ -30235,6 +30235,12 @@ index 09b791d..ff0708e 100644
+ sssd_read_lib_files(nsswitch_domain) + sssd_read_lib_files(nsswitch_domain)
') ')
+#1134389
+userdom_manage_all_users_keys(nsswitch_domain)
+optional_policy(`
+ sssd_manage_keys(nsswitch_domain)
+")
+
optional_policy(` optional_policy(`
samba_stream_connect_winbind(nsswitch_domain) samba_stream_connect_winbind(nsswitch_domain)
+ samba_stream_connect_nmbd(nsswitch_domain) + samba_stream_connect_nmbd(nsswitch_domain)

278
policy-rawhide-contrib.patch
View File

@ -24183,7 +24183,7 @@ index 0000000..a952041
+') +')
diff --git a/dnssec.te b/dnssec.te diff --git a/dnssec.te b/dnssec.te
new file mode 100644 new file mode 100644
index 0000000..7f715f8 index 0000000..c1ab586
--- /dev/null --- /dev/null
+++ b/dnssec.te +++ b/dnssec.te
@@ -0,0 +1,58 @@ @@ -0,0 +1,58 @@
@ -24234,7 +24234,7 @@ index 0000000..7f715f8
+ +
+logging_send_syslog_msg(dnssec_trigger_t) +logging_send_syslog_msg(dnssec_trigger_t)
+ +
+auth_read_passwd(dnssec_trigger_t) +auth_use_nsswitch(dnssec_trigger_t)
+ +
+sysnet_dns_name_resolve(dnssec_trigger_t) +sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t) +sysnet_manage_config(dnssec_trigger_t)
@ -95487,7 +95487,7 @@ index dbb005a..45291bb 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if diff --git a/sssd.if b/sssd.if
index a240455..16a04bf 100644 index a240455..f4d8c79 100644
--- a/sssd.if --- a/sssd.if
+++ b/sssd.if +++ b/sssd.if
@@ -1,21 +1,21 @@ @@ -1,21 +1,21 @@
@ -95781,7 +95781,7 @@ index a240455..16a04bf 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',` @@ -317,8 +388,46 @@ interface(`sssd_stream_connect',`
######################################## ########################################
## <summary> ## <summary>
@ -95804,6 +95804,25 @@ index a240455..16a04bf 100644
+ dontaudit $1 sssd_var_lib_t:sock_file { read write }; + dontaudit $1 sssd_var_lib_t:sock_file { read write };
+') +')
+ +
+#######################################
+## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_manage_keys',`
+ gen_require(`
+ type sssd_t;
+ ')
+
+ allow $1 sssd_t:key manage_key_perms;
+ allow sssd_t $1:key manage_key_perms;
+')
+
+######################################## +########################################
+## <summary> +## <summary>
+## All of the rules required to administrate +## All of the rules required to administrate
@ -95811,7 +95830,7 @@ index a240455..16a04bf 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',` @@ -327,7 +436,7 @@ interface(`sssd_stream_connect',`
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -95820,7 +95839,7 @@ index a240455..16a04bf 100644
## </summary> ## </summary>
## </param> ## </param>
## <rolecap/> ## <rolecap/>
@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',` @@ -335,27 +444,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',` interface(`sssd_admin',`
gen_require(` gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t; type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@ -103952,7 +103971,7 @@ index facdee8..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain; + typeattribute $1 sandbox_caps_domain;
') ')
diff --git a/virt.te b/virt.te diff --git a/virt.te b/virt.te
index f03dcf5..58d42f6 100644 index f03dcf5..7b38f46 100644
--- a/virt.te --- a/virt.te
+++ b/virt.te +++ b/virt.te
@@ -1,150 +1,227 @@ @@ -1,150 +1,227 @@
@ -105439,7 +105458,7 @@ index f03dcf5..58d42f6 100644
selinux_get_enforce_mode(virtd_lxc_t) selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t) selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1155,319 @@ selinux_compute_create_context(virtd_lxc_t) @@ -974,194 +1155,316 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t)
@ -105468,12 +105487,12 @@ index f03dcf5..58d42f6 100644
+optional_policy(` +optional_policy(`
+ docker_exec_lib(virtd_lxc_t) + docker_exec_lib(virtd_lxc_t)
+') +')
+
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(` +optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t) + gnome_read_generic_cache_files(virtd_lxc_t)
+') +')
+
-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(` +optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t) + setrans_manage_pid_files(virtd_lxc_t)
+') +')
@ -105503,6 +105522,97 @@ index f03dcf5..58d42f6 100644
+tunable_policy(`deny_ptrace',`',` +tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace; + allow svirt_sandbox_domain self:process ptrace;
+') +')
+
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
+
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
+
+kernel_getattr_proc(svirt_sandbox_domain)
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+files_entrypoint_all_files(svirt_sandbox_domain)
+files_list_var(svirt_sandbox_domain)
+files_list_var_lib(svirt_sandbox_domain)
+files_search_all(svirt_sandbox_domain)
+files_read_config_files(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+clock_read_adjtime(svirt_sandbox_domain)
+
+init_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+systemd_read_unit_files(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
+
+optional_policy(`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ docker_read_share_files(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@ -105586,103 +105696,6 @@ index f03dcf5..58d42f6 100644
-miscfiles_read_fonts(svirt_lxc_domain) -miscfiles_read_fonts(svirt_lxc_domain)
- -
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
+
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:file { relabelfrom relabelto };
+
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
+
+kernel_getattr_proc(svirt_sandbox_domain)
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+files_entrypoint_all_files(svirt_sandbox_domain)
+files_list_var(svirt_sandbox_domain)
+files_list_var_lib(svirt_sandbox_domain)
+files_search_all(svirt_sandbox_domain)
+files_read_config_files(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+clock_read_adjtime(svirt_sandbox_domain)
+
+init_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+systemd_read_unit_files(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ docker_manage_lib_files(svirt_lxc_net_t)
+ docker_manage_lib_dirs(svirt_lxc_net_t)
+ docker_read_share_files(svirt_sandbox_domain)
+ docker_exec_lib(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ docker_use_ptys(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(` +optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+') +')
@ -105690,12 +105703,15 @@ index f03dcf5..58d42f6 100644
+optional_policy(` +optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain) + ssh_use_ptys(svirt_sandbox_domain)
+') +')
+
+optional_policy(` optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+ udev_read_pid_files(svirt_sandbox_domain) + udev_read_pid_files(svirt_sandbox_domain)
+') ')
+
+optional_policy(` optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
+ userhelper_dontaudit_write_config(svirt_sandbox_domain) + userhelper_dontaudit_write_config(svirt_sandbox_domain)
+') +')
+ +
@ -105718,12 +105734,19 @@ index f03dcf5..58d42f6 100644
-# Lxc net local policy -# Lxc net local policy
+# svirt_lxc_net_t local policy +# svirt_lxc_net_t local policy
# #
-
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
+virt_sandbox_domain_template(svirt_lxc_net) +virt_sandbox_domain_template(svirt_lxc_net)
+virt_default_capabilities(svirt_lxc_net_t) +virt_default_capabilities(svirt_lxc_net_t)
+typeattribute svirt_lxc_net_t sandbox_net_domain; +typeattribute svirt_lxc_net_t sandbox_net_domain;
dontaudit svirt_lxc_net_t self:capability2 block_suspend; +dontaudit svirt_lxc_net_t self:capability2 {fsetid block_suspend };
+allow svirt_lxc_net_t self:process { execstack execmem };
+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow svirt_lxc_net_t self:capability sys_admin;
+')
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
-dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:process setrlimit;
-allow svirt_lxc_net_t self:tcp_socket { accept listen }; -allow svirt_lxc_net_t self:tcp_socket { accept listen };
-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write; -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
@ -105736,8 +105759,9 @@ index f03dcf5..58d42f6 100644
- -
-kernel_read_network_state(svirt_lxc_net_t) -kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem }; +tunable_policy(`virt_sandbox_use_mknod',`
+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) + allow svirt_lxc_net_t self:capability mknod;
+')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@ -105749,14 +105773,6 @@ index f03dcf5..58d42f6 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow svirt_lxc_net_t self:capability sys_admin;
+')
+
+tunable_policy(`virt_sandbox_use_mknod',`
+ allow svirt_lxc_net_t self:capability mknod;
+')
+
+tunable_policy(`virt_sandbox_use_all_caps',` +tunable_policy(`virt_sandbox_use_all_caps',`
+ allow svirt_lxc_net_t self:capability all_capability_perms; + allow svirt_lxc_net_t self:capability all_capability_perms;
+ allow svirt_lxc_net_t self:capability2 all_capability2_perms; + allow svirt_lxc_net_t self:capability2 all_capability2_perms;
@ -105846,10 +105862,10 @@ index f03dcf5..58d42f6 100644
+term_use_ptmx(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t)
+ +
+dev_rw_kvm(svirt_qemu_net_t) +dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-allow svirt_prot_exec_t self:process { execmem execstack }; -allow svirt_prot_exec_t self:process { execmem execstack };
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+ +
@ -105897,7 +105913,7 @@ index f03dcf5..58d42f6 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1480,12 @@ dev_read_sysfs(virt_qmf_t) @@ -1174,12 +1477,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t) dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t) dev_read_urand(virt_qmf_t)
@ -105912,7 +105928,7 @@ index f03dcf5..58d42f6 100644
sysnet_read_config(virt_qmf_t) sysnet_read_config(virt_qmf_t)
optional_policy(` optional_policy(`
@@ -1192,9 +1498,8 @@ optional_policy(` @@ -1192,9 +1495,8 @@ optional_policy(`
######################################## ########################################
# #
@ -105923,7 +105939,7 @@ index f03dcf5..58d42f6 100644
allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1512,219 @@ kernel_read_network_state(virt_bridgehelper_t) @@ -1207,5 +1509,219 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t)

6
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 79%{?dist} Release: 80%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -602,6 +602,10 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-80
- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21.
- Since docker will now label volumes we can tighten the security of docker
* Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-79 * Wed Sep 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-79
- Re-arange openshift_net_read_t rules. - Re-arange openshift_net_read_t rules.
- Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide - Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide