* Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89

- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424) - Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld - Allow rabbitmq to read nfs state data. BZ(1122412) - Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t. - Add rolekit policy - ALlow rolekit domtrans to sssd_t. - Add kerberos_tmp_filetrans_kadmin() interface. - rolekit should be noaudit. - Add rolekit_manage_keys(). - Need to label rpmnew file correctly - Allow modemmanger to connectto itself
2014-10-29 11:24:42 +01:00 · 2014-10-29 11:24:42 +01:00 · af3cfa7b5c
commit af3cfa7b5c
parent 317f5a18dc
3 changed files with 640 additions and 287 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5481,7 +5481,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..57afd42 100644
+index b191055..2f2f2b9 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5555,11 +5555,13 @@ index b191055..57afd42 100644
 # reserved_port_t is the type of INET port numbers below 1024.
 #
 type reserved_port_t, port_type, reserved_port_type;
-@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
+ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
 network_port(amavisd_recv, tcp,10024,s0)
 network_port(amavisd_send, tcp,10025,s0)
- network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
+-network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
 -network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0)
 +network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0) 
 +network_port(apc, tcp,3052,s0, udp,3052,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
@ -8936,7 +8938,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
 ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..16c88de 100644
+index cf04cb5..c2776d0 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -9085,7 +9087,7 @@ index cf04cb5..16c88de 100644
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
 
@ -9380,6 +9382,10 @@ index cf04cb5..16c88de 100644
 +')
 +
 +optional_policy(`
+    rolekit_dbus_chat(domain)
+')
+
+optional_policy(`
 +	ssh_rw_pipes(domain)
 +')
 +
@ -15685,7 +15691,7 @@ index 7be4ddf..71e675a 100644
 +/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..227ae89 100644
+index e100d88..85da370 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -15823,10 +15829,29 @@ index e100d88..227ae89 100644
 ')
 
 ########################################
-@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',`
+@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write the
+##	file in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_proc_files',`
+	gen_require(`
+		type proc_t;
+	')
+
+	dontaudit $1 proc_t:file write;
+')
+
+########################################
+## <summary>
 +##	Do not audit attempts to check the 
 +##	access on generic proc entries.
 +## </summary>
@ -15849,7 +15874,7 @@ index e100d88..227ae89 100644
 ##	Do not audit attempts by caller to
 ##	read system state information in proc.
 ## </summary>
-@@ -1208,6 +1296,24 @@ interface(`kernel_read_messages',`
+@@ -1208,6 +1315,24 @@ interface(`kernel_read_messages',`
 
 ########################################
 ## <summary>
@ -15874,7 +15899,7 @@ index e100d88..227ae89 100644
 ##	Allow caller to get the attributes of kernel message
 ##	interface (/proc/kmsg).
 ## </summary>
-@@ -1458,6 +1564,25 @@ interface(`kernel_list_all_proc',`
+@@ -1458,6 +1583,25 @@ interface(`kernel_list_all_proc',`
 
 ########################################
 ## <summary>
@ -15900,7 +15925,7 @@ index e100d88..227ae89 100644
 ##	Do not audit attempts to list all proc directories.
 ## </summary>
 ## <param name="domain">
-@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1621,24 @@ interface(`kernel_dontaudit_list_all_proc',`
 
 ########################################
 ## <summary>
@ -15925,7 +15950,7 @@ index e100d88..227ae89 100644
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
-@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1834,7 @@ interface(`kernel_read_net_sysctls',`
 	')
 
 	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@ -15934,7 +15959,7 @@ index e100d88..227ae89 100644
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
-@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1855,7 @@ interface(`kernel_rw_net_sysctls',`
 	')
 
 	rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@ -15943,7 +15968,7 @@ index e100d88..227ae89 100644
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
-@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1877,6 @@ interface(`kernel_read_unix_sysctls',`
 	')
 
 	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@ -15951,7 +15976,7 @@ index e100d88..227ae89 100644
 	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
 ')
 
-@@ -1750,16 +1892,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1911,9 @@ interface(`kernel_rw_unix_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -15969,7 +15994,7 @@ index e100d88..227ae89 100644
 ')
 
 ########################################
-@@ -1771,16 +1906,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1925,9 @@ interface(`kernel_read_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -15987,7 +16012,7 @@ index e100d88..227ae89 100644
 ')
 
 ########################################
-@@ -1792,16 +1920,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1939,9 @@ interface(`kernel_rw_hotplug_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -16005,7 +16030,7 @@ index e100d88..227ae89 100644
 ')
 
 ########################################
-@@ -1813,16 +1934,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1953,9 @@ interface(`kernel_read_modprobe_sysctls',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -16023,7 +16048,7 @@ index e100d88..227ae89 100644
 ')
 
 ########################################
-@@ -2085,9 +2199,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2218,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
 	')
 
 	dontaudit $1 sysctl_type:dir list_dir_perms;
@ -16053,7 +16078,7 @@ index e100d88..227ae89 100644
 ########################################
 ## <summary>
 ##	Allow caller to read all sysctls.
-@@ -2282,6 +2415,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2434,25 @@ interface(`kernel_list_unlabeled',`
 
 ########################################
 ## <summary>
@ -16079,7 +16104,7 @@ index e100d88..227ae89 100644
 ##	Read the process state (/proc/pid) of all unlabeled_t.
 ## </summary>
 ## <param name="domain">
-@@ -2306,7 +2458,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2477,7 @@ interface(`kernel_read_unlabeled_state',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -16088,7 +16113,7 @@ index e100d88..227ae89 100644
 ##	</summary>
 ## </param>
 #
-@@ -2488,6 +2640,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2659,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
 
 ########################################
 ## <summary>
@ -16113,7 +16138,7 @@ index e100d88..227ae89 100644
 ##	Do not audit attempts by caller to get attributes for
 ##	unlabeled character devices.
 ## </summary>
-@@ -2525,6 +2695,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2714,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
 
 ########################################
 ## <summary>
@ -16138,7 +16163,7 @@ index e100d88..227ae89 100644
 ##	Allow caller to relabel unlabeled files.
 ## </summary>
 ## <param name="domain">
-@@ -2667,6 +2855,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2874,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 
 ########################################
 ## <summary>
@ -16163,13 +16188,23 @@ index e100d88..227ae89 100644
 ##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
-@@ -2694,6 +2900,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,18 +2919,37 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
 
 ########################################
 ## <summary>
+-##	Do not audit attempts to receive TCP packets from an unlabeled
 +##	Do not audit attempts to receive DCCP packets from an unlabeled
-+##	connection.
-+## </summary>
+ ##	connection.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Do not audit attempts to receive TCP packets from an unlabeled
+-##	connection.
+-##	</p>
+-##	<p>
+-##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+-##	should be used instead of this one.
+-##	</p>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
@ -16186,29 +16221,34 @@ index e100d88..227ae89 100644
 +
 +########################################
 +## <summary>
- ##	Do not audit attempts to receive TCP packets from an unlabeled
- ##	connection.
- ## </summary>
-@@ -2803,20 +3028,47 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+##	Do not audit attempts to receive TCP packets from an unlabeled
+##	connection.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to receive TCP packets from an unlabeled
+##	connection.
+##	</p>
+##	<p>
+##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+##	should be used instead of this one.
+##	</p>
+ ## </desc>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2803,6 +3047,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
 
 	allow $1 unlabeled_t:rawip_socket recvfrom;
 ')
-
- ########################################
- ## <summary>
-##	Do not audit attempts to receive Raw IP packets from an unlabeled
-##	connection.
+########################################
+## <summary>
 +##	Read/Write Raw IP packets from an unlabeled connection.
- ## </summary>
- ## <desc>
- ##	<p>
-##	Do not audit attempts to receive Raw IP packets from an unlabeled
-##	connection.
+## </summary>
+## <desc>
+##	<p>
 +##	Receive Raw IP packets from an unlabeled connection.
- ##	</p>
- ##	<p>
-##	The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
-##	should be used instead of this one.
+##	</p>
+##	<p>
 +##	The corenetwork interface corenet_raw_recv_unlabeled() should
 +##	be used instead of this one.
 +##	</p>
@ -16227,24 +16267,10 @@ index e100d88..227ae89 100644
 +	allow $1 unlabeled_t:rawip_socket rw_socket_perms;
 +')
 +
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to receive Raw IP packets from an unlabeled
-+##	connection.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Do not audit attempts to receive Raw IP packets from an unlabeled
-+##	connection.
-+##	</p>
-+##	<p>
-+##	The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
-+##	should be used instead of this one.
- ##	</p>
- ## </desc>
- ## <param name="domain">
-@@ -2958,6 +3210,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+ 
+ ########################################
+ ## <summary>
+@@ -2958,6 +3229,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
 
 ########################################
 ## <summary>
@ -16269,7 +16295,7 @@ index e100d88..227ae89 100644
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
-@@ -2972,5 +3242,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3261,565 @@ interface(`kernel_unconfined',`
 	')
 
 	typeattribute $1 kern_unconfined;
@ -28059,7 +28085,7 @@ index 3efd5b6..12dca57 100644
 +	allow $1 login_pgm:key manage_key_perms;
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..dbf639e 100644
+index 09b791d..03657db 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -28337,12 +28363,12 @@ index 09b791d..dbf639e 100644
 +systemd_hostnamed_read_config(nsswitch_domain)
 +
 +
- tunable_policy(`authlogin_nsswitch_use_ldap',`
-	files_list_var_lib(nsswitch_domain)
+tunable_policy(`authlogin_nsswitch_use_ldap',`
 +    allow nsswitch_domain self:tcp_socket create_socket_perms;
 +')
 +
-+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+-	files_list_var_lib(nsswitch_domain)
 +	corenet_tcp_sendrecv_generic_if(nsswitch_domain)
 +	corenet_tcp_sendrecv_generic_node(nsswitch_domain)
 +	corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
@ -28383,7 +28409,7 @@ index 09b791d..dbf639e 100644
 optional_policy(`
 	kerberos_use(nsswitch_domain)
 ')
-@@ -456,10 +520,151 @@ optional_policy(`
+@@ -456,10 +520,155 @@ optional_policy(`
 
 optional_policy(`
 	sssd_stream_connect(nsswitch_domain)
@ -28395,6 +28421,10 @@ index 09b791d..dbf639e 100644
 +userdom_manage_all_users_keys(nsswitch_domain)
 +optional_policy(`
 +    sssd_manage_keys(nsswitch_domain)
+')
+
+optional_policy(`
+    rolekit_manage_keys(nsswitch_domain)
 ')
 
 optional_policy(`
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 88%{?dist}
+Release: 89%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -604,6 +604,19 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
+- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
+- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
+- Allow rabbitmq to read nfs state data. BZ(1122412)
+- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
+- Add rolekit policy
+- ALlow rolekit domtrans to sssd_t.
+- Add kerberos_tmp_filetrans_kadmin() interface.
+- rolekit should be noaudit.
+- Add rolekit_manage_keys().
+- Need to label rpmnew file correctly
+- Allow modemmanger to connectto itself
+
 * Tue Oct 21 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-88
 - Allow couchdb read sysctl_fs_t files. BZ(1154327)
 - Allow osad to connect to jabber client port. BZ (1154242)