* Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89

- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
- Allow rabbitmq to read nfs state data. BZ(1122412)
- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
- Add rolekit policy
- Allow rolekit domtrans to sssd_t.
- Add kerberos_tmp_filetrans_kadmin() interface.
- rolekit should be noaudit.
- Add rolekit_manage_keys().
- Need to label rpmnew file correctly
- Allow modemmanager to connectto itself
This commit is contained in:
Lukas Vrabec 2014-10-29 11:24:42 +01:00
parent 317f5a18dc
commit af3cfa7b5c
3 changed files with 640 additions and 287 deletions


@ -5481,7 +5481,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..57afd42 100644
index b191055..2f2f2b9 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5555,11 +5555,13 @@ index b191055..57afd42 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
@@ -84,55 +107,69 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
@@ -83,56 +106,70 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
-network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0, tcp,15672,s0)
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(apc, tcp,3052,s0, udp,3052,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
@ -8936,7 +8938,7 @@ index 6a1e4d1..1b9b0b5 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..16c88de 100644
index cf04cb5..c2776d0 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -9085,7 +9087,7 @@ index cf04cb5..16c88de 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -9380,6 +9382,10 @@ index cf04cb5..16c88de 100644
+')
+
+optional_policy(`
+ rolekit_dbus_chat(domain)
+')
+
+optional_policy(`
+ ssh_rw_pipes(domain)
+')
+
@ -15685,7 +15691,7 @@ index 7be4ddf..71e675a 100644
+/sys/class/net/ib.* -- gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e100d88..227ae89 100644
index e100d88..85da370 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@ -15823,10 +15829,29 @@ index e100d88..227ae89 100644
')
########################################
@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',`
@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',`
########################################
## <summary>
+## Do not audit attempts to write the
+## file in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_proc_files',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:file write;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to check the
+## access on generic proc entries.
+## </summary>
@ -15849,7 +15874,7 @@ index e100d88..227ae89 100644
## Do not audit attempts by caller to
## read system state information in proc.
## </summary>
@@ -1208,6 +1296,24 @@ interface(`kernel_read_messages',`
@@ -1208,6 +1315,24 @@ interface(`kernel_read_messages',`
########################################
## <summary>
@ -15874,7 +15899,7 @@ index e100d88..227ae89 100644
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
## </summary>
@@ -1458,6 +1564,25 @@ interface(`kernel_list_all_proc',`
@@ -1458,6 +1583,25 @@ interface(`kernel_list_all_proc',`
########################################
## <summary>
@ -15900,7 +15925,7 @@ index e100d88..227ae89 100644
## Do not audit attempts to list all proc directories.
## </summary>
## <param name="domain">
@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',`
@@ -1477,6 +1621,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
## <summary>
@ -15925,7 +15950,7 @@ index e100d88..227ae89 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',`
@@ -1672,7 +1834,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@ -15934,7 +15959,7 @@ index e100d88..227ae89 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',`
@@ -1693,7 +1855,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@ -15943,7 +15968,7 @@ index e100d88..227ae89 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',`
@@ -1715,7 +1877,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@ -15951,7 +15976,7 @@ index e100d88..227ae89 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
@@ -1750,16 +1892,9 @@ interface(`kernel_rw_unix_sysctls',`
@@ -1750,16 +1911,9 @@ interface(`kernel_rw_unix_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -15969,7 +15994,7 @@ index e100d88..227ae89 100644
')
########################################
@@ -1771,16 +1906,9 @@ interface(`kernel_read_hotplug_sysctls',`
@@ -1771,16 +1925,9 @@ interface(`kernel_read_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -15987,7 +16012,7 @@ index e100d88..227ae89 100644
')
########################################
@@ -1792,16 +1920,9 @@ interface(`kernel_rw_hotplug_sysctls',`
@@ -1792,16 +1939,9 @@ interface(`kernel_rw_hotplug_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -16005,7 +16030,7 @@ index e100d88..227ae89 100644
')
########################################
@@ -1813,16 +1934,9 @@ interface(`kernel_read_modprobe_sysctls',`
@@ -1813,16 +1953,9 @@ interface(`kernel_read_modprobe_sysctls',`
## Domain allowed access.
## </summary>
## </param>
@ -16023,7 +16048,7 @@ index e100d88..227ae89 100644
')
########################################
@@ -2085,9 +2199,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
@@ -2085,9 +2218,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@ -16053,7 +16078,7 @@ index e100d88..227ae89 100644
########################################
## <summary>
## Allow caller to read all sysctls.
@@ -2282,6 +2415,25 @@ interface(`kernel_list_unlabeled',`
@@ -2282,6 +2434,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@ -16079,7 +16104,7 @@ index e100d88..227ae89 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
@@ -2306,7 +2458,7 @@ interface(`kernel_read_unlabeled_state',`
@@ -2306,7 +2477,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@ -16088,7 +16113,7 @@ index e100d88..227ae89 100644
## </summary>
## </param>
#
@@ -2488,6 +2640,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
@@ -2488,6 +2659,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@ -16113,7 +16138,7 @@ index e100d88..227ae89 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
@@ -2525,6 +2695,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
@@ -2525,6 +2714,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@ -16138,7 +16163,7 @@ index e100d88..227ae89 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
@@ -2667,6 +2855,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
@@ -2667,6 +2874,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@ -16163,13 +16188,23 @@ index e100d88..227ae89 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
@@ -2694,6 +2900,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
@@ -2694,18 +2919,37 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive TCP packets from an unlabeled
+## Do not audit attempts to receive DCCP packets from an unlabeled
+## connection.
+## </summary>
## connection.
## </summary>
-## <desc>
-## <p>
-## Do not audit attempts to receive TCP packets from an unlabeled
-## connection.
-## </p>
-## <p>
-## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
-## should be used instead of this one.
-## </p>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
@ -16186,29 +16221,34 @@ index e100d88..227ae89 100644
+
+########################################
+## <summary>
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
@@ -2803,20 +3028,47 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+## should be used instead of this one.
+## </p>
## </desc>
## <param name="domain">
## <summary>
@@ -2803,6 +3047,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
-
########################################
## <summary>
-## Do not audit attempts to receive Raw IP packets from an unlabeled
-## connection.
+########################################
+## <summary>
+## Read/Write Raw IP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
-## Do not audit attempts to receive Raw IP packets from an unlabeled
-## connection.
+## </summary>
+## <desc>
+## <p>
+## Receive Raw IP packets from an unlabeled connection.
## </p>
## <p>
-## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
-## should be used instead of this one.
+## </p>
+## <p>
+## The corenetwork interface corenet_raw_recv_unlabeled() should
+## be used instead of this one.
+## </p>
@ -16227,24 +16267,10 @@ index e100d88..227ae89 100644
+ allow $1 unlabeled_t:rawip_socket rw_socket_perms;
+')
+
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
@@ -2958,6 +3210,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -2958,6 +3229,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@ -16269,7 +16295,7 @@ index e100d88..227ae89 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2972,5 +3242,565 @@ interface(`kernel_unconfined',`
@@ -2972,5 +3261,565 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@ -28059,7 +28085,7 @@ index 3efd5b6..12dca57 100644
+ allow $1 login_pgm:key manage_key_perms;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..dbf639e 100644
index 09b791d..03657db 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@ -28337,12 +28363,12 @@ index 09b791d..dbf639e 100644
+systemd_hostnamed_read_config(nsswitch_domain)
+
+
tunable_policy(`authlogin_nsswitch_use_ldap',`
- files_list_var_lib(nsswitch_domain)
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ allow nsswitch_domain self:tcp_socket create_socket_perms;
+')
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
tunable_policy(`authlogin_nsswitch_use_ldap',`
- files_list_var_lib(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
@ -28383,7 +28409,7 @@ index 09b791d..dbf639e 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
@@ -456,10 +520,151 @@ optional_policy(`
@@ -456,10 +520,155 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@ -28395,6 +28421,10 @@ index 09b791d..dbf639e 100644
+userdom_manage_all_users_keys(nsswitch_domain)
+optional_policy(`
+ sssd_manage_keys(nsswitch_domain)
+')
+
+optional_policy(`
+ rolekit_manage_keys(nsswitch_domain)
')
optional_policy(`
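Review bot: The new `optional_policy(` / `rolekit_dbus_chat(domain)` / `')` block in the domain.te hunk puts D-Bus access to rolekit on the `domain` attribute, i.e. every confined domain on the system can talk to a freshly added privileged service (the changelog says rolekit domtrans to sssd_t and gets a rolekit_manage_keys() interface), and `*_dbus_chat` interfaces are conventionally bidirectional, so rolekit is also allowed to message every domain. The same pattern appears in the authlogin.te hunk, where `rolekit_manage_keys(nsswitch_domain)` hands key management on rolekit's keyring to every nsswitch_domain. Unless rolekit genuinely has to be reachable from all domains, these grants belong on the specific client domains that drive rolekit rather than on the broad attributes; if the wide grant is deliberate, record why with something like `# rolekit D-Bus API reachable from every domain: needed by <caller> -- TODO confirm and narrow`. Note the hunk is a patch of a patch, so the surrounding domain.te and authlogin.te rules are not visible here.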



@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 88%{?dist}
Release: 89%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -604,6 +604,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
- Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
- Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld
- Allow rabbitmq to read nfs state data. BZ(1122412)
- Allow named to read /var/tmp/DNS_25 labeled as krb5_host_rcache_t.
- Add rolekit policy
- ALlow rolekit domtrans to sssd_t.
- Add kerberos_tmp_filetrans_kadmin() interface.
- rolekit should be noaudit.
- Add rolekit_manage_keys().
- Need to label rpmnew file correctly
- Allow modemmanger to connectto itself
* Tue Oct 21 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-88
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Allow osad to connect to jabber client port. BZ (1154242)