* Tue Nov 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227

- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow pmie daemon to send a signal to the pmcd daemon BZ(1398078)
- Allow spamd_t to manage /var/spool/mail. BZ(1398437)
- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)
- Merge pull request #171 from t-woerner/rawhide-contrib
- Allow firewalld to getattr open search read modules_object_t:dir
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)
Lukas Vrabec 2016-11-29 14:40:40 +01:00
parent 99509b3f86
commit bc46371d77
4 changed files with 380 additions and 324 deletions




@ -29049,7 +29049,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
index 98072a3..ee152e2 100644
index 98072a3..0235724 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@ -29077,7 +29077,7 @@ index 98072a3..ee152e2 100644
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -48,8 +56,14 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
@ -29093,7 +29093,14 @@ index 98072a3..ee152e2 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
@@ -63,20 +77,26 @@ dev_search_sysfs(firewalld_t)
kernel_rw_net_sysctls(firewalld_t)
+files_list_kernel_modules(firewalld_t)
+
corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@ -29114,20 +29121,20 @@ index 98072a3..ee152e2 100644
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
+logging_send_syslog_msg(firewalld_t)
-sysnet_read_config(firewalld_t)
+
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
+sysnet_manage_config(firewalld_t)
+sysnet_relabelfrom_net_conf(firewalld_t)
+sysnet_relabelto_net_conf(firewalld_t)
+
-sysnet_read_config(firewalld_t)
+userdom_dontaudit_create_admin_dir(firewalld_t)
+userdom_dontaudit_manage_admin_dir(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -91,10 +111,15 @@ optional_policy(`
@@ -91,10 +113,15 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(firewalld_t)
@ -46284,7 +46291,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
index be0ab84..d46c5e7 100644
index be0ab84..6180bdb 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@ -46359,7 +46366,7 @@ index be0ab84..d46c5e7 100644
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
@@ -48,36 +71,52 @@ allow logrotate_t self:msg { send receive };
@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@ -46386,6 +46393,7 @@ index be0ab84..d46c5e7 100644
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_all_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+fs_dontaudit_getattr_nsfs_files(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
@ -46417,7 +46425,7 @@ index be0ab84..d46c5e7 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -95,32 +134,56 @@ mls_process_write_to_clearance(logrotate_t)
@@ -95,32 +135,56 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
@ -46480,7 +46488,7 @@ index be0ab84..d46c5e7 100644
')
optional_policy(`
@@ -135,16 +198,17 @@ optional_policy(`
@@ -135,16 +199,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@ -46500,7 +46508,7 @@ index be0ab84..d46c5e7 100644
')
optional_policy(`
@@ -170,6 +234,11 @@ optional_policy(`
@@ -170,6 +235,11 @@ optional_policy(`
')
optional_policy(`
@ -46512,7 +46520,7 @@ index be0ab84..d46c5e7 100644
fail2ban_stream_connect(logrotate_t)
')
@@ -178,7 +247,8 @@ optional_policy(`
@@ -178,7 +248,8 @@ optional_policy(`
')
optional_policy(`
@ -46522,7 +46530,7 @@ index be0ab84..d46c5e7 100644
')
optional_policy(`
@@ -198,17 +268,18 @@ optional_policy(`
@@ -198,17 +269,18 @@ optional_policy(`
')
optional_policy(`
@ -46544,7 +46552,7 @@ index be0ab84..d46c5e7 100644
')
optional_policy(`
@@ -216,6 +287,14 @@ optional_policy(`
@@ -216,6 +288,14 @@ optional_policy(`
')
optional_policy(`
@ -46559,7 +46567,7 @@ index be0ab84..d46c5e7 100644
samba_exec_log(logrotate_t)
')
@@ -228,26 +307,50 @@ optional_policy(`
@@ -228,26 +308,50 @@ optional_policy(`
')
optional_policy(`
@ -69146,10 +69154,10 @@ index 0000000..fa4cfaa
Binary files /dev/null and b/pcp.pp differ
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 0000000..d6fdef6
index 0000000..04a0b20
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,297 @@
@@ -0,0 +1,299 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@ -69405,6 +69413,8 @@ index 0000000..d6fdef6
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
+allow pcp_pmie_t pcp_pmcd_t:process signal;
+
+kernel_read_system_state(pcp_pmie_t)
+
+corecmd_exec_bin(pcp_pmie_t)
@ -90449,7 +90459,7 @@ index ccb5991..fa10c5a 100644
optional_policy(`
diff --git a/rpc.fc b/rpc.fc
index a6fb30c..3148280 100644
index a6fb30c..97ef313 100644
--- a/rpc.fc
+++ b/rpc.fc
@@ -1,12 +1,25 @@
@ -90484,7 +90494,7 @@ index a6fb30c..3148280 100644
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -16,7 +29,12 @@
@@ -16,7 +29,13 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
@ -90498,6 +90508,7 @@ index a6fb30c..3148280 100644
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0)
+
diff --git a/rpc.if b/rpc.if
index 0bf13c2..ed393a0 100644
@ -90960,7 +90971,7 @@ index 0bf13c2..ed393a0 100644
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
diff --git a/rpc.te b/rpc.te
index 2da9fca..23bddad 100644
index 2da9fca..6935f5c 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -91003,10 +91014,13 @@ index 2da9fca..23bddad 100644
attribute rpc_domain;
@@ -39,21 +44,23 @@ files_tmp_file(gssd_tmp_t)
@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
+type rpcd_lock_t;
+files_lock_file(rpcd_lock_t)
+
+# rpcd_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
@ -91032,7 +91046,7 @@ index 2da9fca..23bddad 100644
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
@@ -71,7 +78,6 @@ allow rpc_domain self:tcp_socket { accept listen };
@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen };
manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
@ -91040,7 +91054,7 @@ index 2da9fca..23bddad 100644
kernel_read_kernel_sysctls(rpc_domain)
kernel_rw_rpc_sysctls(rpc_domain)
@@ -79,8 +85,6 @@ dev_read_sysfs(rpc_domain)
@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain)
dev_read_urand(rpc_domain)
dev_read_rand(rpc_domain)
@ -91049,7 +91063,7 @@ index 2da9fca..23bddad 100644
corenet_tcp_sendrecv_generic_if(rpc_domain)
corenet_udp_sendrecv_generic_if(rpc_domain)
corenet_tcp_sendrecv_generic_node(rpc_domain)
@@ -108,41 +112,45 @@ files_read_etc_runtime_files(rpc_domain)
@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain)
files_read_usr_files(rpc_domain)
files_list_home(rpc_domain)
@ -91093,6 +91107,9 @@ index 2da9fca..23bddad 100644
+read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t)
+
+allow rpcd_t rpcd_lock_t:file manage_file_perms;
+files_lock_filetrans(rpcd_t, rpcd_lock_t, file)
+
+# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
@ -91103,7 +91120,7 @@ index 2da9fca..23bddad 100644
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
@@ -163,13 +171,21 @@ fs_getattr_all_fs(rpcd_t)
@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
@ -91127,7 +91144,7 @@ index 2da9fca..23bddad 100644
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcd_t)
@@ -181,19 +197,27 @@ optional_policy(`
@@ -181,19 +203,27 @@ optional_policy(`
')
optional_policy(`
@ -91158,7 +91175,7 @@ index 2da9fca..23bddad 100644
')
########################################
@@ -202,41 +226,61 @@ optional_policy(`
@@ -202,41 +232,61 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -91229,7 +91246,7 @@ index 2da9fca..23bddad 100644
miscfiles_manage_public_files(nfsd_t)
')
@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',`
@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@ -91237,7 +91254,7 @@ index 2da9fca..23bddad 100644
')
tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@ -91252,7 +91269,7 @@ index 2da9fca..23bddad 100644
')
########################################
@@ -270,7 +313,7 @@ optional_policy(`
@@ -270,7 +319,7 @@ optional_policy(`
# GSSD local policy
#
@ -91261,7 +91278,7 @@ index 2da9fca..23bddad 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -91269,7 +91286,7 @@ index 2da9fca..23bddad 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
@@ -288,25 +332,31 @@ kernel_signal(gssd_t)
@@ -288,25 +338,31 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@ -91304,7 +91321,7 @@ index 2da9fca..23bddad 100644
')
optional_policy(`
@@ -314,9 +364,12 @@ optional_policy(`
@@ -314,9 +370,12 @@ optional_policy(`
')
optional_policy(`
@ -103021,7 +103038,7 @@ index 1499b0b..e695a62 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
index cc58e35..d844f55 100644
index cc58e35..963d86c 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
@ -103728,7 +103745,7 @@ index cc58e35..d844f55 100644
')
optional_policy(`
@@ -463,9 +571,9 @@ optional_policy(`
@@ -463,9 +571,10 @@ optional_policy(`
')
optional_policy(`
@ -103736,10 +103753,11 @@ index cc58e35..d844f55 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
- mta_send_mail(spamd_t)
+ mta_manage_spool(spamd_t)
')
optional_policy(`
@@ -474,32 +582,32 @@ optional_policy(`
@@ -474,32 +583,32 @@ optional_policy(`
########################################
#
@ -103782,7 +103800,7 @@ index cc58e35..d844f55 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
@@ -508,25 +616,26 @@ dev_read_urand(spamd_update_t)
@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
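Review bot: The creation-time labeling for the new `rpcd_lock_t` type does not match where rpc.fc places the file: the rpc.te hunk pairs `allow rpcd_t rpcd_lock_t:file manage_file_perms;` with `files_lock_filetrans(rpcd_t, rpcd_lock_t, file)`, and in the reference policy that interface only transitions files created under the lock directory (/var/lock), whereas the rpc.fc hunk labels `/var/run/rpc\.statd\.lock` directly under /var/run. A lock file that rpc.statd creates at runtime in /var/run will therefore not get `rpcd_lock_t` until a relabel; it will land in whatever type the /var/run transition for rpcd_t yields, which is not visible in this hunk (presumably rpcd_var_run_t, to be confirmed), so the new manage rule is only effective after restorecon. The transition should be keyed on the pid directory and the file name, `files_pid_filetrans(rpcd_t, rpcd_lock_t, file, "rpc.statd.lock")`, in place of or in addition to the lock-directory transition. Both hunks are fragments of the much larger policy-rawhide-contrib.patch, so the surrounding rpcd_t rules are outside this view.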


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 226%{?dist}
Release: 227%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -675,6 +675,18 @@ exit 0
%endif
%changelog
* Tue Nov 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow pmie daemon to send signal pcmd daemon BZ(1398078)
- Allow spamd_t to manage /var/spool/mail. BZ(1398437)
- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)
- Merge pull request #171 from t-woerner/rawhide-contrib
- Allow firewalld to getattr open search read modules_object_t:dir
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)
* Wed Nov 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226
- Adding policy for tlp
- Add interface dev_manage_sysfs()