rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Tue Nov 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227

Browse Source 
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow pmie daemon to send signal pcmd daemon BZ(1398078)
- Allow spamd_t to manage /var/spool/mail. BZ(1398437)
- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)
- Merge pull request #171 from t-woerner/rawhide-contrib
- Allow firewalld to getattr open search read modules_object_t:dir
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)
This commit is contained in:
Lukas Vrabec 2016-11-29 14:40:40 +01:00
parent 99509b3f86
commit bc46371d77
4 changed files with 380 additions and 324 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
container-selinux.tgz
View File

Binary file not shown.

596
policy-rawhide-base.patch
View File

File diff suppressed because it is too large Load Diff

94
policy-rawhide-contrib.patch
View File

@ -29049,7 +29049,7 @@ index c62c567..a74f123 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
index 98072a3..ee152e2 100644
index 98072a3..0235724 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
@ -29077,7 +29077,7 @@ index 98072a3..ee152e2 100644
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -48,8 +56,14 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
@@ -48,13 +56,21 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
@ -29093,7 +29093,14 @@ index 98072a3..ee152e2 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
@@ -63,20 +77,26 @@ dev_search_sysfs(firewalld_t)
kernel_rw_net_sysctls(firewalld_t)
+files_list_kernel_modules(firewalld_t)
+
corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@ -29114,20 +29121,20 @@ index 98072a3..ee152e2 100644
-seutil_exec_setfiles(firewalld_t)
-seutil_read_file_contexts(firewalld_t)
+logging_send_syslog_msg(firewalld_t)
-sysnet_read_config(firewalld_t)
+
+sysnet_dns_name_resolve(firewalld_t)
+sysnet_manage_config_dirs(firewalld_t)
+sysnet_manage_config(firewalld_t)
+sysnet_relabelfrom_net_conf(firewalld_t)
+sysnet_relabelto_net_conf(firewalld_t)
+
-sysnet_read_config(firewalld_t)
+userdom_dontaudit_create_admin_dir(firewalld_t)
+userdom_dontaudit_manage_admin_dir(firewalld_t)
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
@@ -91,10 +111,15 @@ optional_policy(`
@@ -91,10 +113,15 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(firewalld_t)
@ -46284,7 +46291,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain">
## <summary>
diff --git a/logrotate.te b/logrotate.te
index be0ab84..d46c5e7 100644
index be0ab84..6180bdb 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0)
@ -46359,7 +46366,7 @@ index be0ab84..d46c5e7 100644
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
@@ -48,36 +71,52 @@ allow logrotate_t self:msg { send receive };
@@ -48,36 +71,53 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@ -46386,6 +46393,7 @@ index be0ab84..d46c5e7 100644
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_all_fs(logrotate_t)
+fs_list_inotifyfs(logrotate_t)
+fs_dontaudit_getattr_nsfs_files(logrotate_t)
+
+mls_file_read_all_levels(logrotate_t)
+mls_file_write_all_levels(logrotate_t)
@ -46417,7 +46425,7 @@ index be0ab84..d46c5e7 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -95,32 +134,56 @@ mls_process_write_to_clearance(logrotate_t)
@@ -95,32 +135,56 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
@ -46480,7 +46488,7 @@ index be0ab84..d46c5e7 100644
')
optional_policy(`
@@ -135,16 +198,17 @@ optional_policy(`
@@ -135,16 +199,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@ -46500,7 +46508,7 @@ index be0ab84..d46c5e7 100644
')
optional_policy(`
@@ -170,6 +234,11 @@ optional_policy(`
@@ -170,6 +235,11 @@ optional_policy(`
')
optional_policy(`
@ -46512,7 +46520,7 @@ index be0ab84..d46c5e7 100644
fail2ban_stream_connect(logrotate_t)
')
@@ -178,7 +247,8 @@ optional_policy(`
@@ -178,7 +248,8 @@ optional_policy(`
')
optional_policy(`
@ -46522,7 +46530,7 @@ index be0ab84..d46c5e7 100644
')
optional_policy(`
@@ -198,17 +268,18 @@ optional_policy(`
@@ -198,17 +269,18 @@ optional_policy(`
')
optional_policy(`
@ -46544,7 +46552,7 @@ index be0ab84..d46c5e7 100644
')
optional_policy(`
@@ -216,6 +287,14 @@ optional_policy(`
@@ -216,6 +288,14 @@ optional_policy(`
')
optional_policy(`
@ -46559,7 +46567,7 @@ index be0ab84..d46c5e7 100644
samba_exec_log(logrotate_t)
')
@@ -228,26 +307,50 @@ optional_policy(`
@@ -228,26 +308,50 @@ optional_policy(`
')
optional_policy(`
@ -69146,10 +69154,10 @@ index 0000000..fa4cfaa
Binary files /dev/null and b/pcp.pp differ
diff --git a/pcp.te b/pcp.te
new file mode 100644
index 0000000..d6fdef6
index 0000000..04a0b20
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,297 @@
@@ -0,0 +1,299 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@ -69405,6 +69413,8 @@ index 0000000..d6fdef6
+
+allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
+allow pcp_pmie_t pcp_pmcd_t:process signal;
+
+kernel_read_system_state(pcp_pmie_t)
+
+corecmd_exec_bin(pcp_pmie_t)
@ -90449,7 +90459,7 @@ index ccb5991..fa10c5a 100644
optional_policy(`
diff --git a/rpc.fc b/rpc.fc
index a6fb30c..3148280 100644
index a6fb30c..97ef313 100644
--- a/rpc.fc
+++ b/rpc.fc
@@ -1,12 +1,25 @@
@ -90484,7 +90494,7 @@ index a6fb30c..3148280 100644
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -16,7 +29,12 @@
@@ -16,7 +29,13 @@
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
@ -90498,6 +90508,7 @@ index a6fb30c..3148280 100644
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/var/run/rpc\.statd\.lock -- gen_context(system_u:object_r:rpcd_lock_t,s0)
+
diff --git a/rpc.if b/rpc.if
index 0bf13c2..ed393a0 100644
@ -90960,7 +90971,7 @@ index 0bf13c2..ed393a0 100644
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
diff --git a/rpc.te b/rpc.te
index 2da9fca..23bddad 100644
index 2da9fca..6935f5c 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@ -91003,10 +91014,13 @@ index 2da9fca..23bddad 100644
attribute rpc_domain;
@@ -39,21 +44,23 @@ files_tmp_file(gssd_tmp_t)
@@ -39,21 +44,26 @@ files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
+type rpcd_lock_t;
+files_lock_file(rpcd_lock_t)
+
+# rpcd_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
@ -91032,7 +91046,7 @@ index 2da9fca..23bddad 100644
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
@@ -71,7 +78,6 @@ allow rpc_domain self:tcp_socket { accept listen };
@@ -71,7 +81,6 @@ allow rpc_domain self:tcp_socket { accept listen };
manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
@ -91040,7 +91054,7 @@ index 2da9fca..23bddad 100644
kernel_read_kernel_sysctls(rpc_domain)
kernel_rw_rpc_sysctls(rpc_domain)
@@ -79,8 +85,6 @@ dev_read_sysfs(rpc_domain)
@@ -79,8 +88,6 @@ dev_read_sysfs(rpc_domain)
dev_read_urand(rpc_domain)
dev_read_rand(rpc_domain)
@ -91049,7 +91063,7 @@ index 2da9fca..23bddad 100644
corenet_tcp_sendrecv_generic_if(rpc_domain)
corenet_udp_sendrecv_generic_if(rpc_domain)
corenet_tcp_sendrecv_generic_node(rpc_domain)
@@ -108,41 +112,45 @@ files_read_etc_runtime_files(rpc_domain)
@@ -108,41 +115,48 @@ files_read_etc_runtime_files(rpc_domain)
files_read_usr_files(rpc_domain)
files_list_home(rpc_domain)
@ -91093,6 +91107,9 @@ index 2da9fca..23bddad 100644
+read_lnk_files_pattern(rpcd_t, var_lib_nfs_t, var_lib_nfs_t)
+
+allow rpcd_t rpcd_lock_t:file manage_file_perms;
+files_lock_filetrans(rpcd_t, rpcd_lock_t, file)
+
+# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
@ -91103,7 +91120,7 @@ index 2da9fca..23bddad 100644
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
@@ -163,13 +171,21 @@ fs_getattr_all_fs(rpcd_t)
@@ -163,13 +177,21 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
@ -91127,7 +91144,7 @@ index 2da9fca..23bddad 100644
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcd_t)
@@ -181,19 +197,27 @@ optional_policy(`
@@ -181,19 +203,27 @@ optional_policy(`
')
optional_policy(`
@ -91158,7 +91175,7 @@ index 2da9fca..23bddad 100644
')
########################################
@@ -202,41 +226,61 @@ optional_policy(`
@@ -202,41 +232,61 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -91229,7 +91246,7 @@ index 2da9fca..23bddad 100644
miscfiles_manage_public_files(nfsd_t)
')
@@ -245,7 +289,6 @@ tunable_policy(`nfs_export_all_rw',`
@@ -245,7 +295,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@ -91237,7 +91254,7 @@ index 2da9fca..23bddad 100644
')
tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +300,12 @@ tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +306,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@ -91252,7 +91269,7 @@ index 2da9fca..23bddad 100644
')
########################################
@@ -270,7 +313,7 @@ optional_policy(`
@@ -270,7 +319,7 @@ optional_policy(`
# GSSD local policy
#
@ -91261,7 +91278,7 @@ index 2da9fca..23bddad 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
@@ -280,6 +323,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
@@ -280,6 +329,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -91269,7 +91286,7 @@ index 2da9fca..23bddad 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
@@ -288,25 +332,31 @@ kernel_signal(gssd_t)
@@ -288,25 +338,31 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@ -91304,7 +91321,7 @@ index 2da9fca..23bddad 100644
')
optional_policy(`
@@ -314,9 +364,12 @@ optional_policy(`
@@ -314,9 +370,12 @@ optional_policy(`
')
optional_policy(`
@ -103021,7 +103038,7 @@ index 1499b0b..e695a62 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
index cc58e35..d844f55 100644
index cc58e35..963d86c 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
@ -103728,7 +103745,7 @@ index cc58e35..d844f55 100644
')
optional_policy(`
@@ -463,9 +571,9 @@ optional_policy(`
@@ -463,9 +571,10 @@ optional_policy(`
')
optional_policy(`
@ -103736,10 +103753,11 @@ index cc58e35..d844f55 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
- mta_send_mail(spamd_t)
+ mta_manage_spool(spamd_t)
')
optional_policy(`
@@ -474,32 +582,32 @@ optional_policy(`
@@ -474,32 +583,32 @@ optional_policy(`
########################################
#
@ -103782,7 +103800,7 @@ index cc58e35..d844f55 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
@@ -508,25 +616,26 @@ dev_read_urand(spamd_update_t)
@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)

14
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 226%{?dist}
Release: 227%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -675,6 +675,18 @@ exit 0
%endif
%changelog
* Tue Nov 29 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-227
- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081)
- Allow pmie daemon to send signal pcmd daemon BZ(1398078)
- Allow spamd_t to manage /var/spool/mail. BZ(1398437)
- Label /run/rpc.statd.lock as rpcd_lock_t and allow rpcd_t domain to manage it. BZ(1397254)
- Merge pull request #171 from t-woerner/rawhide-contrib
- Allow firewalld to getattr open search read modules_object_t:dir
- Allow systemd create /dev/log in own mount-namespace. BZ(1383867)
- Add interface fs_dontaudit_getattr_nsfs_files()
- Label /usr/lib/systemd/resolv.conf as lib_t to allow all domains read this file. BZ(1398853)
- Dontaudit systemd_journal sys_ptrace userns capability. BZ(1374187)
* Wed Nov 16 2016 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-226
- Adding policy for tlp
- Add interface dev_manage_sysfs()