From c3f53c2a7ed7d639a25e5987d2552e8ad306882f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 12 Sep 2017 14:05:47 +0200 Subject: [PATCH] * Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283 - Allow passwd_t domain mmap /etc/shadow and /etc/passwd - Allow pulseaudio_t domain to map user tmp files - Allow mozilla plugin to mmap mozilla tmpfs files --- container-selinux.tgz | Bin 6999 -> 6999 bytes policy-rawhide-base.patch | 101 +++++++++++++++++++++++++---------- policy-rawhide-contrib.patch | 40 +++++++------- selinux-policy.spec | 7 ++- 4 files changed, 100 insertions(+), 48 deletions(-) 
diff --git a/container-selinux.tgz b/container-selinux.tgz index 9d0d555801436c0998901fc75462111a4529ad5a..01fb911195533b3b65ece3d8fde274ca95843728 100644 GIT binary patch delta 6662 zcmV+h8u{hdHrFUp_=_qShF@kNwGQj}V4djSzh+9OpxB#UIRSS(UOp4EPw zMdf9@{pLjJEu;@0-sA7}58uC4e<8j5@b3Eho9lPi-+%vq!}|~Kf4KhU?e)8xo9l19 zx2GzQnhsU%m!9`ca$owJC@|6uz5f?YtCugmAFD%}`sLG~|FMs}yojJfdtm| zt%WNswiQvlx|3o7MFBUHr~xp4zS@C`9e#|c<#@D?w!qJb(mKkH98iCY{E*~ZlsR@j z4`wP5f4=Pxv6)7YLnk)~8;ZK7;!Wz+1!yf+#{unitVsV(&8WyPi8o#d#SH4ajH7Bq z=RJ)ec|U_;Ti=8=2L*f8d8m9NP-=1b z^NTXR$9$0TGd5@knU`XXrO@D`GncB8Z^`OlLP0|%ASsQ>it(<4#IGttR`jl)*CyiG zg=6x=|G)6^0_E=~e|k}u2U8W1w3F>7inEHUtRazA&YAgf74J5JLHQBkr8XH7|F{h$#G!{l8T`}(HoB^!OWX=n=|kN6w5=1 zC1E%k--}X`kND%so*}(216;g79-qMYpMv`{x+rNF`&sCJJ(RI-F_}gw%v@i7P(Of- z(n;Q4O-o1`Xou8e*h2Orq}dgw=XIpn9+pM@GdTmC`GOF_A{t_iH3oL7?3Jifw{us?ueTIof z?Tm0atRE8pX@10;86o{TPh+72z;G#H)?WKz8fR=S!c9-p@L`jcK)RGK0PRTEPo8DM zzafoI4y?TAdtm54dQ}Z3NlNoeRDW^%nUx0Z4J`HKC^GE=*AO{oSVXr=GHD@gSO>X5 zcS<||Sg8aDw$~?RbCx<)@|$)z_091|I zKh%33=-Ko5(#x+bAePEICTyJ;TG~RX@{!@_3R3U!aWOjjhB`J>`9ykMNWr-|j*3oJ z5RTnv)fn4M&R?(1L$x1ocK1g?ksLt9IvYbyMsOF?_1*XZqiN0VMin_2H~Aq8D;hAk zn>vp!V;jN}{)n*trihdFAk=>v_Nid{I^OJrSs|OV80*cbBt7dHzB#C>w0G2F)x_==cThL8#(nd~5Ma zE6?WCV3$vwD?wSe4G(`wBJu#Db0oTukI*xW>Mx~L-MaS6T~rI2G^y60H+I|^-FX>Q z*!R&f1DS>5F-}oDNMv2|Ho;dkJACPb)c>MMw&-OYohlFe`Tq|eZm!?=&i}uEyPW_3 z9Eo{a)@dGsVmp_;;k9>jdGqe_?Zv92FIbo-^R9Shp4a)^SW|y__0sz}0-TaA7JxZt zMXD@}s(^>s6g;>l!VncGj`y&SKo6E`IEhc@vG5akXy}S(E}d;|Td9VGI*D<+K{wfO>aM8SBD^hP_N><`s?)Gf@6;|< zx7>wNFU3L8juSa=z3ulg>CSE!Q3-S6XC+WvdM~&(M5%ubC&HG*1~Qoo^bq-A?RVbg z@8b&BeH*#iX<+5#e^b@9Zh!68MjKOXcQC|61Sy?&xpZi~0`e`AZsg5*hsiSf)1s#V z@R4j8_@jf^VznaUhG`F*Z6r%{_|uHPtxUa&I$Xb3>3gYuf24!jb&j>c`>r};9$nIY zR?0R;JC}dfMw!@;kPpwb2z_`FquIu8LOfZxX8m;DXX%6Sh>bRuj6!5WNONd1a<82C z7&U^1S+yr#dUm@)KXew=^!Is}1?SRu8%Epn-y)jx)?nV_QsgC%2*(K^JZ2h#wccCr zjfblSCjEW9+r!LD3-ET%30wEimN714)I3L9LXCe#1Ny^HJZ6u)37v0-0E3E0O8ZrBeni8b;+A=BVcLf5H>dD;f&0QEM+u%ux! 
zbTWU^D9F(u7^LQVix@ktY&5dXOJ`=~*r+3KTJ31N6n-5!Fo>Q7V5@=jLrnXIY46Ge zW%@&K;lCZ(bO9ecYxSWcS{)QKpd7*;${6-$K;C#8vIVL`RYX~6t^JVf^x9&kj-1R^v<82h^p zlz2M{(pD-tg<=OF4GoLLsEmU(C~&Qrbs<@>)P>9J;gU_^ zp`tm`OM#7`mkWM7%c`@)>Uib#JY2tTlJ2qo0n37!h5aWN0#P1}m;us7Bk_P8yv%>- znNRN9GEbX{o-RB|^AOC0mG&}(f#Qi!;QlgCcZ&R2u>L&@lMx3)o*j`jG0*~<7uvQa z)^xft0u#$$eI(qJ_Ov51D6sh4<A(B z_eq|$nO51I=E2meTCqkCEfb#pD3X60m?AhC?ET42(-Fc)F@)JI2QY8dfT>q}pV$(* z9pE-lOl|lrFMId6+ne93JiCOKFKiWf*1GKaK7ddCXo{EKU&4^Z6sG=N)C&07N5P%< zke7FtK=$u>5p54i@`Mg|kU*N>lQ%x|9wKk=!ymr4iBJGul_v-E-~!iwaRPtj33J-Q z+~!yhXx!HGqVts_I@?+_l4MkHhkXdNOQ z69U8SI&AFTFZ3^%?1%}&x8<%gzL++gM`DjRJVs_PT7S6Wx1FI*+N1+*&?-l^=)gIb zqg&M#{}{o$*MWOJPML`~)_#A=JVsmeWAbpBraDYynJe?tt$mlwmit!q>5m;ItZu5^ zGOarDYJ$ciH(`|7ZhoBFSsXA&cMb>4x$#Dib{nQk3v=R;mX&KSmPMJz6w{yUJqdPm z$oG`+H}m7`4yKw@o)yd7t)Su(AK31bs$Cz*T=PY zjUoGb{d@;Pj}jhE&fBkmsLXmd7 z8x9t!8}8af5Q@0LSJtt@s3yk>2zDO7(0H8CgSF9zr(CqDs(pWyBo1_Lo~t9aC0iSY zf-T-oV49d$CmPAXHg)fCU)P0W7J?{SnK zy|U?!hB{YwEJWQvuaE~#w5OH0(Qz&9fal>xa}8$3w@TfJ`4M8@G>(iZF+1mo(?Ku@s&IEiId^$^#=UQfsGU+8upSeS8Xea z-yaM$;skkN=QpV%dM}odd`p%tqQFoaOGB@kyGU@rQ>}l~YGz0gq0*qVjttoTZr?F!WlKZ#-wVZA90SCw* zhp2z5*JRUmPq1p}d41L?j1n+r>@FBVY{ytwe$3jZe8Y>W$+&b>cx7my$-is zUsHQ?o}qQT>Y1=D_ag@~R|!<@Kpg@DSgc;t<(E^?u@eq;+zH)3+K%;JBC zp($&BfZ>>IERc@A7($D)ypFd|c9%_@?IYC4p%S7rP$OB&`Q1eM_$IZo=tGAwoy*HD>_Lf}{WkTACJzpeZZS5px7+)__1xurB(dV5U;3w0mH zVI>qj&4H8zI9zDGn-4J*^6urCRZGZhll!8>)Vn9s%*5Ooy7!vkQ+D=+ZNJ@i@@xlH z=>V0>g=h!ARz6VGt$}n1yHtNybIYTdZCkY>GFY23Q^d@KORR=V%;jv6r{^-baQ%X| zH>iQEo3MgXgxuKYK|^l4qA_LQ-$n<6ft{v#9_~XkK7H`ZP+oS=k}wQxM9ku7w!P3& zF-&XLTkPGe5FLFAqKz|?`;6VxsLOd9m(c@^m~gP7uZ%*)<@_Y?|3QDQ^GzEXCdMql zEtw2=UX2&CT&!NIgv}YSQCZPY7~EZAWR|TPHliG?MjfRXibHwJA#0nMiCV-ry3z}i zuf;%}(7^SQZYND10}jx9n_%72E_$D_xL8eI20ft7C98~$;?)#tO)0jis}KX|6(6^v zI6Yoq6VolU290L+=xcuptho<|?Twzbh@10+_8xNBtUw<)M>?MNfvVhMILbB$3NeGwC0gsi=Si7x#+=CG~pCc)lkGPI+m zmyNvLcr3pX8O{+bJ)FMH)a)u6_YE}{FzW}sTaLV+Y69e;x2k{P#@KT^Q#j8;yJv5n 
zQaP7-mR9bPHrX6R-WVPdQ+WvjLiMP;b)EgzSx#nLgUTMWk0Z6hTJ6YDrtrr;FJIcc~{%5 zdi{*it`Oh<7&w2=G5iq|+q=P|9W%jO4`a-fhwWU(v02!UXtP1UZYKd`U+sU%jRcF1o3 znn=yH!a@>*u5$G8HQy%f=HEANB>k<8S_DHX)Vf1gx~NBPVw1nOf`$Ga^ZZ7sE;_HD zW2nSl-trDCgOo)z;;!H|LtE#Gs@2%565YSOF;;&MM{?Ee$S_SPTkUq3kq;Z&p$*!p zc0B=ByPpfH-7li7M_fQzk2uYwEA0TC^{`m&e!-+}s7}0s_PG0R`*%2x$y6H*JSyCF z`bD%8E}%X3;@SBwoSiHDxv##&Mc}F$6BmNh<=|i{@Br`w`zbI!+@&F>ZFd zIBfqIwx=6{R#aJcvtApO*4aomD)|#^i@R=zkJttu-2Qgh_IBIub`=R9r#9oq`ss8(aum0ydwpTE3gTFy9cU8|;Vvfo`Wi&Tzmfz>eA&uUQ z7lra&zy`V^A(wGJTSui{H9PESig|yEQszM%&V^U0fb(dPw)UL8KPfrPH)0!TzH;Wj z(^R(d**%UP)nZaP2jzP4Z)eU}f%ql`382B@O67Ps?43uUtgh~TCOZrsV@R$*O?VKM zM*y`%H47F%U9nRCiucGmgNpbk9i*hH5dHGIU-1hH?m}eWVi*P%SJS#9yBB|&Zl#?E z7z3lm_9Gh}zg2i-CvZT#IRdi5Y~(mkH&xojuk$n>JCd{&S3vnCQ*(;djDC!WB|Oeb z^T-yFuDFLH8rxp_=08daTQwEOJb}Uz$a=kXwA#|c&#Jx5SA`kHN2zh==_vaAF+!NNr_KuxouOyv>;Q`C&HaKBy_aX89c9DqYFIp9_E;Jx7o zl;&)YD`ta_?k~NdJw?X?uwqY+&`$JOGZknz4M%9XFYPc}lQA0^lRp~^lRp~^lRp~@ Q48CCce_{*g*8uPU02h4zasU7T delta 6626 zcmV<886D==HrF^00Zq^ZI9eGlFrxZUm@55JQLV6o^j#>JlQ=gk^}BO z91!d-a33yr9krzHRz`1;)bnx!?{B}V;)^JWq$su8o&`i8X^&L(kSvnLVzEdCc~<*z z7L}Lr_L~!>_mDn*{2qU=|K*4G>Mx`ZA3t1Qe{=oe`iCE5e)#zP%?~%T_Dj$ECb=*DO%xdEhTi{^rq%1$-jCHGP5tue&wt-XUS34myDC4FLFD;G zk;H*t$9d)jqN8|Gwu9fxAFl-43P9XaD>wM#?B5=d;UEMnM)m5G1pzZDdHdVyY!_wg zGWz2Xmq5EZJFA}xr3R9xeye#Hfdtm|t%WNswiQvlxszc5MFCfnrvWg3UhF`{4nIcJ zay(i`Ti|CzX&q%p4yeCIen|2y${ahN2Qw9jKi~F;*i0kHp_3bg4Mkm3@h0`^0<;#Z zn;t#2YV!Vg_|y#!)q*^PWbKyq`g_Tm*UVmq^+OlJfVyz1Gouf_i!! 
zAO5*6qB5<3aT_O5B{JrJ)YQpmo(*1_sA-ITNkJQQhUA+=U9`nbP5adaP09glNX3~X zZet%kBXIUwuR0{w7m#_i_si%dNu3JhE_X)mAoV1!YV6x4p>rV3BbO!{=1#J^$q4QZ z-fQl^(5S~LxhkR{-p0^CtRc}{iFzuJ@(fvrK>j1`r4#DG<2s6eL91Y0~ zJCVGMF_u!%PNv&9{4v^1Uj{ z3kRo|=}lvqpuU_`Uz*vg=qy+1j#pV0$)8ly`~=nkE|E9CgS;#BPxwkxKrXH3ctVzk zxZZm{5FTofa2*GK9@W0_J;2nCbiOj@7iD~p`5@&NY|sueFU1;5p}|LIE>$JplGVY4 zf`&>!QW}#L<6Q@dUsZ;z=v_arO~kVc$K;3qf92%`%HL1^^r|iorYa(7C)-UFXFI2C z^+QC==gtmZ?EtZPW0gVh?G60*0si}b-nGat|MBw+nPv(S5gC}Z7XGL2H0xxW6OegGMzlf1o}mXI{i4ynhmh3rR2vnx!`>qxUbEQ|VS z>=f>G@Qvd1Ms8OeD(GzW6RAfW3vHo_5z-ND7~K~&*}eD@1%6}R*w-irhZNqkrTrxu{RTcHRd0#c`30K+?zp}{tXn;UxM$t z10>0J7FK00G*ImGH0t&NJ}L4^S8Nm-rbZ-r>%EfiE`jgW#blf?5ALReRKUINl?b0s zK?74?#d#MbF*NUVBv!W>N-{|{3?mPwNw!mhieo_c+kw4I-Oz+WT~r_>k3lPY(fw^j z;Kr_hp$HRkdV&~@plQyD81E8Lca_?+9PNLN)4J*X+jw^wW%qNU?(?dy<_4to+KiZG zROQM2B}!lxSk_V%7y_I8F`B3P3=@so8R2qRKP3Ls{D?O*Li%-{#zF^x;Znk^z4pU2 z&e&Xpo1UiO!zL?%bSYl|+L5lGJj;ZCLmC}TSb5L)z|ep6sv1m^l;)SH{_6HKD-GHk zSnA19WZDI;A#%*Hh;El;(n8v>4swI;ly>YZ{erN=`AK-$z1H^O1nbw@@&5M9PfZ!B zmy;a^9{~xIJqBI@-;9UH2ABE2r8;M^QXMJFo=$L_OgjBO_8muvG-?Z=zl{ZUXP2T-xj#*mW{ z+{JW#H-5lqTC=-RMGnSIe#pX#1`O_|&ZEoNhOmS`BCNkD;-ozYwSR_vDww{GH#=b# z^s^@oJfAa|EWqT139Wo8a;Pq|RO4#ib1^d?U1^Ft^;m_?^kZ~v6R*jMwT4nG=5%Yv za5rG$u?%DHb85q5mEv?>TadKzlby1-A!)-28>H@QiDZY8Q9fEEd}}FEKNLc-8hc*S zZY+aA?Cn^9j?m>xOMj`_JJ=?pRnMz#v?;9Ou`SpB++p(P*iiIKZ`<1Z_|q8XqePIK z;|WEIU=740K4C&D&IBWL4RanPPXg?!zn%c6|7@uNnb zzt9WH23xH`Gs_b?et~-ssyG?nTD;QAvpF@`sNi7wKC!#)B%SgPS9KAFeD zPfXt2B=P?K(=T3;m$i(+DY%|w=vbNhkog<6u5xJx=K5Q2>nBxo(J2xy5wq&~Hlph3 zhul*h_`NIhL*bosx6}pK(hjBIMi~QW%3)f`Ky_muCx05UDnJKX4evI!Fvck&FZ81n z)H74s=bD^s2b{U8uMV5v*I>8>dsOL-($~RBCRFE+9MYkoE1tP@wz+Mk8WQRx#_a~( zWW%YuqGpTmwusrYUaP21!#=%JyI9?F7fQVp2SqzhJ{Wq1GN&8tT+ZgR!T7Mg5Vn0GYJl7)h;YEyQ8@mbdWZ|0i z(|Mnz55^-l+E_9QkqIHqp~=X-a^7Rq2pVS9o_Oim?F#+SSya>C=Uo<@OXF=AZO?y; zXwF-Md5=qx*E}K|CxGynX$aPO@4a^(t{Ry1_wjBIGcPT`+c_s}-9KB#xQtQr9Bm0T z7Jm)s4?ppkJqE9sk4!i5S5dP46!?X|iIcc~@}9k5pFd>YT?_`$7XF1NEUT!FLodC{ 
z^3cPkp$$Cx*Cx(n{5?G=eXwbwdJB*^;jJzSxdKQ4K2GS2P?Hi`OD-)FI55a~1c4X59eDJK*hmL4bQ8?IcKBspJ%j9e^}6EE1zK4%VQ+wPx0ZWWkO* zk_F^HmW6sIbmuY(?paV5F0+SAHid_Z=14CEHiBL*`0XsK&JwHRmDlrd{k}=M$NC2> z3uYGfpIit;c`#xINEeO719tE-qkm^Uxo^unZ6NCqjYy%RJpF z@?*jJ_bg0C91MAOMApPW3usBb05EPwTpa8ugTj>w?E;&Yc%1K2q?@@iU@ z*$Q13H#eoaX0(ovz^SeR?HTJzQTpCzdDdoHWp|nfQ>$vl8a=d3c>1GAZhv5k;AF7( zXE#kp2%p3dX15%`yj26HUh#cqOXzlh+dwh3;kUf(-Q#ZWey{TE5?;QtRp43cvg`W* zKKG+3UVDEDLl#q*`gc();AbBNciux@-dzIOzvo4?JtWB!I^015X?{=M_{@8VyuA;9 z_}(T$0eDrO9MFRcT>r%hkbfu4X$y0kV?Cg8-?9johy0L)Jahazh3Og0C0Gwe0ALNz z;qFuR1BADZ42{1-ct9GFkSU;bh;&Q{47cmBv3tMJzhJT>CJf(}yUzGx+Hf9;J>Kvb znZaoN;fmjOhB|4J4zxk59ND4+=Uk3%Rag9D1n*u4?)f-nCgNE8DSz`AZPAa(!)2Q4 zFp*`h%ul!WT{2tlTh*sOc9^ibsdme>>d31J8jswBQD(dOacXCAz#QE<95Cm`8$H@> zm@X~MiAP#iuDw_mWgb&Zf3Ei=*v%o|Q^McOkFPtJewr+lL*=K-0MCK1UNPs?!KEc@EtKnD}Oyl+|i295qG@N=?FYp3l8DBXu{Ur;3HR=x+^K%i#($NJ9L@a z)ZXiaIo61D1fJH-9DpZvGaGI@aKX77a7bM@kaedH;nI!!*GP5x?t|1b{G=}QZw$if zKK{(Z8TejEJE}ojmnPJK7%^NQ*WNXT?CbUO9SA*2csMzW*jy~BN77mis7mLN~lB8eW? z)F+2|Tid6u64WxeZ6Z(Js-3V`J+$@8raKzyT-~t{bpyRZ9yHOOR^mp-wX_4Cha1f` zm>J(HbtC3Sh<(#IRw{d_@YGw1@dYlB>^cdj>K!uj!+&%fFUVafGjooDR!S$-FdzAjarmuSLakOZmkM~o7Tt2+Zd#RlLcmQ~e5TnBqS z9lw8}+kIeR8s-lMXntj`I1s0&A|iZ$Fw}?>kvlSVrgbe~n4Bp0520WCmT^S3w-|Kh0=)M6)RvaBtOXdayk%MOKChU*kl!UV z46f)<$J}-eqpg2PYUXEoG>JszVBOCI{Z!!;6Mu65&6-^zXc#n{m`tH~YsJ;vN>f$) z=ESg;>y4hVEK;L$^Mbu*qS;s|%m9X5w=nqgq#9@&19Mz33vn7ZeopqDsYR#wDGH#5 z{+c`n?5r&w4|9)&{>L+gFf&`hA%Izp+63Oz57y{DE#okvKUmnb6AlIIWYv@++$g-} zB7eBXRX=+$w@@&*{J|cBzr`*NJ+Zj#-Kpgo$OtMx1~7VTRojn>bPkJr+?L%S;G@DU zxq?0(kb;!MUD?DaKkI@wJ)E(ayKa2c^Rp%T)eFQOcms`N@G~|WY2#S?8*#2%GU^F1 zZnd|j%weC#jyXu~;{w!jw#^3|Ab%X9s()USP1ilas-frgS*I{cz?iYSU<9$Ker0iBgC_aJboSa&rMCH9JhUhS4HP4h}TQJNfk{zXT>wI6aTSLY?lrhX=S!6%7zS79Jr0*Oc#lc$$&KQYJ8nb% z2F5d-0oPqf?LwEqe-x+}>%I0m+;)9U?ag_H*72%m!nWLx9LQWHP_>We+qzVjbifq? zD!by5H@3RSh1U9!Ej-iBrWRn(Ly354@gGI6QS?}3=)cQamdhs418(? 
z^M)H*V6ake7K+ez6+ARA*Xf`%^ITDfk>{gLu7HN6tk?1{@hvGUPq;at^?%``xwwl> zlcqd?;j&hhw5)G99@Y?C(z3$`)=jL2gEd@}kwsQoCJ_odmdC8_l-nDWp~@KP@)qA@ zT(0;PDAHMQA48*(A9c%4X*a4Ao>eHe$8Q1mnhQWD^Bq4jP)#8Ak)muFTjA+t^Hiw;xo zo=h_nb7$z@Yl2VN*%!9`cH7Cb9aNM-ZDJ;B5#Q)aFHF7`19d_J*K4|+GZni*ru*R44_wh+=}A#c!5n!x6m3in%SeTDSxo$J{-0;de$Ot&JWsq z$YHYv`JP*gfutdl=|7|MOdnGn+*{BYMon%(b3dXmizeKrpt7|ijeLtG*v-r}Mrrg# zOn4Ep_6jDt^zWF%wziuDd!NbBj+S0F@^<5~{7PgvN3is8`ZiOut7zOe)Lg)~u_FHE; znQ;v&d(1wL)Cz00BR86*t-nZbUJR*n@hPxId7Jc_C}&qmTH@9x-Pf(&pvFExGH{I= zzpHb?jb19}$os3L8E$}60vP07ZMW+6Ge)~YeE(zMJb%aVM@($*29I{k1aCczF;gD4 za~a2GVLzhbf!cy*i1>J1l)=H zX|!N&L5GrjI37)sPE>exSKGbzeqt9YCQs~IjhKDG2PSPWr%@SS;+GCRjqNJG63~?I zf?uq`?tlDLvt>`%8K?8_?h- zl>JJGb04}1gJ;#9FxX9>`Z-3=a^tlxDD-aILnD}K45?7- z4qfS@9=VB4{@w}}`ghFp8>PDFync?M5_@^eJFpB=7S)Kmg4YafohPbRW3Nhd|MtdM zJ%1d@RktIs+zz^)F!1!?UrQo=Qv&TEP`9tmINPTg2 zY19evnFTw0d~=Ozr9Jmih33V$+3n)6{bSgkZU|aYW!=qsZB$xkBi*RvPp~cSx*a}Z z8+>s4+hN<=ZM)l5Bz&COj31Y~pNDwITtz*EH9~K_dF%bwd{11Bt2UkHbCnx0lYi8P zPY60=!b}V5sB*MKdxvy}c?J#$IT*BKGIcu=-Hvi0TBpiz$~XNx6KKUGPmQrP zlVT&cKl0hoEuZlF8c8=Myq%|BtcK78VHM)|23#rz8M>VG{9|Eoh)UM2Acr_?Kkb9MRM*}HenXky*Wzp8_% zI#BjA4>TCO4c=UU$z$*i;pVJ6U|!8sL~<5WL4hKet=0@|E;LE?-~W5{Ki{#vf_WSK z9eTN|dbSdCRQ@TWxnZ;XK2Hv5^lrQ;l#d{J zmL7gq?Pbnl9wjF5XVzr`c6OE40X|-{foas&Y@_-$i@uU&CBO+5hC~5snhj+tmmrv; zW{idV^|FY=QRdR8+>$s=>_d6Iu?Kxdvb(!qR*PCK)Y!; gLd$(^huM=J8!eMS8w(DW^cB ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1e7..6a7c8001a 100644 +index 1d732f1e7..7e03673be 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3395,7 +3395,7 @@ index 1d732f1e7..6a7c8001a 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -310,26 +341,32 @@ selinux_compute_create_context(passwd_t) +@@ -310,26 +341,34 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) 
@@ -3406,7 +3406,9 @@ index 1d732f1e7..6a7c8001a 100644 auth_run_chk_passwd(passwd_t, passwd_roles) +auth_manage_passwd(passwd_t) ++auth_map_passwd(passwd_t) auth_manage_shadow(passwd_t) ++auth_map_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) -auth_use_nsswitch(passwd_t) @@ -3432,7 +3434,7 @@ index 1d732f1e7..6a7c8001a 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -338,12 +375,11 @@ init_use_fds(passwd_t) +@@ -338,12 +377,11 @@ init_use_fds(passwd_t) logging_send_audit_msgs(passwd_t) logging_send_syslog_msg(passwd_t) @@ -3446,7 +3448,7 @@ index 1d732f1e7..6a7c8001a 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +388,20 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +390,20 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3467,7 +3469,7 @@ index 1d732f1e7..6a7c8001a 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -362,7 +412,7 @@ optional_policy(` +@@ -362,7 +414,7 @@ optional_policy(` # Password admin local policy # @@ -3476,7 +3478,7 @@ index 1d732f1e7..6a7c8001a 100644 allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use; -@@ -401,9 +451,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +453,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) 
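Review bot: `auth_map_shadow(passwd_t)` and `auth_map_passwd(passwd_t)` are added for passwd_t only, while the sysadm_passwd_t block later in this file section (the hunk at `@@ -401,9 +453,10 @@`, which still carries `auth_manage_shadow(sysadm_passwd_t)` with no map counterpart) is left unchanged. If sysadm_passwd_t runs the same /usr/bin/passwd binary that now mmaps /etc/shadow, that domain will hit the same `map` denial this commit fixes for passwd_t; consider adding `auth_map_shadow(sysadm_passwd_t)` next to `auth_manage_shadow(sysadm_passwd_t)` in that hunk. Whether the binary also maps /etc/passwd cannot be confirmed from this patch, so the `auth_map_passwd` line is presumably taken from an observed denial and worth stating in the commit description. The enclosing passwd_t policy block extends beyond this hunk.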
@@ -3489,7 +3491,7 @@ index 1d732f1e7..6a7c8001a 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +467,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +469,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -3497,7 +3499,7 @@ index 1d732f1e7..6a7c8001a 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +476,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +478,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3510,7 +3512,7 @@ index 1d732f1e7..6a7c8001a 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,8 +493,10 @@ optional_policy(` +@@ -446,8 +495,10 @@ optional_policy(` # Useradd local policy # @@ -3523,7 +3525,7 @@ index 1d732f1e7..6a7c8001a 100644 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; allow useradd_t self:fd use; -@@ -461,6 +510,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +512,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3534,7 +3536,7 @@ index 1d732f1e7..6a7c8001a 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +521,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +523,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) 
@@ -3574,7 +3576,7 @@ index 1d732f1e7..6a7c8001a 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,45 +550,50 @@ auth_rw_faillog(useradd_t) +@@ -498,45 +552,50 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -3636,7 +3638,7 @@ index 1d732f1e7..6a7c8001a 100644 ') optional_policy(` -@@ -545,14 +602,27 @@ optional_policy(` +@@ -545,14 +604,27 @@ optional_policy(` ') optional_policy(` @@ -3664,7 +3666,7 @@ index 1d732f1e7..6a7c8001a 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +632,12 @@ optional_policy(` +@@ -562,3 +634,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -33740,7 +33742,7 @@ index 247958765..890e1e293 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b669..3db526f84 100644 +index 3efd5b669..190c29841 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
@@ -34030,7 +34032,32 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',` +@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',` + + ######################################## + ## ++## Mmap the shadow passwords file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_map_shadow',` ++ gen_require(` ++ type shadow_t; ++ ') ++ ++ allow $1 shadow_t:file map; ++') ++ ++######################################## ++## + ## Read the shadow passwords file (/etc/shadow) + ## + ## +@@ -664,6 +777,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -34041,7 +34068,7 @@ index 3efd5b669..3db526f84 100644 ') ####################################### -@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +880,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -34093,7 +34120,7 @@ index 3efd5b669..3db526f84 100644 ') ####################################### -@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +984,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -34124,7 +34151,7 @@ index 3efd5b669..3db526f84 100644 ## ## ## -@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +1014,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -34155,7 +34182,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1049,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -34174,7 +34201,7 @@ index 3efd5b669..3db526f84 100644 ## ## ## -@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1070,33 @@ interface(`auth_signal_pam',` ## ## # 
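Review bot: The new `auth_map_shadow` interface grants only `shadow_t:file map`, and its description `## Mmap the shadow passwords file.` does not say that read or write access to the mapping still has to come from another interface; unlike `auth_manage_shadow` further down in this hunk it also does not attach the `can_read_shadow_passwords` attribute, so a caller using it alone neither gains read access nor shows up in queries on that attribute. Suggest expanding the description to `## Allow mmap of the shadow passwords file (/etc/shadow). Read or write access to the mapping must be granted separately, e.g. via auth_read_shadow or auth_manage_shadow.` The `map` permission gates the mmap() call itself while the requested protections are still checked against the file's read/write/execute permissions, so this presumably keeps the existing restrictions on shadow reads effective; it would be worth saying so in the interface comment. The same documentation gap applies to `auth_map_passwd` added in the later hunk `@@ -34376,7 +34403,7 @@`.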
@@ -34212,7 +34239,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1174,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -34246,7 +34273,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1276,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -34257,7 +34284,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1416,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -34265,7 +34292,7 @@ index 3efd5b669..3db526f84 100644 ') ####################################### -@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1817,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -34291,7 +34318,7 @@ index 3efd5b669..3db526f84 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1968,63 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1986,63 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -34359,7 +34386,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -1767,11 +2048,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +2066,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` 
@@ -34376,7 +34403,7 @@ index 3efd5b669..3db526f84 100644 ') ######################################## -@@ -1805,3 +2088,280 @@ interface(`auth_unconfined',` +@@ -1805,3 +2106,298 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -34492,6 +34519,24 @@ index 3efd5b669..3db526f84 100644 + +######################################## +## ++## Mmap the passwd passwords file (/etc/passwd) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_map_passwd',` ++ gen_require(` ++ type passwd_file_t; ++ ') ++ ++ allow $1 passwd_file_t:file map; ++') ++ ++######################################## ++## +## Do not audit attempts to read the passwd +## password file (/etc/passwd). +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 49936ddf..8e51ee1b 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -53630,7 +53630,7 @@ index 6194b806b..e27c53d6e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4fc..7d5d385a2 100644 +index 11ac8e4fc..3c24a12ef 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0) @@ -53750,7 +53750,7 @@ index 11ac8e4fc..7d5d385a2 100644 ######################################## # # Local policy -@@ -75,27 +109,30 @@ optional_policy(` +@@ -75,104 +109,101 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; 
@@ -53794,10 +53794,10 @@ index 11ac8e4fc..7d5d385a2 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +140,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) + manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) - +- -allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; @@ -53805,7 +53805,8 @@ index 11ac8e4fc..7d5d385a2 100644 -stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t) - -can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t }) -- ++allow mozilla_plugin_t mozilla_tmpfs_t:file map; + kernel_read_kernel_sysctls(mozilla_t) kernel_read_network_state(mozilla_t) +# Access /proc, sysctl @@ -53902,7 +53903,7 @@ index 11ac8e4fc..7d5d385a2 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +211,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +212,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -54013,7 +54014,7 @@ index 11ac8e4fc..7d5d385a2 100644 ') optional_policy(` -@@ -244,19 +291,12 @@ optional_policy(` +@@ -244,19 +292,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -54035,7 +54036,7 @@ index 11ac8e4fc..7d5d385a2 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +305,32 @@ optional_policy(` +@@ -265,33 +306,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) 
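Review bot: `allow mozilla_plugin_t mozilla_tmpfs_t:file map;` is inserted into the mozilla_t local-policy section, directly after the mozilla_t tmpfs patterns and before `kernel_read_kernel_sysctls(mozilla_t)`, although its subject is mozilla_plugin_t. Placing it with the other mozilla_plugin_t rules (the plugin local policy appears to begin around the later `@@ -300,259 +340,258 @@` hunk, outside this one) would keep each domain's rules together and make it easier to audit what the plugin sandbox can reach in the browser's tmpfs. A one-line comment such as `# plugin maps the browser's shared tmpfs files` above the rule would also record why a cross-domain map right was needed, since the commit description only restates the rule. The enclosing section continues past this hunk.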
@@ -54083,7 +54084,7 @@ index 11ac8e4fc..7d5d385a2 100644 ') optional_policy(` -@@ -300,259 +339,258 @@ optional_policy(` +@@ -300,259 +340,258 @@ optional_policy(` ######################################## # @@ -54488,7 +54489,7 @@ index 11ac8e4fc..7d5d385a2 100644 ') optional_policy(` -@@ -560,7 +598,11 @@ optional_policy(` +@@ -560,7 +599,11 @@ optional_policy(` ') optional_policy(` @@ -54501,7 +54502,7 @@ index 11ac8e4fc..7d5d385a2 100644 ') optional_policy(` -@@ -568,108 +610,144 @@ optional_policy(` +@@ -568,108 +611,144 @@ optional_policy(` ') optional_policy(` @@ -80891,10 +80892,10 @@ index 45843b55c..4d1adace5 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index 6643b49c2..dd0c3d371 100644 +index 6643b49c2..22214f676 100644 --- a/pulseaudio.te +++ b/pulseaudio.te -@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0) +@@ -8,61 +8,50 @@ policy_module(pulseaudio, 1.6.0) attribute pulseaudio_client; attribute pulseaudio_tmpfsfile; @@ -80970,10 +80971,11 @@ index 6643b49c2..dd0c3d371 100644 +# ~/.esd_auth - maybe we should label this pulseaudio_home_t? +userdom_read_user_home_content_files(pulseaudio_t) +userdom_search_admin_dir(pulseaudio_t) ++userdom_map_tmp_files(pulseaudio_t) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) -@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) +@@ -72,10 +61,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) 
@@ -80985,7 +80987,7 @@ index 6643b49c2..dd0c3d371 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -85,62 +70,58 @@ kernel_read_kernel_sysctls(pulseaudio_t) +@@ -85,62 +71,58 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) @@ -81067,7 +81069,7 @@ index 6643b49c2..dd0c3d371 100644 ') optional_policy(` -@@ -153,8 +134,9 @@ optional_policy(` +@@ -153,8 +135,9 @@ optional_policy(` optional_policy(` dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) @@ -81079,7 +81081,7 @@ index 6643b49c2..dd0c3d371 100644 optional_policy(` consolekit_dbus_chat(pulseaudio_t) -@@ -174,29 +156,49 @@ optional_policy(` +@@ -174,29 +157,49 @@ optional_policy(` ') optional_policy(` @@ -81131,7 +81133,7 @@ index 6643b49c2..dd0c3d371 100644 # # Client local policy # -@@ -210,8 +212,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi +@@ -210,8 +213,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi fs_getattr_tmpfs(pulseaudio_client) @@ -81140,7 +81142,7 @@ index 6643b49c2..dd0c3d371 100644 corenet_tcp_sendrecv_generic_if(pulseaudio_client) corenet_tcp_sendrecv_generic_node(pulseaudio_client) -@@ -220,38 +220,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) +@@ -220,38 +221,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) pulseaudio_stream_connect(pulseaudio_client) diff --git a/selinux-policy.spec b/selinux-policy.spec index 86361947..ee81507d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 282%{?dist} +Release: 283%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -681,6 +681,11 @@ exit 0 %endif %changelog +* Tue Sep 12 2017 Lukas Vrabec - 3.13.1-283 +- Allow passwd_t domain mmap /etc/shadow and /etc/passwd +- Allow pulseaudio_t domain to map user tmp files +- Allow mozilla plugin to mmap mozilla tmpfs files + * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282 - Add new bunch of map rules - Merge pull request #25 from NetworkManager/nm-ovs