* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94

- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
- Allow sendmail to create dead.letter. BZ(1165443)
- Allow selinux_child running as sssd to perform an access check on /etc/selinux/targeted/modules/active.
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
Lukas Vrabec 2014-11-19 16:33:35 +01:00
parent 24d43eb10d
commit c88e657c3d
3 changed files with 133 additions and 33 deletions


@ -32228,7 +32228,7 @@ index 17eda24..d4113cc 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..353c3b7 100644
index 662e79b..ad9ef4e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,14 +1,25 @@
@ -32258,7 +32258,7 @@ index 662e79b..353c3b7 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
@@ -26,16 +37,26 @@
@@ -26,16 +37,27 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@ -32281,6 +32281,7 @@ index 662e79b..353c3b7 100644
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon\.vici -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
@ -37268,13 +37269,31 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3822072..8686e0a 100644
index 3822072..1b9a765 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,24 @@ interface(`seutil_exec_loadpolicy',`
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
########################################
## <summary>
+## Allow access check on load_policy.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_access_check_load_policy',`
+ gen_require(`
+ type load_policy_exec_t;
+ ')
+
+ allow $1 load_policy_exec_t:file audit_access;
+')
+
+########################################
+## <summary>
+## Dontaudit access check on load_policy.
+## </summary>
+## <param name="domain">
@ -37296,7 +37315,7 @@ index 3822072..8686e0a 100644
## Read the load_policy program file.
## </summary>
## <param name="domain">
@@ -192,11 +210,22 @@ interface(`seutil_domtrans_newrole',`
@@ -192,11 +228,22 @@ interface(`seutil_domtrans_newrole',`
#
interface(`seutil_run_newrole',`
gen_require(`
@ -37321,7 +37340,7 @@ index 3822072..8686e0a 100644
')
########################################
@@ -359,6 +388,27 @@ interface(`seutil_exec_restorecon',`
@@ -359,6 +406,27 @@ interface(`seutil_exec_restorecon',`
########################################
## <summary>
@ -37349,7 +37368,7 @@ index 3822072..8686e0a 100644
## Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
@@ -425,11 +475,20 @@ interface(`seutil_init_script_domtrans_runinit',`
@@ -425,11 +493,20 @@ interface(`seutil_init_script_domtrans_runinit',`
#
interface(`seutil_run_runinit',`
gen_require(`
@ -37373,7 +37392,7 @@ index 3822072..8686e0a 100644
')
########################################
@@ -461,11 +520,19 @@ interface(`seutil_run_runinit',`
@@ -461,11 +538,19 @@ interface(`seutil_run_runinit',`
#
interface(`seutil_init_script_run_runinit',`
gen_require(`
@ -37396,7 +37415,7 @@ index 3822072..8686e0a 100644
')
########################################
@@ -535,6 +602,53 @@ interface(`seutil_run_setfiles',`
@@ -535,6 +620,53 @@ interface(`seutil_run_setfiles',`
########################################
## <summary>
@ -37450,10 +37469,28 @@ index 3822072..8686e0a 100644
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
@@ -555,6 +669,24 @@ interface(`seutil_exec_setfiles',`
@@ -555,6 +687,42 @@ interface(`seutil_exec_setfiles',`
########################################
## <summary>
+## Allow access check on setfiles.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_access_check_setfiles',`
+ gen_require(`
+ type setfiles_exec_t;
+ ')
+
+ allow $1 setfiles_exec_t:file audit_access;
+')
+
+########################################
+## <summary>
+## Dontaudit access check on setfiles.
+## </summary>
+## <param name="domain">
@ -37475,7 +37512,7 @@ index 3822072..8686e0a 100644
## Do not audit attempts to search the SELinux
## configuration directory (/etc/selinux).
## </summary>
@@ -680,10 +812,115 @@ interface(`seutil_manage_config',`
@@ -680,10 +848,115 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@ -37591,7 +37628,7 @@ index 3822072..8686e0a 100644
#######################################
## <summary>
## Create, read, write, and delete
@@ -694,15 +931,62 @@ interface(`seutil_manage_config',`
@@ -694,15 +967,62 @@ interface(`seutil_manage_config',`
## Domain allowed access.
## </summary>
## </param>
@ -37657,7 +37694,7 @@ index 3822072..8686e0a 100644
')
########################################
@@ -746,6 +1030,29 @@ interface(`seutil_read_default_contexts',`
@@ -746,6 +1066,29 @@ interface(`seutil_read_default_contexts',`
read_files_pattern($1, default_context_t, default_context_t)
')
@ -37687,7 +37724,7 @@ index 3822072..8686e0a 100644
########################################
## <summary>
## Create, read, write, and delete the default_contexts files.
@@ -784,7 +1091,9 @@ interface(`seutil_read_file_contexts',`
@@ -784,7 +1127,9 @@ interface(`seutil_read_file_contexts',`
files_search_etc($1)
allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
@ -37697,7 +37734,7 @@ index 3822072..8686e0a 100644
')
########################################
@@ -999,6 +1308,26 @@ interface(`seutil_domtrans_semanage',`
@@ -999,6 +1344,26 @@ interface(`seutil_domtrans_semanage',`
########################################
## <summary>
@ -37724,7 +37761,7 @@ index 3822072..8686e0a 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
@@ -1017,11 +1346,67 @@ interface(`seutil_domtrans_semanage',`
@@ -1017,11 +1382,87 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@ -37773,6 +37810,26 @@ index 3822072..8686e0a 100644
+
+########################################
+## <summary>
+## List of the semanage
+## module store.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_access_check_module_store',`
+ gen_require(`
+ type semanage_store_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 semanage_store_t:dir_file_class_set audit_access;
+')
+
+########################################
+## <summary>
+## Full management of the semanage
+## module store.
+## </summary>
@ -37794,7 +37851,7 @@ index 3822072..8686e0a 100644
')
########################################
@@ -1043,7 +1428,11 @@ interface(`seutil_manage_module_store',`
@@ -1043,7 +1484,11 @@ interface(`seutil_manage_module_store',`
files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
@ -37806,10 +37863,28 @@ index 3822072..8686e0a 100644
')
#######################################
@@ -1067,6 +1456,24 @@ interface(`seutil_get_semanage_read_lock',`
@@ -1067,6 +1512,42 @@ interface(`seutil_get_semanage_read_lock',`
#######################################
## <summary>
+## Allow access check on module store
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_access_check_semanage_read_lock',`
+ gen_require(`
+ type semanage_read_lock_t;
+ ')
+
+ allow $1 semanage_read_lock_t:file audit_access;
+')
+
+#######################################
+## <summary>
+## Dontaudit access check on module store
+## </summary>
+## <param name="domain">
@ -37831,7 +37906,7 @@ index 3822072..8686e0a 100644
## Get trans lock on module store
## </summary>
## <param name="domain">
@@ -1137,3 +1544,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
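Review bot: The summaries of the new access-check interfaces are copy-paste leftovers that do not describe the rule they add: `seutil_access_check_module_store` is summarised as "List of the semanage module store.", and `seutil_access_check_semanage_read_lock` together with its dontaudit twin are summarised as "... access check on module store" although the `allow` they contain is on `semanage_read_lock_t`. Suggested wording, matching the load_policy/setfiles interfaces in the same hunk set: `## Allow access check on the semanage module store.`, `## Allow access check on the semanage read lock.` and `## Dontaudit access check on the semanage read lock.`. These summaries are what the generated interface documentation shows, so a wrong one hides from a policy author that the interface grants only `audit_access` (the permission checked for access(2) probes) and not read on the store or lock. A smaller point in the ipsec.fc hunk: `/var/run/charon.* --` uses an unescaped `.`, so it also matches names such as `/var/run/charonfoo`; if only `charon.<suffix>` files are intended, `/var/run/charon\..* --` is the tighter pattern. The dontaudit variants' bodies lie outside the visible hunks, so their `dontaudit` lines could not be checked here.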


@ -61915,7 +61915,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
index 63957a3..3eb9dc1 100644
index 63957a3..ba34f72 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@ -62040,7 +62040,7 @@ index 63957a3..3eb9dc1 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
@@ -164,6 +188,10 @@ tunable_policy(`openvpn_can_network_connect',`
@@ -164,10 +188,19 @@ tunable_policy(`openvpn_can_network_connect',`
')
optional_policy(`
@ -62051,11 +62051,17 @@ index 63957a3..3eb9dc1 100644
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
@@ -173,5 +201,30 @@ optional_policy(`
optional_policy(`
+ networkmanager_stream_connect(openvpn_t)
+ networkmanager_manage_pid_files(openvpn_t)
+')
+
+optional_policy(`
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
optional_policy(`
@@ -175,3 +208,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
+ networkmanager_stream_connect(openvpn_t)
')
')
+
@ -92301,7 +92307,7 @@ index 35ad2a7..6b75e85 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
index 12700b4..fde3c8d 100644
index 12700b4..906b5db 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@ -92441,7 +92447,7 @@ index 12700b4..fde3c8d 100644
')
optional_policy(`
@@ -164,6 +168,10 @@ optional_policy(`
@@ -164,14 +168,27 @@ optional_policy(`
')
optional_policy(`
@ -92452,7 +92458,12 @@ index 12700b4..fde3c8d 100644
milter_stream_connect_all(sendmail_t)
')
@@ -172,6 +180,11 @@ optional_policy(`
optional_policy(`
+ mta_filetrans_home_content(sendmail_t)
+')
+
+optional_policy(`
munin_dontaudit_search_lib(sendmail_t)
')
optional_policy(`
@ -92464,7 +92475,7 @@ index 12700b4..fde3c8d 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
@@ -193,6 +206,10 @@ optional_policy(`
@@ -193,6 +210,10 @@ optional_policy(`
')
optional_policy(`
@ -92475,7 +92486,7 @@ index 12700b4..fde3c8d 100644
udev_read_db(sendmail_t)
')
@@ -206,8 +223,8 @@ optional_policy(`
@@ -206,8 +227,8 @@ optional_policy(`
#
optional_policy(`
@ -97481,7 +97492,7 @@ index a240455..f4d8c79 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
index 2d8db1f..ababeba 100644
index 2d8db1f..dbb5dd6 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@ -97539,7 +97550,7 @@ index 2d8db1f..ababeba 100644
corecmd_exec_bin(sssd_t)
@@ -83,28 +79,30 @@ domain_read_all_domains_state(sssd_t)
@@ -83,28 +79,36 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
@ -97559,6 +97570,12 @@ index 2d8db1f..ababeba 100644
-# seutil_manage_login_config_files(sssd_t)
+seutil_rw_login_config_dirs(sssd_t)
+seutil_manage_login_config_files(sssd_t)
+
+seutil_access_check_module_store(sssd_t)
+
+seutil_access_check_load_policy(sssd_t)
+seutil_access_check_setfiles(sssd_t)
+seutil_access_check_semanage_read_lock(sssd_t)
mls_file_read_to_clearance(sssd_t)
mls_socket_read_to_clearance(sssd_t)
@ -97574,7 +97591,7 @@ index 2d8db1f..ababeba 100644
init_read_utmp(sssd_t)
@@ -112,18 +110,36 @@ logging_send_syslog_msg(sssd_t)
@@ -112,18 +116,36 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
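Review bot: `networkmanager_manage_pid_files(openvpn_t)` in the new openvpn.te `optional_policy` block is broader than the stated goal of creating connection-uuid files under /var/run/NetworkManager: a manage_* interface conventionally grants create, read, write, delete and rename over everything carrying the NetworkManager pid label, not only the files openvpn creates. If the networkmanager module offers a narrower create/write interface it would fit least privilege better; otherwise a why-comment such as `# openvpn writes connection uuid files into /var/run/NetworkManager` above the call would record why manage is required. The `+ networkmanager_stream_connect(openvpn_t)` line under `networkmanager_dbus_chat(openvpn_t)` cannot be assigned to the old or new side from this rendering; if it survives on the new side next to the new block, the call is duplicated (harmless to the compiled policy, but worth dropping). In the sssd.te hunk the four `seutil_access_check_*` calls are the right shape for access(2) probes, since `audit_access` grants neither read nor execute; placing `seutil_access_check_module_store(sssd_t)` directly with the other three instead of separating it by a blank line would keep related seutil calls grouped as the surrounding lines are.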


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 93%{?dist}
Release: 94%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -604,6 +604,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
- Allow sendmail to create dead.letter. BZ(1165443)
- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
* Fri Nov 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-93
- Allow bumblebee to use nsswitch. BZ(1155339)
- Allow openvpn to stream connect to networkmanager. BZ(1164182)