- Add prosody policy written by Michael Scherer

- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call the proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain i
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain at
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
This commit is contained in:
Miroslav Grepl 2013-07-08 09:18:11 +02:00
parent 961ad881ae
commit d1027c54b9
4 changed files with 892 additions and 214 deletions


@ -2250,3 +2250,10 @@ pesign = module
# Fast and lean authoritative DNS Name Server
#
nsd = module
# Layer: contrib
# Module: iodine
#
# Fast and lean authoritative DNS Name Server
#
iodine = module
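Review bot: The comment block added for the new `iodine` entry reuses nsd's description, `# Fast and lean authoritative DNS Name Server`, on the line just above `iodine = module`; that text describes nsd, not iodine, which is an IP-over-DNS tunnelling tool. Replace that line with `# IP over DNS tunnelling daemon` so anyone auditing the enabled module list is not told the wrong thing about what this module confines. The hunk header counts seven added lines but only six are visible here, so a blank separator line after `nsd = module` was presumably dropped by the rendering rather than by the commit.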


@ -5170,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4edc40d..68176bb 100644
index 4edc40d..b48abbe 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5400,7 +5400,7 @@ index 4edc40d..68176bb 100644
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@ -5415,6 +5415,7 @@ index 4edc40d..68176bb 100644
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
+network_port(time, tcp,37,s0, udp,37,s0)
+network_port(redis, tcp,6379,s0)
network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@ -5449,7 +5450,7 @@ index 4edc40d..68176bb 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@ -5460,7 +5461,7 @@ index 4edc40d..68176bb 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@ -5473,7 +5474,7 @@ index 4edc40d..68176bb 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@ -5492,7 +5493,7 @@ index 4edc40d..68176bb 100644
########################################
#
@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@ -5501,7 +5502,7 @@ index 4edc40d..68176bb 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@ -33356,15 +33357,14 @@ index 3822072..1029e3b 100644
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ec01d0b..64db314 100644
index ec01d0b..e2b829b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@@ -11,14 +11,16 @@ gen_require(`
attribute can_write_binary_policy;
attribute can_relabelto_binary_policy;
+attribute setfiles_domain;
+attribute seutil_semanage_domain;
+attribute policy_manager_domain;
-attribute_role newrole_roles;
@ -33382,7 +33382,7 @@ index ec01d0b..64db314 100644
#
# selinux_config_t is the type applied to
@@ -28,7 +31,13 @@ roleattribute system_r semanage_roles;
@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
# in the domain_type interface
# (fix dup decl)
type selinux_config_t;
@ -33397,7 +33397,7 @@ index ec01d0b..64db314 100644
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
@@ -40,14 +49,14 @@ role system_r types checkpolicy_t;
@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
# /etc/selinux/*/contexts/*
#
type default_context_t;
@ -33414,7 +33414,7 @@ index ec01d0b..64db314 100644
type load_policy_t;
type load_policy_exec_t;
@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
domain_role_change_exemption(newrole_t)
domain_obj_id_change_exemption(newrole_t)
domain_interactive_fd(newrole_t)
@ -33438,7 +33438,7 @@ index ec01d0b..64db314 100644
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -83,7 +98,6 @@ type restorecond_t;
@@ -83,7 +97,6 @@ type restorecond_t;
type restorecond_exec_t;
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
@ -33446,7 +33446,7 @@ index ec01d0b..64db314 100644
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
@@ -92,25 +106,32 @@ type run_init_t;
@@ -92,25 +105,32 @@ type run_init_t;
type run_init_exec_t;
application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
@ -33485,7 +33485,7 @@ index ec01d0b..64db314 100644
type semanage_var_lib_t;
files_type(semanage_var_lib_t)
@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
@ -33497,7 +33497,7 @@ index ec01d0b..64db314 100644
########################################
#
# Checkpolicy local policy
@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
@ -33505,7 +33505,7 @@ index ec01d0b..64db314 100644
domain_use_interactive_fds(checkpolicy_t)
@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t)
init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)
@ -33514,7 +33514,7 @@ index ec01d0b..64db314 100644
userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t)
@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t)
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
@ -33531,7 +33531,7 @@ index ec01d0b..64db314 100644
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',`
@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',`
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
@ -33539,7 +33539,7 @@ index ec01d0b..64db314 100644
optional_policy(`
unconfined_dontaudit_read_pipes(load_policy_t)
@@ -215,12 +243,17 @@ optional_policy(`
@@ -215,12 +242,17 @@ optional_policy(`
portage_dontaudit_use_fds(load_policy_t)
')
@ -33558,7 +33558,7 @@ index ec01d0b..64db314 100644
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -33567,7 +33567,7 @@ index ec01d0b..64db314 100644
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
@ -33575,7 +33575,7 @@ index ec01d0b..64db314 100644
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t)
@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@ -33617,7 +33617,7 @@ index ec01d0b..64db314 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
@@ -309,7 +352,7 @@ if(secure_mode) {
@@ -309,7 +351,7 @@ if(secure_mode) {
userdom_spec_domtrans_all_users(newrole_t)
}
@ -33626,7 +33626,7 @@ index ec01d0b..64db314 100644
files_polyinstantiate_all(newrole_t)
')
@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t)
@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@ -33641,7 +33641,7 @@ index ec01d0b..64db314 100644
fs_list_inotifyfs(restorecond_t)
selinux_validate_context(restorecond_t)
@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t)
@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
@ -33661,7 +33661,7 @@ index ec01d0b..64db314 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
@@ -366,21 +414,24 @@ optional_policy(`
@@ -366,21 +413,24 @@ optional_policy(`
# Run_init local policy
#
@ -33688,7 +33688,7 @@ index ec01d0b..64db314 100644
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t)
@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@ -33724,7 +33724,7 @@ index ec01d0b..64db314 100644
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',`
@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
@ -33744,7 +33744,7 @@ index ec01d0b..64db314 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
@@ -440,81 +511,87 @@ optional_policy(`
@@ -440,81 +510,87 @@ optional_policy(`
# semodule local policy
#
@ -33885,7 +33885,7 @@ index ec01d0b..64db314 100644
')
########################################
@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',`
@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@ -34151,7 +34151,7 @@ index ec01d0b..64db314 100644
+userdom_use_user_ptys(policy_manager_domain)
+
+files_rw_inherited_generic_pid_files(setfiles_domain)
+files_rw_inherited_generic_pid_files(seutil_semanage_domain)
+files_rw_inherited_generic_pid_files(policy_manager_domain)
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index bea4629..06e2834 100644
--- a/policy/modules/system/setrans.fc
@ -38249,7 +38249,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3c5dba7..4f43578 100644
index 3c5dba7..4129aa6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -39192,7 +39192,7 @@ index 3c5dba7..4f43578 100644
+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
+
+ tunable_policy(`selinuxuser_use_ssh_chroot',`
+ allow $1_t self:capability { setuid sys_chroot };
+ allow $1_t self:capability { setuid setgid sys_chroot };
+ ')
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
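Review bot: The `selinuxuser_use_ssh_chroot` tunable block in the userdomain.if hunk near the end of this section changes `allow $1_t self:capability { setuid sys_chroot };` to `allow $1_t self:capability { setuid setgid sys_chroot };`, which widens the capability set granted to every domain built from this template whenever the boolean is on, and neither the hunk nor the commit message ("fix selinuxuser_use_ssh_chroot boolean") records why setgid is now required. Add a why-comment above the allow, along the lines of `# setgid is needed alongside setuid so the chrooted sshd can drop group privileges` if that is the reason, and update the boolean's description in its tunable declaration so an administrator enabling it knows it now grants setgid as well. Which of the two printed `allow` lines is the new side is inferred from print order only, since the outer diff's `+`/`-` column is lost in this rendering, so confirm against the raw patch. The enclosing template starts and ends outside the hunk.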



@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 58%{?dist}
Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -539,6 +539,47 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
- Add prosody policy written by Michael Scherer
- Allow nagios plugins to read /sys info
- ntpd needs to manage own log files
- Add support for HOME_DIR/.IBMERS
- Allow iptables commands to read firewalld config
- Allow consolekit_t to read utmp
- Fix filename transitions on .razor directory
- Add additional fixes to make DSPAM with LDA working
- Allow snort to read /etc/passwd
- Allow fail2ban to communicate with firewalld over dbus
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
- Allow nfsd to use mountd port
- Call th proper interface
- Allow openvswitch to read sys and execute plymouth
- Allow tmpwatch to read /var/spool/cups/tmp
- Add support for /usr/libexec/telepathy-rakia
- Add systemd support for zoneminder
- Allow mysql to create files/directories under /var/log/mysql
- Allow zoneminder apache scripts to rw zoneminder tmpfs
- Allow httpd to manage zoneminder lib files
- Add zoneminder_run_sudo boolean to allow to start zoneminder
- Allow zoneminder to send mails
- gssproxy_t sock_file can be under /var/lib
- Allow web domains to connect to whois port.
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
- We really need to add an interface to corenet to define what a web_client_domain is and
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
- Update policy rules for pegasus_openlmi_logicalfile_t
- Add initial types for logicalfile/unconfined OpenLMI providers
- mailmanctl needs to read own log
- Allow logwatch manage own lock files
- Allow nrpe to read meminfo
- Allow httpd to read certs located in pki-ca
- Add pki_read_tomcat_cert() interface
- Add support for nagios openshift plugins
- Add port definition for redis port
- fix selinuxuser_use_ssh_chroot boolean
* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
- Allow bootloader to manage generic log files