* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177

- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
- Allow sending dbus msgs between firewalld and system_cronjob domains.
- Allow zabbix-agentd to connect to the following tcp sockets: one of zabbix-agentd's functions is to get the service status of the ftp, http, innd, pop and smtp protocols. rhbz#1315354
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
- Add support for systemd-gpt-auto-generator. rhbz#1314968
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
- Add support for systemd-hwdb daemon. rhbz#1306243
This commit is contained in:
Lukas Vrabec 2016-03-08 16:08:03 +01:00
parent d9322551de
commit d14d3706d7
4 changed files with 93 additions and 24 deletions

Binary file not shown.


@ -43837,15 +43837,16 @@ index a392fc4..78fa512 100644
+') +')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644 new file mode 100644
index 0000000..849cdb8 index 0000000..19617c7
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,61 @@ @@ -0,0 +1,64 @@
+HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0)
+ +
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)
+ +
+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) +/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0) +/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
@ -43858,6 +43859,7 @@ index 0000000..849cdb8
+/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) +/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) +/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) +/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-hwdb -- gen_context(system_u:object_r:systemd_hwdb_exec_t,s0)
+ +
+/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
@ -43866,6 +43868,7 @@ index 0000000..849cdb8
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) +/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0) +/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0) +/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-hwdb.*\.service -- gen_context(system_u:object_r:systemd_hwdb_unit_file_t,s0)
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*hibernate.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
+/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0) +/usr/lib/systemd/system/.*power.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
@ -45588,10 +45591,10 @@ index 0000000..21f7c14
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..11d2aa1 index 0000000..551317f
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,843 @@ @@ -0,0 +1,860 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -45632,6 +45635,11 @@ index 0000000..11d2aa1
+type systemd_coredump_tmpfs_t; +type systemd_coredump_tmpfs_t;
+files_tmpfs_file(systemd_coredump_tmpfs_t) +files_tmpfs_file(systemd_coredump_tmpfs_t)
+ +
+systemd_domain_template(systemd_hwdb)
+
+type systemd_hwdb_unit_file_t;
+systemd_unit_file(systemd_hwdb_unit_file_t)
+
+systemd_domain_template(systemd_networkd) +systemd_domain_template(systemd_networkd)
+ +
+type systemd_networkd_unit_file_t; +type systemd_networkd_unit_file_t;
@ -45675,6 +45683,9 @@ index 0000000..11d2aa1
+type hostname_etc_t; +type hostname_etc_t;
+files_config_file(hostname_etc_t) +files_config_file(hostname_etc_t)
+ +
+type systemd_hwdb_etc_t;
+files_config_file(systemd_hwdb_etc_t)
+
+systemd_domain_template(systemd_rfkill) +systemd_domain_template(systemd_rfkill)
+ +
+type systemd_rfkill_unit_file_t; +type systemd_rfkill_unit_file_t;
@ -46396,6 +46407,15 @@ index 0000000..11d2aa1
+ unconfined_domain(systemd_coredump_t) + unconfined_domain(systemd_coredump_t)
+') +')
+ +
+#######################################
+#
+# systemd_hwdb domain
+#
+
+manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
+files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
+
+
+######################################## +########################################
+# +#
+# Common rules for systemd domains +# Common rules for systemd domains
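Review bot: The transition at the end of the systemd.te hunk, `files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)`, carries no name filter, so every regular file systemd_hwdb_t creates in an etc_t directory is labelled systemd_hwdb_etc_t, while the file context added to systemd.fc, `/etc/udev/.*hwdb.* -- ...`, only covers paths containing "hwdb"; a relabel would then disagree with the runtime label for anything else the domain writes under /etc. The name-based form used elsewhere in this same commit (`files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")` in zabbix.te) keeps the two consistent, e.g. `files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file, "hwdb.bin")` if that is the file systemd-hwdb writes. If /etc/udev itself carries a udev-specific type rather than etc_t, this transition would not apply there at all, which is worth confirming against the udev file contexts before relying on it. The fc regex `/etc/udev/.*hwdb.*` is also unanchored on both sides and matches any regular file under /etc/udev whose path contains "hwdb"; spelling out the intended entries (the compiled database and the hwdb.d drop-in files) would make the labelled set explicit. The systemd_hwdb domain block starts at the `# systemd_hwdb domain` header inside the hunk but the module continues outside it.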


@ -18885,7 +18885,7 @@ index 1303b30..759412f 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3) + logging_log_filetrans($1, cron_log_t, $2, $3)
') ')
diff --git a/cron.te b/cron.te diff --git a/cron.te b/cron.te
index 7de3859..9d2cd2d 100644 index 7de3859..1444c2f 100644
--- a/cron.te --- a/cron.te
+++ b/cron.te +++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(` @@ -11,46 +11,54 @@ gen_require(`
@ -19580,7 +19580,18 @@ index 7de3859..9d2cd2d 100644
') ')
optional_policy(` optional_policy(`
@@ -591,6 +602,7 @@ optional_policy(` @@ -567,6 +578,10 @@ optional_policy(`
')
optional_policy(`
+ firewalld_dbus_chat(system_cronjob_t)
+')
+
+optional_policy(`
ftp_read_log(system_cronjob_t)
')
@@ -591,6 +606,7 @@ optional_policy(`
optional_policy(` optional_policy(`
mta_read_config(system_cronjob_t) mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t) mta_send_mail(system_cronjob_t)
@ -19588,7 +19599,7 @@ index 7de3859..9d2cd2d 100644
') ')
optional_policy(` optional_policy(`
@@ -598,7 +610,23 @@ optional_policy(` @@ -598,7 +614,23 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -19612,7 +19623,7 @@ index 7de3859..9d2cd2d 100644
') ')
optional_policy(` optional_policy(`
@@ -607,7 +635,12 @@ optional_policy(` @@ -607,7 +639,12 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -19625,7 +19636,7 @@ index 7de3859..9d2cd2d 100644
') ')
optional_policy(` optional_policy(`
@@ -615,12 +648,27 @@ optional_policy(` @@ -615,12 +652,27 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -19655,7 +19666,7 @@ index 7de3859..9d2cd2d 100644
# #
allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:process { signal_perms setsched };
@@ -628,12 +676,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; @@ -628,12 +680,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms;
@ -19689,7 +19700,7 @@ index 7de3859..9d2cd2d 100644
corenet_all_recvfrom_netlabel(cronjob_t) corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t)
@@ -641,66 +709,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) @@ -641,66 +713,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t)
@ -99518,10 +99529,10 @@ index 0000000..ed76979
+ +
diff --git a/snapper.te b/snapper.te diff --git a/snapper.te b/snapper.te
new file mode 100644 new file mode 100644
index 0000000..243fc96 index 0000000..88805d7
--- /dev/null --- /dev/null
+++ b/snapper.te +++ b/snapper.te
@@ -0,0 +1,77 @@ @@ -0,0 +1,78 @@
+policy_module(snapper, 1.0.0) +policy_module(snapper, 1.0.0)
+ +
+######################################## +########################################
@ -99562,6 +99573,7 @@ index 0000000..243fc96
+manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) +manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) +manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) +manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+allow snapperd_t snapperd_data_t:dir mounton;
+snapper_filetrans_named_content(snapperd_t) +snapper_filetrans_named_content(snapperd_t)
+ +
+domain_read_all_domains_state(snapperd_t) +domain_read_all_domains_state(snapperd_t)
@ -109173,7 +109185,7 @@ index 31c752e..ef52235 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te diff --git a/vdagent.te b/vdagent.te
index 87da8a2..13f2f44 100644 index 87da8a2..4ca0271 100644
--- a/vdagent.te --- a/vdagent.te
+++ b/vdagent.te +++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@ -109184,7 +109196,7 @@ index 87da8a2..13f2f44 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen }; allow vdagent_t self:unix_stream_socket { accept listen };
@@ -39,23 +40,26 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) @@ -39,23 +40,28 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file) logging_log_filetrans(vdagent_t, vdagent_log_t, file)
@ -109196,7 +109208,8 @@ index 87da8a2..13f2f44 100644
dev_dontaudit_write_mtrr(vdagent_t) dev_dontaudit_write_mtrr(vdagent_t)
-files_read_etc_files(vdagent_t) -files_read_etc_files(vdagent_t)
- +fs_getattr_tmpfs(vdagent_t)
term_use_virtio_console(vdagent_t) term_use_virtio_console(vdagent_t)
init_read_state(vdagent_t) init_read_state(vdagent_t)
@ -117092,7 +117105,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t) - admin_pattern($1, zabbix_tmpfs_t)
') ')
diff --git a/zabbix.te b/zabbix.te diff --git a/zabbix.te b/zabbix.te
index 7f496c6..d594e47 100644 index 7f496c6..b23f29d 100644
--- a/zabbix.te --- a/zabbix.te
+++ b/zabbix.te +++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@ -117187,17 +117200,17 @@ index 7f496c6..d594e47 100644
-allow zabbix_t self:shm create_shm_perms; -allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms; -allow zabbix_t self:tcp_socket create_stream_socket_perms;
+allow zabbix_t self:capability { dac_read_search dac_override }; +allow zabbix_t self:capability { dac_read_search dac_override };
+
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms; -allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
-logging_log_filetrans(zabbix_t, zabbix_log_t, file) -logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")
+
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
@ -117310,7 +117323,34 @@ index 7f496c6..d594e47 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
@@ -177,21 +192,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) @@ -170,6 +185,26 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
corenet_tcp_connect_ssh_port(zabbix_agent_t)
corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
+corenet_sendrecv_ftp_client_packets(zabbix_agent_t)
+corenet_tcp_connect_ftp_port(zabbix_agent_t)
+corenet_tcp_sendrecv_ftp_port(zabbix_agent_t)
+
+corenet_sendrecv_http_client_packets(zabbix_agent_t)
+corenet_tcp_connect_http_port(zabbix_agent_t)
+corenet_tcp_sendrecv_http_port(zabbix_agent_t)
+
+corenet_sendrecv_innd_client_packets(zabbix_agent_t)
+corenet_tcp_connect_innd_port(zabbix_agent_t)
+corenet_tcp_sendrecv_innd_port(zabbix_agent_t)
+
+corenet_sendrecv_pop_client_packets(zabbix_agent_t)
+corenet_tcp_connect_pop_port(zabbix_agent_t)
+corenet_tcp_sendrecv_pop_port(zabbix_agent_t)
+
+corenet_sendrecv_smtp_client_packets(zabbix_agent_t)
+corenet_tcp_connect_smtp_port(zabbix_agent_t)
+corenet_tcp_sendrecv_smtp_port(zabbix_agent_t)
+
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
corenet_tcp_connect_zabbix_port(zabbix_agent_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
@@ -177,21 +212,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t)
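Review bot: The five port grants added to zabbix_agent_t in the zabbix.te hunk (`corenet_tcp_connect_ftp_port`, `corenet_tcp_connect_http_port`, `corenet_tcp_connect_innd_port`, `corenet_tcp_connect_pop_port`, `corenet_tcp_connect_smtp_port` with their sendrecv and packet companions) are unconditional, so every host running zabbix-agentd may open connections to those ports whether or not the service-status checks named in the changelog are configured there. Wrapping the twenty lines in a `tunable_policy(` block keyed to a new `gen_tunable` boolean that defaults to off would keep the default reach of zabbix_agent_t as it was and let administrators enable the checks per host; a one-line comment above the block naming the agent item that needs them would help the next maintainer. The outer hunk headers also show the file context and cron.te hunks in this section only in part, and the zabbix_agent_t rules continue outside the hunk.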


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 176%{?dist} Release: 177%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -670,6 +670,15 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Mar 08 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-177
- Allow spice-vdagent to getattr on tmpfs_t filesystems Resolves: rhbz#1276251
- Allow sending dbus msgs between firewalld and system_cronjob domains.
- Allow zabbix-agentd to connect to following tcp sockets. One of zabbix-agentd functions is get service status of ftp,http,innd,pop,smtp protocols. rhbz#1315354
- Allow snapperd mounton permissions for snapperd_data_t. BZ(#1314972)
- Add support for systemd-gpt-auto-generator. rhbz#1314968
- Add interface dev_read_nvme() to allow reading Non-Volatile Memory Host Controller devices.
- Add support for systemd-hwdb daemon. rhbz#1306243
* Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176 * Thu Mar 03 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-176
- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. - Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba.
- Merge pull request #105 from rhatdan/NO_NEW_PRIV - Merge pull request #105 from rhatdan/NO_NEW_PRIV