* Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118
- docker watches for content in the /etc directory - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib - Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling. - Allow docker to communicate with openvswitch - Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib - Allow docker to relablefrom/to sockets and docker_log_t - Allow journald to set loginuid. BZ(1190498) - Add cap. sys_admin for passwd_t. BZ(1185191) - Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
This commit is contained in:
Lukas Vrabec
parent
ed576d59f8
commit
e2a064a427
@ -2725,7 +2725,7 @@ index 99e3903..fa68362 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index 1d732f1..4aef39e 100644
|
||||
index 1d732f1..0dbda7d 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -26,6 +26,7 @@ type chfn_exec_t;
|
||||
@ -2883,7 +2883,7 @@ index 1d732f1..4aef39e 100644
|
||||
#
|
||||
|
||||
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
|
||||
+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };
|
||||
+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
|
||||
dontaudit passwd_t self:capability sys_tty_config;
|
||||
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow passwd_t self:process { setrlimit setfscreate };
|
||||
@ -17087,7 +17087,7 @@ index e100d88..f45a698 100644
|
||||
+ allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
|
||||
')
|
||||
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
|
||||
index 8dbab4c..15230be 100644
|
||||
index 8dbab4c..96d9a91 100644
|
||||
--- a/policy/modules/kernel/kernel.te
|
||||
+++ b/policy/modules/kernel/kernel.te
|
||||
@@ -25,6 +25,9 @@ attribute kern_unconfined;
|
||||
@ -17242,7 +17242,7 @@ index 8dbab4c..15230be 100644
|
||||
|
||||
corecmd_exec_shell(kernel_t)
|
||||
corecmd_list_bin(kernel_t)
|
||||
@@ -277,25 +314,49 @@ files_list_root(kernel_t)
|
||||
@@ -277,25 +314,53 @@ files_list_root(kernel_t)
|
||||
files_list_etc(kernel_t)
|
||||
files_list_home(kernel_t)
|
||||
files_read_usr_files(kernel_t)
|
||||
@ -17269,6 +17269,10 @@ index 8dbab4c..15230be 100644
|
||||
fs_rw_tmpfs_chr_files(kernel_t)
|
||||
')
|
||||
|
||||
+
|
||||
+optional_policy(`
|
||||
+ abrt_filetrans_named_content(kernel_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ apache_filetrans_home_content(kernel_t)
|
||||
@ -17292,7 +17296,7 @@ index 8dbab4c..15230be 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -305,6 +366,19 @@ optional_policy(`
|
||||
@@ -305,6 +370,19 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(kernel_t)
|
||||
@ -17312,7 +17316,7 @@ index 8dbab4c..15230be 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -312,6 +386,11 @@ optional_policy(`
|
||||
@@ -312,6 +390,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -17324,7 +17328,7 @@ index 8dbab4c..15230be 100644
|
||||
# nfs kernel server needs kernel UDP access. It is less risky and painful
|
||||
# to just give it everything.
|
||||
allow kernel_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -332,9 +411,6 @@ optional_policy(`
|
||||
@@ -332,9 +415,6 @@ optional_policy(`
|
||||
|
||||
sysnet_read_config(kernel_t)
|
||||
|
||||
@ -17334,7 +17338,7 @@ index 8dbab4c..15230be 100644
|
||||
rpc_udp_rw_nfs_sockets(kernel_t)
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -343,9 +419,7 @@ optional_policy(`
|
||||
@@ -343,9 +423,7 @@ optional_policy(`
|
||||
fs_read_noxattr_fs_files(kernel_t)
|
||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||
|
||||
@ -17345,7 +17349,7 @@ index 8dbab4c..15230be 100644
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_rw',`
|
||||
@@ -354,7 +428,7 @@ optional_policy(`
|
||||
@@ -354,7 +432,7 @@ optional_policy(`
|
||||
fs_read_noxattr_fs_files(kernel_t)
|
||||
fs_read_noxattr_fs_symlinks(kernel_t)
|
||||
|
||||
@ -17354,7 +17358,7 @@ index 8dbab4c..15230be 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -367,6 +441,15 @@ optional_policy(`
|
||||
@@ -367,6 +445,15 @@ optional_policy(`
|
||||
unconfined_domain_noaudit(kernel_t)
|
||||
')
|
||||
|
||||
@ -17370,7 +17374,7 @@ index 8dbab4c..15230be 100644
|
||||
########################################
|
||||
#
|
||||
# Unlabeled process local policy
|
||||
@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
||||
@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
|
||||
allow kern_unconfined unlabeled_t:filesystem *;
|
||||
allow kern_unconfined unlabeled_t:association *;
|
||||
allow kern_unconfined unlabeled_t:packet *;
|
||||
@ -34876,7 +34880,7 @@ index 4e94884..8c67cd0 100644
|
||||
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
|
||||
+')
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 59b04c1..df37453 100644
|
||||
index 59b04c1..9d8e11d 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
|
||||
@ -35218,13 +35222,14 @@ index 59b04c1..df37453 100644
|
||||
# for sending messages to logged in users
|
||||
init_read_utmp(syslogd_t)
|
||||
init_dontaudit_write_utmp(syslogd_t)
|
||||
@@ -466,11 +551,11 @@ init_use_fds(syslogd_t)
|
||||
@@ -466,11 +551,12 @@ init_use_fds(syslogd_t)
|
||||
|
||||
# cjp: this doesnt make sense
|
||||
logging_send_syslog_msg(syslogd_t)
|
||||
-
|
||||
-miscfiles_read_localization(syslogd_t)
|
||||
+logging_manage_all_logs(syslogd_t)
|
||||
+logging_set_loginuid(syslogd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
||||
-userdom_dontaudit_search_user_home_dirs(syslogd_t)
|
||||
@ -35233,7 +35238,7 @@ index 59b04c1..df37453 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
# default gentoo syslog-ng config appends kernel
|
||||
@@ -497,6 +582,7 @@ optional_policy(`
|
||||
@@ -497,6 +583,7 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
cron_manage_log_files(syslogd_t)
|
||||
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
|
||||
@ -35241,7 +35246,7 @@ index 59b04c1..df37453 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -507,15 +593,40 @@ optional_policy(`
|
||||
@@ -507,15 +594,40 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -35282,7 +35287,7 @@ index 59b04c1..df37453 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -526,3 +637,26 @@ optional_policy(`
|
||||
@@ -526,3 +638,26 @@ optional_policy(`
|
||||
# log to the xconsole
|
||||
xserver_rw_console(syslogd_t)
|
||||
')
|
||||
|
||||
@ -80,7 +80,7 @@ index 1a93dc5..f2b26f5 100644
|
||||
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
|
||||
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
|
||||
diff --git a/abrt.if b/abrt.if
|
||||
index 058d908..1e92177 100644
|
||||
index 058d908..158acba 100644
|
||||
--- a/abrt.if
|
||||
+++ b/abrt.if
|
||||
@@ -1,4 +1,26 @@
|
||||
@ -537,7 +537,7 @@ index 058d908..1e92177 100644
|
||||
+ type abrt_var_run_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
|
||||
+ files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
|
||||
+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
|
||||
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
|
||||
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
|
||||
@ -3036,7 +3036,7 @@ index 0000000..36251b9
|
||||
+')
|
||||
diff --git a/antivirus.te b/antivirus.te
|
||||
new file mode 100644
|
||||
index 0000000..cb58319
|
||||
index 0000000..253a684
|
||||
--- /dev/null
|
||||
+++ b/antivirus.te
|
||||
@@ -0,0 +1,270 @@
|
||||
@ -3305,9 +3305,9 @@ index 0000000..cb58319
|
||||
+
|
||||
+optional_policy(`
|
||||
+ spamd_stream_connect(clamd_t)
|
||||
+ spamassassin_exec(antivirus_domain)
|
||||
+ spamassassin_exec_client(antivirus_domain)
|
||||
+ spamassassin_read_lib_files(antivirus_domain)
|
||||
+ spamassassin_exec(antivirus_domain)
|
||||
+ spamassassin_exec_client(antivirus_domain)
|
||||
+ spamassassin_read_lib_files(antivirus_domain)
|
||||
+ spamassassin_read_pid_files(antivirus_domain)
|
||||
+')
|
||||
diff --git a/apache.fc b/apache.fc
|
||||
@ -25334,10 +25334,10 @@ index 0000000..1542da8
|
||||
+
|
||||
diff --git a/docker.te b/docker.te
|
||||
new file mode 100644
|
||||
index 0000000..df9e6ce
|
||||
index 0000000..0a03a30
|
||||
--- /dev/null
|
||||
+++ b/docker.te
|
||||
@@ -0,0 +1,318 @@
|
||||
@@ -0,0 +1,325 @@
|
||||
+policy_module(docker, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -25425,6 +25425,7 @@ index 0000000..df9e6ce
|
||||
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
|
||||
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
|
||||
+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
|
||||
+allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
|
||||
+
|
||||
+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
|
||||
+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
|
||||
@ -25492,7 +25493,7 @@ index 0000000..df9e6ce
|
||||
+corenet_udp_bind_generic_node(docker_t)
|
||||
+corenet_udp_bind_all_ports(docker_t)
|
||||
+
|
||||
+files_read_etc_files(docker_t)
|
||||
+files_read_config_files(docker_t)
|
||||
+
|
||||
+fs_read_cgroup_files(docker_t)
|
||||
+fs_read_tmpfs_symlinks(docker_t)
|
||||
@ -25502,6 +25503,7 @@ index 0000000..df9e6ce
|
||||
+storage_raw_rw_fixed_disk(docker_t)
|
||||
+
|
||||
+auth_use_nsswitch(docker_t)
|
||||
+auth_dontaudit_getattr_shadow(docker_t)
|
||||
+
|
||||
+init_read_state(docker_t)
|
||||
+init_status(docker_t)
|
||||
@ -25527,6 +25529,10 @@ index 0000000..df9e6ce
|
||||
+ iptables_domtrans(docker_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ openvswitch_stream_connect(docker_t)
|
||||
+')
|
||||
+
|
||||
+#
|
||||
+# lxc rules
|
||||
+#
|
||||
@ -25648,6 +25654,7 @@ index 0000000..df9e6ce
|
||||
+domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
|
||||
+allow docker_t spc_t:process { setsched signal_perms };
|
||||
+ps_process_pattern(docker_t, spc_t)
|
||||
+allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_domain_noaudit(spc_t)
|
||||
|
||||
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 117%{?dist}
|
||||
Release: 118%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -602,6 +602,17 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118
|
||||
- docker watches for content in the /etc directory
|
||||
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
|
||||
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
|
||||
- Allow docker to communicate with openvswitch
|
||||
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
|
||||
- Allow docker to relablefrom/to sockets and docker_log_t
|
||||
- Allow journald to set loginuid. BZ(1190498)
|
||||
- Add cap. sys_admin for passwd_t. BZ(1185191)
|
||||
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
|
||||
|
||||
* Fri Mar 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-117
|
||||
- Allow spamc read spamd_etc_t files. BZ(1199339).
|
||||
- Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user