rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118

Browse Source 
- docker watches for content in the /etc directory
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
- Allow docker to communicate with openvswitch
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Allow docker to relablefrom/to sockets and docker_log_t
- Allow journald to set loginuid. BZ(1190498)
- Add cap. sys_admin for passwd_t. BZ(1185191)
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
This commit is contained in:
Lukas Vrabec 2015-03-16 18:04:20 +01:00
parent ed576d59f8
commit e2a064a427
3 changed files with 49 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
policy-rawhide-base.patch
View File

@ -2725,7 +2725,7 @@ index 99e3903..fa68362 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..4aef39e 100644
index 1d732f1..0dbda7d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -2883,7 +2883,7 @@ index 1d732f1..4aef39e 100644
#
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };
+allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
@ -17087,7 +17087,7 @@ index e100d88..f45a698 100644
+ allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..15230be 100644
index 8dbab4c..96d9a91 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -17242,7 +17242,7 @@ index 8dbab4c..15230be 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
@@ -277,25 +314,49 @@ files_list_root(kernel_t)
@@ -277,25 +314,53 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@ -17269,6 +17269,10 @@ index 8dbab4c..15230be 100644
fs_rw_tmpfs_chr_files(kernel_t)
')
+
+optional_policy(`
+ abrt_filetrans_named_content(kernel_t)
+')
+
+optional_policy(`
+ apache_filetrans_home_content(kernel_t)
@ -17292,7 +17296,7 @@ index 8dbab4c..15230be 100644
')
optional_policy(`
@@ -305,6 +366,19 @@ optional_policy(`
@@ -305,6 +370,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@ -17312,7 +17316,7 @@ index 8dbab4c..15230be 100644
')
optional_policy(`
@@ -312,6 +386,11 @@ optional_policy(`
@@ -312,6 +390,11 @@ optional_policy(`
')
optional_policy(`
@ -17324,7 +17328,7 @@ index 8dbab4c..15230be 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -332,9 +411,6 @@ optional_policy(`
@@ -332,9 +415,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@ -17334,7 +17338,7 @@ index 8dbab4c..15230be 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
@@ -343,9 +419,7 @@ optional_policy(`
@@ -343,9 +423,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -17345,7 +17349,7 @@ index 8dbab4c..15230be 100644
')
tunable_policy(`nfs_export_all_rw',`
@@ -354,7 +428,7 @@ optional_policy(`
@@ -354,7 +432,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -17354,7 +17358,7 @@ index 8dbab4c..15230be 100644
')
')
@@ -367,6 +441,15 @@ optional_policy(`
@@ -367,6 +445,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@ -17370,7 +17374,7 @@ index 8dbab4c..15230be 100644
########################################
#
# Unlabeled process local policy
@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@ -34876,7 +34880,7 @@ index 4e94884..8c67cd0 100644
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..df37453 100644
index 59b04c1..9d8e11d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@ -35218,13 +35222,14 @@ index 59b04c1..df37453 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +551,11 @@ init_use_fds(syslogd_t)
@@ -466,11 +551,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
-
-miscfiles_read_localization(syslogd_t)
+logging_manage_all_logs(syslogd_t)
+logging_set_loginuid(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-userdom_dontaudit_search_user_home_dirs(syslogd_t)
@ -35233,7 +35238,7 @@ index 59b04c1..df37453 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -497,6 +582,7 @@ optional_policy(`
@@ -497,6 +583,7 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -35241,7 +35246,7 @@ index 59b04c1..df37453 100644
')
optional_policy(`
@@ -507,15 +593,40 @@ optional_policy(`
@@ -507,15 +594,40 @@ optional_policy(`
')
optional_policy(`
@ -35282,7 +35287,7 @@ index 59b04c1..df37453 100644
')
optional_policy(`
@@ -526,3 +637,26 @@ optional_policy(`
@@ -526,3 +638,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')

19
policy-rawhide-contrib.patch
View File

@ -80,7 +80,7 @@ index 1a93dc5..f2b26f5 100644
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
index 058d908..1e92177 100644
index 058d908..158acba 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@ -537,7 +537,7 @@ index 058d908..1e92177 100644
+ type abrt_var_run_t;
+ ')
+
+ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
+ files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
@ -3036,7 +3036,7 @@ index 0000000..36251b9
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
index 0000000..cb58319
index 0000000..253a684
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,270 @@
@ -25334,10 +25334,10 @@ index 0000000..1542da8
+
diff --git a/docker.te b/docker.te
new file mode 100644
index 0000000..df9e6ce
index 0000000..0a03a30
--- /dev/null
+++ b/docker.te
@@ -0,0 +1,318 @@
@@ -0,0 +1,325 @@
+policy_module(docker, 1.0.0)
+
+########################################
@ -25425,6 +25425,7 @@ index 0000000..df9e6ce
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
+allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
+
+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
@ -25492,7 +25493,7 @@ index 0000000..df9e6ce
+corenet_udp_bind_generic_node(docker_t)
+corenet_udp_bind_all_ports(docker_t)
+
+files_read_etc_files(docker_t)
+files_read_config_files(docker_t)
+
+fs_read_cgroup_files(docker_t)
+fs_read_tmpfs_symlinks(docker_t)
@ -25502,6 +25503,7 @@ index 0000000..df9e6ce
+storage_raw_rw_fixed_disk(docker_t)
+
+auth_use_nsswitch(docker_t)
+auth_dontaudit_getattr_shadow(docker_t)
+
+init_read_state(docker_t)
+init_status(docker_t)
@ -25527,6 +25529,10 @@ index 0000000..df9e6ce
+ iptables_domtrans(docker_t)
+')
+
+optional_policy(`
+ openvswitch_stream_connect(docker_t)
+')
+
+#
+# lxc rules
+#
@ -25648,6 +25654,7 @@ index 0000000..df9e6ce
+domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
+allow docker_t spc_t:process { setsched signal_perms };
+ps_process_pattern(docker_t, spc_t)
+allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
+
+optional_policy(`
+ unconfined_domain_noaudit(spc_t)

13
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 117%{?dist}
Release: 118%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Mar 16 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-118
- docker watches for content in the /etc directory
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.
- Allow docker to communicate with openvswitch
- Merge branch 'rawhide-contrib' of github.com:selinux-policy/selinux-policy into rawhide-contrib
- Allow docker to relablefrom/to sockets and docker_log_t
- Allow journald to set loginuid. BZ(1190498)
- Add cap. sys_admin for passwd_t. BZ(1185191)
- Allow abrt-hook-ccpp running as kernel_t to allow create /var/tmp/abrt with correct labeling.
* Fri Mar 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-117
- Allow spamc read spamd_etc_t files. BZ(1199339).
- Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)