* Fri Nov 27 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97

- Allow reading of symlinks in /etc/puppet
- Added TAGS to gitignore
- I guess there can be content under /var/lib/lockdown #1167502
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
- Allow keystone to send a generic signal to own process.
- Allow radius to bind tcp/1812 radius port.
- Dontaudit list user_tmp files for system_mail_t
- label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Add missing alias for _content_rw_t
- Allow .snapshots to be created in other directories, on all mountpoints
- Allow spamd to access razor-agent.log
- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
- Allow .snapshots to be created in other directories, on all mountpoints
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
Lukas Vrabec 2014-11-28 15:28:22 +01:00
parent 48f969d319
commit e4d7a4020d
3 changed files with 422 additions and 285 deletions


@ -5481,7 +5481,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..2f2f2b9 100644
index b191055..87df0ad 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5659,12 +5659,13 @@ index b191055..2f2f2b9 100644
network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
-network_port(jabber_interserver, tcp,5269,s0)
-network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
-network_port(kismet, tcp,2501,s0)
+network_port(jabber_interserver, tcp,5269,s0, tcp,5280,s0)
+network_port(jabber_router, tcp,5347,s0)
+network_port(jacorb, tcp,3528,s0, tcp,3529,s0)
+network_port(jboss_debug, tcp,8787,s0, udp,8787,s0)
@ -8755,7 +8756,7 @@ index 0b1a871..f260e6f 100644
+allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
+allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..1b9b0b5 100644
index 6a1e4d1..7ac2831 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@ -8830,7 +8831,33 @@ index 6a1e4d1..1b9b0b5 100644
## Send a stop signal to all domains.
## </summary>
## <param name="domain">
@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',`
@@ -571,6 +566,25 @@ interface(`domain_kill_all_domains',`
########################################
## <summary>
+## Destroy all domains semaphores
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_destroy_all_semaphores',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:sem destroy;
+')
+
+########################################
+## <summary>
## Search the process state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
@@ -631,7 +645,7 @@ interface(`domain_read_all_domains_state',`
########################################
## <summary>
@ -8839,7 +8866,7 @@ index 6a1e4d1..1b9b0b5 100644
## </summary>
## <param name="domain">
## <summary>
@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',`
@@ -655,7 +669,7 @@ interface(`domain_getattr_all_domains',`
## </summary>
## <param name="domain">
## <summary>
@ -8848,7 +8875,7 @@ index 6a1e4d1..1b9b0b5 100644
## </summary>
## </param>
#
@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',`
@@ -1356,6 +1370,24 @@ interface(`domain_manage_all_entry_files',`
########################################
## <summary>
@ -8873,7 +8900,7 @@ index 6a1e4d1..1b9b0b5 100644
## Relabel to and from all entry point
## file types.
## </summary>
@@ -1421,7 +1434,7 @@ interface(`domain_entry_file_spec_domtrans',`
@@ -1421,7 +1453,7 @@ interface(`domain_entry_file_spec_domtrans',`
## <summary>
## Ability to mmap a low area of the address
## space conditionally, as configured by
@ -8882,7 +8909,7 @@ index 6a1e4d1..1b9b0b5 100644
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
## </summary>
@@ -1448,7 +1461,7 @@ interface(`domain_mmap_low',`
@@ -1448,7 +1480,7 @@ interface(`domain_mmap_low',`
## <summary>
## Ability to mmap a low area of the address
## space unconditionally, as configured
@ -8891,7 +8918,7 @@ index 6a1e4d1..1b9b0b5 100644
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
## </summary>
@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',`
@@ -1508,6 +1540,24 @@ interface(`domain_unconfined_signal',`
########################################
## <summary>
@ -8916,7 +8943,7 @@ index 6a1e4d1..1b9b0b5 100644
## Unconfined access to domains.
## </summary>
## <param name="domain">
@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',`
@@ -1530,4 +1580,63 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
@ -8981,7 +9008,7 @@ index 6a1e4d1..1b9b0b5 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..c2776d0 100644
index cf04cb5..a0d747a 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -9130,7 +9157,7 @@ index cf04cb5..c2776d0 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +238,352 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +238,356 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@ -9159,6 +9186,10 @@ index cf04cb5..c2776d0 100644
+')
+
+optional_policy(`
+ snapper_filetrans_named_content(named_filetrans_domain)
+')
+
+optional_policy(`
+ seutil_filetrans_named_content(named_filetrans_domain)
+')
+
@ -20428,7 +20459,7 @@ index 0000000..63bc797
+logging_stream_connect_syslog(sysadm_t)
diff --git a/policy/modules/roles/unconfineduser.fc b/policy/modules/roles/unconfineduser.fc
new file mode 100644
index 0000000..0e8654b
index 0000000..b680867
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.fc
@@ -0,0 +1,8 @@
@ -20436,7 +20467,7 @@ index 0000000..0e8654b
+# e.g.:
+# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+#/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+
+/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@ -27255,7 +27286,7 @@ index 2479587..890e1e2 100644
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..f645c21 100644
index 3efd5b6..9e85ea0 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@ -27317,7 +27348,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -95,69 +117,68 @@ interface(`auth_use_pam',`
@@ -95,69 +117,67 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
@ -27375,7 +27406,6 @@ index 3efd5b6..f645c21 100644
mls_file_downgrade($1)
mls_process_set_level($1)
+ mls_process_write_to_clearance($1)
+ mls_process_write_all_levels($1)
mls_fd_share_all_levels($1)
auth_use_pam($1)
@ -27427,7 +27457,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -231,6 +252,25 @@ interface(`auth_domtrans_login_program',`
@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',`
########################################
## <summary>
@ -27453,7 +27483,7 @@ index 3efd5b6..f645c21 100644
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
@@ -322,6 +362,24 @@ interface(`auth_rw_cache',`
@@ -322,6 +361,24 @@ interface(`auth_rw_cache',`
########################################
## <summary>
@ -27478,7 +27508,7 @@ index 3efd5b6..f645c21 100644
## Manage authentication cache
## </summary>
## <param name="domain">
@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
@ -27487,7 +27517,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',`
########################################
## <summary>
@ -27512,7 +27542,7 @@ index 3efd5b6..f645c21 100644
## Execute chkpwd programs in the chkpwd domain.
## </summary>
## <param name="domain">
@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@ -27538,7 +27568,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@ -27546,7 +27576,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -664,6 +760,10 @@ interface(`auth_manage_shadow',`
@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -27557,7 +27587,7 @@ index 3efd5b6..f645c21 100644
')
#######################################
@@ -763,7 +863,50 @@ interface(`auth_rw_faillog',`
@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@ -27609,7 +27639,7 @@ index 3efd5b6..f645c21 100644
')
#######################################
@@ -824,9 +967,29 @@ interface(`auth_rw_lastlog',`
@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@ -27640,7 +27670,7 @@ index 3efd5b6..f645c21 100644
## </summary>
## <param name="domain">
## <summary>
@@ -834,12 +997,27 @@ interface(`auth_rw_lastlog',`
@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',`
## </summary>
## </param>
#
@ -27671,7 +27701,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -854,15 +1032,15 @@ interface(`auth_domtrans_pam',`
@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@ -27690,7 +27720,7 @@ index 3efd5b6..f645c21 100644
## </summary>
## <param name="domain">
## <summary>
@@ -875,13 +1053,33 @@ interface(`auth_signal_pam',`
@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',`
## </summary>
## </param>
#
@ -27728,7 +27758,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -959,9 +1157,30 @@ interface(`auth_manage_var_auth',`
@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@ -27762,7 +27792,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -1040,6 +1259,10 @@ interface(`auth_manage_pam_pid',`
@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@ -27773,7 +27803,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -1176,6 +1399,7 @@ interface(`auth_manage_pam_console_data',`
@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -27781,7 +27811,7 @@ index 3efd5b6..f645c21 100644
')
#######################################
@@ -1576,6 +1800,25 @@ interface(`auth_setattr_login_records',`
@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@ -27807,7 +27837,7 @@ index 3efd5b6..f645c21 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
@@ -1726,24 +1969,7 @@ interface(`auth_manage_login_records',`
@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@ -27833,7 +27863,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -1767,11 +1993,13 @@ interface(`auth_relabel_login_records',`
@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@ -27850,7 +27880,7 @@ index 3efd5b6..f645c21 100644
')
########################################
@@ -1805,3 +2033,280 @@ interface(`auth_unconfined',`
@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@ -35546,15 +35576,16 @@ index 79048c4..ce6f0ce 100644
udev_read_pid_files(lvm_t)
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9fe8e01..83acb32 100644
index 9fe8e01..3d71062 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
# /etc
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/localtime gen_context(system_u:object_r:locale_t,s0)
+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
@ -35565,7 +35596,7 @@ index 9fe8e01..83acb32 100644
ifdef(`distro_redhat',`
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
@@ -37,24 +39,20 @@ ifdef(`distro_redhat',`
@@ -37,24 +40,20 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@ -35595,7 +35626,7 @@ index 9fe8e01..83acb32 100644
/usr/X11R6/lib/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
@@ -77,7 +75,7 @@ ifdef(`distro_redhat',`
@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
@ -35604,7 +35635,7 @@ index 9fe8e01..83acb32 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
@@ -90,6 +88,7 @@ ifdef(`distro_debian',`
@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@ -41338,10 +41369,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..a75ffd3
index 0000000..769e942
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,700 @@
@@ -0,0 +1,703 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -41482,6 +41513,7 @@ index 0000000..a75ffd3
+domain_signal_all_domains(systemd_logind_t)
+domain_signull_all_domains(systemd_logind_t)
+domain_kill_all_domains(systemd_logind_t)
+domain_destroy_all_semaphores(systemd_logind_t)
+
+# /etc/udev/udev.conf should probably have a private type if only for confined administration
+# /etc/nsswitch.conf
@ -42016,6 +42048,8 @@ index 0000000..a75ffd3
+
+dev_read_urand(systemd_domain)
+
+fs_search_all(systemd_domain)
+
+files_read_etc_files(systemd_domain)
+files_read_etc_runtime_files(systemd_domain)
+files_read_usr_files(systemd_domain)
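Review bot: The added `domain_destroy_all_semaphores(systemd_logind_t)` call in the systemd.te part of this patch gives logind `destroy` on the `sem` class of every type carrying the `domain` attribute, and neither the call site nor any of the changelog entries says why. If this is for logind's IPC cleanup when a user's last session ends (an assumption; the page does not say), a why-comment above the call such as `# logind removes leftover SysV semaphores when a user's last session ends` would let a later policy audit judge whether the grant is still needed. The new interface in domain.if covers only `sem`; if shared memory and message queues turn out to need the same treatment, that is better added as separate, equally documented interfaces than by widening this one. The same section also adds `fs_search_all(systemd_domain)`, which applies to every systemd domain; the changelog mentions it, but a one-line justification next to the rule in the policy itself would help for the same reason.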

File diff suppressed because it is too large Load Diff


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 96%{?dist}
Release: 97%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -604,6 +604,27 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Nov 27 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-97
- Allow reading of symlinks in /etc/puppet
- Added TAGS to gitignore
- I guess there can be content under /var/lib/lockdown #1167502
- Allow rhev-agentd to read /dev/.udev/db to make deploying hosted engine via iSCSI working.
- Allow keystone to send a generic signal to own process.
- Allow radius to bind tcp/1812 radius port.
- Dontaudit list user_tmp files for system_mail_t
- label virt-who as virtd_exec_t
- Allow rhsmcertd to send a null signal to virt-who running as virtd_t
- Add virt_signull() interface
- Add missing alias for _content_rw_t
- Allow .snapshots to be created in other directories, on all mountpoints
- Allow spamd to access razor-agent.log
- Add fixes for sfcb from libvirt-cim TestOnly bug. (#1152104)
- Allow .snapshots to be created in other directories, on all mountpoints
- Label tcp port 5280 as ejabberd port. BZ(1059930)
- Make /usr/bin/vncserver running as unconfined_service_t
- Label /etc/docker/certs.d as cert_t
- Allow all systemd domains to search file systems
* Thu Nov 20 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-96
- Allow NetworkManager stream connect on openvpn. BZ(1165110)