diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index cf980cac..81fba317 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9698,7 +9698,7 @@ index cf04cb5..ed54d58 100644 + unconfined_server_stream_connect(domain) +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index b876c48..6bfb954 100644 +index b876c48..a351aff 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9908,7 +9908,7 @@ index b876c48..6bfb954 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +243,7 @@ ifndef(`distro_redhat',` +@@ -229,19 +243,34 @@ ifndef(`distro_redhat',` # # /var # @@ -9917,7 +9917,8 @@ index b876c48..6bfb954 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +251,25 @@ ifndef(`distro_redhat',` ++/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0) + /var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0) /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -9944,7 +9945,7 @@ index b876c48..6bfb954 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +284,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +285,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9959,7 +9960,7 @@ index b876c48..6bfb954 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -271,3 +301,5 @@ ifdef(`distro_debian',` +@@ -271,3 +302,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') 
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 583900da..9331a4ca 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5208,7 +5208,7 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..4516b9a 100644 +index 6649962..e98b712 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -5896,7 +5896,7 @@ index 6649962..4516b9a 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,14 +529,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,13 +529,20 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5908,16 +5908,16 @@ index 6649962..4516b9a 100644 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -+allow httpd_t httpd_suexec_exec_t:process { signal signull }; - allow httpd_t httpd_suexec_exec_t:file read_file_perms; - +-allow httpd_t httpd_suexec_exec_t:file read_file_perms; ++allow httpd_t httpd_suexec_t:process { signal signull }; ++allow httpd_t httpd_suexec_t:file read_file_perms; ++ +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) -+ + allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; - manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) 
@@ -450,140 +574,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -19712,7 +19712,7 @@ index b25b01d..6b7d687 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..28bb02c 100644 +index 001b502..4a84c8b 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -19799,17 +19799,20 @@ index 001b502..28bb02c 100644 optional_policy(` consoletype_exec(ctdbd_t) ') -@@ -106,9 +129,13 @@ optional_policy(` +@@ -106,9 +129,16 @@ optional_policy(` ') optional_policy(` -+ samba_winbind_signull(ctdbd_t) -+ samba_unconfined_net_signull(ctdbd_t) + samba_signull_smbd(ctdbd_t) samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) + samba_systemctl(ctdbd_t) ++') ++ ++optional_policy(` ++ samba_signull_winbind(ctdbd_t) ++ samba_signull_unconfined_net(ctdbd_t) ') optional_policy(` @@ -30297,7 +30300,7 @@ index 9eacb2c..7b19ad2 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index 5cd0909..cdba87f 100644 +index 5cd0909..bd3c3d2 100644 --- a/glance.te +++ b/glance.te @@ -5,10 +5,31 @@ policy_module(glance, 1.1.0) @@ -30432,7 +30435,7 @@ index 5cd0909..cdba87f 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +157,37 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +157,38 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -30474,6 +30477,7 @@ index 5cd0909..cdba87f 100644 +# Scrubber local policy +# + ++corenet_tcp_connect_commplex_main_port(glance_scrubber_t) +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) 
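Review bot: The rewritten rule `allow httpd_t httpd_suexec_t:file read_file_perms;` changes more than the signal target: the line it replaces granted read on the suexec executable (httpd_suexec_exec_t), whereas the new one grants read on files labelled with the httpd_suexec_t domain type (typically the /proc entries of a running suexec process), which is a different permission. If the intent, as the changelog wording suggests, was only to move signal/signull from httpd_suexec_exec_t to httpd_suexec_t, keep `allow httpd_t httpd_suexec_exec_t:file read_file_perms;` next to the new process rule, unless a domtrans_pattern elsewhere in apache.te already covers reading the executable — that part of the file is outside this hunk. If the new target is deliberate, a comment such as `# read /proc/<pid> state of suexec children` above the rule would stop the next reader from "fixing" it back.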
diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 @@ -30750,10 +30754,10 @@ index 0000000..fc9bf19 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..918eb52 +index 0000000..bd8ad23 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,277 @@ +@@ -0,0 +1,286 @@ +policy_module(glusterfs, 1.1.2) + +## @@ -31023,6 +31027,15 @@ index 0000000..918eb52 +') + +optional_policy(` ++ rpc_systemctl_nfsd(glusterd_t) ++ rpc_systemctl_rpcd(glusterd_t) ++ ++ rpc_domtrans_nfsd(glusterd_t) ++ rpc_domtrans_rpcd(glusterd_t) ++ rpc_manage_nfs_state_data(glusterd_t) ++') ++ ++optional_policy(` + rhcs_dbus_chat_cluster(glusterd_t) + rhcs_domtrans_cluster(glusterd_t) + rhcs_systemctl_cluster(glusterd_t) @@ -37266,7 +37279,7 @@ index ca020fa..d4ed777 100644 + kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t) +') diff --git a/isns.te b/isns.te -index bc11034..07e6310 100644 +index bc11034..183c526 100644 --- a/isns.te +++ b/isns.te @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) @@ -37277,7 +37290,17 @@ index bc11034..07e6310 100644 allow isnsd_t self:udp_socket { accept listen }; allow isnsd_t self:unix_stream_socket { accept listen }; -@@ -46,10 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t) +@@ -37,6 +38,9 @@ manage_sock_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) + manage_files_pattern(isnsd_t, isnsd_var_run_t, isnsd_var_run_t) + files_pid_filetrans(isnsd_t, isnsd_var_run_t, { file sock_file }) + ++kernel_read_system_state(isnsd_t) ++kernel_read_network_state(isnsd_t) ++ + corenet_all_recvfrom_unlabeled(isnsd_t) + corenet_all_recvfrom_netlabel(isnsd_t) + corenet_tcp_sendrecv_generic_if(isnsd_t) +@@ -46,10 +50,6 @@ corenet_tcp_bind_generic_node(isnsd_t) corenet_sendrecv_isns_server_packets(isnsd_t) corenet_tcp_bind_isns_port(isnsd_t) @@ -39279,10 +39302,10 @@ index 0000000..bd7e7fa +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..1a78c67 +index 0000000..20adcb3 --- /dev/null 
+++ b/keepalived.te -@@ -0,0 +1,89 @@ +@@ -0,0 +1,90 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -39320,6 +39343,7 @@ index 0000000..1a78c67 + +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) ++kernel_request_load_module(keepalived_t) + +auth_use_nsswitch(keepalived_t) + @@ -39373,10 +39397,10 @@ index 0000000..1a78c67 + ') +') diff --git a/kerberos.fc b/kerberos.fc -index 4fe75fd..b05128a 100644 +index 4fe75fd..b9f07ae 100644 --- a/kerberos.fc +++ b/kerberos.fc -@@ -1,52 +1,50 @@ +@@ -1,52 +1,52 @@ -HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) 
@@ -39414,33 +39438,25 @@ index 4fe75fd..b05128a 100644 -/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) - +- -/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) - +- -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) -+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) - +- -/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) --/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0) - +- -/var/kerberos/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) --/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) --/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) + /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) @@ -39455,7 +39471,18 @@ index 4fe75fd..b05128a 100644 -/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++ ++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) ++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) ++ ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++ ++/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0) ++ +/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/kadmin_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0) ++/var/tmp/kiprop_0 -- gen_context(system_u:object_r:krb5kdc_tmp_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) 
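Review bot: The two new entries `/var/tmp/kadmin_0 -- gen_context(system_u:object_r:kadmind_tmp_t,s0)` and `/var/tmp/kiprop_0 -- gen_context(system_u:object_r:krb5kdc_tmp_t,s0)` are inserted between DNS_25 and host_0, breaking the alphabetical order the surrounding /var/tmp block otherwise keeps. They are also the only /var/tmp entries here that get a daemon tmp type rather than krb5_host_rcache_t; if these are replay-cache files the KDC and kadmind create themselves, a one-line comment saying so (and why they must not be krb5_host_rcache_t) would explain the exception.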
@@ -40175,7 +40202,7 @@ index f6c00d8..7b777ab 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..61910d0 100644 +index 8833d59..462e466 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -40226,7 +40253,7 @@ index 8833d59..61910d0 100644 type krb5kdc_principal_t; files_type(krb5kdc_principal_t) -@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t) +@@ -74,28 +78,33 @@ files_pid_file(krb5kdc_var_run_t) # kadmind local policy # @@ -40259,12 +40286,14 @@ index 8833d59..61910d0 100644 allow kadmind_t krb5kdc_principal_t:file manage_file_perms; filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file) ++allow kadmind_t krb5_keytab_t:file read_file_perms; ++ +can_exec(kadmind_t, kadmind_exec_t) + manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) -@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) +@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) @@ -40283,7 +40312,7 @@ index 8833d59..61910d0 100644 corenet_all_recvfrom_netlabel(kadmind_t) corenet_tcp_sendrecv_generic_if(kadmind_t) corenet_udp_sendrecv_generic_if(kadmind_t) -@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) +@@ -119,31 +130,44 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) corenet_udp_sendrecv_all_ports(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) 
@@ -40297,6 +40326,7 @@ index 8833d59..61910d0 100644 +corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) +corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) +corenet_sendrecv_kerberos_password_server_packets(kadmind_t) ++corenet_tcp_bind_kprop_port(kadmind_t) +corenet_tcp_connect_kprop_port(kadmind_t) dev_read_sysfs(kadmind_t) @@ -40309,7 +40339,7 @@ index 8833d59..61910d0 100644 domain_use_interactive_fds(kadmind_t) --files_read_etc_files(kadmind_t) + files_read_etc_files(kadmind_t) -files_read_usr_files(kadmind_t) +files_read_usr_symlinks(kadmind_t) files_read_var_files(kadmind_t) @@ -40320,8 +40350,8 @@ index 8833d59..61910d0 100644 + logging_send_syslog_msg(kadmind_t) --miscfiles_read_localization(kadmind_t) +miscfiles_read_generic_certs(kadmind_t) + miscfiles_read_localization(kadmind_t) +seutil_read_config(kadmind_t) seutil_read_file_contexts(kadmind_t) @@ -40330,7 +40360,7 @@ index 8833d59..61910d0 100644 sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -@@ -154,11 +173,16 @@ optional_policy(` +@@ -154,11 +178,16 @@ optional_policy(` ') optional_policy(` @@ -40347,7 +40377,7 @@ index 8833d59..61910d0 100644 ') optional_policy(` -@@ -174,24 +198,27 @@ optional_policy(` +@@ -174,24 +203,27 @@ optional_policy(` # Krb5kdc local policy # @@ -40379,7 +40409,7 @@ index 8833d59..61910d0 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -201,71 +228,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +@@ -201,71 +233,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) @@ -40471,7 +40501,7 @@ index 8833d59..61910d0 100644 ') optional_policy(` -@@ -273,6 +305,10 @@ optional_policy(` +@@ -273,6 +310,10 @@ optional_policy(` ') optional_policy(` 
@@ -40482,7 +40512,7 @@ index 8833d59..61910d0 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +317,12 @@ optional_policy(` +@@ -281,10 +322,12 @@ optional_policy(` # kpropd local policy # @@ -40498,7 +40528,7 @@ index 8833d59..61910d0 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -301,27 +339,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +@@ -301,27 +344,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) @@ -43322,7 +43352,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..2de18e1 100644 +index be0ab84..ce57aac 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -43541,7 +43571,7 @@ index be0ab84..2de18e1 100644 ') optional_policy(` -@@ -198,21 +250,26 @@ optional_policy(` +@@ -198,17 +250,18 @@ optional_policy(` ') optional_policy(` @@ -43559,20 +43589,26 @@ index be0ab84..2de18e1 100644 optional_policy(` - polipo_log_filetrans_log(logrotate_t, file, "polipo") -+ psad_domtrans(logrotate_t) ++ prosody_stream_connect(logrotate_t) + ') + + optional_policy(` +@@ -216,6 +269,14 @@ optional_policy(` ') optional_policy(` -- psad_domtrans(logrotate_t) + rabbitmq_domtrans(logrotate_t) +') + +optional_policy(` + raid_domtrans_mdadm(logrotate_t) ++') ++ ++optional_policy(` + samba_exec_log(logrotate_t) ') - optional_policy(` -@@ -228,26 +285,43 @@ optional_policy(` +@@ -228,26 +289,43 @@ optional_policy(` ') optional_policy(` @@ -44200,7 +44236,7 @@ index d314333..27ede09 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..03b7f8b 100644 +index 4ec0eea..0c195ed 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) 
@@ -44235,10 +44271,12 @@ index 4ec0eea..03b7f8b 100644 ######################################## # # Local policy -@@ -26,4 +44,59 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,61 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) ++auth_use_nsswitch(lsmd_t) ++ +corecmd_exec_bin(lsmd_t) +corecmd_getattr_all_executables(lsmd_t) + @@ -56077,7 +56115,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..35ca860 100644 +index 55f2009..e6182a2 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -56461,7 +56499,7 @@ index 55f2009..35ca860 100644 ') optional_policy(` -@@ -320,14 +401,20 @@ optional_policy(` +@@ -320,14 +401,21 @@ optional_policy(` ') optional_policy(` @@ -56471,6 +56509,7 @@ index 55f2009..35ca860 100644 + systemd_write_inhibit_pipes(NetworkManager_t) + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) ++ systemd_dbus_chat_hostnamed(NetworkManager_t) + systemd_hostnamed_manage_config(NetworkManager_t) ') @@ -56487,7 +56526,7 @@ index 55f2009..35ca860 100644 ') optional_policy(` -@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -61967,10 +62006,10 @@ index 0000000..c20cac3 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..69697c7 +index 0000000..c8e810c --- /dev/null +++ b/openshift.te -@@ -0,0 +1,630 @@ +@@ -0,0 +1,634 @@ +policy_module(openshift,1.0.0) + +gen_require(` 
@@ -62111,6 +62150,10 @@ index 0000000..69697c7 +init_domtrans_script(openshift_initrc_t) +init_initrc_domain(openshift_initrc_t) + ++optional_policy(` ++ firewalld_dbus_chat(openshift_initrc_t) ++') ++ +####################################################### +# +# Policy for all openshift domains @@ -65423,14 +65466,15 @@ index 1fb1964..5212cd2 100644 +') + diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..d40433a 100644 +index dfd46e4..747aa2a 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,32 @@ +@@ -1,15 +1,33 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) /etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0) ++/etc/mdadm\.conf\.anacbak gen_context(system_u:object_r:pegasus_conf_t,s0) -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) @@ -65569,7 +65613,7 @@ index d2fc677..86dce34 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..251160b 100644 +index 608f454..3e3fd3d 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -65588,7 +65632,7 @@ index 608f454..251160b 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,326 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,337 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -65745,9 +65789,13 @@ index 608f454..251160b 100644 + +kernel_read_network_state(pegasus_openlmi_system_t) + ++auth_use_nsswitch(pegasus_openlmi_system_t) ++ +dev_rw_sysfs(pegasus_openlmi_system_t) +dev_read_urand(pegasus_openlmi_system_t) + ++fs_getattr_all_fs(pegasus_openlmi_system_t) ++ +init_read_utmp(pegasus_openlmi_system_t) + +systemd_config_power_services(pegasus_openlmi_system_t) 
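Review bot: The new entry `/etc/mdadm\.conf\.anacbak gen_context(system_u:object_r:pegasus_conf_t,s0)` names one regular file but carries no file-type field, so it also labels a directory or symlink at that path; `/etc/mdadm\.conf\.anacbak -- gen_context(system_u:object_r:pegasus_conf_t,s0)` would be consistent with the `--` entries in this file. Labelling a backup of mdadm's configuration with the Pegasus config type also means every domain that may read pegasus_conf_t can read it; if that is intended, a short comment naming the OpenLMI storage provider as the writer of this file would help the next reader.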
@@ -65819,6 +65867,9 @@ index 608f454..251160b 100644 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) +files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage") + ++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t) ++files_etc_filetrans(pegasus_openlmi_storage_t, pegasus_conf_t, file, "mdadm.conf.anacbak" ) ++ +kernel_read_all_sysctls(pegasus_openlmi_storage_t) +kernel_read_network_state(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) @@ -65860,6 +65911,10 @@ index 608f454..251160b 100644 +') + +optional_policy(` ++ gnome_dontaudit_search_config(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` + fstools_domtrans(pegasus_openlmi_storage_t) +') + @@ -65920,7 +65975,7 @@ index 608f454..251160b 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +359,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +370,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -65951,7 +66006,7 @@ index 608f454..251160b 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +385,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +396,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -65984,7 +66039,7 @@ index 608f454..251160b 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +413,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +424,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
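Review bot: `manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t)` grants create, write and unlink on every file labelled pegasus_conf_t, which per pegasus.fc covers all of /etc/Pegasus, while the accompanying `files_etc_filetrans(... "mdadm.conf.anacbak")` only needs to create that one backup file. That is wider than the changelog item describes; unless the storage provider is known to rewrite other Pegasus configuration, a dedicated type for the backup file, or at least a comment stating which file this rule exists for, would keep the privilege reviewable. The call `files_etc_filetrans(pegasus_openlmi_storage_t, pegasus_conf_t, file, "mdadm.conf.anacbak" )` also has a stray space before the closing paren, unlike the other filetrans calls in this file.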
@@ -65996,7 +66051,7 @@ index 608f454..251160b 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +429,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +440,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -66014,10 +66069,7 @@ index 608f454..251160b 100644 - dbus_connect_system_bus(pegasus_t) + dmidecode_domtrans(pegasus_t) +') - -- optional_policy(` -- networkmanager_dbus_chat(pegasus_t) -- ') ++ +optional_policy(` + dbus_system_bus_client(pegasus_t) + dbus_connect_system_bus(pegasus_t) @@ -66026,13 +66078,16 @@ index 608f454..251160b 100644 + networkmanager_dbus_chat(pegasus_t) + ') +') -+ + +- optional_policy(` +- networkmanager_dbus_chat(pegasus_t) +- ') +optional_policy(` + rhcs_stream_connect_cluster(pegasus_t) ') optional_policy(` -@@ -151,16 +463,24 @@ optional_policy(` +@@ -151,16 +474,24 @@ optional_policy(` ') optional_policy(` @@ -66061,7 +66116,7 @@ index 608f454..251160b 100644 ') optional_policy(` -@@ -168,7 +488,7 @@ optional_policy(` +@@ -168,7 +499,7 @@ optional_policy(` ') optional_policy(` @@ -66070,7 +66125,7 @@ index 608f454..251160b 100644 ') optional_policy(` -@@ -180,6 +500,7 @@ optional_policy(` +@@ -180,6 +511,7 @@ optional_policy(` ') optional_policy(` @@ -73436,10 +73491,10 @@ index 0000000..c056a2f +/var/log/prosody(/.*)? gen_context(system_u:object_r:prosody_log_t,s0) diff --git a/prosody.if b/prosody.if new file mode 100644 -index 0000000..44ed5ad +index 0000000..8231f4f --- /dev/null +++ b/prosody.if -@@ -0,0 +1,235 @@ +@@ -0,0 +1,255 @@ + +## policy for prosody + 
@@ -73609,6 +73664,26 @@ index 0000000..44ed5ad + roleattribute $2 prosody_roles; +') + ++###################################### ++## ++## Connect to prosody with a unix ++## domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`prosody_stream_connect',` ++ gen_require(` ++ type prosody_t, prosody_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, prosody_var_run_t, prosody_var_run_t, prosody_t) ++') ++ +######################################## +## +## Role access for prosody @@ -73677,10 +73752,10 @@ index 0000000..44ed5ad +') diff --git a/prosody.te b/prosody.te new file mode 100644 -index 0000000..f48f1b9 +index 0000000..d531fa5 --- /dev/null +++ b/prosody.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,92 @@ +policy_module(prosody, 1.0.0) + +######################################## @@ -73709,6 +73784,9 @@ index 0000000..f48f1b9 +type prosody_var_run_t; +files_pid_file(prosody_var_run_t) + ++type prosody_tmp_t; ++files_tmp_file(prosody_tmp_t) ++ +type prosody_unit_file_t; +systemd_unit_file(prosody_unit_file_t) + @@ -73735,6 +73813,10 @@ index 0000000..f48f1b9 +setattr_files_pattern(prosody_t, prosody_log_t, prosody_log_t) +logging_log_filetrans(prosody_t, prosody_log_t, { file dir }) + ++manage_dirs_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t) ++manage_files_pattern(prosody_t, prosody_tmp_t, prosody_tmp_t) ++files_tmp_filetrans(prosody_t, prosody_tmp_t, { dir file }) ++ +can_exec(prosody_t, prosody_exec_t) + +kernel_read_system_state(prosody_t) @@ -77705,7 +77787,7 @@ index fe2adf8..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 83eb09e..fc17eee 100644 +index 83eb09e..9f4739c 100644 --- a/qpid.te +++ b/qpid.te @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) 
@@ -77718,7 +77800,7 @@ index 83eb09e..fc17eee 100644 type qpidd_tmpfs_t; files_tmpfs_file(qpidd_tmpfs_t) -@@ -33,41 +36,54 @@ allow qpidd_t self:shm create_shm_perms; +@@ -33,41 +36,55 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket { accept listen }; allow qpidd_t self:unix_stream_socket { accept listen }; @@ -77743,10 +77825,11 @@ index 83eb09e..fc17eee 100644 files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir }) kernel_read_system_state(qpidd_t) ++kernel_read_network_state(qpidd_t) ++ ++auth_read_passwd(qpidd_t) -corenet_all_recvfrom_unlabeled(qpidd_t) -+auth_read_passwd(qpidd_t) -+ corenet_all_recvfrom_netlabel(qpidd_t) +corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_sendrecv_generic_if(qpidd_t) @@ -78849,7 +78932,7 @@ index 2c3d338..7d49554 100644 init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..d8858d1 100644 +index dc3b0ed..b0ae2c6 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2) @@ -78883,7 +78966,7 @@ index dc3b0ed..d8858d1 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -27,98 +31,92 @@ files_pid_file(rabbitmq_var_run_t) +@@ -27,98 +31,93 @@ files_pid_file(rabbitmq_var_run_t) ###################################### # @@ -79029,6 +79112,7 @@ index dc3b0ed..d8858d1 100644 +corenet_tcp_bind_jabber_client_port(rabbitmq_t) +corenet_tcp_bind_jabber_interserver_port(rabbitmq_t) +corenet_tcp_bind_rabbitmq_port(rabbitmq_t) ++corenet_tcp_connect_amqp_port(rabbitmq_t) +corenet_tcp_connect_epmd_port(rabbitmq_t) +corenet_tcp_connect_jabber_interserver_port(rabbitmq_t) +corenet_tcp_sendrecv_epmd_port(rabbitmq_t) @@ -88900,7 +88984,7 @@ index b8b66ff..a93346e 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 50d07fb..3ca1c49 100644 +index 50d07fb..337a3e7 100644 --- a/samba.if 
+++ b/samba.if @@ -1,8 +1,12 @@ @@ -89418,54 +89502,44 @@ index 50d07fb..3ca1c49 100644 ## ## ## -@@ -562,47 +713,63 @@ interface(`samba_rw_smbmount_tcp_sockets',` +@@ -560,49 +711,47 @@ interface(`samba_rw_smbmount_tcp_sockets',` + allow $1 smbmount_t:tcp_socket { read write }; + ') - ######################################## +-######################################## ++####################################### ## -## Execute winbind helper in the -## winbind helper domain. -+## Allow send signull to winbind ++## Allow to getattr on winbind binary. ## ## - ## +-## -## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # --interface(`samba_domtrans_winbind_helper',` -+interface(`samba_winbind_signull',` - gen_require(` -- type winbind_helper_t, winbind_helper_exec_t; -+ type winbind_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) -+ allow $1 winbind_t:process signull; - ') - - ####################################### - ## --## Get attributes of winbind executable files. -+## Allow to getattr on winbind binary. -+## -+## +-## +## +## Domain allowed to transition. +## -+## -+# + ## + # +-interface(`samba_domtrans_winbind_helper',` +- gen_require(` +- type winbind_helper_t, winbind_helper_exec_t; +- ') +interface(`samba_getattr_winbind',` + gen_require(` + type winbind_exec_t; + ') -+ + +- corecmd_search_bin($1) +- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) + allow $1 winbind_exec_t:file getattr; -+') -+ + ') + +-####################################### +######################################## -+## + ## +-## Get attributes of winbind executable files. +## Execute winbind_helper in the winbind_helper domain. ## ## @@ -89497,7 +89571,7 @@ index 50d07fb..3ca1c49 100644 ## ## ## -@@ -618,16 +785,16 @@ interface(`samba_getattr_winbind_exec',` +@@ -618,16 +767,16 @@ interface(`samba_getattr_winbind_exec',` # interface(`samba_run_winbind_helper',` gen_require(` 
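Review bot: The doc block of the new `samba_getattr_winbind` interface still describes its parameter as `## Domain allowed to transition.`, a leftover from the `samba_domtrans_winbind_helper` text it replaced; the interface only grants `allow $1 winbind_exec_t:file getattr;`, so the parameter line should read `## Domain allowed access.` as the other non-transition interfaces in this file do. The summary `## Allow to getattr on winbind binary.` would read better as `## Get attributes of the winbind executable.`, matching the refpolicy phrasing used elsewhere in samba.if.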
@@ -89517,18 +89591,72 @@ index 50d07fb..3ca1c49 100644 ## ## ## -@@ -637,17 +804,16 @@ interface(`samba_run_winbind_helper',` +@@ -637,17 +786,71 @@ interface(`samba_run_winbind_helper',` # interface(`samba_read_winbind_pid',` gen_require(` - type winbind_var_run_t, smbd_var_run_t; + type winbind_var_run_t; - ') - -- files_search_pids($1) -- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) ++ ') ++ + samba_search_pid($1) + allow $1 winbind_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Manage winbind PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_manage_winbind_pid',` ++ gen_require(` ++ type winbind_var_run_t; + ') + + files_search_pids($1) +- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) ++ manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t) ++ manage_files_pattern($1, winbin_var_run_t, winbind_var_run_t) ++ manage_sock_files_pattern($1, winbind_var_run_t, winbind_var_run_t) ++') ++ ++###################################### ++## ++## Allow domain to signull winbind ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_signull_winbind',` ++ gen_require(` ++ type winbind_t; ++ ') ++ allow $1 winbind_t:process signull; ++') ++ ++###################################### ++## ++## Allow domain to signull samba_unconfined_net ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`samba_signull_unconfined_net',` ++ gen_require(` ++ type samba_unconfined_net_t; ++ ') ++ allow $1 samba_unconfined_net_t:process signull; ') ######################################## @@ -89539,7 +89667,7 @@ index 50d07fb..3ca1c49 100644 ## ## ## -@@ -657,17 +823,79 @@ interface(`samba_read_winbind_pid',` +@@ -657,17 +860,61 @@ interface(`samba_read_winbind_pid',` # interface(`samba_stream_connect_winbind',` gen_require(` 
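Review bot: `manage_files_pattern($1, winbin_var_run_t, winbind_var_run_t)` in the new `samba_manage_winbind_pid` interface misspells the type: `winbin_var_run_t` is not declared in the interface's gen_require (which lists `winbind_var_run_t`), so the policy fails to build as soon as a caller such as smbd or nmbd uses the interface, and the file-management rule it was meant to add is not granted. It should read `manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t)`. The two new signull interfaces in the same hunk, `samba_signull_winbind` and `samba_signull_unconfined_net`, also omit the blank line between `gen_require(...)` and the allow rule that every other interface in this file has.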
@@ -89601,30 +89729,12 @@ index 50d07fb..3ca1c49 100644 + +######################################## +## -+## Allow send signull to samba_unconfined_net -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`samba_unconfined_net_signull',` -+ gen_require(` -+ type samba_uncofined_net_t; -+ ') -+ -+ allow $1 samba_uncofined_net_t:process signull; -+') -+ -+######################################## -+## +## All of the rules required to administrate +## an samba environment ## ## ## -@@ -676,7 +904,7 @@ interface(`samba_stream_connect_winbind',` +@@ -676,7 +923,7 @@ interface(`samba_stream_connect_winbind',` ## ## ## @@ -89633,7 +89743,7 @@ index 50d07fb..3ca1c49 100644 ## ## ## -@@ -689,11 +917,30 @@ interface(`samba_admin',` +@@ -689,11 +936,30 @@ interface(`samba_admin',` type samba_etc_t, samba_share_t, samba_initrc_exec_t; type swat_var_run_t, swat_tmp_t, winbind_log_t; type winbind_var_run_t, winbind_tmp_t; @@ -89667,7 +89777,7 @@ index 50d07fb..3ca1c49 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -703,23 +950,34 @@ interface(`samba_admin',` +@@ -703,23 +969,34 @@ interface(`samba_admin',` files_list_etc($1) admin_pattern($1, { samba_etc_t smbd_keytab_t }) @@ -89678,11 +89788,11 @@ index 50d07fb..3ca1c49 100644 - files_list_var($1) - admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) + admin_pattern($1, samba_secrets_t) -+ -+ admin_pattern($1, samba_share_t) - files_list_spool($1) - admin_pattern($1, smbd_spool_t) ++ admin_pattern($1, samba_share_t) ++ + admin_pattern($1, samba_var_t) + files_list_var($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index 07b4d0c0..268c9859 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -645,6 +645,38 @@ exit 0 %endif %changelog +* Mon Jul 20 2015 Lukas Vrabec 3.13.1-138 +- Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. +- Prepare selinux-policy package for SELinux store migration +- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te +- Allow glusterd to manage nfsd and rpcd services. +- Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs. +- Add samba_manage_winbind_pid() interface +- Allow networkmanager to communicate via dbus with systemd_hostanmed. +- Allow stream connect logrotate to prosody. +- Add prosody_stream_connect() interface. +- httpd should be able to send signal/signull to httpd_suexec_t, instead of httpd_suexec_exec_t. +- Allow prosody to create own tmp files/dirs. +- Allow keepalived request kernel load module +- kadmind should not read generic files in /usr +- Allow kadmind_t access to /etc/krb5.keytab +- Add more fixes to kerberos.te +- Add labeling for /var/tmp/kadmin_0 and /var/tmp/kiprop_0 +- Add lsmd_t to nsswitch_domain. +- Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc. +- Add fixes to pegasus_openlmi_domain +- Allow Glance Scrubber to connect to commplex_main port +- Allow RabbitMQ to connect to amqp port +- Allow isnsd read access on the file /proc/net/unix +- Allow qpidd access to /proc//net/psched +- Allow openshift_initrc_t to communicate with firewalld over dbus. +- Allow ctdbd_t send signull to samba_unconfined_net_t. +- Add samba_signull_unconfined_net() +- Add samba_signull_winbind() +- Revert "Add interfaces winbind_signull(), samba_unconfined_net_signull()." +- Fix ctdb policy +- Label /var/db/ as system_db_t. + * Wed Jul 15 2015 Lukas Vrabec 3.13.1-137 - inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
