* Fri Sep 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-290

- Allow virtlogd_t domain to write inhibit systemd pipes.
- Add dac_override capability to openvpn_t domain
- Add dac_override capability to xdm_t domain
- Allow dac_override to groupadd_t domain BZ(1497081)
- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166)
This commit is contained in:
Lukas Vrabec 2017-09-29 14:22:40 +02:00
parent 233534cc51
commit e8dfe68ada
4 changed files with 307 additions and 280 deletions

Binary file not shown.

View File

@ -3190,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1e7..ae2fa67f8 100644
index 1d732f1e7..fc127e1d7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@ -3519,7 +3519,7 @@ index 1d732f1e7..ae2fa67f8 100644
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+allow useradd_t self:capability { dac_read_search chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:cap_userns { sys_ptrace };
@ -32017,7 +32017,7 @@ index 6bf0ecc2d..75b2f31f9 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b403774f..fe21bfc46 100644
index 8b403774f..7eb9dade6 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@ -32382,7 +32382,7 @@ index 8b403774f..fe21bfc46 100644
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search dac_override fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability2 { block_suspend };
+allow xdm_t self:cap_userns { kill };
+dontaudit xdm_t self:capability sys_admin;
@ -37885,7 +37885,7 @@ index 79a45f62e..6ed0c399a 100644
+ allow $1 init_var_lib_t:dir search_dir_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda2480..7d76c87ce 100644
index 17eda2480..f049f18e3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -38294,17 +38294,16 @@ index 17eda2480..7d76c87ce 100644
+optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
')
optional_policy(`
- auth_rw_login_records(init_t)
+')
+
+optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_config(init_t)
+ mta_manage_aliases(init_t)
')
optional_policy(`
+')
+
+optional_policy(`
+ systemd_allow_mount_dir(init_t)
+')
+
@ -38465,13 +38464,14 @@ index 17eda2480..7d76c87ce 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
- auth_rw_login_records(init_t)
+ lldpad_relabel_tmpfs(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@ -38491,10 +38491,9 @@ index 17eda2480..7d76c87ce 100644
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
')
optional_policy(`
- nscd_use(init_t)
+')
+
+optional_policy(`
+ networkmanager_stream_connect(init_t)
+ networkmanager_stream_connect(initrc_t)
+')
@ -38503,14 +38502,15 @@ index 17eda2480..7d76c87ce 100644
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
+ plymouthd_filetrans_named_content(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
- nscd_use(init_t)
+ ssh_getattr_server_keys(init_t)
')
optional_policy(`
@@ -216,7 +641,30 @@ optional_policy(`
@@ -216,7 +641,34 @@ optional_policy(`
')
optional_policy(`
@ -38524,6 +38524,10 @@ index 17eda2480..7d76c87ce 100644
+')
+
+optional_policy(`
+ sysnet_filetrans_cloud_net_conf(init_t)
+')
+
+optional_policy(`
+ udev_read_db(init_t)
+ udev_relabelto_db(init_t)
+ udev_create_kobject_uevent_socket(init_t)
@ -38542,7 +38546,7 @@ index 17eda2480..7d76c87ce 100644
')
########################################
@@ -225,9 +673,9 @@ optional_policy(`
@@ -225,9 +677,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -38554,7 +38558,7 @@ index 17eda2480..7d76c87ce 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -258,12 +706,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -258,12 +710,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -38571,7 +38575,7 @@ index 17eda2480..7d76c87ce 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +731,36 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -279,23 +735,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -38614,7 +38618,7 @@ index 17eda2480..7d76c87ce 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +768,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
@@ -303,9 +772,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@ -38626,7 +38630,7 @@ index 17eda2480..7d76c87ce 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -313,8 +780,10 @@ dev_write_framebuffer(initrc_t)
@@ -313,8 +784,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@ -38637,7 +38641,7 @@ index 17eda2480..7d76c87ce 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -322,8 +791,7 @@ dev_manage_generic_files(initrc_t)
@@ -322,8 +795,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -38647,7 +38651,7 @@ index 17eda2480..7d76c87ce 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
@@ -332,7 +800,6 @@ domain_sigstop_all_domains(initrc_t)
@@ -332,7 +804,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@ -38655,7 +38659,7 @@ index 17eda2480..7d76c87ce 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
@@ -340,6 +807,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
@@ -340,6 +811,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@ -38663,7 +38667,7 @@ index 17eda2480..7d76c87ce 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
@@ -347,14 +815,15 @@ files_getattr_all_symlinks(initrc_t)
@@ -347,14 +819,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -38681,7 +38685,7 @@ index 17eda2480..7d76c87ce 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
@@ -364,8 +833,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -364,8 +837,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -38695,7 +38699,7 @@ index 17eda2480..7d76c87ce 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -375,10 +848,11 @@ fs_mount_all_fs(initrc_t)
@@ -375,10 +852,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -38709,7 +38713,7 @@ index 17eda2480..7d76c87ce 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
@@ -387,8 +861,10 @@ mls_process_read_up(initrc_t)
@@ -387,8 +865,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -38720,7 +38724,7 @@ index 17eda2480..7d76c87ce 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +874,7 @@ term_use_all_terms(initrc_t)
@@ -398,6 +878,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@ -38728,7 +38732,7 @@ index 17eda2480..7d76c87ce 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -416,20 +893,18 @@ logging_read_all_logs(initrc_t)
@@ -416,20 +897,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@ -38752,7 +38756,7 @@ index 17eda2480..7d76c87ce 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +926,6 @@ ifdef(`distro_gentoo',`
@@ -451,7 +930,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@ -38760,7 +38764,7 @@ index 17eda2480..7d76c87ce 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
@@ -486,6 +960,10 @@ ifdef(`distro_gentoo',`
@@ -486,6 +964,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@ -38771,7 +38775,7 @@ index 17eda2480..7d76c87ce 100644
alsa_read_lib(initrc_t)
')
@@ -506,7 +984,7 @@ ifdef(`distro_redhat',`
@@ -506,7 +988,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -38780,7 +38784,7 @@ index 17eda2480..7d76c87ce 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -521,6 +999,7 @@ ifdef(`distro_redhat',`
@@ -521,6 +1003,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@ -38788,7 +38792,7 @@ index 17eda2480..7d76c87ce 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
@@ -541,6 +1020,7 @@ ifdef(`distro_redhat',`
@@ -541,6 +1024,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@ -38796,7 +38800,7 @@ index 17eda2480..7d76c87ce 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
@@ -550,8 +1030,44 @@ ifdef(`distro_redhat',`
@@ -550,8 +1034,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@ -38841,7 +38845,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -559,14 +1075,31 @@ ifdef(`distro_redhat',`
@@ -559,14 +1079,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -38873,7 +38877,7 @@ index 17eda2480..7d76c87ce 100644
')
')
@@ -577,6 +1110,39 @@ ifdef(`distro_suse',`
@@ -577,6 +1114,39 @@ ifdef(`distro_suse',`
')
')
@ -38913,7 +38917,7 @@ index 17eda2480..7d76c87ce 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1155,8 @@ optional_policy(`
@@ -589,6 +1159,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -38922,7 +38926,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -610,6 +1178,7 @@ optional_policy(`
@@ -610,6 +1182,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -38930,7 +38934,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -626,6 +1195,17 @@ optional_policy(`
@@ -626,6 +1199,17 @@ optional_policy(`
')
optional_policy(`
@ -38948,7 +38952,7 @@ index 17eda2480..7d76c87ce 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -642,9 +1222,13 @@ optional_policy(`
@@ -642,9 +1226,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -38962,7 +38966,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -657,15 +1241,11 @@ optional_policy(`
@@ -657,15 +1245,11 @@ optional_policy(`
')
optional_policy(`
@ -38980,7 +38984,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -686,6 +1266,15 @@ optional_policy(`
@@ -686,6 +1270,15 @@ optional_policy(`
')
optional_policy(`
@ -38996,7 +39000,7 @@ index 17eda2480..7d76c87ce 100644
inn_exec_config(initrc_t)
')
@@ -726,6 +1315,7 @@ optional_policy(`
@@ -726,6 +1319,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@ -39004,7 +39008,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -743,7 +1333,13 @@ optional_policy(`
@@ -743,7 +1337,13 @@ optional_policy(`
')
optional_policy(`
@ -39019,7 +39023,7 @@ index 17eda2480..7d76c87ce 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -766,6 +1362,10 @@ optional_policy(`
@@ -766,6 +1366,10 @@ optional_policy(`
')
optional_policy(`
@ -39030,7 +39034,7 @@ index 17eda2480..7d76c87ce 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -775,10 +1375,20 @@ optional_policy(`
@@ -775,10 +1379,20 @@ optional_policy(`
')
optional_policy(`
@ -39051,7 +39055,7 @@ index 17eda2480..7d76c87ce 100644
quota_manage_flags(initrc_t)
')
@@ -787,6 +1397,10 @@ optional_policy(`
@@ -787,6 +1401,10 @@ optional_policy(`
')
optional_policy(`
@ -39062,7 +39066,7 @@ index 17eda2480..7d76c87ce 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -808,8 +1422,6 @@ optional_policy(`
@@ -808,8 +1426,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -39071,7 +39075,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -818,6 +1430,10 @@ optional_policy(`
@@ -818,6 +1434,10 @@ optional_policy(`
')
optional_policy(`
@ -39082,7 +39086,7 @@ index 17eda2480..7d76c87ce 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
@@ -827,10 +1443,12 @@ optional_policy(`
@@ -827,10 +1447,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@ -39095,7 +39099,7 @@ index 17eda2480..7d76c87ce 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1475,62 @@ optional_policy(`
@@ -857,21 +1479,62 @@ optional_policy(`
')
optional_policy(`
@ -39159,7 +39163,7 @@ index 17eda2480..7d76c87ce 100644
')
optional_policy(`
@@ -887,6 +1546,10 @@ optional_policy(`
@@ -887,6 +1550,10 @@ optional_policy(`
')
optional_policy(`
@ -39170,7 +39174,7 @@ index 17eda2480..7d76c87ce 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1560,218 @@ optional_policy(`
@@ -897,3 +1564,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -47059,10 +47063,10 @@ index 1447687d5..0b1da4d3e 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 40edc18ab..95f4458d2 100644
index 40edc18ab..be7317733 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -17,23 +17,29 @@ ifdef(`distro_debian',`
@@ -17,23 +17,31 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@ -47094,10 +47098,12 @@ index 40edc18ab..95f4458d2 100644
+/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
')
+/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+
+/var/run/cloud-init(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
#
# /sbin
@@ -44,6 +50,7 @@ ifdef(`distro_redhat',`
@@ -44,6 +52,7 @@ ifdef(`distro_redhat',`
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@ -47105,7 +47111,7 @@ index 40edc18ab..95f4458d2 100644
/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -55,6 +62,21 @@ ifdef(`distro_redhat',`
@@ -55,6 +64,21 @@ ifdef(`distro_redhat',`
#
# /usr
#
@ -47127,7 +47133,7 @@ index 40edc18ab..95f4458d2 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
@@ -77,3 +99,6 @@ ifdef(`distro_debian',`
@@ -77,3 +101,6 @@ ifdef(`distro_debian',`
/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
@ -47135,7 +47141,7 @@ index 40edc18ab..95f4458d2 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692c0..e3cb4f2ef 100644
index 2cea692c0..853ddefe4 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@ -47562,7 +47568,7 @@ index 2cea692c0..e3cb4f2ef 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
@@ -796,3 +1057,144 @@ interface(`sysnet_use_portmap',`
@@ -796,3 +1057,162 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@ -47707,6 +47713,24 @@ index 2cea692c0..e3cb4f2ef 100644
+
+ files_etc_filetrans($1, net_conf_t, file)
+')
+
+########################################
+## <summary>
+## Transition to cloud-init named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_filetrans_cloud_net_conf',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4bc..d29b7f6fb 100644
--- a/policy/modules/system/sysnetwork.te

View File

@ -68669,7 +68669,7 @@ index 6837e9a2b..8d6e33b00 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
index 63957a362..1a037b974 100644
index 63957a362..91dead6e7 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@ -68710,7 +68710,7 @@ index 63957a362..1a037b974 100644
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
@ -97220,7 +97220,7 @@ index 50d07fb2e..a34db489c 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
index 2b7c441e7..8f17d3b19 100644
index 2b7c441e7..6d5786b06 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -97590,10 +97590,12 @@ index 2b7c441e7..8f17d3b19 100644
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget };
@@ -298,65 +322,72 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
@@ -297,66 +321,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
+allow smbd_t samba_var_t:file { map } ;
+
+manage_dirs_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
+manage_lnk_files_pattern(smbd_t, samba_spool_t, samba_spool_t)
@ -97602,7 +97604,7 @@ index 2b7c441e7..8f17d3b19 100644
+
+allow smbd_t smbcontrol_t:process { signal signull };
+allow smbd_t smbcontrol_t:unix_dgram_socket sendto;
+
manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
@ -97687,7 +97689,7 @@ index 2b7c441e7..8f17d3b19 100644
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
@@ -366,44 +397,53 @@ fs_getattr_rpc_dirs(smbd_t)
@@ -366,44 +398,53 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@ -97753,7 +97755,7 @@ index 2b7c441e7..8f17d3b19 100644
')
tunable_policy(`samba_domain_controller',`
@@ -419,20 +459,16 @@ tunable_policy(`samba_domain_controller',`
@@ -419,20 +460,16 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@ -97780,7 +97782,7 @@ index 2b7c441e7..8f17d3b19 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -441,6 +477,7 @@ tunable_policy(`samba_share_nfs',`
@@ -441,6 +478,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@ -97788,7 +97790,7 @@ index 2b7c441e7..8f17d3b19 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
@@ -448,15 +485,10 @@ tunable_policy(`samba_share_fusefs',`
@@ -448,15 +486,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@ -97808,7 +97810,7 @@ index 2b7c441e7..8f17d3b19 100644
')
optional_policy(`
@@ -466,6 +498,7 @@ optional_policy(`
@@ -466,6 +499,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
@ -97816,7 +97818,7 @@ index 2b7c441e7..8f17d3b19 100644
')
optional_policy(`
@@ -474,11 +507,31 @@ optional_policy(`
@@ -474,11 +508,31 @@ optional_policy(`
')
optional_policy(`
@ -97848,7 +97850,7 @@ index 2b7c441e7..8f17d3b19 100644
lpd_exec_lpr(smbd_t)
')
@@ -488,6 +541,10 @@ optional_policy(`
@@ -488,6 +542,10 @@ optional_policy(`
')
optional_policy(`
@ -97859,7 +97861,7 @@ index 2b7c441e7..8f17d3b19 100644
rpc_search_nfs_state_data(smbd_t)
')
@@ -499,12 +556,53 @@ optional_policy(`
@@ -499,12 +557,53 @@ optional_policy(`
udev_read_db(smbd_t)
')
@ -97914,7 +97916,7 @@ index 2b7c441e7..8f17d3b19 100644
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
@@ -512,9 +610,11 @@ allow nmbd_t self:msg { send receive };
@@ -512,9 +611,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@ -97929,7 +97931,7 @@ index 2b7c441e7..8f17d3b19 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
@@ -526,20 +626,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -526,20 +627,16 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -97954,7 +97956,7 @@ index 2b7c441e7..8f17d3b19 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
@@ -547,53 +643,44 @@ kernel_read_kernel_sysctls(nmbd_t)
@@ -547,53 +644,44 @@ kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@ -98023,7 +98025,7 @@ index 2b7c441e7..8f17d3b19 100644
')
optional_policy(`
@@ -606,18 +693,29 @@ optional_policy(`
@@ -606,18 +694,29 @@ optional_policy(`
########################################
#
@ -98059,7 +98061,7 @@ index 2b7c441e7..8f17d3b19 100644
samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
@@ -627,39 +725,38 @@ domain_use_interactive_fds(smbcontrol_t)
@@ -627,39 +726,38 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@ -98111,7 +98113,7 @@ index 2b7c441e7..8f17d3b19 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -668,26 +765,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
@@ -668,26 +766,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@ -98147,7 +98149,7 @@ index 2b7c441e7..8f17d3b19 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
@@ -699,58 +792,77 @@ fs_read_cifs_files(smbmount_t)
@@ -699,58 +793,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@ -98240,7 +98242,7 @@ index 2b7c441e7..8f17d3b19 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
@@ -759,17 +871,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
@@ -759,17 +872,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@ -98264,7 +98266,7 @@ index 2b7c441e7..8f17d3b19 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -777,36 +885,25 @@ kernel_read_network_state(swat_t)
@@ -777,36 +886,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@ -98307,7 +98309,7 @@ index 2b7c441e7..8f17d3b19 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
@@ -818,10 +915,11 @@ logging_send_syslog_msg(swat_t)
@@ -818,10 +916,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@ -98321,7 +98323,7 @@ index 2b7c441e7..8f17d3b19 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
@@ -840,17 +938,20 @@ optional_policy(`
@@ -840,17 +939,20 @@ optional_policy(`
# Winbind local policy
#
@ -98348,7 +98350,7 @@ index 2b7c441e7..8f17d3b19 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -860,9 +961,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
@@ -860,9 +962,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -98359,7 +98361,7 @@ index 2b7c441e7..8f17d3b19 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
@@ -871,40 +970,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
@@ -871,40 +971,44 @@ manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
@ -98416,7 +98418,7 @@ index 2b7c441e7..8f17d3b19 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -912,38 +1015,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -912,38 +1016,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@ -98475,7 +98477,7 @@ index 2b7c441e7..8f17d3b19 100644
')
optional_policy(`
@@ -959,31 +1076,36 @@ optional_policy(`
@@ -959,31 +1077,36 @@ optional_policy(`
# Winbind helper local policy
#
@ -98519,7 +98521,7 @@ index 2b7c441e7..8f17d3b19 100644
optional_policy(`
apache_append_log(winbind_helper_t)
@@ -997,25 +1119,38 @@ optional_policy(`
@@ -997,25 +1120,38 @@ optional_policy(`
########################################
#
@ -117240,7 +117242,7 @@ index facdee8b3..2a619ba9e 100644
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
diff --git a/virt.te b/virt.te
index f03dcf567..6b27ef4c9 100644
index f03dcf567..a287ebdf0 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,424 @@
@ -117478,11 +117480,11 @@ index f03dcf567..6b27ef4c9 100644
-virt_domain_template(svirt_prot_exec)
+role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
-type virt_cache_t alias svirt_cache_t;
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
+
-type virt_cache_t alias svirt_cache_t;
+type qemu_exec_t, virt_file_type;
+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
@ -117845,37 +117847,37 @@ index f03dcf567..6b27ef4c9 100644
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+allow svirt_t self:process ptrace;
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
+allow svirt_t self:process ptrace;
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
corenet_udp_bind_generic_node(svirt_t)
-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
corenet_udp_bind_generic_node(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
@ -118040,12 +118042,12 @@ index f03dcf567..6b27ef4c9 100644
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
-
-can_exec(virtd_t, virt_tmp_t)
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
-can_exec(virtd_t, virt_tmp_t)
-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@ -118145,13 +118147,13 @@ index f03dcf567..6b27ef4c9 100644
+sysnet_read_config(virtd_t)
-userdom_read_all_users_state(virtd_t)
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-
-ifdef(`hide_broken_symptoms',`
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
-')
-
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
-tunable_policy(`virt_use_fusefs',`
- fs_manage_fusefs_dirs(virtd_t)
- fs_manage_fusefs_files(virtd_t)
@ -118205,7 +118207,7 @@ index f03dcf567..6b27ef4c9 100644
')
optional_policy(`
@@ -691,99 +653,433 @@ optional_policy(`
@@ -691,99 +653,437 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@ -118349,6 +118351,10 @@ index f03dcf567..6b27ef4c9 100644
+ fs_append_nfs_files(virtlogd_t)
+')
+
+optional_policy(`
+ systemd_write_inhibit_pipes(virtlogd_t)
+')
+
+########################################
+#
+# virtual domains common policy
@ -118536,18 +118542,16 @@ index f03dcf567..6b27ef4c9 100644
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
')
optional_policy(`
- lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ tunable_policy(`virt_use_glusterd',`
+ glusterd_manage_pid(virt_domain)
+ ')
')
-optional_policy(`
- mount_domtrans(virtd_t)
- mount_signal(virtd_t)
- lvm_domtrans(virtd_t)
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
@ -118557,9 +118561,8 @@ index f03dcf567..6b27ef4c9 100644
')
-optional_policy(`
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
- policykit_read_lib(virtd_t)
- mount_domtrans(virtd_t)
- mount_signal(virtd_t)
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
@ -118569,7 +118572,9 @@ index f03dcf567..6b27ef4c9 100644
')
-optional_policy(`
- qemu_exec(virtd_t)
- policykit_domtrans_auth(virtd_t)
- policykit_domtrans_resolve(virtd_t)
- policykit_read_lib(virtd_t)
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
@ -118580,20 +118585,23 @@ index f03dcf567..6b27ef4c9 100644
')
optional_policy(`
- sasl_connect(virtd_t)
- qemu_exec(virtd_t)
+ tunable_policy(`virt_use_pcscd',`
+ pcscd_stream_connect(virt_domain)
+ ')
')
optional_policy(`
- kernel_read_xen_state(virtd_t)
- kernel_write_xen_state(virtd_t)
- sasl_connect(virtd_t)
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ ')
+')
')
-optional_policy(`
- kernel_read_xen_state(virtd_t)
- kernel_write_xen_state(virtd_t)
-
- xen_exec(virtd_t)
- xen_stream_connect(virtd_t)
- xen_stream_connect_xenstore(virtd_t)
@ -118688,7 +118696,7 @@ index f03dcf567..6b27ef4c9 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
@@ -794,25 +1090,18 @@ kernel_write_xen_state(virsh_t)
@@ -794,25 +1094,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@ -118715,7 +118723,7 @@ index f03dcf567..6b27ef4c9 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
@@ -821,23 +1110,25 @@ fs_search_auto_mountpoints(virsh_t)
@@ -821,23 +1114,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@ -118749,7 +118757,7 @@ index f03dcf567..6b27ef4c9 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
@@ -856,14 +1147,20 @@ optional_policy(`
@@ -856,14 +1151,20 @@ optional_policy(`
')
optional_policy(`
@ -118771,7 +118779,7 @@ index f03dcf567..6b27ef4c9 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
@@ -888,49 +1185,66 @@ optional_policy(`
@@ -888,49 +1189,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@ -118856,7 +118864,7 @@ index f03dcf567..6b27ef4c9 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
@@ -942,17 +1256,16 @@ dev_read_urand(virtd_lxc_t)
@@ -942,17 +1260,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@ -118876,7 +118884,7 @@ index f03dcf567..6b27ef4c9 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
@@ -964,8 +1277,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
@@ -964,15 +1281,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@ -118884,72 +118892,125 @@ index f03dcf567..6b27ef4c9 100644
+
selinux_mount_fs(virtd_lxc_t)
selinux_unmount_fs(virtd_lxc_t)
-selinux_get_enforce_mode(virtd_lxc_t)
-selinux_get_fs_mount(virtd_lxc_t)
-selinux_validate_context(virtd_lxc_t)
-selinux_compute_access_vector(virtd_lxc_t)
-selinux_compute_create_context(virtd_lxc_t)
-selinux_compute_relabel_context(virtd_lxc_t)
-selinux_compute_user_contexts(virtd_lxc_t)
+seutil_read_config(virtd_lxc_t)
+
+term_use_generic_ptys(virtd_lxc_t)
+term_use_ptmx(virtd_lxc_t)
+term_relabel_pty_fs(virtd_lxc_t)
+
+auth_use_nsswitch(virtd_lxc_t)
+
+logging_send_syslog_msg(virtd_lxc_t)
+
+seutil_domtrans_setfiles(virtd_lxc_t)
+seutil_read_default_contexts(virtd_lxc_t)
+
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1302,296 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
-term_use_generic_ptys(virtd_lxc_t)
-term_use_ptmx(virtd_lxc_t)
-term_relabel_pty_fs(virtd_lxc_t)
+sysnet_exec_ifconfig(virtd_lxc_t)
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
@@ -982,186 +1295,307 @@ auth_use_nsswitch(virtd_lxc_t)
-auth_use_nsswitch(virtd_lxc_t)
+systemd_dbus_chat_machined(virtd_lxc_t)
-logging_send_syslog_msg(virtd_lxc_t)
+userdom_read_admin_home_files(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
-miscfiles_read_localization(virtd_lxc_t)
-
seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
seutil_read_default_contexts(virtd_lxc_t)
-sysnet_domtrans_ifconfig(virtd_lxc_t)
-
-########################################
-#
-# Common virt lxc domain local policy
-#
-
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
-allow svirt_lxc_domain self:sem create_sem_perms;
-allow svirt_lxc_domain self:shm create_shm_perms;
-allow svirt_lxc_domain self:msgq create_msgq_perms;
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+selinux_get_enforce_mode(virtd_lxc_t)
+selinux_get_fs_mount(virtd_lxc_t)
+selinux_validate_context(virtd_lxc_t)
+selinux_compute_access_vector(virtd_lxc_t)
+selinux_compute_create_context(virtd_lxc_t)
+selinux_compute_relabel_context(virtd_lxc_t)
+selinux_compute_user_contexts(virtd_lxc_t)
-allow svirt_lxc_domain virtd_lxc_t:fd use;
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+sysnet_exec_ifconfig(virtd_lxc_t)
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+systemd_dbus_chat_machined(virtd_lxc_t)
-allow svirt_lxc_domain virsh_t:fd use;
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virsh_t:process sigchld;
+userdom_read_admin_home_files(virtd_lxc_t)
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
-sysnet_domtrans_ifconfig(virtd_lxc_t)
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
+
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
+
-kernel_getattr_proc(svirt_lxc_domain)
-kernel_list_all_proc(svirt_lxc_domain)
-kernel_read_kernel_sysctls(svirt_lxc_domain)
-kernel_rw_net_sysctls(svirt_lxc_domain)
-kernel_read_system_state(svirt_lxc_domain)
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
+
-corecmd_exec_all_executables(svirt_lxc_domain)
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
########################################
#
-# Common virt lxc domain local policy
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
-# files_entrypoint_all_files(svirt_lxc_domain)
-files_list_var(svirt_lxc_domain)
-files_list_var_lib(svirt_lxc_domain)
-files_search_all(svirt_lxc_domain)
-files_read_config_files(svirt_lxc_domain)
-files_read_usr_files(svirt_lxc_domain)
-files_read_usr_symlinks(svirt_lxc_domain)
+########################################
+#
+# svirt_sandbox_domain local policy
#
+#
+allow svirt_sandbox_domain self:key manage_key_perms;
+dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+
@ -118973,7 +119034,9 @@ index f03dcf567..6b27ef4c9 100644
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
+
-fs_getattr_all_fs(svirt_lxc_domain)
-fs_list_inotifyfs(svirt_lxc_domain)
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@ -119063,113 +119126,43 @@ index f03dcf567..6b27ef4c9 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
+
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+optional_policy(`
+tunable_policy(`virt_sandbox_share_apache_content',`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+ ')
+')
+
-auth_dontaudit_read_login_records(svirt_lxc_domain)
-auth_dontaudit_write_login_records(svirt_lxc_domain)
-auth_search_pam_console_data(svirt_lxc_domain)
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
-allow svirt_lxc_domain self:sem create_sem_perms;
-allow svirt_lxc_domain self:shm create_shm_perms;
-allow svirt_lxc_domain self:msgq create_msgq_perms;
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
-
-allow svirt_lxc_domain virtd_lxc_t:fd use;
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
-
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
-
-allow svirt_lxc_domain virsh_t:fd use;
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
-allow svirt_lxc_domain virsh_t:process sigchld;
-
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
-
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
-
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
-
-kernel_getattr_proc(svirt_lxc_domain)
-kernel_list_all_proc(svirt_lxc_domain)
-kernel_read_kernel_sysctls(svirt_lxc_domain)
-kernel_rw_net_sysctls(svirt_lxc_domain)
-kernel_read_system_state(svirt_lxc_domain)
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
-
-corecmd_exec_all_executables(svirt_lxc_domain)
-
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
-# files_entrypoint_all_files(svirt_lxc_domain)
-files_list_var(svirt_lxc_domain)
-files_list_var_lib(svirt_lxc_domain)
-files_search_all(svirt_lxc_domain)
-files_read_config_files(svirt_lxc_domain)
-files_read_usr_files(svirt_lxc_domain)
-files_read_usr_symlinks(svirt_lxc_domain)
-
-fs_getattr_all_fs(svirt_lxc_domain)
-fs_list_inotifyfs(svirt_lxc_domain)
-
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
-
-auth_dontaudit_read_login_records(svirt_lxc_domain)
-auth_dontaudit_write_login_records(svirt_lxc_domain)
-auth_search_pam_console_data(svirt_lxc_domain)
-
-clock_read_adjtime(svirt_lxc_domain)
-
-init_read_utmp(svirt_lxc_domain)
-init_dontaudit_write_utmp(svirt_lxc_domain)
-
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
-
-miscfiles_read_localization(svirt_lxc_domain)
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
-miscfiles_read_fonts(svirt_lxc_domain)
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
+
-init_read_utmp(svirt_lxc_domain)
-init_dontaudit_write_utmp(svirt_lxc_domain)
+optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
-miscfiles_read_localization(svirt_lxc_domain)
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
-miscfiles_read_fonts(svirt_lxc_domain)
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_sandbox_domain)
+ fs_manage_nfs_files(svirt_sandbox_domain)
@ -119180,7 +119173,8 @@ index f03dcf567..6b27ef4c9 100644
+ fs_exec_nfs_files(svirt_sandbox_domain)
+ kernel_rw_fs_sysctls(svirt_sandbox_domain)
+')
+
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(svirt_sandbox_domain)
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
@ -119188,7 +119182,9 @@ index f03dcf567..6b27ef4c9 100644
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
+ fs_exec_cifs_files(svirt_sandbox_domain)
+')
+
-optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
+tunable_policy(`virt_sandbox_use_fusefs',`
+ fs_manage_fusefs_dirs(svirt_sandbox_domain)
+ fs_manage_fusefs_files(svirt_sandbox_domain)
@ -119344,7 +119340,7 @@ index f03dcf567..6b27ef4c9 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1604,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1608,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -119359,7 +119355,7 @@ index f03dcf567..6b27ef4c9 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,7 +1622,7 @@ optional_policy(`
@@ -1192,7 +1626,7 @@ optional_policy(`
########################################
#
@ -119368,7 +119364,7 @@ index f03dcf567..6b27ef4c9 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
@@ -1201,11 +1631,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1201,11 +1635,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 289%{?dist}
Release: 290%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -682,6 +682,13 @@ exit 0
%endif
%changelog
* Fri Sep 29 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-290
- Allow virtlogd_t domain to write inhibit systemd pipes.
- Add dac_override capability to openvpn_t domain
- Add dac_override capability to xdm_t domain
- Allow dac_override to groupadd_t domain BZ(1497081)
- Allow cloud-init to create /var/run/cloud-init dir with net_conf_t SELinux label.BZ(1489166)
* Wed Sep 27 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-289
- Allow tlp_t domain stream connect to sssd_t domain
- Add missing dac_override capability