rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146

Browse Source 
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
This commit is contained in:
Lukas Vrabec 2015-09-01 18:25:49 +02:00
parent 0d70340b72
commit f1ab24fa93
3 changed files with 479 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

250
policy-rawhide-base.patch
View File

@ -801,7 +801,7 @@ index 5061a5f..0000000
-.SH "SEE ALSO"
-selinux(8), ypbind(8), chcon(1), setsebool(8)
diff --git a/policy/constraints b/policy/constraints
index 3a45f23..f4754f0 100644
index 3a45f23..ee7d7b3 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -105,6 +105,18 @@ constrain process { transition dyntransition noatsecure siginh rlimitinh }
@ -823,8 +823,23 @@ index 3a45f23..f4754f0 100644
# These permissions do not have ubac constraints:
# fork
# setexec
@@ -150,6 +162,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
exempted_ubac_constraint(appletalk_socket, ubacsock)
exempted_ubac_constraint(dccp_socket, ubacsock)
exempted_ubac_constraint(tun_socket, ubacsock)
+exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
+exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
+exempted_ubac_constraint(netlink_connector_socket, ubacsock)
+exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
+exempted_ubac_constraint(netlink_generic_socket, ubacsock)
+exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
+exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
+exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
constrain socket_class_set { create relabelto relabelfrom }
(
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a94b169..1afd77b 100644
index a94b169..2e137e6 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process
@ -849,7 +864,7 @@ index a94b169..1afd77b 100644
}
#
@@ -443,10 +451,12 @@ class capability
@@ -443,10 +451,13 @@ class capability
class capability2
{
mac_override # unused by SELinux
@ -860,10 +875,11 @@ index a94b169..1afd77b 100644
+ epolwakeup
block_suspend
+ compromise_kernel
+ audit_read
}
#
@@ -690,6 +700,8 @@ class nscd
@@ -690,6 +701,8 @@ class nscd
shmemhost
getserv
shmemserv
@ -872,7 +888,46 @@ index a94b169..1afd77b 100644
}
# Define the access vector interpretation for controlling
@@ -865,3 +877,18 @@ inherits database
@@ -831,6 +844,38 @@ inherits socket
attach_queue
}
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
class x_pointer
inherits x_device
@@ -865,3 +910,18 @@ inherits database
implement
execute
}
@ -892,10 +947,29 @@ index a94b169..1afd77b 100644
+ read
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 14a4799..db2e4a0 100644
index 14a4799..9bb9aa4 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -131,4 +131,11 @@ class db_view # userspace
@@ -121,6 +121,18 @@ class kernel_service
class tun_socket
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
# Still More SE-X Windows stuff
class x_pointer # userspace
class x_keyboard # userspace
@@ -131,4 +143,11 @@ class db_view # userspace
class db_sequence # userspace
class db_language # userspace
@ -1174,10 +1248,10 @@ index 216b3d1..064ec83 100644
+
') dnl end enable_mcs
diff --git a/policy/mls b/policy/mls
index f11e5e2..9e0c245 100644
index f11e5e2..2d2ab83 100644
--- a/policy/mls
+++ b/policy/mls
@@ -156,9 +156,6 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
@@ -156,15 +156,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
# these access vectors have no MLS restrictions
# filesystem { transition associate }
@ -1187,7 +1261,28 @@ index f11e5e2..9e0c245 100644
#
# MLS policy for the socket classes
#
@@ -195,7 +192,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
# new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
( h1 dom h2 );
# the socket "read+write" ops
@@ -180,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
@@ -191,11 +188,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
( t1 == mlsnetread ));
# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
@ -1802,7 +1897,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c44c359..e679c18 100644
index c44c359..5210ca5 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@ -1818,7 +1913,7 @@ index c44c359..e679c18 100644
type netutils_t;
type netutils_exec_t;
@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
@@ -33,25 +33,28 @@ init_system_domain(traceroute_t, traceroute_exec_t)
#
# Perform network administration operations and have raw access to the network.
@ -1827,7 +1922,10 @@ index c44c359..e679c18 100644
dontaudit netutils_t self:capability { dac_override sys_tty_config };
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
+# For tcpdump.
+allow netutils_t self:netlink_netfilter_socket create_socket_perms;
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t self:socket create_socket_perms;
@ -1847,7 +1945,7 @@ index c44c359..e679c18 100644
corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_generic_if(netutils_t)
corenet_raw_sendrecv_generic_if(netutils_t)
@@ -66,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
@@ -66,6 +69,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
@ -1857,7 +1955,7 @@ index c44c359..e679c18 100644
fs_getattr_xattr_fs(netutils_t)
@@ -80,12 +84,12 @@ init_use_script_ptys(netutils_t)
@@ -80,12 +86,12 @@ init_use_script_ptys(netutils_t)
auth_use_nsswitch(netutils_t)
@ -1873,7 +1971,7 @@ index c44c359..e679c18 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
@@ -110,11 +114,10 @@ allow ping_t self:capability { setuid net_raw };
@@ -110,11 +116,10 @@ allow ping_t self:capability { setuid net_raw };
allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
@ -1887,7 +1985,7 @@ index c44c359..e679c18 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
@@ -124,6 +127,9 @@ corenet_raw_bind_generic_node(ping_t)
@@ -124,6 +129,9 @@ corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@ -1897,7 +1995,7 @@ index c44c359..e679c18 100644
domain_use_interactive_fds(ping_t)
@@ -131,14 +137,13 @@ files_read_etc_files(ping_t)
@@ -131,14 +139,13 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
@ -1915,7 +2013,7 @@ index c44c359..e679c18 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
@@ -149,11 +154,25 @@ ifdef(`hide_broken_symptoms',`
@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@ -1941,7 +2039,7 @@ index c44c359..e679c18 100644
pcmcia_use_cardmgr_fds(ping_t)
')
@@ -161,6 +180,15 @@ optional_policy(`
@@ -161,6 +182,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@ -1957,7 +2055,7 @@ index c44c359..e679c18 100644
########################################
#
# Traceroute local policy
@@ -174,7 +202,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@ -1965,7 +2063,7 @@ index c44c359..e679c18 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
@@ -198,6 +225,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@ -1973,7 +2071,7 @@ index c44c359..e679c18 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
@@ -206,11 +234,17 @@ auth_use_nsswitch(traceroute_t)
@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@ -10507,7 +10605,7 @@ index cf04cb5..e8da15e 100644
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b876c48..a351aff 100644
index b876c48..03f9342 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -10717,7 +10815,7 @@ index b876c48..a351aff 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
@@ -229,19 +243,34 @@ ifndef(`distro_redhat',`
@@ -229,19 +243,33 @@ ifndef(`distro_redhat',`
#
# /var
#
@ -10726,8 +10824,8 @@ index b876c48..a351aff 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
+/var/db(/.*)? gen_context(system_u:object_r:system_db_t,s0)
/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@ -10754,7 +10852,7 @@ index b876c48..a351aff 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
@@ -256,12 +285,14 @@ ifndef(`distro_redhat',`
@@ -256,12 +284,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@ -10769,7 +10867,7 @@ index b876c48..a351aff 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
@@ -271,3 +302,5 @@ ifdef(`distro_debian',`
@@ -271,3 +301,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
@ -31758,7 +31856,7 @@ index e4376aa..2c98c56 100644
+ allow $1 getty_unit_file_t:service start;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index f6743ea..77a3b65 100644
index f6743ea..22425f5 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
@ -31779,7 +31877,15 @@ index f6743ea..77a3b65 100644
########################################
#
# Getty local policy
@@ -83,8 +94,11 @@ term_use_unallocated_ttys(getty_t)
@@ -56,6 +67,7 @@ manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
files_pid_filetrans(getty_t, getty_var_run_t, file)
kernel_read_system_state(getty_t)
+kernel_read_network_state(getty_t)
# these two needed for receiving faxes
corecmd_exec_bin(getty_t)
@@ -83,8 +95,11 @@ term_use_unallocated_ttys(getty_t)
term_setattr_all_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
@ -31791,7 +31897,7 @@ index f6743ea..77a3b65 100644
init_rw_utmp(getty_t)
init_use_script_ptys(getty_t)
@@ -94,7 +108,6 @@ locallogin_domtrans(getty_t)
@@ -94,7 +109,6 @@ locallogin_domtrans(getty_t)
logging_send_syslog_msg(getty_t)
@ -31799,7 +31905,7 @@ index f6743ea..77a3b65 100644
ifdef(`distro_gentoo',`
# Gentoo default /etc/issue makes agetty
@@ -113,7 +126,7 @@ ifdef(`distro_ubuntu',`
@@ -113,7 +127,7 @@ ifdef(`distro_ubuntu',`
')
')
@ -31808,7 +31914,7 @@ index f6743ea..77a3b65 100644
# Support logging in from /dev/console
term_use_console(getty_t)
',`
@@ -121,11 +134,19 @@ tunable_policy(`console_login',`
@@ -121,11 +135,19 @@ tunable_policy(`console_login',`
')
optional_policy(`
@ -35677,7 +35783,7 @@ index c42fbc3..277fe6c 100644
## <summary>
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e..e93440e 100644
index be8ed1e..3c2729f 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,18 @@ role iptables_roles types iptables_t;
@ -35702,8 +35808,11 @@ index be8ed1e..e93440e 100644
########################################
#
# Iptables local policy
@@ -37,23 +40,29 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
@@ -35,25 +38,32 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
+allow iptables_t self:netlink_netfilter_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
@ -35735,7 +35844,7 @@ index be8ed1e..e93440e 100644
kernel_use_fds(iptables_t)
# needed by ipvsadm
@@ -64,6 +73,8 @@ corenet_relabelto_all_packets(iptables_t)
@@ -64,6 +74,8 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@ -35744,7 +35853,7 @@ index be8ed1e..e93440e 100644
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
@@ -72,11 +83,12 @@ fs_list_inotifyfs(iptables_t)
@@ -72,11 +84,12 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@ -35759,7 +35868,7 @@ index be8ed1e..e93440e 100644
auth_use_nsswitch(iptables_t)
@@ -85,15 +97,14 @@ init_use_script_ptys(iptables_t)
@@ -85,15 +98,14 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@ -35777,7 +35886,7 @@ index be8ed1e..e93440e 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
@@ -102,6 +113,9 @@ ifdef(`hide_broken_symptoms',`
@@ -102,6 +114,9 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@ -35787,7 +35896,7 @@ index be8ed1e..e93440e 100644
')
optional_policy(`
@@ -110,6 +124,11 @@ optional_policy(`
@@ -110,6 +125,11 @@ optional_policy(`
')
optional_policy(`
@ -35799,7 +35908,7 @@ index be8ed1e..e93440e 100644
modutils_run_insmod(iptables_t, iptables_roles)
')
@@ -124,6 +143,16 @@ optional_policy(`
@@ -124,6 +144,16 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@ -35816,7 +35925,7 @@ index be8ed1e..e93440e 100644
')
optional_policy(`
@@ -135,9 +164,9 @@ optional_policy(`
@@ -135,9 +165,9 @@ optional_policy(`
')
optional_policy(`
@ -40225,7 +40334,7 @@ index b263a8a..15576ab 100644
+/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
+/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index cbbda4a..b569d5f 100644
index cbbda4a..d7c67bc 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
@ -40242,12 +40351,14 @@ index cbbda4a..b569d5f 100644
########################################
#
# NetLabel Management Tools Local policy
@@ -19,10 +23,21 @@ role system_r types netlabel_mgmt_t;
@@ -18,11 +22,23 @@ role system_r types netlabel_mgmt_t;
# modify the network subsystem configuration
allow netlabel_mgmt_t self:capability net_admin;
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
+allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
+
+can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
kernel_read_network_state(netlabel_mgmt_t)
+kernel_read_system_state(netlabel_mgmt_t)
+
@ -42585,7 +42696,7 @@ index 2cea692..57c9025 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..bf8b888 100644
index a392fc4..30cf590 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@ -42814,7 +42925,7 @@ index a392fc4..bf8b888 100644
vmware_append_log(dhcpc_t)
')
@@ -264,12 +308,24 @@ allow ifconfig_t self:msgq create_msgq_perms;
@@ -264,12 +308,25 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@ -42822,6 +42933,7 @@ index a392fc4..bf8b888 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
+allow ifconfig_t self:netlink_socket create_socket_perms;
+allow ifconfig_t self:netlink_generic_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms };
@ -42839,7 +42951,7 @@ index a392fc4..bf8b888 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
@@ -279,14 +335,32 @@ kernel_rw_net_sysctls(ifconfig_t)
@@ -279,14 +336,32 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@ -42872,7 +42984,7 @@ index a392fc4..bf8b888 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -299,33 +373,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
@@ -299,33 +374,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@ -42930,7 +43042,7 @@ index a392fc4..bf8b888 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
@@ -336,7 +428,11 @@ ifdef(`hide_broken_symptoms',`
@@ -336,7 +429,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@ -42943,7 +43055,7 @@ index a392fc4..bf8b888 100644
')
optional_policy(`
@@ -350,7 +446,16 @@ optional_policy(`
@@ -350,7 +447,16 @@ optional_policy(`
')
optional_policy(`
@ -42961,7 +43073,7 @@ index a392fc4..bf8b888 100644
')
optional_policy(`
@@ -371,3 +476,13 @@ optional_policy(`
@@ -371,3 +477,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@ -45562,7 +45674,7 @@ index 9a1650d..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 39f185f..703b804 100644
index 39f185f..125f7fe 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -45600,15 +45712,17 @@ index 39f185f..703b804 100644
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
@@ -54,6 +55,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -53,7 +54,9 @@ allow udev_t self:unix_stream_socket { listen accept };
allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udev_t self:netlink_generic_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
+allow udev_t self:netlink_socket create_socket_perms;
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
@@ -64,31 +66,39 @@ can_exec(udev_t, udev_helper_exec_t)
@@ -64,31 +67,39 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@ -45655,7 +45769,7 @@ index 39f185f..703b804 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
@@ -99,6 +109,7 @@ corecmd_exec_all_executables(udev_t)
@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@ -45663,7 +45777,7 @@ index 39f185f..703b804 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
@@ -107,23 +118,31 @@ dev_relabel_all_dev_nodes(udev_t)
@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@ -45699,7 +45813,7 @@ index 39f185f..703b804 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
@@ -145,17 +164,20 @@ auth_use_nsswitch(udev_t)
@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@ -45721,7 +45835,7 @@ index 39f185f..703b804 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
@@ -169,9 +191,13 @@ sysnet_read_dhcpc_pid(udev_t)
@@ -169,9 +192,13 @@ sysnet_read_dhcpc_pid(udev_t)
sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
@ -45736,7 +45850,7 @@ index 39f185f..703b804 100644
ifdef(`distro_debian',`
files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',`
@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@ -45755,7 +45869,7 @@ index 39f185f..703b804 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
@@ -242,6 +261,7 @@ optional_policy(`
@@ -242,6 +262,7 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@ -45763,7 +45877,7 @@ index 39f185f..703b804 100644
')
optional_policy(`
@@ -249,17 +269,31 @@ optional_policy(`
@@ -249,17 +270,31 @@ optional_policy(`
dbus_use_system_bus_fds(udev_t)
optional_policy(`
@ -45797,7 +45911,7 @@ index 39f185f..703b804 100644
')
optional_policy(`
@@ -289,6 +323,10 @@ optional_policy(`
@@ -289,6 +324,10 @@ optional_policy(`
')
optional_policy(`
@ -45808,7 +45922,7 @@ index 39f185f..703b804 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
@@ -303,6 +341,15 @@ optional_policy(`
@@ -303,6 +342,15 @@ optional_policy(`
')
optional_policy(`
@ -45824,7 +45938,7 @@ index 39f185f..703b804 100644
unconfined_signal(udev_t)
')
@@ -315,6 +362,7 @@ optional_policy(`
@@ -315,6 +363,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@ -52190,7 +52304,7 @@ index e79d545..101086d 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..8fc985f 100644
index 6e91317..b80ffcb 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@ -52199,7 +52313,7 @@ index 6e91317..8fc985f 100644
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
-
+define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
#
# Datagram socket classes.

343
policy-rawhide-contrib.patch
View File

@ -3394,10 +3394,10 @@ index 0000000..6183b21
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
index 7caefc3..239cefa 100644
index 7caefc3..77e26bf 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,162 +1,211 @@
@@ -1,162 +1,210 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -3456,25 +3456,22 @@ index 7caefc3..239cefa 100644
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/thttpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
@ -3485,7 +3482,9 @@ index 7caefc3..239cefa 100644
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+
+/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
@ -9937,7 +9936,7 @@ index 16ec525..1dd4059 100644
########################################
diff --git a/blueman.te b/blueman.te
index 3a5032e..7987a21 100644
index 3a5032e..3facb71 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
@ -9949,7 +9948,16 @@ index 3a5032e..7987a21 100644
type blueman_var_lib_t;
files_type(blueman_var_lib_t)
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
@@ -15,13 +15,17 @@ files_type(blueman_var_lib_t)
type blueman_var_run_t;
files_pid_file(blueman_var_run_t)
+type blueman_tmp_t;
+files_tmp_file(blueman_tmp_t)
+
########################################
#
# Local policy
#
allow blueman_t self:capability { net_admin sys_nice };
@ -9959,16 +9967,21 @@ index 3a5032e..7987a21 100644
allow blueman_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
@@ -32,7 +36,12 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
-kernel_read_net_sysctls(blueman_t)
+manage_dirs_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+manage_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+exec_files_pattern(blueman_t, blueman_tmp_t, blueman_tmp_t)
+files_tmp_filetrans(blueman_t, blueman_tmp_t, { file dir })
+
+kernel_rw_net_sysctls(blueman_t)
kernel_read_system_state(blueman_t)
kernel_request_load_module(blueman_t)
@@ -41,29 +42,45 @@ corecmd_exec_bin(blueman_t)
@@ -41,29 +50,45 @@ corecmd_exec_bin(blueman_t)
dev_read_rand(blueman_t)
dev_read_urand(blueman_t)
dev_rw_wireless(blueman_t)
@ -25517,10 +25530,10 @@ index 0000000..d22ed69
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 0000000..225fcfd
index 0000000..bfa9ff5
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,82 @@
@@ -0,0 +1,86 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@ -25545,7 +25558,7 @@ index 0000000..225fcfd
+#
+# dnssec_trigger local policy
+#
+allow dnssec_trigger_t self:capability { net_admin linux_immutable };
+allow dnssec_trigger_t self:capability { net_admin linux_immutable sys_ptrace };
+allow dnssec_trigger_t self:process signal;
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
@ -25565,6 +25578,7 @@ index 0000000..225fcfd
+
+corecmd_exec_bin(dnssec_trigger_t)
+corecmd_exec_shell(dnssec_trigger_t)
+corecmd_read_all_executables(dnssec_trigger_t)
+
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
@ -25574,6 +25588,7 @@ index 0000000..225fcfd
+dev_read_urand(dnssec_trigger_t)
+
+domain_use_interactive_fds(dnssec_trigger_t)
+domain_read_all_domains_state(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
+files_dontaudit_list_tmp(dnssec_trigger_t)
@ -25585,6 +25600,8 @@ index 0000000..225fcfd
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+sysnet_filetrans_named_content(dnssec_trigger_t)
+sysnet_relabelfrom_net_conf(dnssec_trigger_t)
+sysnet_relabelto_net_conf(dnssec_trigger_t)
+
+optional_policy(`
+ dbus_system_bus_client(dnssec_trigger_t)
@ -38655,27 +38672,68 @@ index a7ae153..6341e31 100644
libs_legacy_use_shared_libs(java_domain)
diff --git a/jetty.fc b/jetty.fc
new file mode 100644
index 0000000..1725b7e
index 0000000..c7c4fba
--- /dev/null
+++ b/jetty.fc
@@ -0,0 +1,9 @@
@@ -0,0 +1,12 @@
+
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
+/usr/lib/systemd/system/jetty\.service -- gen_context(system_u:object_r:jetty_unit_file_t,s0)
+
+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
+/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:jetty_exec_t,s0)
+
+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
+
+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
+
+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
+
+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
diff --git a/jetty.if b/jetty.if
new file mode 100644
index 0000000..2abc285
index 0000000..6679a02
--- /dev/null
+++ b/jetty.if
@@ -0,0 +1,268 @@
@@ -0,0 +1,415 @@
+
+## <summary>policy for jetty</summary>
+## <summary>Jetty - HTTP server and Servlet container</summary>
+
+########################################
+## <summary>
+## Execute jetty_exec_t in the jetty domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jetty_domtrans',`
+ gen_require(`
+ type jetty_t, jetty_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, jetty_exec_t, jetty_t)
+')
+
+######################################
+## <summary>
+## Execute jetty in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_exec',`
+ gen_require(`
+ type jetty_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, jetty_exec_t)
+')
+
+########################################
+## <summary>
@ -38816,6 +38874,65 @@ index 0000000..2abc285
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## jetty tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`jetty_dontaudit_read_tmp_files',`
+ gen_require(`
+ type jetty_tmp_t;
+ ')
+
+ dontaudit $1 jetty_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read jetty tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_read_tmp_files',`
+ gen_require(`
+ type jetty_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage jetty tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`jetty_manage_tmp',`
+ gen_require(`
+ type jetty_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_dirs_pattern($1, jetty_tmp_t, jetty_tmp_t)
+ manage_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
+ manage_lnk_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
+')
+
+########################################
+## <summary>
+## Search jetty lib directories.
+## </summary>
+## <param name="domain">
@ -38906,7 +39023,31 @@ index 0000000..2abc285
+ ')
+
+ files_search_pids($1)
+ allow $1 jetty_var_run_t:file read_file_perms;
+ read_files_pattern($1, jetty_var_run_t, jetty_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute jetty server in the jetty domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`jetty_systemctl',`
+ gen_require(`
+ type jetty_t;
+ type jetty_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 jetty_unit_file_t:file read_file_perms;
+ allow $1 jetty_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, jetty_t)
+')
+
+
@ -38920,34 +39061,60 @@ index 0000000..2abc285
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`jetty_admin',`
+ gen_require(`
+ type jetty_t;
+ type jetty_cache_t;
+ type jetty_log_t;
+ type jetty_tmp_t;
+ type jetty_var_lib_t;
+ type jetty_var_run_t;
+ type jetty_unit_file_t;
+ ')
+
+ allow $1 jetty_t:process { signal_perms };
+ ps_process_pattern($1, jetty_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 jetty_t:process ptrace;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, jetty_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, jetty_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, jetty_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, jetty_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, jetty_var_run_t)
+
+ jetty_systemctl($1)
+ admin_pattern($1, jetty_unit_file_t)
+ allow $1 jetty_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/jetty.te b/jetty.te
new file mode 100644
index 0000000..af510ea
index 0000000..71325e5
--- /dev/null
+++ b/jetty.te
@@ -0,0 +1,25 @@
@@ -0,0 +1,78 @@
+policy_module(jetty, 1.0.0)
+
+########################################
@ -38955,24 +39122,77 @@ index 0000000..af510ea
+# Declarations
+#
+
+type jetty_t;
+type jetty_exec_t;
+init_daemon_domain(jetty_t, jetty_exec_t)
+
+type jetty_cache_t;
+files_type(jetty_cache_t)
+
+type jetty_log_t;
+logging_log_file(jetty_log_t)
+
+type jetty_tmp_t;
+files_tmp_file(jetty_tmp_t)
+
+type jetty_var_lib_t;
+files_type(jetty_var_lib_t)
+
+type jetty_var_run_t;
+files_pid_file(jetty_var_run_t)
+
+type jetty_unit_file_t;
+systemd_unit_file(jetty_unit_file_t)
+
+########################################
+#
+# jetty local policy
+#
+
+# No local policy. This module just contains type definitions
+allow jetty_t self:process execmem;
+allow jetty_t self:process { signal signull };
+
+allow jetty_t self:fifo_file rw_fifo_file_perms;
+allow jetty_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(jetty_t, jetty_cache_t, jetty_cache_t)
+manage_files_pattern(jetty_t, jetty_cache_t, jetty_cache_t)
+files_var_filetrans(jetty_t, jetty_cache_t, dir)
+
+manage_dirs_pattern(jetty_t, jetty_log_t, jetty_log_t)
+manage_files_pattern(jetty_t, jetty_log_t, jetty_log_t)
+logging_log_filetrans(jetty_t, jetty_log_t, dir)
+
+manage_dirs_pattern(jetty_t, jetty_tmp_t, jetty_tmp_t)
+manage_files_pattern(jetty_t, jetty_tmp_t, jetty_tmp_t)
+files_tmp_filetrans(jetty_t, jetty_tmp_t, { dir file })
+
+manage_dirs_pattern(jetty_t, jetty_var_lib_t, jetty_var_lib_t)
+manage_files_pattern(jetty_t, jetty_var_lib_t, jetty_var_lib_t)
+files_var_lib_filetrans(jetty_t, jetty_var_lib_t, dir)
+
+manage_dirs_pattern(jetty_t, jetty_var_run_t, jetty_var_run_t)
+manage_files_pattern(jetty_t, jetty_var_run_t, jetty_var_run_t)
+files_pid_filetrans(jetty_t, jetty_var_run_t, dir)
+
+kernel_read_system_state(jetty_t)
+kernel_read_network_state(jetty_t)
+
+corecmd_exec_bin(jetty_t)
+corecmd_exec_shell(jetty_t)
+
+corenet_tcp_bind_http_cache_port(jetty_t)
+
+dev_read_rand(jetty_t)
+dev_read_sysfs(jetty_t)
+dev_read_urand(jetty_t)
+
+auth_use_nsswitch(jetty_t)
+
+optional_policy(`
+ #allow access to /etc/abrt/plugins/java.conf
+ abrt_read_config(jetty_t)
+')
diff --git a/jockey.if b/jockey.if
index 2fb7a20..c6ba007 100644
--- a/jockey.if
@ -65712,7 +65932,7 @@ index bf59ef7..0e33327 100644
+')
+
diff --git a/passenger.te b/passenger.te
index 08ec33b..56fba2e 100644
index 08ec33b..3b92c4d 100644
--- a/passenger.te
+++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
@ -65786,7 +66006,7 @@ index 08ec33b..56fba2e 100644
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
@@ -68,8 +75,6 @@ dev_read_urand(passenger_t)
@@ -68,10 +75,10 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
@ -65794,8 +66014,12 @@ index 08ec33b..56fba2e 100644
-
auth_use_nsswitch(passenger_t)
+fs_getattr_xattr_fs(passenger_t)
+
logging_send_syslog_msg(passenger_t)
@@ -83,6 +88,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
miscfiles_read_localization(passenger_t)
@@ -83,6 +90,7 @@ userdom_dontaudit_use_user_terminals(passenger_t)
optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
@ -65803,7 +66027,7 @@ index 08ec33b..56fba2e 100644
')
optional_policy(`
@@ -94,14 +100,21 @@ optional_policy(`
@@ -94,14 +102,21 @@ optional_policy(`
')
optional_policy(`
@ -66602,15 +66826,14 @@ index 0000000..509d898
+ ')
+')
diff --git a/pegasus.fc b/pegasus.fc
index dfd46e4..747aa2a 100644
index dfd46e4..d40433a 100644
--- a/pegasus.fc
+++ b/pegasus.fc
@@ -1,15 +1,33 @@
@@ -1,15 +1,32 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
+/etc/mdadm\.conf\.anacbak gen_context(system_u:object_r:pegasus_conf_t,s0)
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
@ -66749,7 +66972,7 @@ index d2fc677..86dce34 100644
')
+
diff --git a/pegasus.te b/pegasus.te
index 608f454..3e3fd3d 100644
index 608f454..0aa43fc 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@ -66768,7 +66991,7 @@ index 608f454..3e3fd3d 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
@@ -30,20 +29,337 @@ files_type(pegasus_mof_t)
@@ -30,20 +29,334 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@ -67003,9 +67226,6 @@ index 608f454..3e3fd3d 100644
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t)
+files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
+
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_conf_t, pegasus_conf_t)
+files_etc_filetrans(pegasus_openlmi_storage_t, pegasus_conf_t, file, "mdadm.conf.anacbak" )
+
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
+kernel_read_network_state(pegasus_openlmi_storage_t)
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
@ -67111,7 +67331,7 @@ index 608f454..3e3fd3d 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
@@ -54,22 +370,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
@@ -54,22 +367,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@ -67142,7 +67362,7 @@ index 608f454..3e3fd3d 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
@@ -80,27 +396,21 @@ kernel_read_net_sysctls(pegasus_t)
@@ -80,27 +393,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@ -67175,7 +67395,7 @@ index 608f454..3e3fd3d 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
@@ -114,9 +424,11 @@ files_getattr_all_dirs(pegasus_t)
@@ -114,9 +421,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@ -67187,7 +67407,7 @@ index 608f454..3e3fd3d 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
@@ -128,18 +440,29 @@ init_stream_connect_script(pegasus_t)
@@ -128,18 +437,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@ -67223,7 +67443,7 @@ index 608f454..3e3fd3d 100644
')
optional_policy(`
@@ -151,16 +474,24 @@ optional_policy(`
@@ -151,16 +471,24 @@ optional_policy(`
')
optional_policy(`
@ -67252,7 +67472,7 @@ index 608f454..3e3fd3d 100644
')
optional_policy(`
@@ -168,7 +499,7 @@ optional_policy(`
@@ -168,7 +496,7 @@ optional_policy(`
')
optional_policy(`
@ -67261,7 +67481,7 @@ index 608f454..3e3fd3d 100644
')
optional_policy(`
@@ -180,6 +511,7 @@ optional_policy(`
@@ -180,6 +508,7 @@ optional_policy(`
')
optional_policy(`
@ -80533,14 +80753,15 @@ index 6d162e4..9027807 100644
userdom_dontaudit_search_user_home_dirs(radvd_t)
diff --git a/raid.fc b/raid.fc
index 5806046..8bce88f 100644
index 5806046..2a4769f 100644
--- a/raid.fc
+++ b/raid.fc
@@ -3,6 +3,11 @@
@@ -3,6 +3,12 @@
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
+/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0)
+/etc/mdadm\.conf\.anacbak -- gen_context(system_u:object_r:mdadm_conf_t,s0)
+
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
@ -80548,7 +80769,7 @@ index 5806046..8bce88f 100644
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
@@ -16,6 +21,10 @@
@@ -16,6 +22,10 @@
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
@ -80560,7 +80781,7 @@ index 5806046..8bce88f 100644
+
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
index 951db7f..04b6dde 100644
index 951db7f..00e699d 100644
--- a/raid.if
+++ b/raid.if
@@ -1,9 +1,8 @@
@ -80642,7 +80863,7 @@ index 951db7f..04b6dde 100644
## </summary>
## <param name="domain">
## <summary>
@@ -57,47 +79,112 @@ interface(`raid_run_mdadm',`
@@ -57,47 +79,113 @@ interface(`raid_run_mdadm',`
## </summary>
## </param>
#
@ -80773,12 +80994,13 @@ index 951db7f..04b6dde 100644
- raid_run_mdadm($2, $1)
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
')
diff --git a/raid.te b/raid.te
index c99753f..f6bd1c6 100644
index c99753f..1c950ed 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,100 @@ role mdadm_roles types mdadm_t;
@@ -15,54 +15,101 @@ role mdadm_roles types mdadm_t;
type mdadm_initrc_exec_t;
init_script_file(mdadm_initrc_exec_t)
@ -80817,6 +81039,7 @@ index c99753f..f6bd1c6 100644
+
+manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t)
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf")
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf.anacbak")
+
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
@ -80888,7 +81111,7 @@ index c99753f..f6bd1c6 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -71,15 +117,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
@@ -71,15 +118,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@ -80912,7 +81135,7 @@ index c99753f..f6bd1c6 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
@@ -90,17 +143,38 @@ optional_policy(`
@@ -90,17 +144,38 @@ optional_policy(`
')
optional_policy(`

15
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 145%{?dist}
Release: 146%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -647,6 +647,19 @@ exit 0
%endif
%changelog
* Tue Sep 01 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-146
- Allow passenger to getattr filesystem xattr
- Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."
- Label mdadm.conf.anackbak as mdadm_conf_t file.
- Allow dnssec-ttrigger to relabel net_conf_t files. BZ(1251765)
- Allow dnssec-trigger to exec pidof. BZ(#1256737)
- Allow blueman to create own tmp files in /tmp. (#1234647)
- Add new audit_read access vector in capability2 class
- Add "binder" security class and access vectors
- Update netlink socket classes.
- Allow getty to read network state. BZ(#1255177)
- Remove labeling for /var/db/.*\.db as etc_t to label db files as system_db_t.
* Sun Aug 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-145
- Allow watchdog execute fenced python script.
- Added inferface watchdog_unconfined_exec_read_lnk_files()