diff --git a/docker-selinux.tgz b/docker-selinux.tgz index f1022abd..fd92246e 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 736b123d..26f2fe8c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -40564,7 +40564,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa99..22f539c 100644 +index 446fa99..d66491c 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -40588,7 +40588,7 @@ index 446fa99..22f539c 100644 +') + +ifdef(`enable_mls',` -+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh) ++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh) +') + ######################################## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 522ac0cc..ff08db52 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2275,7 +2275,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..0f871e6 100644 +index 519051c..69a4c66 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; 
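Review bot: Under `enable_mls` the new line `init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh)` moves sulogin from running at the single level mls_systemhigh to the range s0 - mls_systemhigh, so its effective level becomes s0 with clearance up to systemhigh; that is a behavioural change for every MLS constraint keyed on the current level, not merely a relabel of the range. Nothing in the hunk records why the full range is needed, and the rest of the locallogin.te changes are outside this view. A one-line comment above the call stating the reason the full range is required rather than the single high level would keep the intent visible in the next policy refresh.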
@@ -2313,7 +2313,15 @@ index 519051c..0f871e6 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; + + manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) + manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) ++files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir) + + manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) + manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) +@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2330,7 +2338,7 @@ index 519051c..0f871e6 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -2338,7 +2346,7 @@ index 519051c..0f871e6 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -130,6 +137,7 @@ fs_list_all(amanda_t) +@@ -130,6 +138,7 @@ fs_list_all(amanda_t) storage_raw_read_fixed_disk(amanda_t) storage_read_tape(amanda_t) storage_write_tape(amanda_t) @@ -2346,7 +2354,7 @@ index 519051c..0f871e6 100644 auth_use_nsswitch(amanda_t) auth_read_shadow(amanda_t) -@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) 
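Review bot: `files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)` is unqualified, so every directory amanda_t creates directly under /var/lib receives amanda_var_lib_t, not only its own state directory. The interface takes an optional fourth name argument; tying the transition to the directory name that amanda.fc labels with this type (not visible here), e.g. `files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir, "<amanda-var-lib-dir-name>")`, limits it to that one path. The remaining amanda.te hunks in this section are header renumbering only, and the amanda_t rules continue outside this hunk.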
@@ -2354,7 +2362,7 @@ index 519051c..0f871e6 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -37938,10 +37946,18 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..6304b00 100644 +index c6450df..ed6af79 100644 --- a/inetd.te +++ b/inetd.te -@@ -37,9 +37,9 @@ ifdef(`enable_mcs',` +@@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t) + type inetd_child_t; + type inetd_child_exec_t; + inetd_service_domain(inetd_child_t, inetd_child_exec_t) ++init_daemon_domain(inetd_child_t, inetd_child_exec_t) + + type inetd_child_tmp_t; + files_tmp_file(inetd_child_tmp_t) +@@ -37,9 +38,9 @@ ifdef(`enable_mcs',` # Local policy # @@ -37953,7 +37969,7 @@ index c6450df..6304b00 100644 allow inetd_t self:fifo_file rw_fifo_file_perms; allow inetd_t self:tcp_socket { accept listen }; allow inetd_t self:fd use; -@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) +@@ -61,6 +62,7 @@ kernel_read_system_state(inetd_t) kernel_tcp_recvfrom_unlabeled(inetd_t) corecmd_bin_domtrans(inetd_t, inetd_child_t) @@ -37961,7 +37977,7 @@ index c6450df..6304b00 100644 corenet_all_recvfrom_unlabeled(inetd_t) corenet_all_recvfrom_netlabel(inetd_t) -@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) +@@ -98,6 +100,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) 
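Review bot: `init_daemon_domain(inetd_child_t, inetd_child_exec_t)` is added beside the existing `inetd_service_domain(inetd_child_t, inetd_child_exec_t)`, which makes inetd_child_exec_t a direct entrypoint from init and, as far as I can tell from the Fedora flavour of that interface, attaches the daemon attribute to the catch-all child domain as well. inetd_child_t is where any service without its own domain lands, so this widens what such services may do even when they are started outside inetd. If only one socket-activated service needs this, a dedicated domain, or at least a comment naming the unit that must start inetd_child_exec_t directly, would keep the scope clear. The other inetd.te hunks in this section are header renumbering only.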
@@ -37973,7 +37989,7 @@ index c6450df..6304b00 100644 corenet_sendrecv_ircd_server_packets(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) -@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t) +@@ -141,6 +148,9 @@ corenet_sendrecv_git_server_packets(inetd_t) corenet_tcp_bind_git_port(inetd_t) corenet_udp_bind_git_port(inetd_t) @@ -37983,7 +37999,7 @@ index c6450df..6304b00 100644 dev_read_sysfs(inetd_t) domain_use_interactive_fds(inetd_t) -@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t) +@@ -157,8 +167,6 @@ auth_use_nsswitch(inetd_t) logging_send_syslog_msg(inetd_t) @@ -37992,7 +38008,7 @@ index c6450df..6304b00 100644 mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) -@@ -188,17 +195,13 @@ optional_policy(` +@@ -188,17 +196,13 @@ optional_policy(` ') optional_policy(` @@ -38011,7 +38027,7 @@ index c6450df..6304b00 100644 ######################################## # # Child local policy -@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t) +@@ -220,6 +224,16 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) @@ -38028,7 +38044,7 @@ index c6450df..6304b00 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) @@ -79153,10 +79169,10 @@ index 6643b49..dd0c3d3 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..2542f5a 100644 +index d68e26d..3b08cfd 100644 --- a/puppet.fc +++ b/puppet.fc -@@ -1,18 +1,22 @@ +@@ -1,18 +1,23 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) 
@@ -79178,6 +79194,7 @@ index d68e26d..2542f5a 100644 -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) @@ -93000,10 +93017,10 @@ index f1140ef..642e062 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..6836678 100644 +index abeb302..b27a479 100644 --- a/rsync.te +++ b/rsync.te -@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) +@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0) # ## @@ -93076,11 +93093,11 @@ index abeb302..6836678 100644 type rsync_t; type rsync_exec_t; --init_daemon_domain(rsync_t, rsync_exec_t) --application_domain(rsync_t, rsync_exec_t) --role rsync_roles types rsync_t; +application_executable_file(rsync_exec_t) +role system_r types rsync_t; + init_daemon_domain(rsync_t, rsync_exec_t) +-application_domain(rsync_t, rsync_exec_t) +-role rsync_roles types rsync_t; type rsync_etc_t; files_config_file(rsync_etc_t) @@ -93090,7 +93107,7 @@ index abeb302..6836678 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; 
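Review bot: `/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0)` labels the single multi-purpose puppet binary as the agent entrypoint, while puppetca and puppetmasterd keep their own exec types on the neighbouring lines. Because `puppet` also runs the master, cert and apply subcommands from the same path, any domtrans keyed on puppetagent_exec_t will place those in puppetagent_t too; the .te side that decides which callers transition is not in this view, so it is worth confirming that is intended or limiting the transition to the unit that runs the agent. A comment on the line noting that the subcommand cannot be told apart by label would spare the next reader the same question.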
@@ -93121,7 +93138,7 @@ index abeb302..6836678 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,46 +97,55 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -93195,7 +93212,7 @@ index abeb302..6836678 100644 ') tunable_policy(`rsync_export_all_ro',` -@@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',` +@@ -161,38 +159,24 @@ tunable_policy(`rsync_export_all_ro',` auth_tunable_read_shadow(rsync_t) ') @@ -111608,10 +111625,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..f3d5b04 100644 +index a4f20bc..17edb35 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,111 @@ +@@ -1,51 +1,114 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -111756,13 +111773,16 @@ index a4f20bc..f3d5b04 100644 + +/var/lib/kubelet(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) + ++/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) ++/var/lib/docker-latest/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) ++ +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) + +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..816d860 100644 +index facdee8..12e74f1 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,231 @@ 
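Review bot: `/var/lib/docker/vfs(/.*)?` and `/var/lib/docker-latest/vfs(/.*)?` place the vfs storage driver's per-container layer copies under the shared svirt_sandbox_file_t type in virt.fc, while the rest of /var/lib/docker presumably keeps whatever docker.fc assigns; docker.fc is not in this diff, but the binary docker-selinux.tgz at the top of it changes too, so a parallel entry there is possible and an identical regex in two modules would surface as a conflicting specification. Separation between containers on that tree then rests entirely on the MCS categories the runtime applies at start, since the spec itself assigns plain s0. A short comment above the two lines stating that assumption (the kubelet entry above shares it) and which module owns the path would help the next reader.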
@@ -112589,7 +112609,7 @@ index facdee8..816d860 100644 ## ## ## -@@ -673,54 +539,472 @@ interface(`virt_home_filetrans',` +@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',` ## ## # @@ -112625,14 +112645,8 @@ index facdee8..816d860 100644 gen_require(` - type virt_home_t; + type virt_var_lib_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir manage_dir_perms; -- allow $1 virt_home_t:file manage_file_perms; -- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; -- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; -- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ ') ++ + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + @@ -112777,20 +112791,14 @@ index facdee8..816d860 100644 + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) ++ ++ tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs($1) -- fs_manage_cifs_files($1) -- fs_manage_cifs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) @@ -112957,14 +112965,13 @@ index facdee8..816d860 100644 +interface(`virt_exec_sandbox_files',` + gen_require(` + type svirt_sandbox_file_t; - ') ++ ') + + can_exec($1, svirt_sandbox_file_t) - ') - - ######################################## - ## --## Relabel virt home content. ++') ++ ++######################################## ++## +## Allow any svirt_sandbox_file_t to be an entrypoint of this domain +## +## 
@@ -113081,54 +113088,39 @@ index facdee8..816d860 100644 +####################################### +## +## Connect to virt over a unix domain stream socket. - ## - ## - ## -@@ -728,52 +1012,80 @@ interface(`virt_manage_generic_virt_home_content',` - ## - ## - # --interface(`virt_relabel_generic_virt_home_content',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`virt_stream_connect_sandbox',` - gen_require(` -- type virt_home_t; ++ gen_require(` + attribute svirt_sandbox_domain; + type svirt_sandbox_file_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir relabel_dir_perms; -- allow $1 virt_home_t:file relabel_file_perms; -- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; -- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; -- allow $1 virt_home_t:sock_file relabel_sock_file_perms; ++ ') ++ + files_search_pids($1) + stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) + ps_process_pattern(svirt_sandbox_domain, $1) - ') - - ######################################## - ## --## Create specified objects in user home --## directories with the generic virt --## home type. ++') ++ ++######################################## ++## +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed access - ## - ## --## ++## ++## +## - ## --## Class of the object being created. ++## +## The role to be allowed the sandbox domain. - ## - ## --## ++## ++## +## +# +interface(`virt_transition_svirt',` 
@@ -113137,189 +113129,280 @@ index facdee8..816d860 100644 + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir manage_dir_perms; +- allow $1 virt_home_t:file manage_file_perms; +- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_home_t:sock_file manage_sock_file_perms; + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; -+ + +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) +- ') + allow $1 virt_domain:process { sigkill sigstop signull signal }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; -+ + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) + optional_policy(` + ptchown_run(virt_domain, $2) -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +-## Relabel virt home content. +## Do not audit attempts to write virt daemon unnamed pipes. -+## -+## + ## + ## ## --## The name of the object being created. +-## Domain allowed access. +## Domain to not audit. 
## ## # --interface(`virt_home_filetrans_virt_home',` +-interface(`virt_relabel_generic_virt_home_content',` +interface(`virt_dontaudit_write_pipes',` gen_require(` - type virt_home_t; + type virtd_t; ') -- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir relabel_dir_perms; +- allow $1 virt_home_t:file relabel_file_perms; +- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; +- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; +- allow $1 virt_home_t:sock_file relabel_sock_file_perms; + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') ######################################## ## --## Read virt pid files. +-## Create specified objects in user home +-## directories with the generic virt +-## home type. +## Send a sigkill to virtual machines ## ## ## -@@ -781,19 +1093,17 @@ interface(`virt_home_filetrans_virt_home',` - ## - ## - # --interface(`virt_read_pid_files',` -+interface(`virt_kill_svirt',` - gen_require(` -- type virt_var_run_t; -+ attribute virt_domain; - ') - -- files_search_pids($1) -- read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virt_domain:process sigkill; - ') - - ######################################## - ## --## Create, read, write, and delete --## virt pid files. -+## Send a sigkill to virtd daemon. - ## - ## - ## -@@ -801,18 +1111,17 @@ interface(`virt_read_pid_files',` - ## - ## - # --interface(`virt_manage_pid_files',` -+interface(`virt_kill',` - gen_require(` -- type virt_var_run_t; -+ type virtd_t; - ') - -- files_search_pids($1) -- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virtd_t:process sigkill; - ') - - ######################################## - ## --## Search virt lib directories. -+## Send a signal to virtd daemon. 
- ## - ## - ## -@@ -820,18 +1129,17 @@ interface(`virt_manage_pid_files',` - ## - ## - # --interface(`virt_search_lib',` -+interface(`virt_signal',` - gen_require(` -- type virt_var_lib_t; -+ type virtd_t; - ') - -- files_search_var_lib($1) -- allow $1 virt_var_lib_t:dir search_dir_perms; -+ allow $1 virtd_t:process signal; - ') - - ######################################## - ## --## Read virt lib files. -+## Send null signal to virtd daemon. - ## - ## - ## -@@ -839,20 +1147,17 @@ interface(`virt_search_lib',` - ## - ## - # --interface(`virt_read_lib_files',` -+interface(`virt_signull',` - gen_require(` -- type virt_var_lib_t; -+ type virtd_t; - ') - -- files_search_var_lib($1) -- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virtd_t:process signull; - ') - - ######################################## - ## --## Create, read, write, and delete --## virt lib files. -+## Send a signal to virtual machines - ## - ## - ## -@@ -860,74 +1165,123 @@ interface(`virt_read_lib_files',` - ## - ## - # --interface(`virt_manage_lib_files',` -+interface(`virt_signal_svirt',` - gen_require(` -- type virt_var_lib_t; -+ attribute virt_domain; - ') - -- files_search_var_lib($1) -- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virt_domain:process signal; - ') - - ######################################## - ## --## Create objects in virt pid --## directories with a private type. -+## Send a signal to sandbox domains - ## - ## - ## ## Domain allowed access. ## ## --## +-## +# -+interface(`virt_signal_sandbox',` ++interface(`virt_kill_svirt',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ attribute virt_domain; + ') + -+ allow $1 svirt_sandbox_domain:process signal; ++ allow $1 virt_domain:process sigkill; +') + +######################################## +## ++## Send a sigkill to virtd daemon. ++## ++## + ## +-## Class of the object being created. ++## Domain allowed access. 
+ ## + ## +-## ++# ++interface(`virt_kill',` ++ gen_require(` ++ type virtd_t; ++ ') ++ ++ allow $1 virtd_t:process sigkill; ++') ++ ++######################################## ++## ++## Send a signal to virtd daemon. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## + # +-interface(`virt_home_filetrans_virt_home',` ++interface(`virt_signal',` + gen_require(` +- type virt_home_t; ++ type virtd_t; + ') + +- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) ++ allow $1 virtd_t:process signal; + ') + + ######################################## + ## +-## Read virt pid files. ++## Send null signal to virtd daemon. + ## + ## + ## +@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',` + ## + ## + # +-interface(`virt_read_pid_files',` ++interface(`virt_signull',` + gen_require(` +- type virt_var_run_t; ++ type virtd_t; + ') + +- files_search_pids($1) +- read_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ allow $1 virtd_t:process signull; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt pid files. ++## Send a signal to virtual machines + ## + ## + ## +@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',` + ## + ## + # +-interface(`virt_manage_pid_files',` ++interface(`virt_signal_svirt',` + gen_require(` +- type virt_var_run_t; ++ attribute virt_domain; + ') + +- files_search_pids($1) +- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) ++ allow $1 virt_domain:process signal; + ') + + ######################################## + ## +-## Search virt lib directories. 
++## Send a signal to sandbox domains + ## + ## + ## +@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',` + ## + ## + # +-interface(`virt_search_lib',` ++interface(`virt_signal_sandbox',` + gen_require(` +- type virt_var_lib_t; ++ attribute svirt_sandbox_domain; + ') + +- files_search_var_lib($1) +- allow $1 virt_var_lib_t:dir search_dir_perms; ++ allow $1 svirt_sandbox_domain:process signal; + ') + + ######################################## + ## +-## Read virt lib files. +## Manage virt home files. + ## + ## + ## +@@ -839,192 +1201,243 @@ interface(`virt_search_lib',` + ## + ## + # +-interface(`virt_read_lib_files',` ++interface(`virt_manage_home_files',` + gen_require(` +- type virt_var_lib_t; ++ type virt_home_t; + ') + +- files_search_var_lib($1) +- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt lib files. ++## allow domain to read ++## virt tmpfs files + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access + ## + ## + # +-interface(`virt_manage_lib_files',` ++interface(`virt_read_tmpfs_files',` + gen_require(` +- type virt_var_lib_t; ++ attribute virt_tmpfs_type; + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ allow $1 virt_tmpfs_type:file read_file_perms; + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. ++## allow domain to manage ++## virt tmpfs files + ## + ## + ## +-## Domain allowed access. 
++## Domain allowed access + ## + ## +-## ++# ++interface(`virt_manage_tmpfs_files',` ++ gen_require(` ++ attribute virt_tmpfs_type; ++ ') ++ ++ allow $1 virt_tmpfs_type:file manage_file_perms; ++') ++ ++######################################## ++## ++## Create .virt directory in the user home directory ++## with an correct label. +## +## ## 
@@ -113329,84 +113412,12 @@ index facdee8..816d860 100644 ## -## +# -+interface(`virt_manage_home_files',` -+ gen_require(` -+ type virt_home_t; -+ ') -+ -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) -+') -+ -+######################################## -+## -+## allow domain to read -+## virt tmpfs files -+## -+## - ## --## The object class of the object being created. -+## Domain allowed access - ## - ## --## -+# -+interface(`virt_read_tmpfs_files',` -+ gen_require(` -+ attribute virt_tmpfs_type; -+ ') -+ -+ allow $1 virt_tmpfs_type:file read_file_perms; -+') -+ -+######################################## -+## -+## allow domain to manage -+## virt tmpfs files -+## -+## - ## --## The name of the object being created. -+## Domain allowed access - ## - ## --## - # --interface(`virt_pid_filetrans',` -+interface(`virt_manage_tmpfs_files',` - gen_require(` -- type virt_var_run_t; -+ attribute virt_tmpfs_type; - ') - -- files_search_pids($1) -- filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ allow $1 virt_tmpfs_type:file manage_file_perms; - ') - - ######################################## - ## --## Read virt log files. -+## Create .virt directory in the user home directory -+## with an correct label. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`virt_read_log',` +interface(`virt_filetrans_home_content',` - gen_require(` -- type virt_log_t; ++ gen_require(` + type virt_home_t; + type svirt_home_t; - ') - -- logging_search_logs($1) -- read_files_pattern($1, virt_log_t, virt_log_t) ++ ') ++ + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") 
@@ -113419,57 +113430,50 @@ index facdee8..816d860 100644 + gnome_data_filetrans($1, svirt_home_t, dir, "images") + gnome_data_filetrans($1, svirt_home_t, dir, "boot") + ') - ') - - ######################################## - ## --## Append virt log files. ++') ++ ++######################################## ++## +## Dontaudit attempts to Read virt_image_type devices. - ## - ## ++## ++## ## -@@ -935,117 +1289,153 @@ interface(`virt_read_log',` +-## The object class of the object being created. ++## Domain allowed access. ## ## - # --interface(`virt_append_log',` +-## ++# +interface(`virt_dontaudit_read_chr_dev',` - gen_require(` -- type virt_log_t; ++ gen_require(` + attribute virt_image_type; - ') - -- logging_search_logs($1) -- append_files_pattern($1, virt_log_t, virt_log_t) ++ ') ++ + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## virt log files. ++') ++ ++######################################## ++## +## Creates types and rules for a basic +## virt_lxc process domain. - ## --## ++## +## ## --## Domain allowed access. +-## The name of the object being created. +## Prefix for the domain. ## ## +-## # --interface(`virt_manage_log',` +-interface(`virt_pid_filetrans',` +template(`virt_sandbox_domain_template',` gen_require(` -- type virt_log_t; +- type virt_var_run_t; + attribute svirt_sandbox_domain; ') -- logging_search_logs($1) -- manage_dirs_pattern($1, virt_log_t, virt_log_t) -- manage_files_pattern($1, virt_log_t, virt_log_t) -- manage_lnk_files_pattern($1, virt_log_t, virt_log_t) +- files_search_pids($1) +- filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) 
@@ -113485,7 +113489,7 @@ index facdee8..816d860 100644 ######################################## ## --## Search virt image directories. +-## Read virt log files. +## Make the specified type usable as a lxc domain ## -## @@ -113495,22 +113499,23 @@ index facdee8..816d860 100644 +## Type to be used as a lxc domain ## ## +-## # --interface(`virt_search_images',` +-interface(`virt_read_log',` +template(`virt_sandbox_domain',` gen_require(` -- attribute virt_image_type; +- type virt_log_t; + attribute svirt_sandbox_domain; ') -- virt_search_lib($1) -- allow $1 virt_image_type:dir search_dir_perms; +- logging_search_logs($1) +- read_files_pattern($1, virt_log_t, virt_log_t) + typeattribute $1 svirt_sandbox_domain; ') ######################################## ## --## Read virt image files. +-## Append virt log files. +## Make the specified type usable as a lxc network domain ## -## 
@@ -113521,66 +113526,69 @@ index facdee8..816d860 100644 ## ## # --interface(`virt_read_images',` +-interface(`virt_append_log',` +template(`virt_sandbox_net_domain',` gen_require(` -- type virt_var_lib_t; -- attribute virt_image_type; +- type virt_log_t; + attribute sandbox_net_domain; ') -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- list_dirs_pattern($1, virt_image_type, virt_image_type) -- read_files_pattern($1, virt_image_type, virt_image_type) -- read_lnk_files_pattern($1, virt_image_type, virt_image_type) -- read_blk_files_pattern($1, virt_image_type, virt_image_type) +- logging_search_logs($1) +- append_files_pattern($1, virt_log_t, virt_log_t) + virt_sandbox_domain($1) + typeattribute $1 sandbox_net_domain; -+') + ') -- tunable_policy(`virt_use_nfs',` -- fs_list_nfs($1) -- fs_read_nfs_files($1) -- fs_read_nfs_symlinks($1) -+######################################## -+## + ######################################## + ## +-## Create, read, write, and delete +-## virt log files. +## Execute a qemu_exec_t in the callers domain -+## -+## + ## + ## +-## +## -+## Domain allowed access. + ## Domain allowed access. +-## +## -+## -+# + ## + # +-interface(`virt_manage_log',` +interface(`virt_exec_qemu',` -+ gen_require(` + gen_require(` +- type virt_log_t; + type qemu_exec_t; ') -- tunable_policy(`virt_use_samba',` -- fs_list_cifs($1) -- fs_read_cifs_files($1) -- fs_read_cifs_symlinks($1) +- logging_search_logs($1) +- manage_dirs_pattern($1, virt_log_t, virt_log_t) +- manage_files_pattern($1, virt_log_t, virt_log_t) +- manage_lnk_files_pattern($1, virt_log_t, virt_log_t) + can_exec($1, qemu_exec_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search virt image directories. +## Transition to virt named content -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access. 
-+## -+## -+# + ## + ## + # +-interface(`virt_search_images',` +interface(`virt_filetrans_named_content',` -+ gen_require(` + gen_require(` +- attribute virt_image_type; + type virt_lxc_var_run_t; + type virt_var_run_t; ') -+ + +- virt_search_lib($1) +- allow $1 virt_image_type:dir search_dir_perms; + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") @@ -113588,8 +113596,7 @@ index facdee8..816d860 100644 ######################################## ## --## Read and write all virt image --## character files. +-## Read virt image files. +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. ## 
@@ -113606,9 +113613,56 @@ index facdee8..816d860 100644 ## +## # --interface(`virt_rw_all_image_chr_files',` +-interface(`virt_read_images',` +interface(`virt_transition_svirt_sandbox',` gen_require(` +- type virt_var_lib_t; +- attribute virt_image_type; ++ attribute svirt_sandbox_domain; + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- list_dirs_pattern($1, virt_image_type, virt_image_type) +- read_files_pattern($1, virt_image_type, virt_image_type) +- read_lnk_files_pattern($1, virt_image_type, virt_image_type) +- read_blk_files_pattern($1, virt_image_type, virt_image_type) ++ allow $1 svirt_sandbox_domain:process { transition signal_perms }; ++ role $2 types svirt_sandbox_domain; ++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + +- tunable_policy(`virt_use_nfs',` +- fs_list_nfs($1) +- fs_read_nfs_files($1) +- fs_read_nfs_symlinks($1) +- ') ++ allow svirt_sandbox_domain $1:fd use; + +- tunable_policy(`virt_use_samba',` +- fs_list_cifs($1) +- fs_read_cifs_files($1) +- fs_read_cifs_symlinks($1) +- ') ++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; ++ allow svirt_sandbox_domain $1:process sigchld; ++ ps_process_pattern($1, svirt_sandbox_domain) + ') + + ######################################## + ## +-## Read and write all virt image +-## character files. ++## Read the process state of virt sandbox containers + ## + ## + ## +@@ -1032,20 +1445,17 @@ interface(`virt_read_images',` + ## + ## + # +-interface(`virt_rw_all_image_chr_files',` ++interface(`virt_sandbox_read_state',` + gen_require(` - attribute virt_image_type; + attribute svirt_sandbox_domain; ') 
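Review bot: `allow svirt_sandbox_domain $1:fd use;` in virt_transition_svirt_sandbox is new in this version of the patch and lets every sandbox domain use any descriptor inherited from the transitioning caller, not only the stdio pipes a runtime hands over; whatever host files or sockets the caller left open without close-on-exec remain usable from inside the container. The fifo_file and sigchld rules beside it are the usual parent/child plumbing, so the fd rule is presumably for the same pipes, but the interface cannot narrow it to them. A comment naming the descriptors the runtime is expected to pass, and that closing the rest is the caller's responsibility, would make the assumption explicit; the rest of this virt.if interface continues past the hunk.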
@@ -113616,12 +113670,6 @@ index facdee8..816d860 100644 - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 svirt_sandbox_domain:process { transition signal_perms }; -+ role $2 types svirt_sandbox_domain; -+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; -+ -+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; -+ allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) ') @@ -113629,23 +113677,23 @@ index facdee8..816d860 100644 ## -## Create, read, write, and delete -## svirt cache files. -+## Read the process state of virt sandbox containers ++## Read and write to svirt_image devices. ## ## ## -@@ -1053,15 +1443,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -+interface(`virt_sandbox_read_state',` ++interface(`virt_rw_svirt_dev',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ type svirt_image_t; + ') + -+ ps_process_pattern($1, svirt_sandbox_domain) ++ allow $1 svirt_image_t:chr_file rw_file_perms; ') ######################################## 
@@ -113656,22 +113704,22 @@ index facdee8..816d860 100644 ## ## ## -@@ -1069,21 +1461,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',` ## ## # -interface(`virt_manage_virt_cache',` -+interface(`virt_rw_svirt_dev',` ++interface(`virt_rlimitinh',` gen_require(` - type virt_cache_t; -+ type svirt_image_t; ++ type virtd_t; ') - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -+ allow $1 svirt_image_t:chr_file rw_file_perms; ++ allow $1 virtd_t:process { rlimitinh }; ') ######################################## @@ -113682,43 +113730,28 @@ index facdee8..816d860 100644 ## ## ## -@@ -1091,36 +1479,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',` ## ## # -interface(`virt_manage_images',` -+interface(`virt_rlimitinh',` ++interface(`virt_noatsecure',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type virtd_t; - ') - +- ') +- - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virtd_t:process { rlimitinh }; -+') - +- - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) -+######################################## -+## -+## Read and write to svirt_image devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_noatsecure',` -+ gen_require(` + type virtd_t; ') 
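Review bot: `virt_rlimitinh` writes its single permission as `allow $1 virtd_t:process { rlimitinh };`; the braces are only needed for a set, so `allow $1 virtd_t:process rlimitinh;` reads cleaner and matches other single-permission rules in virt.if such as `allow svirt_sandbox_domain $1:process sigchld;`. More importantly, this commit shifts each interface body up one slot (`virt_rw_svirt_dev` moves into the previous hunk and the `## Read and write to svirt_image devices.` block that sat above `virt_noatsecure` is deleted), while the `##` description blocks above `virt_rlimitinh` and `virt_noatsecure` are unchanged context outside the hunk — please confirm those two descriptions now name the interface they precede, since a description/interface mismatch is exactly what this reshuffle fixes for the svirt_dev block. The `virt_noatsecure` body is cut off at the end of the hunk.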
@@ -113739,7 +113772,7 @@ index facdee8..816d860 100644 ## ## ## -@@ -1136,50 +1524,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -113849,7 +113882,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..a4e5bf6 100644 +index f03dcf5..75d9fa0 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ @@ -115431,7 +115464,7 @@ index f03dcf5..a4e5bf6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1258,357 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1258,359 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115486,6 +115519,7 @@ index f03dcf5..a4e5bf6 100644 + +allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; +allow svirt_sandbox_domain self:fifo_file manage_file_perms; ++allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; @@ -115619,6 +115653,7 @@ index f03dcf5..a4e5bf6 100644 +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) +kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) 
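Review bot: The two new rules for every container domain in virt.te, `allow svirt_sandbox_domain self:msg all_msg_perms;` and `kernel_rw_unix_sysctls(svirt_sandbox_domain)`, do not appear in the 3.13.1-213 changelog entry, which only lists the docker vfs labeling, puppet, amanda and sulogin changes. The sysctl rule lets any domain carrying `svirt_sandbox_domain` write, not merely read, the unix-socket sysctls (read is already covered by the `kernel_read_all_sysctls` line above it), so it deserves a changelog line and a short why-comment naming the workload that hit the denial, e.g. `# <workload placeholder> needs rw on unix sysctls (bz <placeholder>)`. The `self:msg` rule is presumably paired with the existing `self:msgq create_msgq_perms;` for SysV message queues and looks benign, but it should be listed too. The surrounding svirt_sandbox_domain rule block starts before and continues after these hunks.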
@@ -115930,7 +115965,7 @@ index f03dcf5..a4e5bf6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115945,7 +115980,7 @@ index f03dcf5..a4e5bf6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1639,7 @@ optional_policy(` +@@ -1192,7 +1641,7 @@ optional_policy(` ######################################## # @@ -115954,7 +115989,7 @@ index f03dcf5..a4e5bf6 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1648,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1650,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 25f2f24a..2242d571 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 212%{?dist} +Release: 213%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,12 @@ exit 0 %endif %changelog +* Fri Sep 02 2016 Lukas Vrabec 3.13.1-213 +- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module +- Label /usr/bin/pappet as puppetagent_exec_t +- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label +- Allow run sulogin_t in range mls_systemlow-mls_systemhigh. + * Wed Aug 31 2016 Lukas Vrabec 3.13.1-212 - udisk2 module is part of devicekit module now - Fix file context for /etc/pki/pki-tomcat/ca/