* Tue Sep 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-279

- Allow abrt_dump_oops_t to read sssd_public_t files - Allow cockpit_ws_t to mmap usr_t files - Allow systemd to read/write dri devices.
2017-09-05 09:36:30 +02:00 · 2017-09-05 09:36:30 +02:00 · fcebe07f6c
parent 313e17b74e
commit fcebe07f6c
4 changed files with 60 additions and 51 deletions
--- a/container-selinux.tgz
+++ b/container-selinux.tgz
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -36943,7 +36943,7 @@ index 79a45f62e..6ed0c399a 100644
 +    allow $1 init_var_lib_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..a980b4d3f 100644
+index 17eda2480..4593a868a 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@ -37124,7 +37124,7 @@ index 17eda2480..a980b4d3f 100644
 
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +213,27 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +213,28 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@ -37150,10 +37150,11 @@ index 17eda2480..a980b4d3f 100644
 +dev_filetrans_all_named_dev(init_t)
 +dev_write_watchdog(init_t)
 +dev_rw_inherited_input_dev(init_t)
+dev_rw_dri(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
-@@ -139,45 +241,103 @@ domain_signal_all_domains(init_t)
+@@ -139,45 +242,103 @@ domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
 domain_sigchld_all_domains(init_t)
@ -37264,7 +37265,7 @@ index 17eda2480..a980b4d3f 100644
 
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
-@@ -186,29 +346,283 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +347,283 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -37557,7 +37558,7 @@ index 17eda2480..a980b4d3f 100644
 ')
 
 optional_policy(`
-@@ -216,7 +630,30 @@ optional_policy(`
+@@ -216,7 +631,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37589,7 +37590,7 @@ index 17eda2480..a980b4d3f 100644
 ')
 
 ########################################
-@@ -225,9 +662,9 @@ optional_policy(`
+@@ -225,9 +663,9 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -37601,7 +37602,7 @@ index 17eda2480..a980b4d3f 100644
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
-@@ -258,12 +695,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +696,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -37618,7 +37619,7 @@ index 17eda2480..a980b4d3f 100644
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +720,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +721,36 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -37661,7 +37662,7 @@ index 17eda2480..a980b4d3f 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +757,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +758,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -37673,7 +37674,7 @@ index 17eda2480..a980b4d3f 100644
 dev_rw_sysfs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
-@@ -313,8 +769,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +770,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -37684,7 +37685,7 @@ index 17eda2480..a980b4d3f 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -322,8 +780,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +781,7 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -37694,7 +37695,7 @@ index 17eda2480..a980b4d3f 100644
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
-@@ -332,7 +789,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +790,6 @@ domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
@ -37702,7 +37703,7 @@ index 17eda2480..a980b4d3f 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -340,6 +796,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +797,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -37710,7 +37711,7 @@ index 17eda2480..a980b4d3f 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -347,14 +804,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +805,15 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -37728,7 +37729,7 @@ index 17eda2480..a980b4d3f 100644
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-@@ -364,8 +822,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +823,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -37742,7 +37743,7 @@ index 17eda2480..a980b4d3f 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -375,10 +837,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +838,11 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -37756,7 +37757,7 @@ index 17eda2480..a980b4d3f 100644
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
-@@ -387,8 +850,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +851,10 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -37767,7 +37768,7 @@ index 17eda2480..a980b4d3f 100644
 
 storage_getattr_fixed_disk_dev(initrc_t)
 storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +863,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +864,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -37775,7 +37776,7 @@ index 17eda2480..a980b4d3f 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -416,20 +882,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +883,18 @@ logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
 
@ -37799,7 +37800,7 @@ index 17eda2480..a980b4d3f 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +915,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +916,6 @@ ifdef(`distro_gentoo',`
 	allow initrc_t self:process setfscreate;
 	dev_create_null_dev(initrc_t)
 	dev_create_zero_dev(initrc_t)
@ -37807,7 +37808,7 @@ index 17eda2480..a980b4d3f 100644
 	term_create_console_dev(initrc_t)
 
 	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +949,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +950,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -37818,7 +37819,7 @@ index 17eda2480..a980b4d3f 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -506,7 +973,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +974,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -37827,7 +37828,7 @@ index 17eda2480..a980b4d3f 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -521,6 +988,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +989,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -37835,7 +37836,7 @@ index 17eda2480..a980b4d3f 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1009,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1010,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -37843,7 +37844,7 @@ index 17eda2480..a980b4d3f 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1019,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1020,44 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -37888,7 +37889,7 @@ index 17eda2480..a980b4d3f 100644
 	')
 
 	optional_policy(`
-@@ -559,14 +1064,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1065,31 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -37920,7 +37921,7 @@ index 17eda2480..a980b4d3f 100644
 	')
 ')
 
-@@ -577,6 +1099,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1100,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -37960,7 +37961,7 @@ index 17eda2480..a980b4d3f 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1144,8 @@ optional_policy(`
+@@ -589,6 +1145,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -37969,7 +37970,7 @@ index 17eda2480..a980b4d3f 100644
 ')
 
 optional_policy(`
-@@ -610,6 +1167,7 @@ optional_policy(`
+@@ -610,6 +1168,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -37977,7 +37978,7 @@ index 17eda2480..a980b4d3f 100644
 ')
 
 optional_policy(`
-@@ -626,6 +1184,17 @@ optional_policy(`
+@@ -626,6 +1185,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -37995,7 +37996,7 @@ index 17eda2480..a980b4d3f 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -642,9 +1211,13 @@ optional_policy(`
+@@ -642,9 +1212,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -38009,7 +38010,7 @@ index 17eda2480..a980b4d3f 100644
 	')
 
 	optional_policy(`
-@@ -657,15 +1230,11 @@ optional_policy(`
+@@ -657,15 +1231,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38027,7 +38028,7 @@ index 17eda2480..a980b4d3f 100644
 ')
 
 optional_policy(`
-@@ -686,6 +1255,15 @@ optional_policy(`
+@@ -686,6 +1256,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38043,7 +38044,7 @@ index 17eda2480..a980b4d3f 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -726,6 +1304,7 @@ optional_policy(`
+@@ -726,6 +1305,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -38051,7 +38052,7 @@ index 17eda2480..a980b4d3f 100644
 ')
 
 optional_policy(`
-@@ -743,7 +1322,13 @@ optional_policy(`
+@@ -743,7 +1323,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38066,7 +38067,7 @@ index 17eda2480..a980b4d3f 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -766,6 +1351,10 @@ optional_policy(`
+@@ -766,6 +1352,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38077,7 +38078,7 @@ index 17eda2480..a980b4d3f 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -775,10 +1364,20 @@ optional_policy(`
+@@ -775,10 +1365,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38098,7 +38099,7 @@ index 17eda2480..a980b4d3f 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -787,6 +1386,10 @@ optional_policy(`
+@@ -787,6 +1387,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38109,7 +38110,7 @@ index 17eda2480..a980b4d3f 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -808,8 +1411,6 @@ optional_policy(`
+@@ -808,8 +1412,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -38118,7 +38119,7 @@ index 17eda2480..a980b4d3f 100644
 ')
 
 optional_policy(`
-@@ -818,6 +1419,10 @@ optional_policy(`
+@@ -818,6 +1420,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38129,7 +38130,7 @@ index 17eda2480..a980b4d3f 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -827,10 +1432,12 @@ optional_policy(`
+@@ -827,10 +1433,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -38142,7 +38143,7 @@ index 17eda2480..a980b4d3f 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1464,62 @@ optional_policy(`
+@@ -857,21 +1465,62 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38206,7 +38207,7 @@ index 17eda2480..a980b4d3f 100644
 ')
 
 optional_policy(`
-@@ -887,6 +1535,10 @@ optional_policy(`
+@@ -887,6 +1536,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -38217,7 +38218,7 @@ index 17eda2480..a980b4d3f 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -897,3 +1549,218 @@ optional_policy(`
+@@ -897,3 +1550,218 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f070f..3c19e28fc 100644
+index eb50f070f..5c05075a4 100644
 --- a/abrt.te
 +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -1060,7 +1060,7 @@ index eb50f070f..3c19e28fc 100644
 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
 
 domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +476,86 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +476,87 @@ corecmd_exec_shell(abrt_retrace_worker_t)
 
 dev_read_urand(abrt_retrace_worker_t)
 
@ -1142,6 +1142,7 @@ index eb50f070f..3c19e28fc 100644
 +init_read_var_lib_files(abrt_dump_oops_t)
 +
 +optional_policy(`
+    sssd_read_public_files(abrt_dump_oops_t)
 +    sssd_stream_connect(abrt_dump_oops_t)
 +')
 +
@ -1151,7 +1152,7 @@ index eb50f070f..3c19e28fc 100644
 
 #######################################
 #
-@@ -404,25 +563,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +564,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
 #
 
 allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1214,7 +1215,7 @@ index eb50f070f..3c19e28fc 100644
 ')
 
 #######################################
-@@ -430,10 +624,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +625,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
 # Global local policy
 #
 
@ -15550,10 +15551,10 @@ index 000000000..d5920c061
 +')
 diff --git a/cockpit.te b/cockpit.te
 new file mode 100644
-index 000000000..b802a9920
+index 000000000..08aaee4bb
 --- /dev/null
 +++ b/cockpit.te
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,123 @@
 +policy_module(cockpit, 1.0.0)
 +
 +########################################
@ -15618,6 +15619,8 @@ index 000000000..b802a9920
 +
 +auth_use_nsswitch(cockpit_ws_t)
 +
+files_mmap_usr_files(cockpit_ws_t)
+
 +init_stream_connect(cockpit_ws_t)
 +
 +logging_send_syslog_msg(cockpit_ws_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 278%{?dist}
+Release: 279%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -681,6 +681,11 @@ exit 0
 %endif

 %changelog
+* Tue Sep 05 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-279
+- Allow abrt_dump_oops_t to read sssd_public_t files
+- Allow cockpit_ws_t to mmap usr_t files
+- Allow systemd to read/write dri devices.
+
 * Thu Aug 31 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-278
 - Add couple rules related to map permissions
 - Allow ddclient use nsswitch BZ(1456241)