commit c79e4b8a8a365e0f7d2455f8f4e3288e07ce9bed
Author: Lukas Berk <lberk@redhat.com>
Date:   Mon Jan 15 16:24:29 2018 -0500

    build: selinux, update policy package on upgrade

    Don't just install the new policy package on a fresh install; we need to
    make sure it's up to date on an upgrade as well.  Also, version-match
    the policy package to ensure changes on specific releases are visible
    via diagnostic tools like semodule.

diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
index 6635c8e7b..6c993ee4c 100644
--- a/src/selinux/GNUmakefile
+++ b/src/selinux/GNUmakefile
@@ -61,6 +61,7 @@ $(IAM).te: $(IAM).te.in
 		-e 's;@PCP_SOCK_FILE_GETATTR@;'$(PCP_SOCK_FILE_GETATTR)';' \
 		-e 's;@PCP_SOCK_FILE_GETATTR_RULE@;'$(PCP_SOCK_FILE_GETATTR_RULE)';' \
 		-e 's;@PCP_HOSTNAME_EXEC_MAP@;'$(PCP_HOSTNAME_EXEC_MAP)';' \
+		-e 's;@PACKAGE_VERSION@;'$(PACKAGE_VERSION)';' \

 	# END
 	make -f /usr/share/selinux/devel/Makefile
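Review bot: The new `-e 's;@PACKAGE_VERSION@;'$(PACKAGE_VERSION)';'` line splices the variable unquoted into the sed script, so an empty or unset PACKAGE_VERSION silently yields `module pcpupstream ;` in the generated .te (the pcpupstream.te.in hunk below), and the failure only surfaces later in the policy compiler with a less obvious message. Failing early is clearer, e.g. `ifeq ($(strip $(PACKAGE_VERSION)),)` / `$(error PACKAGE_VERSION must be a dotted numeric version)` / `endif` ahead of this rule. A module version is presumably expected to be dotted-numeric; if PACKAGE_VERSION can carry a non-numeric suffix on some builds, it would need stripping here as well, which is worth confirming against how the build sets it. The `$(IAM).te` rule starts before this hunk.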
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index e6a504c8a..56376ac4e 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -1,4 +1,4 @@
-module pcpupstream 1.0;
+module pcpupstream @PACKAGE_VERSION@;

 require {
 	type pcp_pmcd_t;

commit 50d0d55ffe2c9af2a73bb55a8bf826c68b97ce1e
Author: Lukas Berk <lberk@redhat.com>
Date:   Thu Jan 25 21:22:57 2018 -0500

    selinux: rhbz1488116, rhbz1533080 rules, update qa

diff --git a/qa/917 b/qa/917
index 9fc3a993e..3afa39b8c 100755
--- a/qa/917
+++ b/qa/917
@@ -37,6 +37,7 @@ class_status=`seinfo -x --class=system | grep "status$"`
 sock_file_getattr=`seinfo -x --class=sock_file | grep "getattr$"`
 hostname_exec_map_a=`seinfo -x --class=file | grep "map$"`
 hostname_exec_map_b=`seinfo -x --common=file 2>/dev/null | grep "map$"`
+container_runtime_tmpfs_t=`seinfo -t | grep "container_runtime_tmpfs_t$"`

 _filter_semodule()
 {
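Review bot: The new `seinfo -t | grep "container_runtime_tmpfs_t$"` lookup anchors only at the end of the line, so any type whose name merely ends in that string also satisfies it, and because the result is only tested for emptiness the filter below would then keep lines for a type that may not actually exist. The output format of `seinfo -t` differs between setools versions, so please check; if it prints one type per line, `grep -w "container_runtime_tmpfs_t$"` is tighter while still tolerating leading indentation.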
@@ -54,6 +55,7 @@ _filter_sedismod1()
 _filter_outfile()
 {
     awk -v container_t="$container_runtime_t" \
+	-v container_tmpfs_t="$container_runtime_tmpfs_t" \
 	-v nsfs_t="$nsfs_t" \
 	-v docker_var_lib_t="$docker_var_lib_t" \
 	-v svirt_lxc_net_t="$svirt_lxc_net_t" \
@@ -70,8 +72,10 @@ _filter_outfile()
 	-v hostname_exec_map_a="$hostname_exec_map_a" \
 	-v hostname_exec_map_b="$hostname_exec_map_b" \
     '{
-    	if (container_t == "" && /container_runtime_t/)
-	   !/container_runtime_t/ ;
+    	if (container_t == "" && /container_runtime_t /)
+	   !/container_runtime_t / ;
+	else if (container_tmpfs_t == "" && /container_runtime_tmpfs_t/)
+	   !/container_runtime_tmpfs_t/ ;
 	else if (nsfs_t == "" && /nsfs_t/)
 	   !/nsfs_t/ ;
     	else if (docker_var_lib_t == "" && /docker_var_lib_t/)
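Review bot: The trailing space in `/container_runtime_t /` is presumably meant to stop this branch from also matching `container_runtime_tmpfs_t`, but in the expected output shown in qa/917.out.in the type appears as `[container_runtime_t]` followed by `]`, and in the policy source it is followed by `:` or `;`, so a pattern that requires a space may never match and filtering for a missing container_runtime_t would quietly stop working. Which file _filter_outfile is applied to is not visible here, so please verify; a boundary that works in either format is `if (container_t == "" && /container_runtime_t[^a-z_]/)` with the matching `!/container_runtime_t[^a-z_]/ ;` body. The `!/…/ ;` bodies are expression statements that do nothing, and the lines are presumably suppressed only because the final `else` prints; a one-line comment saying so would spare the next reader. The function continues past the hunk.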
diff --git a/qa/917.out.in b/qa/917.out.in
index edd247e25..0c2472d64 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -48,6 +48,12 @@ decl 1:
   allow [pcp_pmcd_t] [nfsd_fs_t] : [file] { getattr open read };
   allow [pcp_pmcd_t] [gpmctl_t] : [sock_file] { getattr };
   allow [pcp_pmcd_t] [postfix_spool_t] : [dir] { read };
+  allow [pcp_pmcd_t] [container_runtime_tmpfs_t] : [dir] { getattr };
+  allow [pcp_pmcd_t] [unconfined_service_t] : [sem] { associate getattr };
+  allow [pcp_pmcd_t] [mock_var_lib_t] : [dir] { getattr };
+  allow [pcp_pmcd_t] [ldconfig_exec_t] : [file] { map };
+  allow [pcp_pmcd_t] [httpd_t] : [shm] { unix_read associate getattr };
+  allow [pcp_pmcd_t] [httpd_t] : [sem] { unix_read associate getattr };
   allow [pcp_pmlogger_t] [kmsg_device_t] : [chr_file] { open write };
   allow [pcp_pmlogger_t] self : [capability] { kill };
   allow [pcp_pmlogger_t] [init_t] : [system] { status };
@@ -68,6 +74,8 @@ decl 1:
   allow [pcp_pmie_t] [unconfined_t] : [unix_stream_socket] { connectto };
   allow [pcp_pmie_t] [pcp_pmie_exec_t] : [file] { execute_no_trans };
   allow [pcp_pmie_t] [proc_net_t] : [file] { read };
+  allow [pcp_pmie_t] [kmsg_device_t] : [chr_file] { open };
+  allow [pcp_pmie_t] [pcp_pmcd_t] : [process] { signal };
   allow [pcp_pmcd_t] [configfs_t] : [dir] { open read search };
   allow [pcp_pmcd_t] [configfs_t] : [file] { getattr open read };
   allow [pcp_pmcd_t] [configfs_t] : [lnk_file] { read getattr };
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
index 65c296611..7d36cb6a2 100644
--- a/src/selinux/GNUlocaldefs
+++ b/src/selinux/GNUlocaldefs
@@ -66,4 +66,5 @@ endif

 ifeq "$(PCP_SELINUX_HOSTNAME_EXEC_MAP)" "true"
 PCP_HOSTNAME_EXEC_MAP=" map "
+PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map\;"
 endif
\ No newline at end of file
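Review bot: `PCP_LDCONFIG_EXEC_MAP_RULE` is defined inside the `PCP_SELINUX_HOSTNAME_EXEC_MAP` conditional, so the ldconfig rule is switched on and off by a variable whose name says nothing about ldconfig; if the shared point is that both rules need the `map` permission on the `file` class, record it: `# both the hostname and ldconfig rules need file:map, which only newer policies define`. The trailing `\;` is load-bearing and deserves a comment too, because the value is spliced into a `;`-delimited sed expression in the GNUmakefile hunk below and an unescaped `;` would end the replacement early, e.g. `# the \; keeps ';' from terminating the sed 's;…;…;' replacement`. The file also still ends without a trailing newline.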
diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
index 6c993ee4c..343178d38 100644
--- a/src/selinux/GNUmakefile
+++ b/src/selinux/GNUmakefile
@@ -61,6 +61,7 @@ $(IAM).te: $(IAM).te.in
 		-e 's;@PCP_SOCK_FILE_GETATTR@;'$(PCP_SOCK_FILE_GETATTR)';' \
 		-e 's;@PCP_SOCK_FILE_GETATTR_RULE@;'$(PCP_SOCK_FILE_GETATTR_RULE)';' \
 		-e 's;@PCP_HOSTNAME_EXEC_MAP@;'$(PCP_HOSTNAME_EXEC_MAP)';' \
+		-e 's;@PCP_LDCONFIG_EXEC_MAP_RULE@;'$(PCP_LDCONFIG_EXEC_MAP_RULE)';' \
 		-e 's;@PACKAGE_VERSION@;'$(PACKAGE_VERSION)';' \

 	# END
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 56376ac4e..fb14fec96 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -49,6 +49,12 @@ require {
 	type gpmctl_t; #RHBZ1517656
 	type proc_net_t; #RHBZ1517656
 	type postfix_spool_t; #RHBZ1517862
+	type container_runtime_tmpfs_t;
+	type unconfined_service_t;
+	type mock_var_lib_t;
+	type ldconfig_exec_t;
+	type httpd_t;
+        class sem { unix_read associate getattr };
 	class lnk_file { read getattr };
 	class file { append create execute execute_no_trans getattr ioctl lock open read write @PCP_HOSTNAME_EXEC_MAP@ };
 	class dir { add_name open read search write getattr };
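Review bot: The new `require` entries carry no `#RHBZ…` tag, unlike the three lines directly above them, even though the commit title names rhbz1488116 and rhbz1533080; at least `type httpd_t; #RHBZ1488116` should say which bug motivates it, and `type unconfined_service_t;` deserves a note on why a semaphore of that domain is touched. The rules added later in this commit use `httpd_t:shm { unix_read associate getattr }`; if `class shm` is not already required with those three permissions somewhere in this block (which starts before the hunk), the module will not compile. The `class sem …` line is indented with spaces while every neighbouring line uses a tab.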
@@ -112,7 +118,6 @@ allow pcp_pmcd_t proc_kcore_t:file getattr;
 #type=AVC msg=audit(1491581538.587:10952): avc:  denied  { sys_ptrace } for  pid=9375 comm="pmdaproc" capability=19  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=cap_userns permissive=1
 @PCP_CAPUSERNS_PTRACE_RULE@

-
 #type=AVC msg=audit(1485899863.032:3024): avc:  denied  { sys_chroot } for  pid=25873 comm="pmdalinux" capability=18  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
 allow pcp_pmcd_t self:capability sys_chroot;

@@ -182,6 +187,21 @@ allow pcp_pmcd_t nfsd_fs_t:file { getattr open read };

 #RHBZ1517862
 allow pcp_pmcd_t postfix_spool_t:dir read;
+
+allow pcp_pmcd_t container_runtime_tmpfs_t:dir getattr;
+
+allow pcp_pmcd_t unconfined_service_t:sem { associate getattr };
+
+#type=AVC msg=audit(...): avc:  denied  { getattr } for  pid=NNN comm="pmdalinux" path="/var/lib/mock" dev="dm-1" ino=917749 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=dir permissive=1
+allow pcp_pmcd_t mock_var_lib_t:dir getattr;
+
+#type=AVC msg=audit(...): avc:  denied  { map } for  pid=NNN comm="ldconfig" path="/usr/sbin/ldconfig" dev="dm-1" ino=1052382 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
+@PCP_LDCONFIG_EXEC_MAP_RULE@
+
+#RHBZ1488116
+allow pcp_pmcd_t httpd_t:shm { unix_read associate getattr };
+allow pcp_pmcd_t httpd_t:sem { unix_read associate getattr };
+
 #============= pcp_pmlogger_t ==============
 allow pcp_pmlogger_t kmsg_device_t:chr_file { open write };
 allow pcp_pmlogger_t self:capability kill;
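Review bot: `allow pcp_pmcd_t container_runtime_tmpfs_t:dir getattr;` and `allow pcp_pmcd_t unconfined_service_t:sem { associate getattr };` are the only new rules with neither an audit line nor a bug reference above them, so unlike their neighbours there is no record of which PMDA or which denial they answer; add at least `#RHBZ<bug-id>` or the denied AVC above each. The `#RHBZ1488116` grant of `unix_read` on httpd_t shm and sem gives everything running in pcp_pmcd_t read access to httpd's SysV IPC, a notable widening for a general-purpose collector domain; if a single PMDA needs it, a comment naming it makes later reviews of this policy much easier. The audit comments with `msg=audit(...)` and `pid=NNN` look hand-anonymised, which is fine, but stating that once would stop anyone treating them as raw log lines.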
@@ -250,6 +270,11 @@ allow pcp_pmie_t pcp_pmie_exec_t:file execute_no_trans;
 #RHBZ1517656
 allow pcp_pmie_t proc_net_t:file read;

+#type=AVC msg=audit(...): avc:  denied  { open } for  pid=NNN comm="runlevel" path="/dev/kmsg" dev="devtmpfs" ino=1043 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1
+allow pcp_pmie_t kmsg_device_t:chr_file open;
+
+#RHBZ1533080
+allow pcp_pmie_t pcp_pmcd_t:process signal;
 #============= pmda-lio ==============
 allow pcp_pmcd_t configfs_t:dir { open read search };
 allow pcp_pmcd_t configfs_t:file { getattr open read };
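Review bot: `allow pcp_pmie_t pcp_pmcd_t:process signal;` has only a bug reference and no AVC line, so the reader cannot tell which signal pmie sends; in SELinux `signal` covers every signal except those with their own permission (`sigkill`, `sigstop`, `sigchld`, `signull`), so if pmie merely probes pmcd's liveness with kill(pid, 0) the narrower `signull` suffices, and if it really delivers a signal the comment should name it. Either way the chosen `process` permission must be present in the require block, which is outside this hunk. The new rule also runs straight into the `#============= pmda-lio` header, whereas the other sections are separated by a blank line.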

commit 7ab2c18f36f96e73a93892bcabc2a53797aaeb54
Author: Lukas Berk <lberk@redhat.com>
Date:   Fri Dec 8 10:42:59 2017 -0500

    selinux: RHBZ1460131 add gettatr, open to pcp_var_lib_t:fifo_file

    adjust qa output

diff --git a/qa/917.out.in b/qa/917.out.in
index 86805d11a..edd247e25 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -19,7 +19,7 @@ decl 1:
   allow [pcp_pmcd_t] [debugfs_t] : [dir] { read };
   allow [pcp_pmcd_t] [debugfs_t] : [file] { getattr ioctl open read };
   allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read };
-  allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { read unlink };
+  allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
   allow [pcp_pmcd_t] self : [capability] { sys_ptrace net_admin chown ipc_owner };
   allow [pcp_pmcd_t] [initctl_t] : [fifo_file] { getattr };
   allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 236a0ecf1..e6a504c8a 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -97,8 +97,7 @@ allow pcp_pmcd_t user_home_t:file { execute execute_no_trans open read };
 allow pcp_pmcd_t debugfs_t:dir read;
 allow pcp_pmcd_t debugfs_t:file { getattr ioctl open read };
 allow pcp_pmcd_t pcp_pmie_exec_t:file { execute execute_no_trans open read };
-allow pcp_pmcd_t pcp_var_lib_t:fifo_file { read unlink }; #RHBZ1460131
-
+allow pcp_pmcd_t pcp_var_lib_t:fifo_file { getattr open read unlink }; #RHBZ1460131
 #type=AVC msg=audit(1463754714.313:316): avc:  denied  { net_admin } for  pid=2335 comm="pmcd" capability=12  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
 #type=AVC msg=audit(1491576442.619:1738169): avc:  denied  { sys_ptrace } for  pid=15205 comm="pmdaproc" capability=19  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
 #type=AVC msg=audit(1498833776.957:2094): avc:  denied  { ipc_owner } for  pid=21341 comm="pmdalinux" capability=15  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=0
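Review bot: The widened `fifo_file { getattr open read unlink }` rule needs `getattr` and `open` on `class fifo_file` in the module's require block, which is outside this hunk; if that block still lists only the old permissions the policy compiler will reject the generated .te. Dropping the blank line also leaves the #RHBZ1460131 rule butted against the `#type=AVC` comments that document the capability rules below, so those audit lines now read as though they belonged to the fifo_file change; keep the separator line. The qa/917.out.in hunk above expects `{ getattr read open unlink }`, a different order from the source, which is fine if that is the tool's canonical ordering but worth confirming so the test does not fail on it.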