From 0d70340b72243c95172428e9ba177dd5c73c2f84 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Aug 30 2015 21:03:47 +0000 Subject: * Sun Aug 30 2015 Lukas Vrabec 3.13.1-145 - Allow watchdog execute fenced python script. - Added inferface watchdog_unconfined_exec_read_lnk_files() - Allow pmweb daemon to exec shell. BZ(1256127) - Allow pmweb daemon to read system state. BZ(#1256128) - Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t. - Revert "Revert default_range change in targeted policy" - Allow dhcpc_t domain transition to chronyd_t --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index bdae1d1..1568f3c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1052,10 +1052,17 @@ index 4705ab6..b82865c 100644 +## +gen_tunable(mount_anyfile, false) diff --git a/policy/mcs b/policy/mcs -index 216b3d1..78e56ed 100644 +index 216b3d1..064ec83 100644 --- a/policy/mcs +++ b/policy/mcs -@@ -69,53 +69,56 @@ gen_levels(1,mcs_num_cats) +@@ -1,4 +1,6 @@ + ifdef(`enable_mcs',` ++default_range dir_file_class_set target low; ++ + # + # Define sensitivities + # +@@ -69,53 +71,56 @@ gen_levels(1,mcs_num_cats) # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } @@ -1132,7 +1139,7 @@ index 216b3d1..78e56ed 100644 mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -@@ -135,6 +138,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d +@@ -135,6 +140,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d mlsconstrain { db_tuple } { insert relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); 
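Review bot: The re-added `default_range dir_file_class_set target low;` at the top of policy/mcs changes how every dir_file_class_set object is labelled under MCS — if I read the default_range semantics right, a new object now takes the low level of the target (the parent directory) instead of the creating process's range — and the hunk carries no comment saying why that is wanted in the targeted policy. The changelog only says the earlier revert is reverted, so the rationale lives in some other commit; I would put it next to the statement, e.g. `# New objects inherit the parent directory's low level, not the creator's range; see BZ#<n>`. It is also worth confirming that MCS-separated domains (anything running with categories, such as sVirt guests) still get the categories they expect on files they create in shared s0 directories, since with this default those files would no longer carry the creator's categories.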
@@ -1142,7 +1149,7 @@ index 216b3d1..78e56ed 100644 # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 ); -@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } +@@ -166,4 +174,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); @@ -42578,7 +42585,7 @@ index 2cea692..57c9025 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..77ee719 100644 +index a392fc4..bf8b888 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -42720,13 +42727,14 @@ index a392fc4..77ee719 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -161,7 +185,14 @@ ifdef(`distro_ubuntu',` +@@ -161,7 +185,15 @@ ifdef(`distro_ubuntu',` ') optional_policy(` - consoletype_run(dhcpc_t, dhcpc_roles) + chronyd_initrc_domtrans(dhcpc_t) + chronyd_systemctl(dhcpc_t) ++ chronyd_domtrans(dhcpc_t) + chronyd_read_keys(dhcpc_t) +') + @@ -42736,7 +42744,7 @@ index a392fc4..77ee719 100644 ') optional_policy(` -@@ -179,10 +210,6 @@ optional_policy(` +@@ -179,10 +211,6 @@ optional_policy(` ') optional_policy(` @@ -42747,7 +42755,7 @@ index a392fc4..77ee719 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -195,23 +222,31 @@ optional_policy(` +@@ -195,23 +223,31 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -42782,7 +42790,7 @@ index a392fc4..77ee719 100644 ') optional_policy(` -@@ -221,7 +256,11 @@ optional_policy(` +@@ -221,7 +257,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) 
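Review bot: `chronyd_domtrans(dhcpc_t)` in the sysnetwork.te chronyd block lets dhclient, a domain that parses untrusted DHCP replies from the network, execute chronyd_exec_t and run in chronyd_t, on top of the initrc and systemctl transitions the same optional_policy already grants, and neither the hunk nor the changelog line says which dhclient hook needs the direct transition. I would record the trigger above the call, e.g. `# dhclient's chrony hook execs the chrony binary directly when the DHCP lease carries NTP servers`, and if that hook only runs chronyc, check whether chronyc is actually labelled chronyd_exec_t — if it is not, this transition never fires and a different interface is needed. The optional_policy block is fully visible here; the surrounding dhcpc_t section continues outside the hunk.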
@@ -42795,7 +42803,7 @@ index a392fc4..77ee719 100644 ') optional_policy(` -@@ -233,6 +272,10 @@ optional_policy(` +@@ -233,6 +273,10 @@ optional_policy(` ') optional_policy(` @@ -42806,7 +42814,7 @@ index a392fc4..77ee719 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +307,24 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +308,24 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -42831,7 +42839,7 @@ index a392fc4..77ee719 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +334,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +335,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -42864,7 +42872,7 @@ index a392fc4..77ee719 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +373,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -42922,7 +42930,7 @@ index a392fc4..77ee719 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +427,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +428,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -42935,7 +42943,7 @@ index a392fc4..77ee719 100644 ') optional_policy(` -@@ -350,7 +445,16 @@ optional_policy(` +@@ -350,7 +446,16 @@ optional_policy(` ') optional_policy(` @@ -42953,7 +42961,7 @@ index a392fc4..77ee719 100644 ') optional_policy(` -@@ -371,3 +475,13 @@ optional_policy(` +@@ -371,3 +476,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 6fecdc7..36bbc41 100644 --- a/policy-rawhide-contrib.patch 
+++ b/policy-rawhide-contrib.patch @@ -11947,7 +11947,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..fc5b086 100644 +index 550b287..943af3b 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -12036,7 +12036,7 @@ index 550b287..fc5b086 100644 ') optional_policy(` -@@ -92,11 +109,57 @@ optional_policy(` +@@ -92,11 +109,58 @@ optional_policy(` ') optional_policy(` @@ -12050,6 +12050,7 @@ index 550b287..fc5b086 100644 +optional_policy(` + ipa_manage_lib(certmonger_t) + ipa_manage_pid_files(certmonger_t) ++ ipa_filetrans_pid(certmonger_t,"renewal.lock") +') + +optional_policy(` @@ -37061,10 +37062,10 @@ index 0000000..db194ec + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..71bde7d +index 0000000..904782d --- /dev/null +++ b/ipa.if -@@ -0,0 +1,155 @@ +@@ -0,0 +1,178 @@ +## Policy for IPA services. + +######################################## @@ -37220,6 +37221,29 @@ index 0000000..71bde7d + manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t) +') + ++######################################## ++## ++## Create specified objects in generic ++## pid directories with the ipa pid file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`ipa_filetrans_pid',` ++ gen_require(` ++ type ipa_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, ipa_var_run_t, file, $2) ++') diff --git a/ipa.te b/ipa.te new file mode 100644 index 0000000..694c092 @@ -66020,10 +66044,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..684f7b0 +index 0000000..5b5747f --- /dev/null +++ b/pcp.te -@@ -0,0 +1,260 @@ +@@ -0,0 +1,264 @@ +policy_module(pcp, 1.0.0) + +######################################## 
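Review bot: `ipa_filetrans_pid(certmonger_t,"renewal.lock")` in certmonger.te adds a name-based transition that is keyed only on the file name in any var_run_t directory — files_pid_filetrans is not tied to /run/ipa — so a `renewal.lock` certmonger created directly under /run would also become ipa_var_run_t. If /run/ipa already carries ipa_var_run_t (its file context is outside this hunk), files created there inherit that type without any transition, so this rule presumably only matters while /run/ipa is still plain var_run_t; I would say that in a comment, e.g. `# /run/ipa/renewal.lock may be created before /run/ipa is labelled ipa_var_run_t`. The target type is one certmonger_t may already manage through ipa_manage_pid_files two lines above, so the exposure is small, but the comment makes the intent checkable.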
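Review bot: The summary of the new `ipa_filetrans_pid` interface in ipa.if says "Create specified objects in generic pid directories", but the body fixes the object class to `file` in `files_pid_filetrans($1, ipa_var_run_t, file, $2)`, so a caller cannot use it for a directory or a socket. Either make the summary match, e.g. `Create the named file in generic pid directories with the ipa pid file type.`, or take the class as an extra parameter the way refpolicy's other `*_filetrans_*` interfaces do, which would keep the wording honest. The param markup does not show in this rendering, presumably an extraction artifact, so it is worth checking the summary and param tags survived in the real file.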
@@ -66217,6 +66241,10 @@ index 0000000..684f7b0 +# pcp_pmwebd local policy +# + ++kernel_read_system_state(pcp_pmwebd_t) ++ ++corecmd_exec_shell(pcp_pmwebd_t) ++ +corenet_tcp_bind_generic_node(pcp_pmwebd_t) + +optional_policy(` @@ -83184,10 +83212,10 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..eb08783 100644 +index 47de2d6..9ecda11 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,93 @@ +@@ -1,31 +1,95 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -83277,6 +83305,8 @@ index 47de2d6..eb08783 100644 + +/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) + ++/usr/share/cluster/fence_scsi_check.* -- gen_context(system_u:object_r:fenced_exec_t,s0) ++ +/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) @@ -84152,7 +84182,7 @@ index c8bdea2..29df561 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..448a0c5 100644 +index 6cf79c4..9d253c3 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) 
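Review bot: `corecmd_exec_shell(pcp_pmwebd_t)` lets a daemon that binds a TCP listener (`corenet_tcp_bind_generic_node(pcp_pmwebd_t)` two lines below) run /bin/sh inside its own domain, and nothing in the hunk says which command pmwebd spawns; the changelog gives only a bug number. I would add the reason above the rule, e.g. `# pmwebd forks a shell to run <command> (BZ#1256127)`, and if the spawned program has a domain of its own, prefer a domtrans so a compromised pmwebd cannot reuse the shell permission for arbitrary commands. The pmwebd section continues past both ends of this hunk.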
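Review bot: The new rhcs.fc entry `/usr/share/cluster/fence_scsi_check.* -- gen_context(system_u:object_r:fenced_exec_t,s0)` is open-ended on the right, so any regular file whose name merely starts with fence_scsi_check — an editor backup, a leftover `.orig`, a bytecode cache — becomes an entrypoint into fenced_t, which is a lot to hand out for what the changelog describes as one python script. If the intent is a fixed set of shipped variants (the hunk does not show which), enumerate them or anchor the suffix instead of `.*`, e.g. `/usr/share/cluster/fence_scsi_check(_[a-z]+)? --`, adjusted to the actual file names in the fence-agents package.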
@@ -84582,24 +84612,26 @@ index 6cf79c4..448a0c5 100644 ') optional_policy(` -@@ -190,12 +484,13 @@ optional_policy(` +@@ -190,12 +484,17 @@ optional_policy(` ') optional_policy(` - gnome_read_generic_home_content(fenced_t) -+ lvm_domtrans(fenced_t) -+ lvm_read_config(fenced_t) -+ lvm_stream_connect(fenced_t) ++ libs_exec_ldconfig(fenced_t) ') optional_policy(` -- lvm_domtrans(fenced_t) -- lvm_read_config(fenced_t) + lvm_domtrans(fenced_t) + lvm_read_config(fenced_t) ++ lvm_stream_connect(fenced_t) ++') ++ ++optional_policy(` + sanlock_domtrans(fenced_t) ') optional_policy(` -@@ -203,6 +498,13 @@ optional_policy(` +@@ -203,6 +502,17 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -84610,10 +84642,14 @@ index 6cf79c4..448a0c5 100644 + virt_stream_connect(fenced_t) +') + ++optional_policy(` ++ watchdog_unconfined_exec_read_lnk_files(fenced_t) ++') ++ ####################################### # # foghorn local policy -@@ -221,16 +523,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +531,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -84634,7 +84670,7 @@ index 6cf79c4..448a0c5 100644 snmp_stream_connect(foghorn_t) ') -@@ -247,16 +551,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ +@@ -247,16 +559,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -84656,7 +84692,7 @@ index 6cf79c4..448a0c5 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +583,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +591,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) 
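Review bot: The new `watchdog_unconfined_exec_read_lnk_files(fenced_t)` block in rhcs.te gives no hint why the fence daemon needs to follow symlinks labelled watchdog_unconfined_exec_t, and the interface name alone does not explain it. Presumably the fence_scsi_check script is reached through a symlink in watchdog's script directory and the transitioned fenced_t process has to resolve its own path; if so, say it, e.g. `# fence_scsi_check is invoked via a symlink in watchdog's script dir`, so the rule is not dropped by the next cleanup. The fenced_t section starts and ends outside this hunk.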
@@ -84716,7 +84752,7 @@ index 6cf79c4..448a0c5 100644 ###################################### # # qdiskd local policy -@@ -292,7 +647,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +655,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) @@ -84724,7 +84760,7 @@ index 6cf79c4..448a0c5 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +675,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +683,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -112151,11 +112187,37 @@ index eecd0e0..8df2e8c 100644 /var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0) /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) +diff --git a/watchdog.if b/watchdog.if +index 6461a77..146852e 100644 +--- a/watchdog.if ++++ b/watchdog.if +@@ -37,3 +37,21 @@ interface(`watchdog_admin',` + files_search_pids($1) + admin_pattern($1, watchdog_var_run_t) + ') ++ ++####################################### ++## ++## Allow read watchdog_unconfined_t lnk files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`watchdog_unconfined_exec_read_lnk_files',` ++ gen_require(` ++ type watchdog_unconfined_exec_t; ++ ') ++ ++ allow $1 watchdog_unconfined_exec_t:lnk_file read_lnk_file_perms; ++') diff --git a/watchdog.te b/watchdog.te -index 3548317..a6d1675 100644 +index 3548317..fc3da17 100644 --- a/watchdog.te +++ b/watchdog.te -@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) +@@ -12,34 +12,47 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) type watchdog_initrc_exec_t; init_script_file(watchdog_initrc_exec_t) 
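Review bot: The summary of the new `watchdog_unconfined_exec_read_lnk_files` interface in watchdog.if says "Allow read watchdog_unconfined_t lnk files", but the rule it grants is `allow $1 watchdog_unconfined_exec_t:lnk_file read_lnk_file_perms;`, i.e. the exec type, not the domain; the doc should match the type actually required in gen_require. I would rewrite it as `Allow the domain to read symlinks labelled watchdog_unconfined_exec_t (watchdog's script entry points).` and keep the `_exec_` in the name, which is already correct. The rest of watchdog.if above the added interface is unchanged and only partly visible here.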
@@ -112183,12 +112245,12 @@ index 3548317..a6d1675 100644 allow watchdog_t self:fifo_file rw_fifo_file_perms; allow watchdog_t self:tcp_socket { accept listen }; +allow watchdog_t self:rawip_socket create_socket_perms; -+ -+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) -+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) ++manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) ++manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t) ++ +manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) +manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) +logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file}) @@ -112200,7 +112262,13 @@ index 3548317..a6d1675 100644 kernel_read_system_state(watchdog_t) kernel_read_kernel_sysctls(watchdog_t) kernel_unmount_proc(watchdog_t) -@@ -63,7 +75,6 @@ domain_signull_all_domains(watchdog_t) + + corecmd_exec_shell(watchdog_t) ++corecmd_exec_bin(watchdog_t) + + corenet_all_recvfrom_unlabeled(watchdog_t) + corenet_all_recvfrom_netlabel(watchdog_t) +@@ -63,7 +76,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) @@ -112208,7 +112276,7 @@ index 3548317..a6d1675 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -72,17 +83,20 @@ fs_getattr_all_fs(watchdog_t) +@@ -72,17 +84,20 @@ fs_getattr_all_fs(watchdog_t) fs_search_auto_mountpoints(watchdog_t) auth_append_login_records(watchdog_t) 
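Review bot: `corecmd_exec_bin(watchdog_t)`, added right after the existing `corecmd_exec_shell(watchdog_t)`, lets a domain that further down already holds domain_signal_all_domains and domain_kill_all_domains execute every bin_t program in its own domain, which is far broader than the single fenced python script the changelog describes. If the only new need is to launch fence_scsi_check, the fenced_t transition added elsewhere in this commit should cover that exec and this rule can go; if watchdog genuinely runs interpreters or repair tools in watchdog_t, say so in a comment, e.g. `# watchdog runs test/repair helpers from its script dir in its own domain`. The watchdog_t section runs past both ends of this hunk.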
@@ -112231,11 +112299,25 @@ index 3548317..a6d1675 100644 mta_send_mail(watchdog_t) ') -@@ -97,3 +111,28 @@ optional_policy(` +@@ -91,9 +106,42 @@ optional_policy(` + ') + + optional_policy(` ++ rhcs_domtrans_fenced(watchdog_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(watchdog_t) + ') + optional_policy(` udev_read_db(watchdog_t) ') + ++optional_policy(` ++ watchdog_unconfined_exec_read_lnk_files(watchdog_t) ++') ++ +######################################## +# +# watchdog_unconfined_script_t local policy diff --git a/selinux-policy.spec b/selinux-policy.spec index 80ee139..43d45ea 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 144%{?dist} +Release: 145%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -647,6 +647,15 @@ exit 0 %endif %changelog +* Sun Aug 30 2015 Lukas Vrabec 3.13.1-145 +- Allow watchdog execute fenced python script. +- Added inferface watchdog_unconfined_exec_read_lnk_files() +- Allow pmweb daemon to exec shell. BZ(1256127) +- Allow pmweb daemon to read system state. BZ(#1256128) +- Add file transition that cermonger can create /run/ipa/renewal.lock with label ipa_var_run_t. +- Revert "Revert default_range change in targeted policy" +- Allow dhcpc_t domain transition to chronyd_t + * Mon Aug 24 2015 Lukas Vrabec 3.13.1-144 - Allow pmlogger to create pmlogger.primary.socket link file. BZ(1254080) - Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764)
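Review bot: `rhcs_domtrans_fenced(watchdog_t)` only takes effect when watchdog execve()s a file labelled fenced_exec_t directly; if watchdog launches the script as `python /usr/share/cluster/fence_scsi_check...`, the exec target is the interpreter (bin_t), the transition never fires and the script keeps running in watchdog_t under the corecmd_exec_bin rule added earlier in this commit. Worth confirming how watchdog invokes it and recording that above the call, e.g. `# fence_scsi_check is execve()d via its shebang, so it transitions to fenced_t`. The `watchdog_unconfined_exec_read_lnk_files(watchdog_t)` block below would also benefit from a one-line reason, since a domain reading symlinks under its own script directory is not obvious from the interface name. The watchdog_t section ends outside this hunk.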