From 24d43eb10dc9b6a316a91f3cbbfba1a01965d5b4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 14 2014 15:06:50 +0000 Subject: * Fri Nov 14 2014 Lukas Vrabec 3.13.1-93 - Allow bumblebee to use nsswitch. BZ(1155339) - Allow openvpn to stream connect to networkmanager. BZ(1164182) - Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS. - Allow cpuplug rw virtual memory sysctl. BZ (1077831) - Docker needs to write to sysfs, needs back port to F20,F21, RHEL7 --- diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 99e193a..9fc84d2 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10820,7 +10820,7 @@ index 0000000..de66654 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..cccf2f7 +index 0000000..23a4606 --- /dev/null +++ b/bumblebee.te @@ -0,0 +1,61 @@ @@ -10867,7 +10867,7 @@ index 0000000..cccf2f7 + +dev_read_sysfs(bumblebee_t) + -+auth_read_passwd(bumblebee_t) ++auth_use_nsswitch(bumblebee_t) + +logging_send_syslog_msg(bumblebee_t) + @@ -16738,10 +16738,10 @@ index 0000000..c68d1d3 +') diff --git a/cpuplug.te b/cpuplug.te new file mode 100644 -index 0000000..11361fc +index 0000000..074f3e0 --- /dev/null +++ b/cpuplug.te -@@ -0,0 +1,39 @@ +@@ -0,0 +1,40 @@ +policy_module(cpuplug, 1.0.0) + +######################################## @@ -16776,6 +16776,7 @@ index 0000000..11361fc +files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file }) + +kernel_read_system_state(cpuplug_t) ++kernel_rw_vm_sysctls(cpuplug_t) + +dev_rw_sysfs(cpuplug_t) + @@ -25061,7 +25062,7 @@ index 0000000..2a614ed +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..a1ed007 +index 0000000..17a2829 --- /dev/null +++ b/docker.te @@ -0,0 +1,285 @@ 
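Review bot: Swapping `auth_read_passwd(bumblebee_t)` for `auth_use_nsswitch(bumblebee_t)` in the bumblebee.te hunk is a noticeably wider grant than the one it replaces: in Fedora's authlogin policy that interface covers not only /etc/passwd reads but also DNS resolution and the local name-service sockets (nscd, sssd, winbind, LDAP where those modules are present). That is the right interface if bumblebee resolves users through getpw*() against networked accounts, which BZ(1155339) presumably shows, but nothing in the file records why the broader rule is needed. A one-line comment above it, `# BZ 1155339: user lookups go through NSS, not only /etc/passwd`, would keep it from being trimmed back later. bumblebee.te is a new file whose remaining lines lie outside this hunk.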
@@ -25269,7 +25270,7 @@ index 0000000..a1ed007 +dev_getattr_sysfs_fs(docker_t) +dev_read_urand(docker_t) +dev_read_lvm_control(docker_t) -+dev_read_sysfs(docker_t) ++dev_rw_sysfs(docker_t) +dev_rw_loop_control(docker_t) +dev_rw_lvm_control(docker_t) + @@ -61914,7 +61915,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 63957a3..e059df5 100644 +index 63957a3..3eb9dc1 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) @@ -62050,8 +62051,11 @@ index 63957a3..e059df5 100644 daemontools_service_domain(openvpn_t, openvpn_exec_t) ') -@@ -175,3 +203,27 @@ optional_policy(` +@@ -173,5 +201,30 @@ optional_policy(` + + optional_policy(` networkmanager_dbus_chat(openvpn_t) ++ networkmanager_stream_connect(openvpn_t) ') ') + @@ -88291,7 +88295,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..fdfd40f 100644 +index 2b7c441..3fb8192 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -88863,7 +88867,21 @@ index 2b7c441..fdfd40f 100644 ') optional_policy(` -@@ -479,6 +484,11 @@ optional_policy(` +@@ -474,11 +479,25 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_bus_client(smbd_t) ++ ++ optional_policy(` ++ oddjob_dbus_chat(smbd_t) ++ oddjob_domtrans_mkhomedir(smbd_t) ++ ') ++') ++ ++optional_policy(` + kerberos_read_keytab(smbd_t) + kerberos_use(smbd_t) ') optional_policy(` @@ -88875,7 +88893,7 @@ index 2b7c441..fdfd40f 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +498,10 @@ optional_policy(` +@@ -488,6 +507,10 @@ optional_policy(` ') optional_policy(` @@ -88886,7 +88904,7 @@ index 2b7c441..fdfd40f 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +513,44 @@ optional_policy(` +@@ -499,9 +522,44 @@ optional_policy(` udev_read_db(smbd_t) ') 
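Review bot: `dev_rw_sysfs(docker_t)` in the docker.te hunk raises docker_t from read to read/write on every file labelled sysfs_t, and neither the hunk nor the changelog says which /sys entries Docker actually writes. If the writes are to cgroup controllers, those are labelled cgroup_t and served by the fs_*_cgroup interfaces rather than sysfs_t, so the sysfs grant would be the wrong tool; if they are elsewhere under /sys the path is worth recording next to the rule, e.g. `# docker writes <SYSFS PATH> (3.13.1-93 changelog)`. The "needs back port to F20,F21, RHEL7" remark is a tracking reminder that belongs in a bug rather than a %changelog entry. docker.te is a new file whose remainder lies outside this hunk.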
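Review bot: In the samba.te hunk, `oddjob_domtrans_mkhomedir(smbd_t)` presumably lets smbd execute the mkhomedir helper and transition into its domain itself, whereas pam_oddjob_mkhomedir works by asking oddjobd over D-Bus — the path the new `dbus_system_bus_client(smbd_t)` and `oddjob_dbus_chat(smbd_t)` already cover — so the domtrans looks wider than the stated use case and is worth checking against the motivating denial before keeping it. The commit message ties the change to MLS, but the block is unconditional and carries no bug reference, so a short comment is warranted, e.g. `# pam_oddjob_mkhomedir: smbd asks oddjobd over D-Bus to create home directories`. The rewritten inner hunk header and the +9 offsets on the later samba.te hunks are consistent with the nine added lines.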
@@ -88932,7 +88950,7 @@ index 2b7c441..fdfd40f 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +561,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +570,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -88947,7 +88965,7 @@ index 2b7c441..fdfd40f 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +577,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +586,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -88971,7 +88989,7 @@ index 2b7c441..fdfd40f 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -547,53 +593,44 @@ kernel_read_kernel_sysctls(nmbd_t) +@@ -547,53 +602,44 @@ kernel_read_kernel_sysctls(nmbd_t) kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -89022,14 +89040,14 @@ index 2b7c441..fdfd40f 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -89040,7 +89058,7 @@ index 2b7c441..fdfd40f 100644 ') optional_policy(` -@@ -606,16 +643,22 @@ optional_policy(` +@@ -606,16 +652,22 @@ optional_policy(` ######################################## # 
@@ -89067,7 +89085,7 @@ index 2b7c441..fdfd40f 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +670,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +679,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -89085,7 +89103,7 @@ index 2b7c441..fdfd40f 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +682,23 @@ optional_policy(` +@@ -644,22 +691,23 @@ optional_policy(` ######################################## # @@ -89117,7 +89135,7 @@ index 2b7c441..fdfd40f 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +707,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +716,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -89153,19 +89171,19 @@ index 2b7c441..fdfd40f 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +734,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +743,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) -auth_use_nsswitch(smbmount_t) +corecmd_list_bin(smbmount_t) - --miscfiles_read_localization(smbmount_t) ++ +files_list_mnt(smbmount_t) +files_mounton_mnt(smbmount_t) +files_manage_etc_runtime_files(smbmount_t) +files_etc_filetrans_etc_runtime(smbmount_t, file) -+ + +-miscfiles_read_localization(smbmount_t) +auth_use_nsswitch(smbmount_t) -mount_use_fds(smbmount_t) 
@@ -89205,13 +89223,13 @@ index 2b7c441..fdfd40f 100644 -allow swat_t { nmbd_t smbd_t }:process { signal signull }; +samba_domtrans_smbd(swat_t) +allow swat_t smbd_t:process { signal signull }; -+ -+samba_domtrans_nmbd(swat_t) -+allow swat_t nmbd_t:process { signal signull }; -+allow nmbd_t swat_t:process signal; -allow swat_t smbd_var_run_t:file read_file_perms; -allow swat_t smbd_var_run_t:file { lock delete_file_perms }; ++samba_domtrans_nmbd(swat_t) ++allow swat_t nmbd_t:process { signal signull }; ++allow nmbd_t swat_t:process signal; ++ +read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) +stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) + @@ -89245,7 +89263,7 @@ index 2b7c441..fdfd40f 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +813,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +822,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -89269,7 +89287,7 @@ index 2b7c441..fdfd40f 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +827,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +836,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -89312,7 +89330,7 @@ index 2b7c441..fdfd40f 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +857,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +866,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -89326,7 +89344,7 @@ index 2b7c441..fdfd40f 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +880,20 @@ optional_policy(` +@@ -840,17 +889,20 @@ optional_policy(` # Winbind local policy # 
@@ -89352,7 +89370,7 @@ index 2b7c441..fdfd40f 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +903,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +912,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -89363,7 +89381,7 @@ index 2b7c441..fdfd40f 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,38 +914,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,38 +923,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -89416,7 +89434,7 @@ index 2b7c441..fdfd40f 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,38 +956,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,38 +965,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -89475,7 +89493,7 @@ index 2b7c441..fdfd40f 100644 ') optional_policy(` -@@ -959,31 +1017,35 @@ optional_policy(` +@@ -959,31 +1026,35 @@ optional_policy(` # Winbind helper local policy # @@ -89518,7 +89536,7 @@ index 2b7c441..fdfd40f 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1059,38 @@ optional_policy(` +@@ -997,25 +1068,38 @@ optional_policy(` ######################################## # diff --git a/selinux-policy.spec b/selinux-policy.spec index af9250f..6efdd23 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 92%{?dist}
+Release: 93%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,7 +604,14 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
-* Mon Nov 10 2014 Lukas Vrabec 3.12.1-92
+* Fri Nov 14 2014 Lukas Vrabec 3.13.1-93
+- Allow bumblebee to use nsswitch. BZ(1155339)
+- Allow openvpn to stream connect to networkmanager. BZ(1164182)
+- Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS.
+- Allow cpuplug rw virtual memory sysctl. BZ (1077831)
+- Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
+
+* Mon Nov 10 2014 Lukas Vrabec 3.13.1-92
 - Add kdump_rw_inherited_kdumpctl_tmp_pipes()
 - Added fixes related to linuxptp. BZ (1149693)
 - Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424