From 2818673721f7981f6edec07e236927aabff9cacb Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 14 2015 07:29:16 +0000 Subject: * Mon Sep 14 2015 Lukas Vrabec 3.13.1-147 - named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272) - Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling. - Dontaudit fenced search gnome config - Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180) - Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t. - Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon - Fix labeling for fence_scsi_check script - Allow openhpid to read system state Aloow openhpid to connect to tcp http port. - Allow openhpid to read snmp var lib files. - Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe - Fix regexp in chronyd.fc file - systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175) - Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS. - Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t - Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f7031bd..0f02a50 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3466,7 +3466,7 @@ index 7590165..d81185e 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..d41bb39 100644 +index 33e0f8d..e16fba2 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
@@ -3728,13 +3728,12 @@ index 33e0f8d..d41bb39 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +343,15 @@ ifdef(`distro_gentoo',` +@@ -280,10 +343,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) -+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3744,7 +3743,7 @@ index 33e0f8d..d41bb39 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +366,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +365,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3769,7 +3768,7 @@ index 33e0f8d..d41bb39 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +399,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +398,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3798,7 +3797,7 @@ index 33e0f8d..d41bb39 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +427,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +426,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -3806,7 +3805,7 @@ index 33e0f8d..d41bb39 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,17 +469,34 @@ ifdef(`distro_suse', ` +@@ -387,17 +468,34 @@ ifdef(`distro_suse', ` # # /var # @@ -10085,7 +10084,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..e8da15e 100644 +index cf04cb5..e9c1427 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) 
@@ -10238,7 +10237,7 @@ index cf04cb5..e8da15e 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +242,365 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +242,369 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -10379,6 +10378,10 @@ index cf04cb5..e8da15e 100644 +') + +optional_policy(` ++ iptables_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` + kerberos_filetrans_named_content(named_filetrans_domain) +') + @@ -22428,7 +22431,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..f2029b6 100644 +index 2522ca6..0371f63 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) @@ -22634,7 +22637,7 @@ index 2522ca6..f2029b6 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -175,6 +249,13 @@ optional_policy(` +@@ -175,10 +249,27 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -22648,23 +22651,21 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -182,6 +263,15 @@ optional_policy(` - ') - - optional_policy(` -+ irc_role(sysadm_r, sysadm_t) + iptables_run(sysadm_t, sysadm_r) ++ iptables_filetrans_named_content(sysadm_t) +') + +optional_policy(` -+ kerberos_exec_kadmind(sysadm_t) -+ kerberos_filetrans_named_content(sysadm_t) ++ irc_role(sysadm_r, sysadm_t) +') + +optional_policy(` - kudzu_run(sysadm_t, sysadm_r) ++ kerberos_exec_kadmind(sysadm_t) ++ kerberos_filetrans_named_content(sysadm_t) ') -@@ -190,11 +280,12 @@ optional_policy(` + optional_policy(` +@@ -190,11 +281,12 @@ optional_policy(` ') optional_policy(` 
@@ -22679,7 +22680,7 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -210,22 +301,20 @@ optional_policy(` +@@ -210,22 +302,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -22708,7 +22709,7 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -237,14 +326,28 @@ optional_policy(` +@@ -237,14 +327,28 @@ optional_policy(` ') optional_policy(` @@ -22737,7 +22738,7 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -252,10 +355,20 @@ optional_policy(` +@@ -252,10 +356,20 @@ optional_policy(` ') optional_policy(` @@ -22758,7 +22759,7 @@ index 2522ca6..f2029b6 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +379,41 @@ optional_policy(` +@@ -266,35 +380,41 @@ optional_policy(` ') optional_policy(` @@ -22807,7 +22808,7 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -308,6 +427,7 @@ optional_policy(` +@@ -308,6 +428,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -22815,7 +22816,7 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -315,12 +435,20 @@ optional_policy(` +@@ -315,12 +436,20 @@ optional_policy(` ') optional_policy(` @@ -22837,7 +22838,7 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -345,30 +473,37 @@ optional_policy(` +@@ -345,30 +474,37 @@ optional_policy(` ') optional_policy(` @@ -22884,7 +22885,7 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -380,10 +515,6 @@ optional_policy(` +@@ -380,10 +516,6 @@ optional_policy(` ') optional_policy(` @@ -22895,7 +22896,7 @@ index 2522ca6..f2029b6 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +522,9 @@ optional_policy(` +@@ -391,6 +523,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) 
@@ -22905,7 +22906,7 @@ index 2522ca6..f2029b6 100644 ') optional_policy(` -@@ -398,31 +532,34 @@ optional_policy(` +@@ -398,31 +533,34 @@ optional_policy(` ') optional_policy(` @@ -22946,7 +22947,7 @@ index 2522ca6..f2029b6 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +572,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +573,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22957,7 +22958,7 @@ index 2522ca6..f2029b6 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +592,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +593,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -35737,7 +35738,7 @@ index 73a1c4e..ec4c7c7 100644 + +/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index c42fbc3..277fe6c 100644 +index c42fbc3..bf211db 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -17,10 +17,6 @@ interface(`iptables_domtrans',` @@ -35782,6 +35783,28 @@ index c42fbc3..277fe6c 100644 ##################################### ## ## Set the attributes of iptables config files. +@@ -163,3 +183,21 @@ interface(`iptables_manage_config',` + files_search_etc($1) + manage_files_pattern($1, iptables_conf_t, iptables_conf_t) + ') ++ ++######################################## ++## ++## Transition to iptables named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`iptables_filetrans_named_content',` ++ gen_require(` ++ type iptables_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") ++') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index be8ed1e..3c2729f 100644 --- a/policy/modules/system/iptables.te @@ -44649,10 +44672,10 @@ index 0000000..cde0261 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..dff8d54 +index 0000000..8209291 
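Review bot: The new `iptables_filetrans_named_content` interface only transitions a file literally named `xtables.lock`, while the iptables.fc entry shown as context earlier in this patch (`/var/run/xtables.* -- gen_context(system_u:object_r:iptables_var_run_t,s0)`) labels any `/var/run/xtables.*` name. A file created under some other matching name by a named_filetrans_domain caller would keep the pid directory's default type until a relabel; if `xtables.lock` is the only file written there this is fine, but that assumption belongs in the interface header, e.g. `## Only xtables.lock is transitioned; iptables.fc covers /var/run/xtables.* for relabeling.` The interface grants no access on its own: callers still need create/write permission on `iptables_var_run_t`, which this chunk does not show for `named_filetrans_domain`.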
--- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,723 @@ +@@ -0,0 +1,725 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -44780,6 +44803,8 @@ index 0000000..dff8d54 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) +manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) + ++systemd_start_power_services(systemd_logind_t) ++ +dev_getattr_all_chr_files(systemd_logind_t) +dev_getattr_all_blk_files(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) @@ -45674,7 +45699,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..125f7fe 100644 +index 39f185f..5658ab4 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -45712,17 +45737,18 @@ index 39f185f..125f7fe 100644 allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; -@@ -53,7 +54,9 @@ allow udev_t self:unix_stream_socket { listen accept }; +@@ -53,7 +54,10 @@ allow udev_t self:unix_stream_socket { listen accept }; allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; +allow udev_t self:netlink_generic_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; +allow udev_t self:netlink_socket create_socket_perms; ++allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -64,31 +67,39 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -64,31 +68,39 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; 
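Review bot: The added `allow udev_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };` spells out the permission set that refpolicy already names `create_netlink_socket_perms`, the macro this same commit uses for NetworkManager_t's netlink_route_socket in networkmanager.te; `allow udev_t self:netlink_route_socket create_netlink_socket_perms;` keeps the two consistent. `nlmsg_write` is what the changelog needs for renaming interfaces, but it also permits other route-table modifications, so a one-line comment citing the purpose, `# rename network interfaces without unconfined.pp (also needed on MLS)`, would help a later audit of udev's netlink scope.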
@@ -45769,7 +45795,7 @@ index 39f185f..125f7fe 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t) +@@ -99,6 +111,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -45777,7 +45803,7 @@ index 39f185f..125f7fe 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -107,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -45813,7 +45839,7 @@ index 39f185f..125f7fe 100644 mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) -@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t) +@@ -145,17 +166,20 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -45835,7 +45861,7 @@ index 39f185f..125f7fe 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,9 +192,13 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -169,9 +193,13 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) @@ -45850,7 +45876,7 @@ index 39f185f..125f7fe 100644 ifdef(`distro_debian',` files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug") -@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',` +@@ -195,16 +223,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -45869,7 +45895,7 @@ index 39f185f..125f7fe 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -242,6 +262,7 @@ optional_policy(` +@@ -242,6 +263,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) 
@@ -45877,7 +45903,7 @@ index 39f185f..125f7fe 100644 ') optional_policy(` -@@ -249,17 +270,31 @@ optional_policy(` +@@ -249,17 +271,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` @@ -45911,7 +45937,7 @@ index 39f185f..125f7fe 100644 ') optional_policy(` -@@ -289,6 +324,10 @@ optional_policy(` +@@ -289,6 +325,10 @@ optional_policy(` ') optional_policy(` @@ -45922,7 +45948,7 @@ index 39f185f..125f7fe 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -303,6 +342,15 @@ optional_policy(` +@@ -303,6 +343,15 @@ optional_policy(` ') optional_policy(` @@ -45938,7 +45964,7 @@ index 39f185f..125f7fe 100644 unconfined_signal(udev_t) ') -@@ -315,6 +363,7 @@ optional_policy(` +@@ -315,6 +364,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e6c90eb..56e5efb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9476,7 +9476,7 @@ index 531a8f2..0b86f2f 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 1241123..e196b89 100644 +index 1241123..cce7112 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9520,7 +9520,11 @@ index 1241123..e196b89 100644 logging_log_filetrans(named_t, named_log_t, file) manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) -@@ -115,7 +117,6 @@ kernel_read_network_state(named_t) +@@ -112,10 +114,10 @@ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t) + kernel_read_kernel_sysctls(named_t) + kernel_read_system_state(named_t) + kernel_read_network_state(named_t) ++kernel_read_net_sysctls(named_t) corecmd_search_bin(named_t) 
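Review bot: `kernel_read_net_sysctls(named_t)` grants read access to the whole `sysctl_net_t` tree, while the changelog names a single file, `/proc/sys/net/ipv4/ip_local_port_range`. Refpolicy does not appear to offer a finer-grained interface for that path, so the wider read-only grant is understandable, but the reason should be recorded next to the rule so it is not later taken as a general requirement: `# BZ(#1260272): named reads ip_local_port_range (sysctl_net_t)`.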
@@ -9528,7 +9532,7 @@ index 1241123..e196b89 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -144,6 +145,7 @@ corenet_tcp_sendrecv_all_ports(named_t) +@@ -144,6 +146,7 @@ corenet_tcp_sendrecv_all_ports(named_t) dev_read_sysfs(named_t) dev_read_rand(named_t) dev_read_urand(named_t) @@ -9536,7 +9540,7 @@ index 1241123..e196b89 100644 domain_use_interactive_fds(named_t) -@@ -175,6 +177,19 @@ tunable_policy(`named_write_master_zones',` +@@ -175,6 +178,19 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -9556,7 +9560,7 @@ index 1241123..e196b89 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -187,7 +202,13 @@ optional_policy(` +@@ -187,7 +203,13 @@ optional_policy(` ') optional_policy(` @@ -9570,7 +9574,7 @@ index 1241123..e196b89 100644 kerberos_use(named_t) ') -@@ -215,7 +236,8 @@ optional_policy(` +@@ -215,7 +237,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -9580,7 +9584,7 @@ index 1241123..e196b89 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -229,10 +251,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -229,10 +252,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -9592,7 +9596,7 @@ index 1241123..e196b89 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -242,6 +263,9 @@ corenet_tcp_bind_generic_node(ndc_t) +@@ -242,6 +264,9 @@ corenet_tcp_bind_generic_node(ndc_t) corenet_tcp_connect_rndc_port(ndc_t) corenet_sendrecv_rndc_client_packets(ndc_t) 
@@ -9602,7 +9606,7 @@ index 1241123..e196b89 100644 domain_use_interactive_fds(ndc_t) files_search_pids(ndc_t) -@@ -257,7 +281,7 @@ init_use_script_ptys(ndc_t) +@@ -257,7 +282,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -12985,7 +12989,7 @@ index 0000000..5955ff0 + gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) +') diff --git a/chronyd.fc b/chronyd.fc -index 4e4143e..16d23e1 100644 +index 4e4143e..36ee9e1 100644 --- a/chronyd.fc +++ b/chronyd.fc @@ -1,13 +1,17 @@ @@ -13003,8 +13007,9 @@ index 4e4143e..16d23e1 100644 /var/log/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_log_t,s0) - /var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) -+/var/run/chrony-helper(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) +-/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) ++/var/run/chronyd(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0) ++/var/run/chrony-helper(/.*)? gen_context(system_u:object_r:chronyd_var_run_t,s0) /var/run/chronyd\.pid -- gen_context(system_u:object_r:chronyd_var_run_t,s0) /var/run/chronyd\.sock -s gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/chronyd.if b/chronyd.if @@ -57241,7 +57246,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..b84767b 100644 +index 55f2009..4a29f9c 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -57266,7 +57271,7 @@ index 55f2009..b84767b 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,25 +42,55 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,25 +42,56 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # 
@@ -57298,6 +57303,7 @@ index 55f2009..b84767b 100644 -allow NetworkManager_t self:unix_stream_socket { accept listen }; +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; +allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto }; ++allow NetworkManager_t self:netlink_generic_socket create_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; +allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_socket create_socket_perms; @@ -57331,7 +57337,7 @@ index 55f2009..b84767b 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,6 +101,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,6 +102,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -57339,7 +57345,7 @@ index 55f2009..b84767b 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,17 +115,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,17 +116,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) 
@@ -57359,7 +57365,7 @@ index 55f2009..b84767b 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,36 +134,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,36 +135,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -57401,7 +57407,7 @@ index 55f2009..b84767b 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +160,36 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +161,36 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -57439,7 +57445,7 @@ index 55f2009..b84767b 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +204,34 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +205,34 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -57478,7 +57484,7 @@ index 55f2009..b84767b 100644 ') optional_policy(` -@@ -196,10 +247,6 @@ optional_policy(` +@@ -196,10 +248,6 @@ optional_policy(` ') optional_policy(` @@ -57489,7 +57495,7 @@ index 55f2009..b84767b 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +257,11 @@ optional_policy(` +@@ -210,16 +258,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -57508,7 +57514,7 @@ index 55f2009..b84767b 100644 ') ') -@@ -231,10 +273,17 @@ optional_policy(` +@@ -231,10 +274,17 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
@@ -57527,7 +57533,7 @@ index 55f2009..b84767b 100644 ') optional_policy(` -@@ -246,10 +295,26 @@ optional_policy(` +@@ -246,10 +296,26 @@ optional_policy(` ') optional_policy(` @@ -57554,7 +57560,7 @@ index 55f2009..b84767b 100644 ') optional_policy(` -@@ -257,15 +322,19 @@ optional_policy(` +@@ -257,15 +323,19 @@ optional_policy(` ') optional_policy(` @@ -57576,7 +57582,7 @@ index 55f2009..b84767b 100644 ') optional_policy(` -@@ -274,10 +343,17 @@ optional_policy(` +@@ -274,10 +344,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -57594,7 +57600,7 @@ index 55f2009..b84767b 100644 ') optional_policy(` -@@ -286,9 +362,12 @@ optional_policy(` +@@ -286,9 +363,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) @@ -57607,7 +57613,7 @@ index 55f2009..b84767b 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +375,7 @@ optional_policy(` +@@ -296,7 +376,7 @@ optional_policy(` ') optional_policy(` @@ -57616,7 +57622,7 @@ index 55f2009..b84767b 100644 ') optional_policy(` -@@ -307,6 +386,7 @@ optional_policy(` +@@ -307,6 +387,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -57624,7 +57630,7 @@ index 55f2009..b84767b 100644 ') optional_policy(` -@@ -320,14 +400,21 @@ optional_policy(` +@@ -320,14 +401,21 @@ optional_policy(` ') optional_policy(` @@ -57651,7 +57657,7 @@ index 55f2009..b84767b 100644 ') optional_policy(` -@@ -357,6 +444,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +445,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -62320,10 +62326,10 @@ index 0000000..598789a + 
diff --git a/openhpid.te b/openhpid.te new file mode 100644 -index 0000000..ade6576 +index 0000000..2cb47c8 --- /dev/null +++ b/openhpid.te -@@ -0,0 +1,52 @@ +@@ -0,0 +1,59 @@ +policy_module(openhpid, 1.0.0) + +######################################## @@ -62365,8 +62371,11 @@ index 0000000..ade6576 +manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t) +files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file }) + ++kernel_read_system_state(openhpid_t) ++ +corenet_tcp_bind_generic_node(openhpid_t) +corenet_tcp_bind_openhpid_port(openhpid_t) ++corenet_tcp_connect_http_port(openhpid_t) + +dev_read_urand(openhpid_t) +dev_rw_watchdog(openhpid_t) @@ -62376,6 +62385,10 @@ index 0000000..ade6576 +miscfiles_read_generic_certs(openhpid_t) + +sysnet_read_config(openhpid_t) ++ ++optional_policy(` ++ snmp_read_snmp_var_lib_files(openhpid_t) ++') diff --git a/openshift-origin.fc b/openshift-origin.fc new file mode 100644 index 0000000..30ca148 @@ -64677,7 +64690,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..eb8d420 100644 +index 44dbc99..ba23186 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -64742,7 +64755,7 @@ index 44dbc99..eb8d420 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +68,46 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -65,33 +68,47 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) 
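Review bot: `corenet_tcp_connect_http_port(openhpid_t)` is added unconditionally, and neither the rule nor the changelog says which openhpid feature needs outbound HTTP. Elsewhere in this patch outbound network access for a daemon is gated by a tunable (`fenced_can_network_connect` in rhcs.te), which is the usual pattern when only some deployments need it; if that applies here, wrap the call in `tunable_policy`, and otherwise add a comment naming the consumer, e.g. `# outbound http: <openhpid plugin/feature — TODO fill in>`. The `snmp_read_snmp_var_lib_files` call in the following hunk is correctly inside `optional_policy`, so the module still builds without the snmp module.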
@@ -64787,6 +64800,7 @@ index 44dbc99..eb8d420 100644 +modutils_exec_insmod(openvswitch_t) +modutils_list_module_config(openvswitch_t) +modutils_read_module_config(openvswitch_t) ++modutils_read_module_deps(openvswitch_t) sysnet_dns_name_resolve(openvswitch_t) @@ -83435,7 +83449,7 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..9ecda11 100644 +index 47de2d6..dfb3396 100644 --- a/rhcs.fc +++ b/rhcs.fc @@ -1,31 +1,95 @@ @@ -83528,7 +83542,7 @@ index 47de2d6..9ecda11 100644 + +/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) + -+/usr/share/cluster/fence_scsi_check.* -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0) + +/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) + @@ -84405,7 +84419,7 @@ index c8bdea2..29df561 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..9d253c3 100644 +index 6cf79c4..2c7b543 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -84854,7 +84868,7 @@ index 6cf79c4..9d253c3 100644 ') optional_policy(` -@@ -203,6 +502,17 @@ optional_policy(` +@@ -203,6 +502,21 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -84869,10 +84883,14 @@ index 6cf79c4..9d253c3 100644 + watchdog_unconfined_exec_read_lnk_files(fenced_t) +') + ++optional_policy(` ++ gnome_dontaudit_search_config(fenced_t) ++') ++ ####################################### # # foghorn local policy -@@ -221,16 +531,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +535,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) 
@@ -84893,7 +84911,7 @@ index 6cf79c4..9d253c3 100644 snmp_stream_connect(foghorn_t) ') -@@ -247,16 +559,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ +@@ -247,16 +563,20 @@ stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_ stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -84915,7 +84933,7 @@ index 6cf79c4..9d253c3 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +591,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +595,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -84975,7 +84993,7 @@ index 6cf79c4..9d253c3 100644 ###################################### # # qdiskd local policy -@@ -292,7 +655,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) +@@ -292,7 +659,6 @@ manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t) files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file }) @@ -84983,7 +85001,7 @@ index 6cf79c4..9d253c3 100644 kernel_read_software_raid_state(qdiskd_t) kernel_getattr_core_if(qdiskd_t) -@@ -321,6 +683,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +687,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -93700,37 +93718,44 @@ index 0000000..7a8e744 +userdom_dontaudit_open_user_ptys(sandbox_x_domain) + diff --git a/sanlock.fc b/sanlock.fc -index 3df2a0f..4eb82b8 100644 +index 3df2a0f..7264d8a 100644 --- a/sanlock.fc 
+++ b/sanlock.fc -@@ -1,7 +1,12 @@ +@@ -1,7 +1,18 @@ + /etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) -/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) -+/etc/sanlock(/.*)? gen_context(system_u:object_r:sanlock_conf_t,s0) ++/etc/sanlock(/.*)? gen_context(system_u:object_r:sanlock_conf_t,s0) + +/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) ++ ++/var/run/sanlk-resetd(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) + +/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0) ++ ++/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) ++ ++/usr/sbin/sanlk-resetd -- gen_context(system_u:object_r:sanlk_resetd_exec_t,s0) -/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) -+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) ++/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0) -/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0) -+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0) ++/usr/lib/systemd/system/sanlk-resetd\.service -- gen_context(system_u:object_r:sanlk_resetd_unit_file_t,s0) diff --git a/sanlock.if b/sanlock.if -index cd6c213..82a5ff0 100644 +index cd6c213..372c7bb 100644 --- a/sanlock.if +++ b/sanlock.if -@@ -1,4 +1,5 @@ +@@ -1,4 +1,6 @@ -## shared storage lock manager. + -+## policy for sanlock ++## Sanlock - lock manager built on shared storage. ++ ######################################## ## -@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',` +@@ -15,18 +17,17 @@ interface(`sanlock_domtrans',` type sanlock_t, sanlock_exec_t; ') @@ -93752,7 +93777,7 @@ index cd6c213..82a5ff0 100644 ## ## # -@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',` +@@ -40,8 +41,7 @@ interface(`sanlock_initrc_domtrans',` ###################################### ## 
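Review bot: The new `sanlk-resetd` daemon gets its own `sanlk_resetd_exec_t` and `sanlk_resetd_unit_file_t`, but `/var/run/sanlk-resetd(/.*)?` is labeled with sanlock's `sanlock_var_run_t`, so any domain that manages that type can write the other daemon's runtime files. If the two daemons genuinely share state there, say so in a comment next to the entry; if not, a dedicated pid type for the new sub-domain (say `sanlk_resetd_var_run_t`) would keep its footprint separate, matching the separation already chosen for the exec and unit-file types. The sanlock.te side of this change is outside this chunk, so whether sanlk_resetd_t actually receives manage access on `sanlock_var_run_t` is inferred from the labeling only.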
@@ -93762,7 +93787,7 @@ index cd6c213..82a5ff0 100644 ## ## ## -@@ -60,28 +59,51 @@ interface(`sanlock_manage_pid_files',` +@@ -60,28 +60,51 @@ interface(`sanlock_manage_pid_files',` ######################################## ## @@ -93823,7 +93848,7 @@ index cd6c213..82a5ff0 100644 ## ## ## -@@ -97,21 +119,23 @@ interface(`sanlock_stream_connect',` +@@ -97,21 +120,125 @@ interface(`sanlock_stream_connect',` # interface(`sanlock_admin',` gen_require(` 
@@ -93846,20 +93871,120 @@ index cd6c213..82a5ff0 100644 role_transition $2 sanlock_initrc_exec_t system_r; allow $2 system_r; -- files_search_pids($1) -- admin_pattern($1, sanlock_var_run_t) -- -- logging_search_logs($1) -- admin_pattern($1, sanlock_log_t) + virt_systemctl($1) + admin_pattern($1, sanlock_unit_file_t) + allow $1 sanlock_unit_file_t:service all_service_perms; ++') ++ ++######################################## ++## ++## Execute sanlk_resetd_exec_t in the sanlk_resetd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sanlock_domtrans_sanlk_resetd',` ++ gen_require(` ++ type sanlk_resetd_t, sanlk_resetd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, sanlk_resetd_exec_t, sanlk_resetd_t) ++') ++ ++###################################### ++## ++## Execute sanlk_resetd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sanlock_exec_sanlk_resetd',` ++ gen_require(` ++ type sanlk_resetd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, sanlk_resetd_exec_t) ++') ++ ++######################################## ++## ++## Execute sanlk_resetd server in the sanlk_resetd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sanlock_systemctl_sanlk_resetd',` ++ gen_require(` ++ type sanlk_resetd_t; ++ type sanlk_resetd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 sanlk_resetd_unit_file_t:file read_file_perms; ++ allow $1 sanlk_resetd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, sanlk_resetd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an sanlk_resetd environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`sanlock_admin_sanlk_resetd',` ++ gen_require(` ++ type sanlk_resetd_t; ++ type sanlk_resetd_unit_file_t; ++ type sanlk_resetd_unit_file_t; ++ ') ++ ++ allow $1 sanlk_resetd_t:process { signal_perms }; ++ ps_process_pattern($1, sanlk_resetd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 sanlk_resetd_t:process ptrace; ++ ') ++ + files_search_pids($1) +- admin_pattern($1, sanlock_var_run_t) + +- logging_search_logs($1) +- admin_pattern($1, sanlock_log_t) ++ sanlk_resetd_systemctl($1) ++ admin_pattern($1, sanlk_resetd_unit_file_t) ++ allow $1 sanlk_resetd_unit_file_t:service all_service_perms; ++ ++ sanlk_resetd_systemctl($1) ++ admin_pattern($1, sanlk_resetd_unit_file_t) ++ allow $1 sanlk_resetd_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ') diff --git a/sanlock.te b/sanlock.te -index 0045465..2059657 100644 +index 0045465..7afb413 100644 --- a/sanlock.te +++ b/sanlock.te -@@ -6,25 +6,33 @@ policy_module(sanlock, 1.1.0) +@@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0) # ## 
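Review bot: `sanlock_admin_sanlk_resetd` calls `sanlk_resetd_systemctl($1)`, but the interface defined a few lines above is `sanlock_systemctl_sanlk_resetd`; unless a `sanlk_resetd_systemctl` macro exists elsewhere, the call will not expand and the module will fail to build. The same interface lists `type sanlk_resetd_unit_file_t;` twice in its gen_require and repeats the systemctl / `admin_pattern($1, sanlk_resetd_unit_file_t)` / `all_service_perms` triple twice; one copy, with the call corrected to `sanlock_systemctl_sanlk_resetd($1)`, is enough. The header of `sanlock_systemctl_sanlk_resetd` reads "Execute sanlk_resetd server in the sanlk_resetd domain" with a "Domain allowed to transition" parameter, which is copied from the domtrans interface; it should describe what the interface does, e.g. "Execute systemctl commands on the sanlk_resetd service" with "Domain allowed access".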
@@ -93895,23 +94020,30 @@ index 0045465..2059657 100644 type sanlock_exec_t; init_daemon_domain(sanlock_t, sanlock_exec_t) ++type sanlk_resetd_t; ++type sanlk_resetd_exec_t; ++init_daemon_domain(sanlk_resetd_t, sanlk_resetd_exec_t) ++ +type sanlock_conf_t; +files_config_file(sanlock_conf_t) + type sanlock_var_run_t; files_pid_file(sanlock_var_run_t) -@@ -34,6 +42,9 @@ logging_log_file(sanlock_log_t) +@@ -34,6 +46,12 @@ logging_log_file(sanlock_log_t) type sanlock_initrc_exec_t; init_script_file(sanlock_initrc_exec_t) +type sanlock_unit_file_t; +systemd_unit_file(sanlock_unit_file_t) + ++type sanlk_resetd_unit_file_t; ++systemd_unit_file(sanlk_resetd_unit_file_t) ++ ifdef(`enable_mcs',` init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh) ') -@@ -44,17 +55,18 @@ ifdef(`enable_mls',` +@@ -44,17 +62,18 @@ ifdef(`enable_mls',` ######################################## # 
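Review bot: sanlk_resetd_t is declared with `init_daemon_domain` only, while the `ifdef(\`enable_mcs'` block visible just below still calls `init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)` for sanlock_t alone. If sanlk-resetd has to act on the same MCS-ranged objects sanlock does (presumably why sanlock itself is ranged), it will need the equivalent `init_ranged_daemon_domain(sanlk_resetd_t, sanlk_resetd_exec_t, s0 - mcs_systemhigh)` inside that block and likely the enable_mls one; if it does not, a one-line comment beside the new type declarations saying so would stop the next reader from adding it. Only the header of the enable_mls block is visible in this hunk.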
@@ -93925,18 +94057,18 @@ index 0045465..2059657 100644 allow sanlock_t self:fifo_file rw_fifo_file_perms; -allow sanlock_t self:unix_stream_socket { accept listen }; +allow sanlock_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) -+manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) -append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) -setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) ++manage_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) ++manage_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t) ++ +manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) logging_log_filetrans(sanlock_t, sanlock_log_t, file) manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -@@ -65,13 +77,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) +@@ -65,13 +84,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) kernel_read_kernel_sysctls(sanlock_t) @@ -93956,7 +94088,7 @@ index 0045465..2059657 100644 auth_use_nsswitch(sanlock_t) init_read_utmp(sanlock_t) -@@ -79,20 +94,29 @@ init_dontaudit_write_utmp(sanlock_t) +@@ -79,20 +101,29 @@ init_dontaudit_write_utmp(sanlock_t) logging_send_syslog_msg(sanlock_t) @@ -93995,7 +94127,7 @@ index 0045465..2059657 100644 ') optional_policy(` -@@ -100,7 +124,10 @@ optional_policy(` +@@ -100,7 +131,34 @@ optional_policy(` ') optional_policy(` 
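Review bot: The lines this hunk moves give sanlock_t `manage_files_pattern`/`manage_dirs_pattern` on sanlock_conf_t, i.e. create, write, rename and delete of everything under /etc/sanlock, a type declared with `files_config_file()`. A daemon that only parses its configuration needs no more than `read_files_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)` and `list_dirs_pattern(sanlock_t, sanlock_conf_t, sanlock_conf_t)`, and write access to its own configuration is what lets a compromised daemon persist changes across restarts; if sanlock really rewrites files in /etc/sanlock, a short comment naming that use case would justify the broader rule. This concerns lines the commit re-orders rather than lines it introduces.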
@@ -94007,6 +94139,30 @@ index 0045465..2059657 100644 - virt_signal_all_virt_domains(sanlock_t) + virt_signal_svirt(sanlock_t) + virt_read_pid_files(sanlock_t) ++') ++ ++######################################## ++# ++# sanlk_resetd local policy ++# ++ ++allow sanlk_resetd_t self:capability dac_override; ++allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms; ++allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto; ++ ++manage_dirs_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t) ++manage_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t) ++manage_sock_files_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t) ++files_pid_filetrans(sanlk_resetd_t, sanlock_var_run_t, dir) ++ ++kernel_dgram_send(sanlk_resetd_t) ++ ++domain_use_interactive_fds(sanlk_resetd_t) ++ ++logging_send_syslog_msg(sanlk_resetd_t) ++ ++optional_policy(` ++ wdmd_stream_connect(sanlk_resetd_t) ') diff --git a/sasl.fc b/sasl.fc index 54f41c2..7e58679 100644 @@ -94579,7 +94735,7 @@ index e7c2cf7..435aaa6 100644 +/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/screen.if b/screen.if -index be5cce2..a7a8a67 100644 +index be5cce2..b81f5df 100644 --- a/screen.if +++ b/screen.if @@ -1,4 +1,4 @@ @@ -94600,7 +94756,7 @@ index be5cce2..a7a8a67 100644 ') ######################################## -@@ -35,50 +34,52 @@ template(`screen_role_template',` +@@ -35,50 +34,53 @@ template(`screen_role_template',` # type $1_screen_t, screen_domain; @@ -94620,6 +94776,7 @@ index be5cce2..a7a8a67 100644 - # - # Local policy - # ++ userdom_list_user_home_dirs($1_screen_t) + userdom_home_reader($1_screen_t) domtrans_pattern($3, screen_exec_t, $1_screen_t) 
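Review bot: `allow sanlk_resetd_t self:capability dac_override;` is granted without a comment saying which access needs it; dac_override lets a root daemon bypass every DAC permission check, so the usual practice is to record the motivating access (`# dac_override: needed for <file the daemon opens but does not own — fill in from the audit record>`) or, if the denial came from a wrongly owned file, to fix the ownership and dontaudit it instead. The raw `allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto;` could be written as `stream_connect_pattern(sanlk_resetd_t, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)`, which ties the permission to the socket's file type and matches the form used for gfs_controld_t earlier in this patch. The block also declares no allow rule for /var/run/sanlk-resetd beyond the shared sanlock_var_run_t manage rules, so the labeling choice in sanlock.fc and this block should be reviewed together.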
@@ -94675,7 +94832,7 @@ index be5cce2..a7a8a67 100644 tunable_policy(`use_samba_home_dirs',` fs_cifs_domtrans($1_screen_t, $3) -@@ -88,3 +89,41 @@ template(`screen_role_template',` +@@ -88,3 +90,41 @@ template(`screen_role_template',` fs_nfs_domtrans($1_screen_t, $3) ') ') @@ -112411,7 +112568,7 @@ index eecd0e0..8df2e8c 100644 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/watchdog.if b/watchdog.if -index 6461a77..146852e 100644 +index 6461a77..8fda2dd 100644 --- a/watchdog.if +++ b/watchdog.if @@ -37,3 +37,21 @@ interface(`watchdog_admin',` @@ -112434,7 +112591,7 @@ index 6461a77..146852e 100644 + type watchdog_unconfined_exec_t; + ') + -+ allow $1 watchdog_unconfined_exec_t:lnk_file read_lnk_file_perms; ++ read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t) +') diff --git a/watchdog.te b/watchdog.te index 3548317..fc3da17 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index d345fdb..fa117a0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 146%{?dist} +Release: 147%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
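Review bot: The replacement line `read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)` has no space after the first comma, unlike every other pattern call in this patch; `read_lnk_files_pattern($1, watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)` matches the module style. Unlike the lnk_file-only allow it replaces, the pattern macro also grants search on the directory type, which is what the changelog entry for this change refers to; a comment above the call such as `# pattern form also grants dir search on the exec type` would make that intent visible to the next reader. The enclosing interface definition starts outside this hunk.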
@@ -651,6 +651,23 @@ exit 0
 %endif
 
 %changelog
+* Mon Sep 14 2015 Lukas Vrabec 3.13.1-147
+- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range. BZ(#1260272)
+- Allow user screen domains to list directorires in HOMEDIR wit user_home_t labeling.
+- Dontaudit fenced search gnome config
+- Allow teamd running as NetworkManager_t to access netlink_generic_socket to allow multiple network interfaces to be teamed together. BZ(#1259180)
+- Fix for watchdog_unconfined_exec_read_lnk_files, Add also dir search perms in watchdog_unconfined_exec_t.
+- Sanlock policy update. #1255307 - New sub-domain for sanlk-reset daemon
+- Fix labeling for fence_scsi_check script
+- Allow openhpid to read system state Aloow openhpid to connect to tcp http port.
+- Allow openhpid to read snmp var lib files.
+- Allow openvswitch_t domains read kernel dependencies due to openvswitch run modprobe
+- Fix regexp in chronyd.fc file
+- systemd-logind needs to be able to act with /usr/lib/systemd/system/poweroff.target to allow shutdown system. BZ(#1260175)
+- Allow systemd-udevd to access netlink_route_socket to change names for network interfaces without unconfined.pp module. It affects also MLS.
+- Allow unconfined_t domains to create /var/run/xtables.lock with iptables_var_run_t
+- Remove bin_t label for /usr/share/cluster/fence_scsi_check\.pl
+
 * Tue Sep 01 2015 Lukas Vrabec 3.13.1-146
 - Allow passenger to getattr filesystem xattr
 - Revert "Allow pegasus_openlmi_storage_t create mdadm.conf.anacbak file in /etc."