From 4a34c4fbf059cdbc6cc77c8f29666cf40fad45e9 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jun 16 2016 11:44:49 +0000 Subject: * Thu Jun 16 2016 Lukas Vrabec 3.13.1-197 - Allow conman to kill conman_unconfined_script. - Make conman_unconfined_script_t as init_system_domain. - Allow init dbus chat with apmd. - Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t. - Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t - Allow collectd_t to stream connect to postgresql. - Allow mysqld_safe to inherit rlimit information from mysqld - Allow ip netns to mounton root fs and unmount proc_t fs. - Allow sysadm_t to run newaliases command. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 3a4a272..5224658 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 23edb1d..0af94e9 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -25199,7 +25199,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..f7ff2c7 100644 +index 2522ca6..d2f55a2 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) @@ -25464,7 +25464,7 @@ index 2522ca6..f7ff2c7 100644 ') optional_policy(` -@@ -210,22 +308,20 @@ optional_policy(` +@@ -210,22 +308,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) 
@@ -25490,10 +25490,11 @@ index 2522ca6..f7ff2c7 100644 + # this is defined in userdom_common_user_template + #mta_filetrans_home_content(sysadm_t) + mta_filetrans_admin_home_content(sysadm_t) ++ mta_rw_aliases(sysadm_t) ') optional_policy(` -@@ -237,14 +333,28 @@ optional_policy(` +@@ -237,14 +334,28 @@ optional_policy(` ') optional_policy(` @@ -25522,7 +25523,7 @@ index 2522ca6..f7ff2c7 100644 ') optional_policy(` -@@ -252,10 +362,20 @@ optional_policy(` +@@ -252,10 +363,20 @@ optional_policy(` ') optional_policy(` @@ -25543,7 +25544,7 @@ index 2522ca6..f7ff2c7 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +386,41 @@ optional_policy(` +@@ -266,35 +387,41 @@ optional_policy(` ') optional_policy(` @@ -25592,7 +25593,7 @@ index 2522ca6..f7ff2c7 100644 ') optional_policy(` -@@ -308,6 +434,7 @@ optional_policy(` +@@ -308,6 +435,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25600,7 +25601,7 @@ index 2522ca6..f7ff2c7 100644 ') optional_policy(` -@@ -315,12 +442,20 @@ optional_policy(` +@@ -315,12 +443,20 @@ optional_policy(` ') optional_policy(` @@ -25622,7 +25623,7 @@ index 2522ca6..f7ff2c7 100644 ') optional_policy(` -@@ -345,30 +480,37 @@ optional_policy(` +@@ -345,30 +481,37 @@ optional_policy(` ') optional_policy(` @@ -25669,7 +25670,7 @@ index 2522ca6..f7ff2c7 100644 ') optional_policy(` -@@ -380,10 +522,6 @@ optional_policy(` +@@ -380,10 +523,6 @@ optional_policy(` ') optional_policy(` @@ -25680,7 +25681,7 @@ index 2522ca6..f7ff2c7 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +529,9 @@ optional_policy(` +@@ -391,6 +530,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) 
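Review bot: The new `mta_rw_aliases(sysadm_t)` line in the `+@@ -210,22 +308,21 @@` hunk carries no comment, and the only statement of intent (letting sysadm_t run newaliases) lives in the changelog, so a reader of sysadm.te sees only a read/write grant on the aliases file with no reason attached. A one-line `# sysadm runs newaliases, which rewrites the aliases db in place` above the call would record that. If newaliases is instead expected to run in a dedicated mail domain via a domain transition, a different interface would be needed — worth confirming against the denial this was written for.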
@@ -25690,7 +25691,7 @@ index 2522ca6..f7ff2c7 100644 ') optional_policy(` -@@ -398,31 +539,34 @@ optional_policy(` +@@ -398,31 +540,34 @@ optional_policy(` ') optional_policy(` @@ -25731,7 +25732,7 @@ index 2522ca6..f7ff2c7 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +579,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +580,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25742,7 +25743,7 @@ index 2522ca6..f7ff2c7 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +599,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +600,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -46030,7 +46031,7 @@ index 2cea692..8edb742 100644 + files_etc_filetrans($1, net_conf_t, file) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..155d5ce 100644 +index a392fc4..79fadfc 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -46264,7 +46265,7 @@ index a392fc4..155d5ce 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,29 +313,66 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -46291,7 +46292,11 @@ index a392fc4..155d5ce 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t) + kernel_request_load_module(ifconfig_t) + kernel_search_network_sysctl(ifconfig_t) + kernel_rw_net_sysctls(ifconfig_t) ++kernel_getattr_proc(ifconfig_t) ++kernel_unmount_proc(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) 
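Review bot: The four new ifconfig_t rules — `kernel_getattr_proc`/`kernel_unmount_proc` here and `dev_getattr_sysfs_fs`/`files_mounton_rootfs` in the two following hunks — carry no comment, and `files_mounton_rootfs` in particular widens a domain that every binary labelled ifconfig_exec_t runs in, not only `ip netns`. Record the reason next to the rules, e.g. `# ip netns exec: presumably makes / a recursive slave mount and remounts /proc and /sys in the new namespace` above `kernel_getattr_proc(ifconfig_t)`, so the next reviewer can judge whether mounton on rootfs is still required. If the mounton is only needed for the rootfs mount-propagation change, it is worth stating that explicitly, since a grant named after the root filesystem invites broader reuse later.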
@@ -46306,6 +46311,7 @@ index a392fc4..155d5ce 100644 +dev_mounton_sysfs(ifconfig_t) +dev_mount_sysfs_fs(ifconfig_t) +dev_unmount_sysfs_fs(ifconfig_t) ++dev_getattr_sysfs_fs(ifconfig_t) domain_use_interactive_fds(ifconfig_t) +domain_read_all_domains_state(ifconfig_t) @@ -46317,6 +46323,8 @@ index a392fc4..155d5ce 100644 +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) +files_dontaudit_rw_var_files(ifconfig_t) ++ ++files_mounton_rootfs(ifconfig_t) files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) @@ -46324,7 +46332,7 @@ index a392fc4..155d5ce 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +385,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -46382,7 +46390,7 @@ index a392fc4..155d5ce 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +440,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -46395,7 +46403,7 @@ index a392fc4..155d5ce 100644 ') optional_policy(` -@@ -350,7 +453,16 @@ optional_policy(` +@@ -350,7 +458,16 @@ optional_policy(` ') optional_policy(` @@ -46413,7 +46421,7 @@ index a392fc4..155d5ce 100644 ') optional_policy(` -@@ -371,3 +483,13 @@ optional_policy(` +@@ -371,3 +488,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index ff0837a..e5b5dff 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -8167,7 +8167,7 @@ index 1a7a97e..2c7252a 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 7fd431b..708ae24 100644 +index 7fd431b..a1b6c41 100644 --- a/apm.te +++ b/apm.te 
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t) @@ -8229,16 +8229,17 @@ index 7fd431b..708ae24 100644 corecmd_exec_all_executables(apmd_t) -@@ -129,6 +133,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) +@@ -129,6 +133,9 @@ domain_dontaudit_list_all_domains_state(apmd_t) auth_use_nsswitch(apmd_t) init_domtrans_script(apmd_t) +init_read_utmp(apmd_t) +init_telinit(apmd_t) ++init_dbus_chat(apmd_t) libs_exec_ld_so(apmd_t) libs_exec_lib_files(apmd_t) -@@ -136,17 +142,16 @@ libs_exec_lib_files(apmd_t) +@@ -136,17 +143,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) @@ -8258,7 +8259,7 @@ index 7fd431b..708ae24 100644 optional_policy(` automount_domtrans(apmd_t) -@@ -206,11 +211,20 @@ optional_policy(` +@@ -206,11 +212,20 @@ optional_policy(` ') optional_policy(` @@ -15448,7 +15449,7 @@ index 954309e..6780142 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..3f5989f 100644 +index 6471fa8..de0fd11 100644 --- a/collectd.te +++ b/collectd.te @@ -26,43 +26,59 @@ files_type(collectd_var_lib_t) @@ -15492,12 +15493,12 @@ index 6471fa8..3f5989f 100644 +kernel_read_all_sysctls(collectd_t) +kernel_read_all_proc(collectd_t) +kernel_list_all_proc(collectd_t) ++ ++auth_use_nsswitch(collectd_t) -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) -+auth_use_nsswitch(collectd_t) -+ +corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_collectd_port(collectd_t) @@ -15520,7 +15521,7 @@ index 6471fa8..3f5989f 100644 logging_send_syslog_msg(collectd_t) -@@ -74,17 +90,41 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -74,17 +90,45 @@ tunable_policy(`collectd_tcp_network_connect',` corenet_tcp_sendrecv_all_ports(collectd_t) ') @@ -15538,6 +15539,10 @@ index 6471fa8..3f5989f 100644 +') + +optional_policy(` ++ postgresql_stream_connect(collectd_t) ++') ++ ++optional_policy(` + snmp_read_snmp_var_lib_dirs(collectd_t) +') + 
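Review bot: `init_dbus_chat(apmd_t)` in the `+@@ -129,6 +133,9 @@` hunk grants D-Bus send_msg in both directions between apmd_t and init_t, so apmd may issue requests to systemd's bus interface rather than only receive signals, and nothing on the line says which calls are needed. The adjacent `init_telinit(apmd_t)` suggests power-state handling; a comment such as `# apmd asks systemd (over D-Bus) to change power state on APM events — confirm which calls` would make the scope visible. If only one direction is needed, the narrower one-way interface would be preferable, but that depends on the denial this was written against.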
@@ -16588,10 +16593,10 @@ index 0000000..1cc5fa4 +') diff --git a/conman.te b/conman.te new file mode 100644 -index 0000000..722f400 +index 0000000..bce21bf --- /dev/null +++ b/conman.te -@@ -0,0 +1,93 @@ +@@ -0,0 +1,96 @@ +policy_module(conman, 1.0.0) + +######################################## @@ -16626,6 +16631,7 @@ index 0000000..722f400 +type conman_unconfined_script_t; +type conman_unconfined_script_exec_t; +application_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t) ++init_system_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t) + +######################################## +# @@ -16639,6 +16645,8 @@ index 0000000..722f400 +allow conman_t self:unix_stream_socket create_stream_socket_perms; +allow conman_t self:tcp_socket { accept listen create_socket_perms }; + ++allow conman_t conman_unconfined_script_t:process sigkill; ++ +manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) +manage_files_pattern(conman_t, conman_log_t, conman_log_t) +logging_log_filetrans(conman_t, conman_log_t, { dir }) @@ -32623,7 +32631,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..980f1f6 100644 +index ab09d61..cfd00e3 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -32747,7 +32755,7 @@ index ab09d61..980f1f6 100644 ######################################## # # Gkeyringd policy -@@ -89,37 +110,85 @@ template(`gnome_role_template',` +@@ -89,37 +110,92 @@ template(`gnome_role_template',` domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) 
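Review bot: `conman_unconfined_script_t` is now declared both as an `application_domain` and, one line later in the `+@@ -0,0 +1,96 @@` file, as an `init_system_domain`, and nothing in the file says which launcher the second declaration serves. A comment above the new line, e.g. `# scripts may be started by conman or directly by init (system_r) — confirm`, would record that; if conman is the only launcher the `init_system_domain` line should be dropped rather than left as an unexplained second entry path. The new `allow conman_t conman_unconfined_script_t:process sigkill;` is appropriately narrow, but a short comment naming the case (conman reaping a hung script) would help the next reader.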
@@ -32806,10 +32814,17 @@ index ab09d61..980f1f6 100644 - gnome_dbus_chat_gkeyringd($1, $3) + telepathy_mission_control_read_state($1_gkeyringd_t) + telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) ++ ') ++ ') ++ ++ optional_policy(` ++ gen_require(` ++ type xguest_gkeyringd_t; ') - ') - ') - ++ dbus_dontaudit_stream_connect_session_bus(xguest_gkeyringd_t) ++ ') ++') ++ +####################################### +## +## Allow domain to run gkeyring in the $1_gkeyringd_t domain. @@ -32834,11 +32849,11 @@ index ab09d61..980f1f6 100644 + gen_require(` + type $1_gkeyringd_t; + type gkeyringd_exec_t; -+ ') + ') + role $2 types $1_gkeyringd_t; + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) -+') -+ + ') + ######################################## ## -## Execute gconf in the caller domain. @@ -32846,7 +32861,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -127,18 +196,18 @@ template(`gnome_role_template',` +@@ -127,18 +203,18 @@ template(`gnome_role_template',` ## ## # @@ -32870,7 +32885,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -146,119 +215,114 @@ interface(`gnome_exec_gconf',` +@@ -146,119 +222,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -33027,7 +33042,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -266,15 +330,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -266,15 +337,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -33054,7 +33069,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -282,57 +352,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -282,57 +359,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -33162,7 +33177,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -340,15 +442,18 @@ interface(`gnome_read_generic_home_content',` +@@ -340,15 +449,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -33186,7 +33201,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -356,22 +461,18 @@ interface(`gnome_manage_config',` +@@ -356,22 +468,18 @@ interface(`gnome_manage_config',` ## ## # 
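Review bot: The new `optional_policy` block calling `dbus_dontaudit_stream_connect_session_bus(xguest_gkeyringd_t)` sits inside `gnome_role_template` but never uses `$1`, so it is emitted verbatim for every role the template is instantiated for (user, staff, sysadm, …), each repeating the same `gen_require` of `xguest_gkeyringd_t`. The rule belongs where xguest's keyring domain is set up — in the xguest policy, or behind an `ifelse(`$1', `xguest', …)` guard in the template — e.g. `optional_policy(` dbus_dontaudit_stream_connect_session_bus(xguest_gkeyringd_t) ')` in xguest.te. The changelog describes this as a dontaudit of connects to `system_dbusd_t`, while the interface name says session bus; one of the two is off, so confirm the target against the denial before merging. The template closes within this hunk, so the placement is fully visible here.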
@@ -33214,7 +33229,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -379,53 +480,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -379,53 +487,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -33276,7 +33291,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -433,17 +518,18 @@ interface(`gnome_home_filetrans',` +@@ -433,17 +525,18 @@ interface(`gnome_home_filetrans',` ## ## # @@ -33299,7 +33314,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -451,23 +537,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -451,23 +544,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -33327,7 +33342,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -475,22 +556,18 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -475,22 +563,18 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -33354,7 +33369,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -498,79 +575,59 @@ interface(`gnome_manage_generic_gconf_home_content',` +@@ -498,79 +582,59 @@ interface(`gnome_manage_generic_gconf_home_content',` ## ## # @@ -33452,7 +33467,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -579,12 +636,12 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -579,12 +643,12 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## ## @@ -33467,7 +33482,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -593,18 +650,18 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -593,18 +657,18 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## # @@ -33492,7 +33507,7 @@ index ab09d61..980f1f6 100644 ## ## ## -@@ -612,46 +669,80 @@ interface(`gnome_gconf_home_filetrans',` +@@ -612,46 +676,58 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -33517,11 +33532,15 @@ index ab09d61..980f1f6 100644 +## Read generic data home dirs. ## -## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +## +## +## Domain allowed access. +## -+## + ## +# +interface(`gnome_read_generic_data_home_dirs',` + gen_require(` 
@@ -33535,30 +33554,6 @@ index ab09d61..980f1f6 100644 +## +## Manage gconf data home files +## -+## - ## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). -+## Domain allowed access. - ## - ## -+# -+interface(`gnome_manage_data',` -+ gen_require(` -+ type data_home_t; -+ type gconf_home_t; -+ ') -+ -+ allow $1 gconf_home_t:dir search_dir_perms; -+ manage_dirs_pattern($1, data_home_t, data_home_t) -+ manage_files_pattern($1, data_home_t, data_home_t) -+ manage_lnk_files_pattern($1, data_home_t, data_home_t) -+') -+ -+######################################## -+## -+## Read icc data home content. -+## ## ## ## Domain allowed access. 
@@ -33566,122 +33561,146 @@ index ab09d61..980f1f6 100644 ## # -interface(`gnome_dbus_chat_gkeyringd',` -+interface(`gnome_read_home_icc_data_content',` ++interface(`gnome_manage_data',` gen_require(` - type $1_gkeyringd_t; - class dbus send_msg; -+ type icc_data_home_t, gconf_home_t, data_home_t; ++ type data_home_t; ++ type gconf_home_t; ') - allow $2 $1_gkeyringd_t:dbus send_msg; - allow $1_gkeyringd_t $2:dbus send_msg; -+ userdom_search_user_home_dirs($1) -+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; -+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) -+ read_files_pattern($1, icc_data_home_t, icc_data_home_t) -+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) ++ allow $1 gconf_home_t:dir search_dir_perms; ++ manage_dirs_pattern($1, data_home_t, data_home_t) ++ manage_files_pattern($1, data_home_t, data_home_t) ++ manage_lnk_files_pattern($1, data_home_t, data_home_t) ') ######################################## ## -## Send and receive messages from all -## gnome keyring daemon over dbus. -+## Read inherited icc data home files. ++## Read icc data home content. 
## ## ## -@@ -659,46 +750,64 @@ interface(`gnome_dbus_chat_gkeyringd',` +@@ -659,59 +735,1090 @@ interface(`gnome_dbus_chat_gkeyringd',` ## ## # -interface(`gnome_dbus_chat_all_gkeyringd',` -+interface(`gnome_read_inherited_home_icc_data_files',` ++interface(`gnome_read_home_icc_data_content',` gen_require(` - attribute gkeyringd_domain; - class dbus send_msg; -+ type icc_data_home_t; ++ type icc_data_home_t, gconf_home_t, data_home_t; ') - allow $1 gkeyringd_domain:dbus send_msg; - allow gkeyringd_domain $1:dbus send_msg; -+ allow $1 icc_data_home_t:file read_inherited_file_perms; ++ userdom_search_user_home_dirs($1) ++ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; ++ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) ++ read_files_pattern($1, icc_data_home_t, icc_data_home_t) ++ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) ') ######################################## ## -## Connect to gnome keyring daemon -## with a unix stream socket. -+## Create gconf_home_t objects in the /root directory ++## Read inherited icc data home files. ## -## +## -+## -+## Domain allowed access. -+## -+## -+## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -+## The class of the object to be created. ++## Domain allowed access. ## ## -+## -+## -+## The name of the object being created. -+## -+## +# -+interface(`gnome_admin_home_gconf_filetrans',` ++interface(`gnome_read_inherited_home_icc_data_files',` + gen_require(` -+ type gconf_home_t; ++ type icc_data_home_t; + ') + -+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) ++ allow $1 icc_data_home_t:file read_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to read -+## inherited gconf config files. ++## Create gconf_home_t objects in the /root directory +## ## ## --## Domain allowed access. -+## Domain to not audit. + ## Domain allowed access. ## ## ++## ++## ++## The class of the object to be created. 
++## ++## ++## ++## ++## The name of the object being created. ++## ++## # -interface(`gnome_stream_connect_gkeyringd',` -+interface(`gnome_dontaudit_read_inherited_gconf_config_files',` ++interface(`gnome_admin_home_gconf_filetrans',` gen_require(` - type $1_gkeyringd_t, gnome_keyring_tmp_t; -+ type gconf_etc_t; ++ type gconf_home_t; ') - files_search_tmp($2) - stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) -+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; ++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) ') ######################################## ## -## Connect to all gnome keyring daemon -## with a unix stream socket. -+## read gconf config files ++## Do not audit attempts to read ++## inherited gconf config files. ## ## ## -@@ -706,12 +815,1003 @@ interface(`gnome_stream_connect_gkeyringd',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`gnome_stream_connect_all_gkeyringd',` -+interface(`gnome_read_gconf_config',` ++interface(`gnome_dontaudit_read_inherited_gconf_config_files',` gen_require(` - attribute gkeyringd_domain; - type gnome_keyring_tmp_t; + type gconf_etc_t; + ') + +- files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## ++## read gconf config files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gconf_config',` ++ gen_require(` ++ type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; @@ -33824,10 +33843,9 @@ index ab09d61..980f1f6 100644 +interface(`gnome_list_gkeyringd_tmp_dirs',` + gen_require(` + type gkeyringd_tmp_t; - ') - - files_search_tmp($1) -- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ++ ') ++ ++ files_search_tmp($1) + allow $1 gkeyringd_tmp_t:dir list_dir_perms; +') + 
@@ -56069,7 +56087,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..dbbdb99 100644 +index 7584bbe..31069d2 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -56251,7 +56269,7 @@ index 7584bbe..dbbdb99 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +178,18 @@ optional_policy(` +@@ -155,21 +178,20 @@ optional_policy(` ####################################### # @@ -56266,7 +56284,8 @@ index 7584bbe..dbbdb99 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; -allow mysqld_safe_t mysqld_t:process signull; -- ++allow mysqld_safe_t mysqld_t:process { rlimitinh }; + read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) +delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) @@ -56278,7 +56297,7 @@ index 7584bbe..dbbdb99 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +197,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +199,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -56289,7 +56308,7 @@ index 7584bbe..dbbdb99 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +205,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +207,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) 
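Review bot: `allow mysqld_safe_t mysqld_t:process { rlimitinh };` has mysqld_safe_t as source, and for rlimitinh the kernel checks the post-exec domain as source against the pre-exec domain as target, so this rule covers an exec from mysqld_t into mysqld_safe_t — the reverse of the mysqld_safe → mysqld order these two domains are usually entered in. That agrees with the changelog wording, but a one-line comment stating the path, e.g. `# mysqld_t execs mysqld_safe and it keeps mysqld's rlimits (rlimitinh: new domain -> old domain)`, would stop the next reader from "fixing" the operand order. If the denial actually had scontext=mysqld_t and tcontext=mysqld_safe_t, the operands should be swapped instead.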
@@ -56305,9 +56324,9 @@ index 7584bbe..dbbdb99 100644 +files_dontaudit_access_check_root(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) -+ -+files_write_root_dirs(mysqld_safe_t) ++files_write_root_dirs(mysqld_safe_t) ++ +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) @@ -56325,7 +56344,7 @@ index 7584bbe..dbbdb99 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +235,7 @@ optional_policy(` +@@ -209,7 +237,7 @@ optional_policy(` ######################################## # @@ -56334,7 +56353,7 @@ index 7584bbe..dbbdb99 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +244,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +246,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -56352,7 +56371,7 @@ index 7584bbe..dbbdb99 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +257,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +259,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -90628,10 +90647,10 @@ index 54de77c..0ee4cc1 100644 ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..913587c 100644 +index ebe91fc..6ba4338 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -1,61 +1,78 @@ +@@ -1,61 +1,80 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) 
@@ -90666,6 +90685,11 @@ index ebe91fc..913587c 100644 +/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) + +/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) ++ ++/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -90684,14 +90708,11 @@ index ebe91fc..913587c 100644 -/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) -+ +/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) + ++/usr/share/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++ +ifdef(`distro_redhat', ` +/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 945fe28..481b4b6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
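Review bot: The new `/usr/share/rpm(/.*)?` entry labels a path under `/usr` as the writable `rpm_var_lib_t`, and nothing in rpm.fc explains why; the reason (on Atomic hosts `/var/lib/rpm` is a symlink to `/usr/share/rpm`) exists only in the changelog and will be invisible to anyone reading the fc file. Add it directly above the entry: `# On Atomic hosts /var/lib/rpm is a symlink to /usr/share/rpm, so the rpm db lives here`. Since rpm_t's manage rules on rpm_var_lib_t now also reach a `/usr` path on every install that has that directory, it is worth confirming nothing else ships files there — I cannot tell that from this hunk.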
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 196%{?dist}
+Release: 197%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,17 @@ exit 0
 %endif
 %changelog
+* Thu Jun 16 2016 Lukas Vrabec 3.13.1-197
+- Allow conman to kill conman_unconfined_script.
+- Make conman_unconfined_script_t as init_system_domain.
+- Allow init dbus chat with apmd.
+- Patch /var/lib/rpm is symlink to /usr/share/rpm on Atomic, due to this change we need to label also /usr/share/rpm as rpm_var_lib_t.
+- Dontaudit xguest_gkeyringd_t stream connect to system_dbusd_t
+- Allow collectd_t to stream connect to postgresql.
+- Allow mysqld_safe to inherit rlimit information from mysqld
+- Allow ip netns to mounton root fs and unmount proc_t fs.
+- Allow sysadm_t to run newaliases command.
+
 * Mon Jun 13 2016 Lukas Vrabec 3.13.1-196
 - Allow svirt_sandbox_domains to r/w onload sockets
 - Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.