From 7ac3a50aaf04c2a30526694f703c53f95bfa8a77 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Feb 26 2016 12:34:18 +0000 Subject: * Fri Feb 26 2016 Lukas Vrabec 3.13.1-173 - Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759 - Allow keepalived to create netlink generic sockets. rhbz#1311756 - Allow modemmanager to read /etc/passwd file. - Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t. - Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255 - Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019 - Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444 - Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319 --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 9763ea9..e2b3421 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f6f8c8e..7fe17fb 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -35871,7 +35871,7 @@ index 0d4c8d3..537aa42 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..34f5262 100644 +index 312cd04..324b3af 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -35978,7 +35978,7 @@ index 312cd04..34f5262 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,24 +178,32 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -36004,16 +36004,15 @@ index 312cd04..34f5262 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) - - optional_policy(` -+ iptables_domtrans(ipsec_t) -+') ++userdom_read_home_certs(ipsec_t) + +optional_policy(` - seutil_sigchld_newrole(ipsec_t) - ') ++ iptables_domtrans(ipsec_t) ++') -@@ -182,19 +211,30 @@ optional_policy(` + optional_policy(` + seutil_sigchld_newrole(ipsec_t) +@@ -182,19 +212,30 @@ optional_policy(` udev_read_db(ipsec_t) ') @@ -36048,7 +36047,7 @@ index 312cd04..34f5262 100644 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -208,12 +248,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -36064,7 +36063,7 @@ index 312cd04..34f5262 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +288,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -36081,7 +36080,7 @@ index 312cd04..34f5262 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +307,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -36090,7 +36089,7 @@ index 312cd04..34f5262 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +323,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -36098,7 +36097,7 @@ index 312cd04..34f5262 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +333,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -36110,7 +36109,7 @@ index 312cd04..34f5262 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +344,28 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -36144,7 +36143,7 @@ index 312cd04..34f5262 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +389,10 @@ optional_policy(` +@@ -322,6 +390,10 @@ optional_policy(` ') optional_policy(` @@ -36155,7 +36154,7 @@ index 312cd04..34f5262 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +406,7 @@ optional_policy(` +@@ -335,7 +407,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -36164,7 +36163,7 @@ index 312cd04..34f5262 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +441,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -36184,7 +36183,7 @@ index 312cd04..34f5262 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +471,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -36197,7 +36196,7 @@ index 312cd04..34f5262 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +508,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -43785,7 +43784,7 @@ index a392fc4..78fa512 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..b53de2b +index 0000000..849cdb8 --- /dev/null +++ b/policy/modules/system/systemd.fc @@ -0,0 +1,61 @@ @@ -43839,7 +43838,7 @@ index 0000000..b53de2b +/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) +/usr/var/lib/random-seed gen_context(system_u:object_r:random_seed_t,mls_systemhigh) + -+/var/run/nologin gen_context(system_u:object_r:systemd_logind_var_run_t,s0) ++/var/run/.*nologin.* gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) +/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0) +/var/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0) @@ -43852,10 +43851,10 @@ index 0000000..b53de2b +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..300bf59 +index 0000000..21f7c14 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1676 @@ +@@ -0,0 +1,1678 @@ +## SELinux policy for systemd components + +###################################### @@ -44970,6 +44969,7 @@ index 0000000..300bf59 + type systemd_logind_var_run_t; + type hostname_etc_t; + type systemd_home_t; ++ type systemd_rfkill_var_lib_t; + ') + + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") @@ -44978,6 +44978,7 @@ index 0000000..300bf59 + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") + files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) + files_etc_filetrans($1, hostname_etc_t, file, "machine-info" ) ++ init_var_lib_filetrans($1, systemd_rfkill_var_lib_t, dir, "rfkill" ) +') + +######################################## @@ -45534,10 +45535,10 @@ index 0000000..300bf59 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..eb1b3c3 +index 0000000..bf93dba --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,842 @@ +@@ -0,0 +1,843 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -45687,7 +45688,7 @@ index 0000000..eb1b3c3 +manage_files_pattern(systemd_logind_t, { systemd_logind_sessions_t systemd_logind_var_run_t }, { systemd_logind_var_run_t systemd_logind_sessions_t }) +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t }) +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions") -+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir) ++init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, { file dir }) +files_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, file, "nologin") + +manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t) @@ -45896,6 +45897,7 @@ index 0000000..eb1b3c3 +fs_read_xenfs_files(systemd_networkd_t) + +dev_read_sysfs(systemd_networkd_t) ++dev_write_kmsg(systemd_networkd_t) + +logging_send_syslog_msg(systemd_networkd_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d3c8d76..b1c1c4c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2267,7 +2267,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..f5784a5 100644 +index 519051c..0f871e6 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2330,7 +2330,15 @@ index 519051c..f5784a5 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -130,6 +137,7 @@ fs_list_all(amanda_t) + storage_raw_read_fixed_disk(amanda_t) + storage_read_tape(amanda_t) + storage_write_tape(amanda_t) ++storage_write_scsi_generic(amanda_t) + + auth_use_nsswitch(amanda_t) + auth_read_shadow(amanda_t) +@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2338,7 +2346,7 @@ index 519051c..f5784a5 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -41006,10 +41014,10 @@ index 0000000..bd7e7fa +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..8ab40b5 +index 0000000..66e747b --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,91 @@ +@@ -0,0 +1,92 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -41038,6 +41046,7 @@ index 0000000..8ab40b5 +allow keepalived_t self:capability { net_admin net_raw kill }; +allow keepalived_t self:process { signal_perms }; +allow keepalived_t self:netlink_socket create_socket_perms; ++allow keepalived_t self:netlink_generic_socket create_socket_perms; +allow keepalived_t self:netlink_route_socket nlmsg_write; +allow keepalived_t self:packet_socket create_socket_perms; +allow keepalived_t self:rawip_socket create_socket_perms; @@ -49397,7 +49406,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..25f2cfe 100644 +index d15eb5b..6e2a403 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -49410,7 +49419,7 @@ index d15eb5b..25f2cfe 100644 ######################################## # # Local policy -@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; +@@ -19,20 +22,24 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; allow modemmanager_t self:process { getsched signal }; allow modemmanager_t self:fifo_file rw_fifo_file_perms; @@ -49420,6 +49429,8 @@ index d15eb5b..25f2cfe 100644 kernel_read_system_state(modemmanager_t) ++auth_read_passwd(modemmanager_t) ++ +corecmd_exec_bin(modemmanager_t) + dev_read_sysfs(modemmanager_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 799d32d..ab47992 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 172%{?dist} +Release: 173%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -673,6 +673,16 @@ exit 0 %endif %changelog +* Fri Feb 26 2016 Lukas Vrabec 3.13.1-173 +- Allow amanda to manipulate the tape changer to load the necessary tapes. rhbz#1311759 +- Allow keepalived to create netlink generic sockets. rhbz#1311756 +- Allow modemmanager to read /etc/passwd file. +- Label all files named /var/run/.*nologin.* as systemd_logind_var_run_t. +- Add filename transition to interface systemd_filetrans_named_content() that domain will create rfkill dir labeled as systemd_rfkill_var_lib_t instead of init_var_lib_t. rhbz #1290255 +- Allow systemd-logind to create .#nologinXXXXXX labeled as systemd_logind_var_run_t in /var/run/systemd/ rhbz#1285019 +- Allow systemd_networkd_t to write kmsg, when kernel was started with following params: systemd.debug systemd.log_level=debug systemd.log_target=kmsg rhbz#1311444 +- Allow ipsec to read home certs, when connecting to VPN. rhbz#1301319 + * Thu Feb 25 2016 Lukas Vrabec 3.13.1-172 - Fix macro name from snmp_manage_snmp_var_lib_files to snmp_manage_var_lib_files in cupsd policy. - Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes. Resolves: rhbz#1291033