From 8db354a9b7727f747640c142e75db6f6dee25da6 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Oct 14 2014 09:51:56 +0000
Subject: * Tue Oct 14 2014 Lukas Vrabec 3.13.1-86
- Dontaudit aicuu to search home config dir. BZ (#1104076)
- couchdb is using erlang so it needs execmem privs
- Allow sanlock to send a signal to virtd_t.
- Allow mongodb to 'accept' accesses on the tcp_socket port.
- Make sosreport as unconfined domain.
- Allow nova-console to connect to mem_cache port.
- Allow mandb to getattr on file systems
- Allow read antivirus domain all kernel sysctls.
- Allow lmsd_plugin to read passwd file. BZ(1093733)
- Label /usr/share/corosync/corosync as cluster_exec_t.
- Allow sensord to getattr on sysfs.
- automount policy is non-base module so it needs to be called in optional block.
- Add auth_use_nsswitch for portreserve to make it working with sssd.
- Fix samba_export_all_ro/samba_export_all_rw booleans to dontaudit search/read security files.
- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd.
- Allow openvpn to access /sys/fs/cgroup dir.
- Allow nova-scheduler to read certs
- Add support for /var/lib/swift directory.
- Allow neutron connections to system dbus.
- Allow mongodb to manage own log files.
- Allow opensm_t to read/write /dev/infiniband/umad1.
- Added policy for mon_statd and mon_procd services. BZ (1077821)
- kernel_read_system_state needs to be called with type. Moved it to antivirus.if.
- Allow dnssec_trigger_t to execute unbound-control in own domain.
- Allow all RHCS services to read system state.
- Added monitor device
- Add interfaces for /dev/infiniband
- Add infiniband_device_t for /dev/infiniband instead of fixed_disk_device_t type.
- Add files_dontaudit_search_security_files()
- Add selinuxuser_udp_server boolean
- Allow syslogd_t to create /var/log/cron with correct labeling
- Add support for /etc/.updated and /var/.updated
- Allow iptables read fail2ban logs. BZ (1147709)
- Allow ldconfig to read proc//net/sockstat.
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c4b22b1..bf9912e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -900,7 +900,7 @@ index 66e85ea..d02654d 100644
## user domains.
##
diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..b7e7ea5 100644
+index 4705ab6..b82865c 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,52 +6,59 @@
@@ -989,7 +989,7 @@ index 4705ab6..b7e7ea5 100644
## Allow any files/directories to be exported read/write via NFS.
##
##
-@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,39 @@ gen_tunable(use_samba_home_dirs,false)
##
##
@@ -1017,6 +1017,15 @@ index 4705ab6..b7e7ea5 100644
+
+##
+##
++## Allow users to run UDP servers (bind to ports and accept connection from
++## the same domain and outside users) disabling this may break avahi
++## discovering services on the network and other udp related services.
++##
++##
++gen_tunable(selinuxuser_udp_server,false)
++
++##
++##
+## Allow the mount commands to mount any directory or file.
+##
+##
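Review bot: The description of the new selinuxuser_udp_server tunable at the `++## Allow users to run UDP servers` lines says "accept connection", but UDP sockets have no connections, and "disabling this may break avahi" reads oddly for a tunable whose default is false. Suggest rewording to `## Allow user domains to run UDP servers (bind to ports and receive datagrams from the same domain and from remote hosts). Leaving this disabled may break avahi service discovery on the network and other UDP-based services.` Since enabling it lets every user domain bind arbitrary UDP ports, the description could also state that exposure explicitly so administrators know what they widen when they flip it.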
@@ -5913,7 +5922,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..5e37a40 100644
+index b31c054..50bfabf 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5937,7 +5946,16 @@ index b31c054..5e37a40 100644
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -61,7 +64,8 @@
+@@ -44,6 +47,8 @@
+ /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
+ /dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
++/dev/infiniband/.* -b gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh)
+ /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+ /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
+@@ -61,7 +66,8 @@
/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
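Review bot: The `-b` entry for `/dev/infiniband/.*` on the second added line labels block devices under that directory, but as far as I know the kernel exposes the InfiniBand nodes there (uverbs, umad, issm, rdma_cm) only as character devices, so that rule — and the matching `read_blk_files_pattern`/`rw_blk_files_pattern` lines in the new dev_read_infiniband_dev and dev_rw_infiniband_dev interfaces in the devices.if hunks below — looks unnecessary; if no block node can match, drop them so the type grants no more than it needs. The `type infiniband_device_t; dev_node(infiniband_device_t)` declaration that devices.te needs for this label is not in any visible hunk, so please confirm it is part of the change; the same applies to monitor_device_t used by the `/dev/monwriter` entry in the next hunk. Labeling at `mls_systemhigh` is consistent with the other direct-hardware nodes in this file such as `/dev/mem`.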
@@ -5947,7 +5965,15 @@ index b31c054..5e37a40 100644
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -106,6 +110,7 @@
+@@ -72,6 +78,7 @@
+ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
++/dev/monwriter -c gen_context(system_u:object_r:monitor_device_t,s0)
+ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+ /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
+@@ -106,6 +113,7 @@
/dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
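Review bot: Only `/dev/monwriter` receives monitor_device_t on the added line; if I recall correctly the s390 monitor subsystem also provides `/dev/monreader`, which would stay device_t and be unreachable through the new monitor interfaces. If that node exists on the target platforms, add `/dev/monreader -c gen_context(system_u:object_r:monitor_device_t,s0)` beside it; otherwise a short comment noting that monwriter is the only node covered would save later readers the same question.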
@@ -5955,7 +5981,7 @@ index b31c054..5e37a40 100644
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +123,11 @@
+@@ -118,6 +126,11 @@
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
')
@@ -5967,7 +5993,7 @@ index b31c054..5e37a40 100644
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +139,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +142,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -5982,7 +6008,7 @@ index b31c054..5e37a40 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,6 +184,8 @@ ifdef(`distro_suse', `
+@@ -172,6 +187,8 @@ ifdef(`distro_suse', `
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -5991,7 +6017,7 @@ index b31c054..5e37a40 100644
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +212,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +215,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -6022,7 +6048,7 @@ index b31c054..5e37a40 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..03d4787 100644
+index 76f285e..d36451a 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6500,7 +6526,7 @@ index 76f285e..03d4787 100644
##
##
##
-@@ -2025,17 +2266,73 @@ interface(`dev_rw_input_dev',`
+@@ -2025,17 +2266,18 @@ interface(`dev_rw_input_dev',`
##
##
#
@@ -6516,11 +6542,29 @@ index 76f285e..03d4787 100644
+ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
')
-+
########################################
##
-## Set the attributes of the framebuffer device node.
+## Read ipmi devices.
+ ##
+ ##
+ ##
+@@ -2043,7 +2285,101 @@ interface(`dev_getattr_framebuffer_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_framebuffer_dev',`
++interface(`dev_read_ipmi_dev',`
++ gen_require(`
++ type device_t, ipmi_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, ipmi_device_t)
++')
++
++########################################
++##
++## Read and write ipmi devices.
+##
+##
+##
@@ -6528,12 +6572,31 @@ index 76f285e..03d4787 100644
+##
+##
+#
-+interface(`dev_read_ipmi_dev',`
++interface(`dev_rw_ipmi_dev',`
+ gen_require(`
+ type device_t, ipmi_device_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, ipmi_device_t)
++ rw_chr_files_pattern($1, device_t, ipmi_device_t)
++')
++
++########################################
++##
++## Read infiniband devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_infiniband_dev',`
++ gen_require(`
++ type device_t, infiniband_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, infiniband_device_t)
++ read_blk_files_pattern($1, device_t, infiniband_device_t)
+')
+
+########################################
@@ -6546,14 +6609,17 @@ index 76f285e..03d4787 100644
+##
+##
+#
-+interface(`dev_rw_ipmi_dev',`
++interface(`dev_rw_infiniband_dev',`
+ gen_require(`
-+ type device_t, ipmi_device_t;
++ type device_t, infiniband_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, ipmi_device_t)
++ rw_chr_files_pattern($1, device_t, infiniband_device_t)
++ rw_blk_files_pattern($1, device_t, infiniband_device_t)
+')
+
++
++
+########################################
+##
+## Get the attributes of the framebuffer device node.
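Review bot: The two added blank lines after the closing `')` of dev_rw_infiniband_dev leave three empty lines before the next `########################################` banner, whereas every other interface in this file is separated by exactly one; drop the two `++` blank lines. The interface body itself starts inside this hunk at the `++interface(` line and is otherwise consistent with the ipmi variant above it.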
@@ -6575,10 +6641,18 @@ index 76f285e..03d4787 100644
+########################################
+##
+## Set the attributes of the framebuffer device node.
- ##
- ##
- ##
-@@ -2402,7 +2699,97 @@ interface(`dev_filetrans_lirc',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_framebuffer_dev',`
+ gen_require(`
+ type device_t, framebuf_device_t;
+ ')
+@@ -2402,7 +2738,97 @@ interface(`dev_filetrans_lirc',`
########################################
##
@@ -6677,7 +6751,7 @@ index 76f285e..03d4787 100644
##
##
##
-@@ -2725,7 +3112,7 @@ interface(`dev_write_misc',`
+@@ -2725,7 +3151,7 @@ interface(`dev_write_misc',`
##
##
##
@@ -6686,7 +6760,86 @@ index 76f285e..03d4787 100644
##
##
#
-@@ -2903,20 +3290,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2811,6 +3237,78 @@ interface(`dev_rw_modem',`
+
+ ########################################
+ ##
++## Get the attributes of the monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_getattr_monitor_dev',`
++ gen_require(`
++ type device_t, monitor_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
++## Set the attributes of the monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_monitor_dev',`
++ gen_require(`
++ type device_t, monitor_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
++## Read the monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_read_monitor_dev',`
++ gen_require(`
++ type device_t, monitor_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
++## Read and write to monitor devices.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_monitor_dev',`
++ gen_require(`
++ type device_t, monitor_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, monitor_device_t)
++')
++
++########################################
++##
+ ## Get the attributes of the mouse devices.
+ ##
+ ##
+@@ -2903,20 +3401,20 @@ interface(`dev_getattr_mtrr_dev',`
########################################
##
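Review bot: The summaries of the four new interfaces (dev_getattr_monitor_dev, dev_setattr_monitor_dev, dev_read_monitor_dev, dev_rw_monitor_dev) say only "the monitor devices", which does not tell a policy writer which hardware monitor_device_t stands for; the only node labeled with it in this change is `/dev/monwriter`. Suggest naming it in each summary, e.g. `## Read the monitor devices (e.g. /dev/monwriter).`, adjusting the verb per interface. Since `rw_chr_files_pattern` already covers read access, a line such as `## Prefer dev_read_monitor_dev when write access is not needed.` in the dev_rw_monitor_dev description would steer callers to the narrower interface.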
@@ -6711,7 +6864,7 @@ index 76f285e..03d4787 100644
##
##
##