From ae5a64804038ce6e0527b44ec4d0d457e41601a2 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 10 2014 13:47:04 +0000 Subject: * Wed Sep 10 2014 Lukas Vrabec 3.13.1-80 - Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21. - Since docker will now label volumes we can tighten the security of docker --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 4ab6b63..e768ba5 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -29903,7 +29903,7 @@ index 3efd5b6..12dca57 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..ff0708e 100644 +index 09b791d..49d8c47 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -30227,7 +30227,7 @@ index 09b791d..ff0708e 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,145 @@ optional_policy(` +@@ -456,10 +520,151 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -30235,6 +30235,12 @@ index 09b791d..ff0708e 100644 + sssd_read_lib_files(nsswitch_domain) ') ++#1134389 ++userdom_manage_all_users_keys(nsswitch_domain) ++optional_policy(` ++ sssd_manage_keys(nsswitch_domain) ++") ++ optional_policy(` samba_stream_connect_winbind(nsswitch_domain) + samba_stream_connect_nmbd(nsswitch_domain) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index fb586b5..285ba81 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -24183,7 +24183,7 @@ index 0000000..a952041 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..7f715f8 +index 0000000..c1ab586 --- /dev/null +++ b/dnssec.te @@ -0,0 +1,58 @@ 
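Review bot: The new optional_policy block in the authlogin.te hunk closes with `++")` where m4 needs `')`; if the patch file really contains a double quote rather than this page rendering it that way, the quote never closes and the authlogin module will not build, so the line should be `')`. The workaround grants every member of the nsswitch_domain attribute manage access to all user keyrings through userdom_manage_all_users_keys, and the only record that this is temporary is the changelog; a comment on the rule itself, `# Workaround for #1134389, backported from F20; remove once F21 ships`, keeps the removal condition next to the access it grants. Since auth_use_nsswitch appears to add its callers to that attribute (it is used for dnssec_trigger_t later in this commit), any domain gaining nsswitch inherits the keyring access as well.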
@@ -24234,7 +24234,7 @@ index 0000000..7f715f8 + +logging_send_syslog_msg(dnssec_trigger_t) + -+auth_read_passwd(dnssec_trigger_t) ++auth_use_nsswitch(dnssec_trigger_t) + +sysnet_dns_name_resolve(dnssec_trigger_t) +sysnet_manage_config(dnssec_trigger_t) @@ -95487,7 +95487,7 @@ index dbb005a..45291bb 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..16a04bf 100644 +index a240455..f4d8c79 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -95781,7 +95781,7 @@ index a240455..16a04bf 100644 ## ## ## -@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',` +@@ -317,8 +388,46 @@ interface(`sssd_stream_connect',` ######################################## ## @@ -95804,6 +95804,25 @@ index a240455..16a04bf 100644 + dontaudit $1 sssd_var_lib_t:sock_file { read write }; +') + ++####################################### ++## ++## Manage keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_manage_keys',` ++ gen_require(` ++ type sssd_t; ++ ') ++ ++ allow $1 sssd_t:key manage_key_perms; ++ allow sssd_t $1:key manage_key_perms; ++') ++ +######################################## +## +## All of the rules required to administrate @@ -95811,7 +95830,7 @@ index a240455..16a04bf 100644 ## ## ## -@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +436,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -95820,7 +95839,7 @@ index a240455..16a04bf 100644 ## ## ## -@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +444,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -103952,7 +103971,7 @@ index facdee8..c43ef2e 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..58d42f6 100644 +index f03dcf5..7b38f46 100644 --- a/virt.te +++ b/virt.te 
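Review bot: Replacing `auth_read_passwd(dnssec_trigger_t)` with `auth_use_nsswitch(dnssec_trigger_t)` grants more than passwd lookups, because nsswitch_domain is the same attribute this commit extends with userdom_manage_all_users_keys and sssd_manage_keys in authlogin.te, so dnssec_trigger_t presumably inherits keyring management over all user keys along with the name-service access. If the trigger only needs sssd/nscd-backed resolution, a comment recording why the full nsswitch set is required would help, and the keyring workaround's removal should be verified against this domain too.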
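Review bot: The summary of the new `sssd_manage_keys` interface, `Manage keys for all user domains.`, does not describe its body: the first rule lets `$1` manage sssd_t keys and the second, reverse rule lets sssd_t manage the caller's keys. Suggest `## Manage sssd keys, and allow sssd to manage the caller's keys.` so callers see the bidirectional grant; the summary/param markup tags are not visible on this page, so check they survive in sssd.if. With the only caller added in this commit passing the nsswitch_domain attribute, the reverse rule allows sssd_t to manage keys of every domain in that attribute, which is worth stating in the interface documentation.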
@@ -1,150 +1,227 @@ @@ -105439,7 +105458,7 @@ index f03dcf5..58d42f6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1155,319 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1155,316 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -105468,12 +105487,12 @@ index f03dcf5..58d42f6 100644 +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') 
@@ -105503,89 +105522,7 @@ index f03dcf5..58d42f6 100644
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain,
svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow
virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; @@ -105661,20 +105598,14 @@ index f03dcf5..58d42f6 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) -+ docker_manage_lib_files(svirt_lxc_net_t) -+ docker_manage_lib_dirs(svirt_lxc_net_t) ++') ++ ++optional_policy(` + docker_read_share_files(svirt_sandbox_domain) -+ docker_exec_lib(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) + docker_use_ptys(svirt_sandbox_domain) +') 
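Review bot: The docker tightening in this hunk drops `docker_manage_lib_files(svirt_lxc_net_t)`, `docker_manage_lib_dirs(svirt_lxc_net_t)` and `docker_exec_lib(svirt_sandbox_domain)`, but nothing in the file records why those rules are no longer needed; the rationale exists only in the commit message. A comment above the remaining docker optional_policy block, `# docker labels volumes with svirt_sandbox_file_t, so no direct access to docker lib content is needed here`, would stop the rules from being re-added the next time a denial on docker lib files is reported. The hunk also re-orders the udev and apache optional_policy blocks, which hides the actual removal in the diff; keeping block order stable makes the access change reviewable.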
@@ -105682,7 +105613,89 @@ index f03dcf5..58d42f6 100644
+optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
+')
-+
+
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
@@ -105690,12 +105703,15 @@ index f03dcf5..58d42f6 100644 +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + udev_read_pid_files(svirt_sandbox_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -105718,12 +105734,19 @@ index f03dcf5..58d42f6 100644 -# Lxc net local policy +# svirt_lxc_net_t local policy # -- --allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; +virt_sandbox_domain_template(svirt_lxc_net) +virt_default_capabilities(svirt_lxc_net_t) +typeattribute svirt_lxc_net_t sandbox_net_domain; - dontaudit svirt_lxc_net_t self:capability2 block_suspend; ++dontaudit svirt_lxc_net_t self:capability2 {fsetid block_suspend }; ++allow svirt_lxc_net_t self:process { execstack execmem }; ++manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') + +-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; +-dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write; 
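Review bot: `dontaudit svirt_lxc_net_t self:capability2 {fsetid block_suspend };` places fsetid in the capability2 class, but fsetid is a permission of the capability class (it sat in the `self:capability` allow rule this hunk deletes), whereas capability2 holds block_suspend and its siblings; unless the policy's access vectors define fsetid for capability2, checkpolicy will reject the line when the module is built. If the aim is to silence fsetid denials now that the capability is no longer granted, split the rule: `dontaudit svirt_lxc_net_t self:capability fsetid;` and `dontaudit svirt_lxc_net_t self:capability2 block_suspend;`. The brace spacing `{fsetid block_suspend }` also departs from the `{ a b }` form used everywhere else in the file.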
@@ -105736,8 +105759,9 @@ index f03dcf5..58d42f6 100644 - -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) -+allow svirt_lxc_net_t self:process { execstack execmem }; -+manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++tunable_policy(`virt_sandbox_use_mknod',` ++ allow svirt_lxc_net_t self:capability mknod; ++') -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -105749,14 +105773,6 @@ index f03dcf5..58d42f6 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) -+tunable_policy(`virt_sandbox_use_sys_admin',` -+ allow svirt_lxc_net_t self:capability sys_admin; -+') -+ -+tunable_policy(`virt_sandbox_use_mknod',` -+ allow svirt_lxc_net_t self:capability mknod; -+') -+ +tunable_policy(`virt_sandbox_use_all_caps',` + allow svirt_lxc_net_t self:capability all_capability_perms; + allow svirt_lxc_net_t self:capability2 all_capability2_perms; @@ -105846,10 +105862,10 @@ index f03dcf5..58d42f6 100644 +term_use_ptmx(svirt_qemu_net_t) + +dev_rw_kvm(svirt_qemu_net_t) ++ ++manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) -allow svirt_prot_exec_t self:process { execmem execstack }; -+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) -+ +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + @@ -105897,7 +105913,7 @@ index f03dcf5..58d42f6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1480,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1477,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -105912,7 +105928,7 @@ index f03dcf5..58d42f6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1498,8 @@ optional_policy(` +@@ -1192,9 +1495,8 @@ optional_policy(` ######################################## # @@ -105923,7 +105939,7 @@ index f03dcf5..58d42f6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1512,219 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1509,219 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index f3e652b..7618739 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 79%{?dist} +Release: 80%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Sep 10 2014 Lukas Vrabec 3.13.1-80 +- Back port workaround for #1134389 from F20. It needs to be removed from rawhide once we ship F21. +- Since docker will now label volumes we can tighten the security of docker + * Wed Sep 10 2014 Lukas Vrabec 3.13.1-79 - Re-arange openshift_net_read_t rules. - Kernel is reporting random block_suspends, we should dontaudit these until the kernel is fixed in Rawhide