From fc41f8a9df458cb1410aa5359edcffd7f1617989 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 22 2017 08:26:38 +0000 Subject: * Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287 - Allow init noatsecure httpd_t - Allow mysqld_t domain to mmap mysqld db files. BZ(1483331) - Allow unconfined_t domain to create new users with proper SELinux lables - Allow init noatsecure httpd_t - Label tcp port 3269 as ldap_port_t --- diff --git a/container-selinux.tgz b/container-selinux.tgz index f68e784..1fbd717 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 61241e1..4b91b04 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6162,7 +6162,7 @@ index 8e0f9cd14..2fe34db47 100644 +create_ibendport_type_interfaces($*) +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055f9..15ec98f76 100644 +index b191055f9..12aecdf4e 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6386,7 +6386,7 @@ index b191055f9..15ec98f76 100644 network_port(ktalkd, udp,517,s0, udp,518,s0) -network_port(l2tp, tcp,1701,s0, udp,1701,s0) -network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) -+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp, 7389,s0) ++network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp, 7389,s0) network_port(lirc, tcp,8765,s0) -network_port(lmtp, tcp,24,s0, udp,24,s0) +network_port(luci, tcp,8084,s0) @@ -27377,10 +27377,10 @@ index 000000000..f73028658 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 000000000..883d9eaa3 +index 000000000..bdfe41b61 --- /dev/null 
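Review bot: The rewritten `network_port(ldap, ...)` line keeps the pre-existing `tcp, 7389,s0` with a stray space after the comma, unlike every other tuple on the line; since the whole line is replaced anyway, normalise it: `+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0, tcp,7389,s0)`. A short comment above it naming what 3269 is (conventionally the Active Directory Global Catalog over TLS, the counterpart of 3268 already listed) would save the next reader a lookup, because the commit message only says that the port is labelled, not why.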
+++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,362 @@ +@@ -0,0 +1,363 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -27418,6 +27418,7 @@ index 000000000..883d9eaa3 +userdom_manage_tmp_role(unconfined_r, unconfined_t) +userdom_unpriv_type(unconfined_t) +userdom_login_userdomain(unconfined_t) ++userdom_home_filetrans_user_home_dir(unconfined_t) + +type unconfined_exec_t; +application_domain(unconfined_t, unconfined_exec_t) @@ -37845,7 +37846,7 @@ index 79a45f62e..6ed0c399a 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda2480..6c22a0a1f 100644 +index 17eda2480..7d76c87ce 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -38167,7 +38168,7 @@ index 17eda2480..6c22a0a1f 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +347,292 @@ ifdef(`distro_gentoo',` +@@ -186,29 +347,293 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38208,6 +38209,7 @@ index 17eda2480..6c22a0a1f 100644 + +optional_policy(` + apache_delete_tmp(init_t) ++ apache_noatsecure(init_t) +') + +optional_policy(` @@ -38469,7 +38471,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -216,7 +640,30 @@ optional_policy(` +@@ -216,7 +641,30 @@ optional_policy(` ') optional_policy(` @@ -38501,7 +38503,7 @@ index 17eda2480..6c22a0a1f 100644 ') ######################################## -@@ -225,9 +672,9 @@ optional_policy(` +@@ -225,9 +673,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
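Review bot: The new `apache_noatsecure(init_t)` call carries no reason, and the commit message only repeats "Allow init noatsecure httpd_t" without a bug reference, so a later maintainer cannot tell whether the grant is still needed or safe to drop. noatsecure is security-relevant: the kernel will not set AT_SECURE on the init_t -> httpd_t exec, so ld.so keeps honouring LD_PRELOAD/LD_LIBRARY_PATH and similar variables inherited from init's environment. A one-line why-comment above the call, e.g. `# httpd must be started without AT_SECURE; <reason / BZ number>`, would document it in the policy itself. The enclosing optional_policy block is fully visible here, but init_t's local policy section starts and ends outside this hunk.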
@@ -38513,7 +38515,7 @@ index 17eda2480..6c22a0a1f 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +705,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +706,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38530,7 +38532,7 @@ index 17eda2480..6c22a0a1f 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +730,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +731,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38573,7 +38575,7 @@ index 17eda2480..6c22a0a1f 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +767,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +768,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38585,7 +38587,7 @@ index 17eda2480..6c22a0a1f 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +779,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +780,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38596,7 +38598,7 @@ index 17eda2480..6c22a0a1f 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +790,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +791,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -38606,7 +38608,7 @@ index 17eda2480..6c22a0a1f 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +799,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +800,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38614,7 +38616,7 @@ index 17eda2480..6c22a0a1f 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +806,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +807,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38622,7 +38624,7 @@ index 17eda2480..6c22a0a1f 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +814,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +815,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38640,7 +38642,7 @@ index 17eda2480..6c22a0a1f 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +832,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +833,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38654,7 +38656,7 @@ index 17eda2480..6c22a0a1f 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +847,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +848,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38668,7 +38670,7 @@ index 17eda2480..6c22a0a1f 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +860,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +861,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38679,7 +38681,7 @@ index 17eda2480..6c22a0a1f 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +873,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +874,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38687,7 +38689,7 @@ index 17eda2480..6c22a0a1f 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +892,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +893,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38711,7 +38713,7 @@ index 17eda2480..6c22a0a1f 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +925,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +926,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38719,7 +38721,7 @@ index 17eda2480..6c22a0a1f 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +959,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +960,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38730,7 +38732,7 @@ index 17eda2480..6c22a0a1f 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +983,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +984,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -38739,7 +38741,7 @@ index 17eda2480..6c22a0a1f 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +998,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +999,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38747,7 +38749,7 @@ index 17eda2480..6c22a0a1f 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +1019,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +1020,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38755,7 +38757,7 @@ index 17eda2480..6c22a0a1f 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +1029,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +1030,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38800,7 +38802,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -559,14 +1074,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1075,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38832,7 +38834,7 @@ index 17eda2480..6c22a0a1f 100644 ') ') -@@ -577,6 +1109,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1110,39 @@ ifdef(`distro_suse',` ') ') @@ -38872,7 +38874,7 @@ index 17eda2480..6c22a0a1f 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1154,8 @@ optional_policy(` +@@ -589,6 +1155,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38881,7 +38883,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -610,6 +1177,7 @@ optional_policy(` +@@ -610,6 +1178,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) 
@@ -38889,7 +38891,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -626,6 +1194,17 @@ optional_policy(` +@@ -626,6 +1195,17 @@ optional_policy(` ') optional_policy(` @@ -38907,7 +38909,7 @@ index 17eda2480..6c22a0a1f 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1221,13 @@ optional_policy(` +@@ -642,9 +1222,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38921,7 +38923,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -657,15 +1240,11 @@ optional_policy(` +@@ -657,15 +1241,11 @@ optional_policy(` ') optional_policy(` @@ -38939,7 +38941,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -686,6 +1265,15 @@ optional_policy(` +@@ -686,6 +1266,15 @@ optional_policy(` ') optional_policy(` @@ -38955,7 +38957,7 @@ index 17eda2480..6c22a0a1f 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1314,7 @@ optional_policy(` +@@ -726,6 +1315,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38963,7 +38965,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -743,7 +1332,13 @@ optional_policy(` +@@ -743,7 +1333,13 @@ optional_policy(` ') optional_policy(` @@ -38978,7 +38980,7 @@ index 17eda2480..6c22a0a1f 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1361,10 @@ optional_policy(` +@@ -766,6 +1362,10 @@ optional_policy(` ') optional_policy(` @@ -38989,7 +38991,7 @@ index 17eda2480..6c22a0a1f 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1374,20 @@ optional_policy(` +@@ -775,10 +1375,20 @@ optional_policy(` ') optional_policy(` @@ -39010,7 +39012,7 @@ index 17eda2480..6c22a0a1f 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1396,10 @@ optional_policy(` +@@ -787,6 +1397,10 @@ optional_policy(` ') optional_policy(` 
@@ -39021,7 +39023,7 @@ index 17eda2480..6c22a0a1f 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1421,6 @@ optional_policy(` +@@ -808,8 +1422,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39030,7 +39032,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -818,6 +1429,10 @@ optional_policy(` +@@ -818,6 +1430,10 @@ optional_policy(` ') optional_policy(` @@ -39041,7 +39043,7 @@ index 17eda2480..6c22a0a1f 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1442,12 @@ optional_policy(` +@@ -827,10 +1443,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -39054,7 +39056,7 @@ index 17eda2480..6c22a0a1f 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1474,62 @@ optional_policy(` +@@ -857,21 +1475,62 @@ optional_policy(` ') optional_policy(` @@ -39118,7 +39120,7 @@ index 17eda2480..6c22a0a1f 100644 ') optional_policy(` -@@ -887,6 +1545,10 @@ optional_policy(` +@@ -887,6 +1546,10 @@ optional_policy(` ') optional_policy(` @@ -39129,7 +39131,7 @@ index 17eda2480..6c22a0a1f 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1559,218 @@ optional_policy(` +@@ -897,3 +1560,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 902c1f0..e27883e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3925,7 +3925,7 @@ index 7caefc353..966c2f3e6 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb4851f..422f408d4 100644 +index f6eb4851f..3628a384f 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ 
@@ -4218,11 +4218,11 @@ index f6eb4851f..422f408d4 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) ++ ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) -+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; -+ + # apache runs the script: + domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) + allow httpd_t $1_script_t:unix_dgram_socket sendto; @@ -4499,12 +4499,10 @@ index f6eb4851f..422f408d4 100644 - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unix domain stream sockets. ++') ++ ++######################################## ++## +## Allow attempts to read and write Apache +## unix domain stream sockets. +## @@ -4520,10 +4518,12 @@ index f6eb4851f..422f408d4 100644 + ') + + allow $1 httpd_t:unix_stream_socket { getattr read write }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. +## Do not audit attempts to read and write Apache +## unix domain stream sockets. ## 
@@ -4997,31 +4997,11 @@ index f6eb4851f..422f408d4 100644 -######################################## +###################################### -+## -+## Allow the specified domain to read -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_files',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### ## -## Create, read, write, and delete -## httpd system rw content. +## Allow the specified domain to read -+## apache system content rw dirs. ++## apache system content rw files. ## ## ## @@ -5031,12 +5011,32 @@ index f6eb4851f..422f408d4 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_dirs',` ++interface(`apache_read_sys_content_rw_files',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to read ++## apache system content rw dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_dirs',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + @@ -5390,7 +5390,7 @@ index f6eb4851f..422f408d4 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1625,201 @@ interface(`apache_admin',` +@@ -1224,9 +1625,219 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
@@ -5591,10 +5591,28 @@ index f6eb4851f..422f408d4 100644 + gen_require(` + type httpd_tmp_t; + ') ++ ++ allow $1 httpd_tmp_t:file unlink; ++') ++ ++######################################## ++## ++## Allow httpd noatsecure ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_noatsecure',` ++ gen_require(` ++ type httpd_t; ++ ') - apache_run_all_scripts($1, $2) - apache_run_helper($1, $2) -+ allow $1 httpd_tmp_t:file unlink; ++ allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te index 6649962b6..1a0189a44 100644 @@ -58089,7 +58107,7 @@ index 687af38bb..5381f1b39 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe7c..a89f6d665 100644 +index 7584bbe7c..9c33fb9ac 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -58140,7 +58158,7 @@ index 7584bbe7c..a89f6d665 100644 type mysqld_initrc_exec_t; init_script_file(mysqld_initrc_exec_t) -@@ -62,28 +66,29 @@ files_pid_file(mysqlmanagerd_var_run_t) +@@ -62,28 +66,30 @@ files_pid_file(mysqlmanagerd_var_run_t) # Local policy # @@ -58161,6 +58179,7 @@ index 7584bbe7c..a89f6d665 100644 +manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) ++allow mysqld_t mysqld_db_t:file map; -filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file) - @@ -58177,7 +58196,7 @@ index 7584bbe7c..a89f6d665 100644 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file }) manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) -@@ -95,50 +100,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -95,50 +101,66 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) 
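Review bot: The new `apache_noatsecure` interface grants `$1 httpd_t:process noatsecure`, which lets the caller exec into httpd_t without the kernel setting AT_SECURE, so the dynamic loader will not discard LD_PRELOAD, LD_LIBRARY_PATH and the other secure-mode variables inherited from the caller; the interface summary says only "Allow httpd noatsecure" and gives no hint of that. Expand the summary so that policy authors do not reuse it for less trusted domains: `## Allow the specified domain to exec into httpd_t without AT_SECURE (the loader's secure-exec environment cleansing is skipped); intended for trusted init-style domains only.` The only caller in this commit is init_t, where that is reasonable. Style: the braces around a single permission are unnecessary, `allow $1 httpd_t:process noatsecure;`.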
@@ -58262,7 +58281,7 @@ index 7584bbe7c..a89f6d665 100644 ') optional_policy(` -@@ -146,6 +167,10 @@ optional_policy(` +@@ -146,6 +168,10 @@ optional_policy(` ') optional_policy(` @@ -58273,7 +58292,7 @@ index 7584bbe7c..a89f6d665 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +180,20 @@ optional_policy(` +@@ -155,21 +181,20 @@ optional_policy(` ####################################### # @@ -58301,7 +58320,7 @@ index 7584bbe7c..a89f6d665 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +201,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +202,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -58312,7 +58331,7 @@ index 7584bbe7c..a89f6d665 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +209,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +210,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -58348,7 +58367,7 @@ index 7584bbe7c..a89f6d665 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,20 +239,21 @@ optional_policy(` +@@ -209,20 +240,21 @@ optional_policy(` ######################################## # @@ -58377,7 +58396,7 @@ index 7584bbe7c..a89f6d665 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +261,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +262,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) 
@@ -112229,10 +112248,10 @@ index 000000000..e5cec8fda +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 000000000..9c3b00220 +index 000000000..31baf3bb8 --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,117 @@ +@@ -0,0 +1,124 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -112292,8 +112311,7 @@ index 000000000..9c3b00220 + +allow tomcat_t self:capability { dac_override setuid kill }; + -+allow tomcat_t self:process execmem; -+allow tomcat_t self:process { setcap signal signull }; ++allow tomcat_t self:process { execmem setcap setsched signal signull }; + +allow tomcat_t self:tcp_socket { accept listen }; +allow tomcat_domain self:fifo_file rw_fifo_file_perms; @@ -112333,6 +112351,8 @@ index 000000000..9c3b00220 + +domain_use_interactive_fds(tomcat_domain) + ++libs_exec_ldconfig(tomcat_domain) ++ +fs_getattr_all_fs(tomcat_domain) +fs_read_hugetlbfs_files(tomcat_domain) + @@ -112343,6 +112363,12 @@ index 000000000..9c3b00220 +') + +optional_policy(` ++ # needed by FreeIPA ++ ldap_stream_connect(tomcat_domain) ++ ldap_read_certs(tomcat_domain) ++') ++ ++optional_policy(` + tomcat_search_lib(tomcat_domain) +') + @@ -117037,7 +117063,7 @@ index facdee8b3..2a619ba9e 100644 + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) ') diff --git a/virt.te b/virt.te -index f03dcf567..529ae6612 100644 +index f03dcf567..cf9950e36 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,424 @@ @@ -118002,7 +118028,7 @@ index f03dcf567..529ae6612 100644 ') optional_policy(` -@@ -691,99 +653,432 @@ optional_policy(` +@@ -691,99 +653,433 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -118247,6 +118273,7 @@ index f03dcf567..529ae6612 100644 +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) +dev_rw_dri(virt_domain) ++dev_rw_tpm(virt_domain) + +domain_use_interactive_fds(virt_domain) + 
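Review bot: `libs_exec_ldconfig(tomcat_domain)` is added without a comment, whereas the ldap grants in the next hunk carry `# needed by FreeIPA`; running ldconfig from a network-facing Java service domain is unusual enough that the reason deserves the same treatment, e.g. `# <component> runs ldconfig at startup (BZ#...)`. The grant is also placed on the whole tomcat_domain attribute rather than on tomcat_t, so every domain carrying the attribute receives it; if a single consumer needs it, narrow the grant to that domain. Since this is an in-domain exec rather than a transition, ldconfig cannot rewrite the cache unless other rules allow that, which is presumably the intent but is worth confirming.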
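Review bot: `dev_rw_tpm(virt_domain)` grants read/write on the host TPM character device to everything carrying the virt_domain attribute; judging from the neighbouring `dev_rw_*(virt_domain)` lines this attribute spans the per-guest process domains, so each guest's emulator would get direct, unmediated access to a device whose state (PCRs, hierarchies, NVRAM) is shared with the host and with every other guest. That undercuts the isolation the per-guest labelling is meant to provide. If only a specific consumer needs it (a passthrough path or a single management domain), grant it there instead, or gate the rule behind a tunable that is off by default, and put a why-comment on the line either way. The enclosing virt_domain policy section starts and ends outside this hunk.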
@@ -118484,7 +118511,7 @@ index f03dcf567..529ae6612 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1090,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -118511,7 +118538,7 @@ index f03dcf567..529ae6612 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1110,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -118545,7 +118572,7 @@ index f03dcf567..529ae6612 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1146,20 @@ optional_policy(` +@@ -856,14 +1147,20 @@ optional_policy(` ') optional_policy(` @@ -118567,7 +118594,7 @@ index f03dcf567..529ae6612 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1184,66 @@ optional_policy(` +@@ -888,49 +1185,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -118652,7 +118679,7 @@ index f03dcf567..529ae6612 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1256,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -118672,7 +118699,7 @@ index f03dcf567..529ae6612 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1277,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -118696,7 +118723,7 @@ index f03dcf567..529ae6612 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1302,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -119140,7 +119167,7 @@ index f03dcf567..529ae6612 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1604,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -119155,7 +119182,7 @@ index f03dcf567..529ae6612 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1621,7 @@ optional_policy(` +@@ -1192,7 +1622,7 @@ optional_policy(` ######################################## # @@ -119164,7 +119191,7 @@ index f03dcf567..529ae6612 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1631,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 290d069..110607f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 286%{?dist} +Release: 287%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -682,6 +682,13 @@ exit 0
 %endif
 
 %changelog
+* Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287
+- Allow init noatsecure httpd_t
+- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)
+- Allow unconfined_t domain to create new users with proper SELinux lables
+- Allow init noatsecure httpd_t
+- Label tcp port 3269 as ldap_port_t
+
 * Mon Sep 18 2017 Lukas Vrabec - 3.13.1-286
 - Add new boolean tomcat_read_rpm_db()
 - Allow tomcat to connect on mysqld tcp ports