diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 85f3e81..7ba4bba 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -17465,7 +17465,7 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 346d011..a00f4ea 100644 +index 346d011..3e23acb 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -17578,7 +17578,7 @@ index 346d011..a00f4ea 100644 -tunable_policy(`allow_execmem',` +optional_policy(` -+ rgmanager_manage_pid_files(postgresql_t) ++ rhcs_manage_cluster_pid_files(postgresql_t) +') + +tunable_policy(`deny_execmem',`',` @@ -18333,7 +18333,7 @@ index fe0c682..da12170 100644 + allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..ab68072 100644 +index 5fc0391..3540387 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,44 +6,52 @@ policy_module(ssh, 2.3.3) @@ -18661,7 +18661,7 @@ index 5fc0391..ab68072 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +335,68 @@ optional_policy(` +@@ -279,13 +335,69 @@ optional_policy(` ') optional_policy(` @@ -18697,6 +18697,7 @@ index 5fc0391..ab68072 100644 optional_policy(` + kernel_write_proc_files(sshd_t) + virt_transition_svirt_lxc(sshd_t, system_r) ++ virt_stream_connect_lxc(sshd_t) + virt_stream_connect(sshd_t) +') + @@ -18730,7 +18731,7 @@ index 5fc0391..ab68072 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +405,26 @@ optional_policy(` +@@ -294,19 +406,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -18758,7 +18759,7 @@ index 5fc0391..ab68072 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +441,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +442,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -18771,7 +18772,7 @@ index 5fc0391..ab68072 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +455,138 @@ optional_policy(` +@@ -331,3 +456,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -20444,7 +20445,7 @@ index 6bf0ecc..8a8ed32 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..2964047 100644 +index 2696452..7a3a6c0 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -20978,7 +20979,7 @@ index 2696452..2964047 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +587,26 @@ files_list_mnt(xdm_t) +@@ -430,9 +587,27 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -20989,6 +20990,7 @@ index 2696452..2964047 100644 +files_dontaudit_getattr_all_symlinks(xdm_t) +files_dontaudit_getattr_all_tmp_sockets(xdm_t) +files_dontaudit_all_access_check(xdm_t) ++files_dontaudit_list_non_security(xdm_t) fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) @@ -21005,7 +21007,7 @@ index 2696452..2964047 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +615,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +616,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -21049,7 +21051,7 @@ index 2696452..2964047 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +657,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +658,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -21099,7 +21101,7 @@ index 2696452..2964047 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +707,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +708,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -21126,7 +21128,7 @@ index 2696452..2964047 100644 ') optional_policy(` -@@ -514,12 +734,72 @@ optional_policy(` +@@ -514,12 +735,72 @@ optional_policy(` ') optional_policy(` @@ -21199,7 +21201,7 @@ index 2696452..2964047 100644 hostname_exec(xdm_t) ') -@@ -537,28 +817,78 @@ optional_policy(` +@@ -537,28 +818,78 @@ optional_policy(` ') optional_policy(` @@ -21287,7 +21289,7 @@ index 2696452..2964047 100644 ') optional_policy(` -@@ -570,6 +900,14 @@ optional_policy(` +@@ -570,6 +901,14 @@ optional_policy(` ') optional_policy(` @@ -21302,7 +21304,7 @@ index 2696452..2964047 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +932,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +933,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -21315,7 +21317,7 @@ index 2696452..2964047 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +949,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -21331,7 +21333,7 @@ index 2696452..2964047 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -628,12 +976,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -21353,7 +21355,7 @@ index 2696452..2964047 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +996,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +997,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -21367,7 +21369,7 @@ index 2696452..2964047 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1022,27 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1023,27 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -21398,7 +21400,7 @@ index 2696452..2964047 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,8 +1053,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,8 +1054,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -21412,7 +21414,7 @@ index 2696452..2964047 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -708,20 +1072,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1073,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -21436,7 +21438,7 @@ index 2696452..2964047 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1091,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1092,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -21445,7 +21447,7 @@ index 2696452..2964047 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1135,44 @@ optional_policy(` +@@ -775,16 +1136,44 @@ optional_policy(` ') optional_policy(` @@ -21491,7 +21493,7 @@ index 2696452..2964047 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1181,10 @@ optional_policy(` +@@ -793,6 +1182,10 @@ optional_policy(` ') optional_policy(` @@ -21502,7 +21504,7 @@ index 2696452..2964047 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1200,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1201,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -21516,7 +21518,7 @@ index 2696452..2964047 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1211,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1212,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -21525,7 +21527,7 @@ index 2696452..2964047 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1224,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1225,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -21560,7 +21562,7 @@ index 2696452..2964047 100644 ') optional_policy(` -@@ -902,7 +1289,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -21569,7 +21571,7 @@ index 2696452..2964047 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1343,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1344,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -21601,7 +21603,7 @@ index 2696452..2964047 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1389,40 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1390,40 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -22638,7 +22640,7 @@ index 3efd5b6..792df83 100644 +') + diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..fbe9b26 100644 +index 104037e..a8a2a2d 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -22903,12 +22905,15 @@ index 104037e..fbe9b26 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -418,14 +448,18 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +447,21 @@ files_read_etc_files(nsswitch_domain) + sysnet_dns_name_resolve(nsswitch_domain) - tunable_policy(`authlogin_nsswitch_use_ldap',` +-tunable_policy(`authlogin_nsswitch_use_ldap',` - files_list_var_lib(nsswitch_domain) -- ++systemd_hostnamed_read_config(nsswitch_domain) + ++tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) sysnet_use_ldap(nsswitch_domain) ') @@ -22924,7 +22929,7 @@ index 104037e..fbe9b26 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +472,7 @@ optional_policy(` +@@ -438,6 +474,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -22932,7 +22937,7 @@ index 104037e..fbe9b26 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +491,7 @@ optional_policy(` +@@ -456,6 +493,7 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -22940,7 +22945,7 @@ index 104037e..fbe9b26 100644 ') optional_policy(` -@@ -463,3 +499,132 @@ optional_policy(` +@@ -463,3 +501,132 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9c1e9bd..59ef21b 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2694,7 +2694,7 @@ index 0000000..b334e9a + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..d2af19f 100644 +index 550a69e..e714059 100644 --- a/apache.fc +++ b/apache.fc @@ -1,161 +1,184 @@ @@ -2724,7 +2724,7 @@ index 550a69e..d2af19f 100644 +/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/owncloud/config\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) @@ -56417,7 +56417,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index c0f047a..e81b5b1 100644 +index c0f047a..6f22887 100644 --- a/prelink.te +++ b/prelink.te @@ -1,4 +1,4 @@ @@ -56590,19 +56590,20 @@ index c0f047a..e81b5b1 100644 kernel_read_system_state(prelink_cron_system_t) -@@ -184,8 +168,10 @@ optional_policy(` +@@ -184,8 +168,11 @@ optional_policy(` dev_list_sysfs(prelink_cron_system_t) dev_read_sysfs(prelink_cron_system_t) - files_rw_etc_dirs(prelink_cron_system_t) files_dontaudit_search_all_mountpoints(prelink_cron_system_t) + files_search_var_lib(prelink_cron_system_t) ++ files_dontaudit_list_non_security(prelink_cron_system_t) + + fs_search_cgroup_dirs(prelink_cron_system_t) auth_use_nsswitch(prelink_cron_system_t) -@@ -196,11 +182,20 @@ optional_policy(` +@@ -196,11 +183,20 @@ optional_policy(` logging_search_logs(prelink_cron_system_t) @@ -63844,7 +63845,7 @@ index 47de2d6..1f5dbf8 100644 +/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index 56bc01f..f0a05e8 100644 +index 56bc01f..27c4de4 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -64206,7 +64207,7 @@ index 56bc01f..f0a05e8 100644 ') ###################################### -@@ -446,52 +456,303 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +456,322 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## @@ -64257,7 +64258,11 @@ index 56bc01f..f0a05e8 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +##################################### +## +## Allow domain to manage cluster lib files @@ -64272,15 +64277,15 @@ index 56bc01f..f0a05e8 100644 + gen_require(` + type cluster_var_lib_t; + ') -+ + +- files_search_pids($1) +- admin_pattern($1, cluster_pid) + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +#################################### +## +## Allow domain to relabel cluster lib files @@ -64301,8 +64306,8 @@ index 56bc01f..f0a05e8 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_pids($1) -- admin_pattern($1, cluster_pid) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. @@ -64318,14 +64323,14 @@ index 56bc01f..f0a05e8 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +####################################### +## +## Execute cluster init scripts in @@ -64341,14 +64346,10 @@ index 56bc01f..f0a05e8 100644 + gen_require(` + type cluster_initrc_exec_t; + ') - -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ +##################################### +## +## Execute cluster in the caller domain. @@ -64462,6 +64463,25 @@ index 56bc01f..f0a05e8 100644 + manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) +') + ++##################################### ++## ++## Allow manage cluster pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_pid_files',` ++ gen_require(` ++ type cluster_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t) ++') ++ +####################################### +## +## Execute cluster server in the cluster domain. @@ -68941,7 +68961,7 @@ index f1140ef..c5bd83a 100644 + files_etc_filetrans($1, rsync_etc_t, $2, $3) ') diff --git a/rsync.te b/rsync.te -index e3e7c96..68cba2d 100644 +index e3e7c96..0820cb2 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -68963,40 +68983,24 @@ index e3e7c96..68cba2d 100644 +##

## -gen_tunable(rsync_use_cifs, false) -- --## --##

--## Determine whether rsync can --## use fuse file systems. --##

--## --gen_tunable(rsync_use_fusefs, false) -- --## --##

--## Determine whether rsync can use --## nfs file systems. --##

--## --gen_tunable(rsync_use_nfs, false) +gen_tunable(rsync_client, false) ## -##

-## Determine whether rsync can --## run as a client +-## use fuse file systems. -##

+##

+## Allow rsync to export any files/directories read only. +##

## --gen_tunable(rsync_client, false) +-gen_tunable(rsync_use_fusefs, false) +gen_tunable(rsync_export_all_ro, false) ## -##

--## Determine whether rsync can --## export all content read only. +-## Determine whether rsync can use +-## nfs file systems. -##

+##

+## Allow rsync to modify public files @@ -69004,21 +69008,37 @@ index e3e7c96..68cba2d 100644 +## labeled public_content_rw_t. +##

## --gen_tunable(rsync_export_all_ro, false) +-gen_tunable(rsync_use_nfs, false) +gen_tunable(rsync_anon_write, false) ## ##

--## Determine whether rsync can modify --## public files used for public file --## transfer services. Directories/Files must --## be labeled public_content_rw_t. +-## Determine whether rsync can +-## run as a client +## Allow rsync server to manage all files/directories on the system. ##

## --gen_tunable(allow_rsync_anon_write, false) +-gen_tunable(rsync_client, false) +gen_tunable(rsync_full_access, false) +-## +-##

+-## Determine whether rsync can +-## export all content read only. +-##

+-## +-gen_tunable(rsync_export_all_ro, false) +- +-## +-##

+-## Determine whether rsync can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

+-## +-gen_tunable(allow_rsync_anon_write, false) +- -attribute_role rsync_roles; type rsync_t; @@ -69045,14 +69065,14 @@ index e3e7c96..68cba2d 100644 -allow rsync_t self:tcp_socket { accept listen }; +allow rsync_t self:tcp_socket create_stream_socket_perms; +allow rsync_t self:udp_socket connected_socket_perms; - --allow rsync_t rsync_etc_t:file read_file_perms; ++ +# for identd +# cjp: this should probably only be inetd_child_t rules? +# search home and kerberos also. +allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +#end for identd -+ + +-allow rsync_t rsync_etc_t:file read_file_perms; +read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t) allow rsync_t rsync_data_t:dir list_dir_perms; @@ -69069,7 +69089,7 @@ index e3e7c96..68cba2d 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +97,76 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -69192,11 +69212,12 @@ index e3e7c96..68cba2d 100644 -optional_policy(` - kerberos_use(rsync_t) -') -- --optional_policy(` -- inetd_service_domain(rsync_t, rsync_exec_t) --') +auth_can_read_shadow_passwords(rsync_t) + + optional_policy(` +- inetd_service_domain(rsync_t, rsync_exec_t) ++ swift_manage_data_files(rsync_t) + ') diff --git a/rtkit.if b/rtkit.if index bd35afe..051addd 100644 --- a/rtkit.if @@ -73262,7 +73283,7 @@ index c21ddcc..ee00be2 100644 + can_exec($1, screen_exec_t) +') diff --git a/screen.te b/screen.te -index f095081..c0d7b61 100644 +index f095081..ee69aa7 100644 --- a/screen.te +++ b/screen.te @@ -1,13 +1,11 @@ @@ -73293,7 +73314,7 @@ index f095081..c0d7b61 100644 type screen_var_run_t; typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t }; typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; -@@ -30,33 +23,33 @@ ubac_constrained(screen_var_run_t) +@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t) ######################################## # @@ -73301,7 +73322,9 @@ index f095081..c0d7b61 100644 +# Local policy # - allow screen_domain self:capability { setuid setgid fsetid }; +-allow screen_domain self:capability { setuid setgid fsetid }; ++allow screen_domain self:capability { fsetid setgid setuid sys_tty_config }; ++dontaudit screen_domain self:capability dac_override; allow screen_domain self:process signal_perms; -allow screen_domain self:fd use; allow screen_domain self:fifo_file rw_fifo_file_perms; @@ -73329,6 +73352,7 @@ index f095081..c0d7b61 100644 manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) -read_files_pattern(screen_domain, screen_home_t, screen_home_t) manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) ++manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t) +userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir) +userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir) +read_files_pattern(screen_domain, screen_home_t, screen_home_t) @@ -73339,7 +73363,7 @@ index f095081..c0d7b61 100644 kernel_read_kernel_sysctls(screen_domain) corecmd_list_bin(screen_domain) -@@ -65,55 +58,39 @@ corecmd_read_bin_symlinks(screen_domain) +@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain) corecmd_read_bin_pipes(screen_domain) corecmd_read_bin_sockets(screen_domain) @@ -74272,7 +74296,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..0a0f095 100644 +index 49b12ae..c6f3302 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -74369,7 +74393,7 @@ index 49b12ae..0a0f095 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -108,13 +113,13 @@ init_dontaudit_write_utmp(setroubleshootd_t) +@@ -108,26 +113,23 @@ init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -74379,13 +74403,16 @@ index 49b12ae..0a0f095 100644 logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) -- --miscfiles_read_localization(setroubleshootd_t) +logging_stream_connect_syslog(setroubleshootd_t) +-miscfiles_read_localization(setroubleshootd_t) +- ++seutil_read_bin_policy(setroubleshootd_t) seutil_read_config(setroubleshootd_t) ++seutil_read_default_contexts(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) -@@ -123,11 +128,7 @@ seutil_read_bin_policy(setroubleshootd_t) +-seutil_read_bin_policy(setroubleshootd_t) + userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -74398,7 +74425,7 @@ index 49b12ae..0a0f095 100644 ') optional_policy(` -@@ -135,10 +136,18 @@ optional_policy(` +@@ -135,10 +137,18 @@ optional_policy(` ') optional_policy(` @@ -74417,7 +74444,7 @@ index 49b12ae..0a0f095 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,15 +157,17 @@ optional_policy(` +@@ -148,15 +158,17 @@ optional_policy(` ######################################## # @@ -74436,7 +74463,7 @@ index 49b12ae..0a0f095 100644 setroubleshoot_stream_connect(setroubleshoot_fixit_t) kernel_read_system_state(setroubleshoot_fixit_t) -@@ -165,9 +176,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t) @@ -74451,7 +74478,7 @@ index 49b12ae..0a0f095 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +190,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -78654,10 +78681,21 @@ index c6aaac7..dc3f167 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..7917018 +index 0000000..e5433ad --- /dev/null +++ b/swift.fc -@@ -0,0 +1,9 @@ +@@ -0,0 +1,28 @@ ++/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-account-server -- gen_context(system_u:object_r:swift_exec_t,s0) ++ ++/usr/bin/swift-container-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0) ++ +/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -78667,12 +78705,20 @@ index 0000000..7917018 +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + +/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0) ++ ++# This seems to be a de-facto standard when using swift. ++/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) ++ ++# This is specific to RHOS's packstack utility ++ifdef(`distro_redhat', ` ++/srv/loopback-device(/.*)? gen_context(system_u:object_r:swift_data_t,s0) ++') diff --git a/swift.if b/swift.if new file mode 100644 -index 0000000..4ec3f4d +index 0000000..ce6e8ae --- /dev/null +++ b/swift.if -@@ -0,0 +1,103 @@ +@@ -0,0 +1,124 @@ + +## policy for swift + @@ -78694,6 +78740,7 @@ index 0000000..4ec3f4d + corecmd_search_bin($1) + domtrans_pattern($1, swift_exec_t, swift_t) +') ++ +######################################## +## +## Read swift PID files. @@ -78715,6 +78762,26 @@ index 0000000..4ec3f4d + +######################################## +## ++## Manage swift data files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_manage_data_files',` ++ gen_require(` ++ type swift_data_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, swift_data_t, swift_data_t) ++ manage_dirs_pattern($1, swift_data_t, swift_data_t) ++') ++ ++######################################## ++## +## Execute swift server in the swift domain. +## +## @@ -78778,10 +78845,10 @@ index 0000000..4ec3f4d +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..e3eab32 +index 0000000..39f1ca1 --- /dev/null +++ b/swift.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,53 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -78799,6 +78866,9 @@ index 0000000..e3eab32 +type swift_unit_file_t; +systemd_unit_file(swift_unit_file_t) + ++type swift_data_t; ++files_type(swift_data_t) ++ +######################################## +# +# swift local policy @@ -78813,6 +78883,11 @@ index 0000000..e3eab32 +manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) +files_pid_filetrans(swift_t, swift_var_run_t, { dir }) + ++# swift makes use of rsync, so we need to give rsync permissions ++# to edit swift_data_t files as well as swift_t those permissions ++manage_dirs_pattern(swift_t, swift_data_t, swift_data_t) ++manage_files_pattern(swift_t, swift_data_t, swift_data_t) ++ +kernel_dgram_send(swift_t) +kernel_read_system_state(swift_t) + @@ -83745,7 +83820,7 @@ index c30da4c..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..d8a2b54 100644 +index 9dec06c..175e66a 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -84723,7 +84798,7 @@ index 9dec06c..d8a2b54 100644 ## ## ## -@@ -860,115 +603,223 @@ interface(`virt_read_lib_files',` +@@ -860,115 +603,244 @@ interface(`virt_read_lib_files',` ## ## # @@ -84754,9 +84829,6 @@ index 9dec06c..d8a2b54 100644 ## ## -## --## --## The type of the object to be created. --## +# +interface(`virt_manage_images',` + gen_require(` @@ -84781,8 +84853,7 @@ index 9dec06c..d8a2b54 100644 +## +## Domain allowed access. +## - ## --## ++## +# +interface(`virt_manage_default_image_type',` + gen_require(` @@ -84802,11 +84873,11 @@ index 9dec06c..d8a2b54 100644 +## +## ## --## The object class of the object being created. +-## The type of the object to be created. +## Domain allowed to transition. ## ## --## +-## +# +interface(`virt_systemctl',` + gen_require(` @@ -84827,24 +84898,46 @@ index 9dec06c..d8a2b54 100644 +## +## ## --## The name of the object being created. +-## The object class of the object being created. +## Domain allowed to transition. ## ## +-## ++# ++interface(`virt_ptrace',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process ptrace; ++') ++ ++####################################### ++## ++## Connect to virt over a unix domain stream socket. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## -## # -interface(`virt_pid_filetrans',` -+interface(`virt_ptrace',` ++interface(`virt_stream_connect_lxc',` gen_require(` - type virt_var_run_t; -+ attribute virt_domain; ++ attribute svirt_lxc_domain; ++ type svirt_lxc_file_t; ') -- files_search_pids($1) + files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ allow $1 virt_domain:process ptrace; ++ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain) ') ++ ######################################## ## -## Read virt log files. @@ -84987,7 +85080,7 @@ index 9dec06c..d8a2b54 100644 ## ## ## -@@ -976,18 +827,17 @@ interface(`virt_manage_log',` +@@ -976,18 +848,17 @@ interface(`virt_manage_log',` ## ## # @@ -85010,7 +85103,7 @@ index 9dec06c..d8a2b54 100644 ## ## ## -@@ -995,36 +845,17 @@ interface(`virt_search_images',` +@@ -995,36 +866,17 @@ interface(`virt_search_images',` ## ## # @@ -85051,7 +85144,7 @@ index 9dec06c..d8a2b54 100644 ## ## ## -@@ -1032,58 +863,57 @@ interface(`virt_read_images',` +@@ -1032,58 +884,57 @@ interface(`virt_read_images',` ## ## # @@ -85131,7 +85224,7 @@ index 9dec06c..d8a2b54 100644 ## ## ## -@@ -1091,95 +921,131 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +942,131 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -85325,7 +85418,7 @@ index 9dec06c..d8a2b54 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..12f4354 100644 +index 1f22fba..d5e8852 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -85621,7 +85714,9 @@ index 1f22fba..12f4354 100644 -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - -kernel_read_system_state(virt_domain) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -fs_getattr_xattr_fs(virt_domain) - -corecmd_exec_bin(virt_domain) @@ -85739,15 +85834,17 @@ index 1f22fba..12f4354 100644 - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) - xserver_stream_connect(virt_domain) - ') -') +- +-optional_policy(` +- dbus_read_lib_files(virt_domain) +-') +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) @@ -85757,24 +85854,20 @@ index 1f22fba..12f4354 100644 +corenet_tcp_connect_all_ports(svirt_t) -optional_policy(` -- dbus_read_lib_files(virt_domain) +- nscd_use(virt_domain) -') +miscfiles_read_generic_certs(svirt_t) optional_policy(` -- nscd_use(virt_domain) +- samba_domtrans_smbd(virt_domain) + xen_rw_image_files(svirt_t) ') optional_policy(` -- samba_domtrans_smbd(virt_domain) +- xen_rw_image_files(virt_domain) + nscd_use(svirt_t) ') --optional_policy(` -- xen_rw_image_files(virt_domain) --') -- -######################################## +####################################### # @@ -85792,9 +85885,7 @@ index 1f22fba..12f4354 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) @@ -85818,7 +85909,9 @@ index 1f22fba..12f4354 100644 -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) @@ -85946,16 +86039,16 @@ index 1f22fba..12f4354 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) @@ -86047,13 +86140,13 @@ index 1f22fba..12f4354 100644 +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -- --ifdef(`hide_broken_symptoms',` -- dontaudit virtd_t self:capability { sys_module sys_ptrace }; --') +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) +-ifdef(`hide_broken_symptoms',` +- dontaudit virtd_t self:capability { sys_module sys_ptrace }; +-') +- -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -86084,15 +86177,13 @@ index 1f22fba..12f4354 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +472,326 @@ optional_policy(` - consoletype_exec(virtd_t) - ') +@@ -649,104 +475,323 @@ optional_policy(` + optional_policy(` + dbus_system_bus_client(virtd_t) --optional_policy(` -- dbus_system_bus_client(virtd_t) -+optional_policy(` -+ dbus_system_bus_client(virtd_t) -+ +- optional_policy(` +- avahi_dbus_chat(virtd_t) +- ') + optional_policy(` + avahi_dbus_chat(virtd_t) + ') @@ -86283,10 +86374,7 @@ index 1f22fba..12f4354 100644 +dev_rw_inherited_vhost(virt_domain) + +domain_use_interactive_fds(virt_domain) - -- optional_policy(` -- avahi_dbus_chat(virtd_t) -- ') ++ +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) @@ -86802,7 +86890,7 @@ index 1f22fba..12f4354 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,11 +1109,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1109,91 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -86816,23 +86904,32 @@ index 1f22fba..12f4354 100644 +userdom_use_inherited_user_terminals(svirt_lxc_domain) + +optional_policy(` ++ apache_exec_modules(svirt_lxc_domain) ++ apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +') ++ ++optional_policy(` ++ ssh_use_ptys(svirt_lxc_net_t) ++') optional_policy(` udev_read_pid_files(svirt_lxc_domain) -@@ -1078,81 +1129,67 @@ optional_policy(` - apache_read_sys_content(svirt_lxc_domain) + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) ++ userhelper_dontaudit_write_config(svirt_lxc_domain) ') -######################################## -# -# Lxc net local policy -# -+optional_policy(` -+ userhelper_dontaudit_write_config(svirt_lxc_domain) -+') -+ +virt_lxc_domain_template(svirt_lxc_net) -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; @@ -86929,7 +87026,7 @@ index 1f22fba..12f4354 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1202,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1206,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -86944,7 +87041,7 @@ index 1f22fba..12f4354 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1220,8 @@ optional_policy(` +@@ -1183,9 +1224,8 @@ optional_policy(` ######################################## # @@ -86955,7 +87052,7 @@ index 1f22fba..12f4354 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1234,70 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1238,70 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index b22b6a1..c96e031 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,6 +526,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Mar 8 2013 Miroslav Grepl 3.12.1-20 +- Adopt swift changes from lhh@redhat.com +- Add rhcs_manage_cluster_pid_files() interface +- Allow screen domains to configure tty and setup sock_file in ~/.screen directory +- ALlow setroubleshoot to read default_context_t, needed to backport to F18 +- Label /etc/owncloud as being an apache writable directory +- Allow sshd to stream connect to an lxc domain + * Thu Mar 7 2013 Miroslav Grepl 3.12.1-19 - Allow postgresql to manage rgmanager pid files - Allow postgresql to read ccs data