diff --git a/SOURCES/policy-rhel-7.6.z-base.patch b/SOURCES/policy-rhel-7.6.z-base.patch
index f63d0a4..ddd5e75 100644
--- a/SOURCES/policy-rhel-7.6.z-base.patch
+++ b/SOURCES/policy-rhel-7.6.z-base.patch
@@ -10,6 +10,53 @@ index b6debf340..329eb3922 100644
  allow $1_sudo_t $3:key search;
  
  # Enter this derived domain from the user domain
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 5fa83a2fb..34fd0b0f1 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -602,6 +602,42 @@ interface(`domain_search_all_domains_state',`
+ allow $1 domain:dir search_dir_perms;
+ ')
+ 
++########################################
++##
++## Allow read and write of process kernel keyrings
++##
++##
++##
++## Domain to dontaudit.
++##
++##
++#
++interface(`domain_rw_all_domains_keyrings',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:key { read write};
++')
++
++########################################
++##
++## Allow manage of process kernel keyrings
++##
++##
++##
++## Domain to dontaudit.
++##
++##
++#
++interface(`domain_manage_all_domains_keyrings',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:key manage_key_perms;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to search the process
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
 index c03a52c04..8569b19db 100644
 --- a/policy/modules/roles/staff.te
diff --git a/SOURCES/policy-rhel-7.6.z-contrib.patch b/SOURCES/policy-rhel-7.6.z-contrib.patch
index 4f47591..eed0798 100644
--- a/SOURCES/policy-rhel-7.6.z-contrib.patch
+++ b/SOURCES/policy-rhel-7.6.z-contrib.patch
@@ -459,7 +459,7 @@ index 2ee527f2a..79a2a9c48 100644
 - allow nfsd_t $1:dbus send_msg;
 -')
 diff --git a/rpc.te b/rpc.te
-index f4df4fda2..f585a7fb5 100644
+index f4df4fda2..b9665f773 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t)
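Review bot: Both new interfaces in the added domain.if hunk describe their parameter as `Domain to dontaudit.` while the rule each one adds is an `allow` rule, so the interface documentation contradicts what domain_rw_all_domains_keyrings and domain_manage_all_domains_keyrings actually grant. The parameter summary should use the usual refpolicy wording `Domain allowed access.`, and the summary line would be clearer if it said the rule applies to the keys of every type carrying the `domain` attribute, which is what `allow $1 domain:key …` does. Style: `{ read write}` lacks the closing space used elsewhere, `{ read write }`. Because manage_key_perms is a superset of read/write and this diff only ever calls the manage variant (rpc.te in the contrib patch), a one-line comment on each interface stating its intended callers would help reviewers judge the breadth of the grant.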
@@ -511,6 +511,61 @@ index f4df4fda2..f585a7fb5 100644
  optional_policy(`
  mount_exec(nfsd_t)
  mount_manage_pid_files(nfsd_t)
+@@ -357,6 +331,8 @@ kernel_signal(gssd_t)
+ 
+ corecmd_exec_bin(gssd_t)
+ 
++domain_manage_all_domains_keyrings(gssd_t)
++
+ fs_list_rpc(gssd_t)
+ fs_rw_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
+diff --git a/rpm.te b/rpm.te
+index 7394a0dfc..4402cbe09 100644
+--- a/rpm.te
++++ b/rpm.te
+@@ -34,6 +34,7 @@ logging_log_file(rpm_log_t)
+ 
+ type rpm_var_lib_t;
+ files_type(rpm_var_lib_t)
++files_mountpoint(rpm_var_lib_t)
+ typealias rpm_var_lib_t alias var_lib_rpm_t;
+ 
+ type rpm_var_cache_t;
+diff --git a/snapper.fc b/snapper.fc
+index 4f4bdb397..0a43846a8 100644
+--- a/snapper.fc
++++ b/snapper.fc
+@@ -7,6 +7,7 @@
+ 
+ /mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+ /\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
++
+ /usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+ /var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+ /etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
+diff --git a/snapper.te b/snapper.te
+index 8c9e4a200..5be6d3542 100644
+--- a/snapper.te
++++ b/snapper.te
+@@ -22,7 +22,7 @@ files_type(snapperd_data_t)
+ #
+ # snapperd local policy
+ #
+-allow snapperd_t self:capability { dac_read_search fowner sys_admin };
++allow snapperd_t self:capability { dac_read_search dac_override fowner sys_admin };
+ allow snapperd_t self:process setsched;
+ 
+ allow snapperd_t self:fifo_file rw_fifo_file_perms;
+@@ -57,6 +57,8 @@ files_read_all_files(snapperd_t)
+ files_read_all_symlinks(snapperd_t)
+ files_list_all(snapperd_t)
+ files_manage_isid_type_dirs(snapperd_t)
++files_manage_non_security_dirs(snapperd_t)
++files_relabel_non_security_files(snapperd_t)
+ 
+ fs_getattr_all_fs(snapperd_t)
+ fs_mount_xattr_fs(snapperd_t)
 diff --git a/sysstat.te b/sysstat.te
 index a2690e315..efb2f855c 100644
 --- a/sysstat.te
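Review bot: `domain_manage_all_domains_keyrings(gssd_t)` in the rpc.te hunk grants gssd_t manage_key_perms on the keys of every domain, which is wider than the read/write interface the spec changelog says 229.8 introduced for the same bug, and nothing in the hunk records why read/write was not enough. A comment above the call, `# manage (not only rw) of every domain's keyrings, see rhbz#1665815`, would let a later auditor trace the widening; with this change the rw interface added in the base patch appears to have no caller, as far as this diff shows. The snapper.te hunks likewise add `dac_override` to snapperd_t's capabilities and `files_manage_non_security_dirs` / `files_relabel_non_security_files`, extending the domain to managing and relabelling most non-security directories and files, and a one-line comment citing rhbz#1661158 beside those rules would serve the same purpose. The enclosing rpc.te and snapper.te blocks begin and end outside the hunk.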
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 40d3140..ec77df7 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 229%{?dist}.6
+Release: 229%{?dist}.9
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -657,6 +657,22 @@ fi
 %endif
 
 %changelog
+* Thu Jan 17 2019 Lukas Vrabec - 3.13.1-229.9
+- Allow gssd_t domain to manage kernel keyrings of every domain.
+Resolves: rhbz#1665815
+- Add new interface domain_manage_all_domains_keyrings()
+Resolves: rhbz#1665815
+
+* Mon Jan 14 2019 Lukas Vrabec - 3.13.1-229.8
+- Add interface domain_rw_all_domains_keyrings()
+Resolves: rhbz#1665815
+- Allow gssd_t domain to read/write kernel keyrings of every domain.
+Resolves: rhbz#1665815
+
+* Thu Dec 20 2018 Lukas Vrabec - 3.13.1-229.7
+- Update snapperd policy to allow snapperd manage all non security dirs.
+Resolves: rhbz#1661158
+
 * Fri Nov 02 2018 Lukas Vrabec - 3.13.1-229.6
 - Allow nova_t domain to use pam
 Resolves: rhbz:#1645270