diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 077d9bb..192c2ec 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 526532f..671a949 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1,5 +1,5 @@ diff --git a/Makefile b/Makefile -index ec7b5cb..a027110 100644 +index ec7b5cb..e2936c6 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule @@ -15,7 +15,7 @@ index ec7b5cb..a027110 100644 user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts openssh_contexts systemd_contexts) $(contextpath)/files/media $(user_default_contexts_names) ++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context lxc_contexts openssh_contexts systemd_contexts snapperd_contexts) $(contextpath)/files/media $(user_default_contexts_names) net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) @@ -877,47 +877,150 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..2e137e6 100644 +index a94b169..7c036a8 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors -@@ -329,6 +329,7 @@ class process - execheap - setkeycreate - setsockcreate -+ ptrace_child +@@ -121,6 +121,60 @@ common x_device } - -@@ -393,6 +394,13 @@ class system + # ++# Define a common for capability access vectors. ++# ++common cap ++{ ++ # The capabilities are defined in include/linux/capability.h ++ # Capabilities >= 32 are defined in the cap2 common. ++ # Care should be taken to ensure that these are consistent with ++ # those definitions. (Order matters) ++ ++ chown ++ dac_override ++ dac_read_search ++ fowner ++ fsetid ++ kill ++ setgid ++ setuid ++ setpcap ++ linux_immutable ++ net_bind_service ++ net_broadcast ++ net_admin ++ net_raw ++ ipc_lock ++ ipc_owner ++ sys_module ++ sys_rawio ++ sys_chroot ++ sys_ptrace ++ sys_pacct ++ sys_admin ++ sys_boot ++ sys_nice ++ sys_resource ++ sys_time ++ sys_tty_config ++ mknod ++ lease ++ audit_write ++ audit_control ++ setfcap ++} ++ ++common cap2 ++{ ++ mac_override # unused by SELinux ++ mac_admin # unused by SELinux ++ syslog ++ wake_alarm ++ block_suspend ++ audit_read ++} ++ ++# + # Define the access vectors. + # + # class class_name [ inherits common_name ] { permission_name ... } +@@ -393,62 +447,31 @@ class system syslog_mod syslog_console module_request ++ # these are overloaded userspace ++ # permissions from systemd + halt + reboot + status ++ start ++ stop ++ enable ++ disable ++ reload + undefined -+ enable -+ disable -+ reload } # -@@ -443,10 +451,13 @@ class capability - class capability2 +-# Define the access vector interpretation for controling capabilies ++# Define the access vector interpretation for controlling capabilities + # + + class capability +-{ +- # The capabilities are defined in include/linux/capability.h +- # Capabilities >= 32 are defined in the capability2 class. +- # Care should be taken to ensure that these are consistent with +- # those definitions. (Order matters) ++inherits cap + +- chown +- dac_override +- dac_read_search +- fowner +- fsetid +- kill +- setgid +- setuid +- setpcap +- linux_immutable +- net_bind_service +- net_broadcast +- net_admin +- net_raw +- ipc_lock +- ipc_owner +- sys_module +- sys_rawio +- sys_chroot +- sys_ptrace +- sys_pacct +- sys_admin +- sys_boot +- sys_nice +- sys_resource +- sys_time +- sys_tty_config +- mknod +- lease +- audit_write +- audit_control +- setfcap +-} +- +-class capability2 ++class capability2 ++inherits cap2 { - mac_override # unused by SELinux +- mac_override # unused by SELinux - mac_admin # unused by SELinux -+ mac_admin - syslog - wake_alarm +- syslog +- wake_alarm +- block_suspend + epolwakeup - block_suspend -+ compromise_kernel -+ audit_read } - +- # -@@ -690,6 +701,8 @@ class nscd + # Define the access vector interpretation for controlling + # changes to passwd information. +@@ -690,6 +713,8 @@ class nscd shmemhost getserv shmemserv @@ -926,7 +1029,7 @@ index a94b169..2e137e6 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +844,38 @@ inherits socket +@@ -831,6 +856,38 @@ inherits socket attach_queue } @@ -965,7 +1068,7 @@ index a94b169..2e137e6 100644 class x_pointer inherits x_device -@@ -865,3 +910,18 @@ inherits database +@@ -865,3 +922,28 @@ inherits database implement execute } @@ -984,8 +1087,18 @@ index a94b169..2e137e6 100644 +{ + read +} ++ ++# ++# Define the access vector interpretation for controlling capabilities ++# in user namespaces ++# ++class cap_userns ++inherits cap ++ ++class cap2_userns ++inherits cap2 diff --git a/policy/flask/security_classes b/policy/flask/security_classes -index 14a4799..9bb9aa4 100644 +index 14a4799..6e16f5e 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -121,6 +121,18 @@ class kernel_service @@ -1007,7 +1120,7 @@ index 14a4799..9bb9aa4 100644 # Still More SE-X Windows stuff class x_pointer # userspace class x_keyboard # userspace -@@ -131,4 +143,11 @@ class db_view # userspace +@@ -131,4 +143,15 @@ class db_view # userspace class db_sequence # userspace class db_language # userspace @@ -1018,6 +1131,10 @@ index 14a4799..9bb9aa4 100644 +class proxy + + ++# Capability checks when on a non-init user namespace ++class cap_userns ++class cap2_userns ++ # FLASK diff --git a/policy/global_booleans b/policy/global_booleans index 66e85ea..d02654d 100644 @@ -3537,7 +3654,7 @@ index 7590165..d81185e 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..48f001d 100644 +index 33e0f8d..3437271 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3594,7 +3711,7 @@ index 33e0f8d..48f001d 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -101,8 +118,6 @@ ifdef(`distro_redhat',` +@@ -101,11 +118,8 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -3602,8 +3719,11 @@ index 33e0f8d..48f001d 100644 - /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) - /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -116,6 +131,9 @@ ifdef(`distro_redhat',` +-/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) + +@@ -116,6 +130,9 @@ ifdef(`distro_redhat',` /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3613,7 +3733,7 @@ index 33e0f8d..48f001d 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -128,6 +146,8 @@ ifdef(`distro_debian',` +@@ -128,6 +145,8 @@ ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3622,7 +3742,7 @@ index 33e0f8d..48f001d 100644 # # /lib # -@@ -135,10 +155,12 @@ ifdef(`distro_debian',` +@@ -135,10 +154,12 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -3636,7 +3756,7 @@ index 33e0f8d..48f001d 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',` +@@ -149,10 +170,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3650,7 +3770,7 @@ index 33e0f8d..48f001d 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +191,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3658,7 +3778,7 @@ index 33e0f8d..48f001d 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',` +@@ -179,34 +203,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3718,7 +3838,7 @@ index 33e0f8d..48f001d 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',` +@@ -218,19 +258,32 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3758,7 +3878,7 @@ index 33e0f8d..48f001d 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',` +@@ -245,26 +298,40 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3804,7 +3924,7 @@ index 33e0f8d..48f001d 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',` +@@ -280,10 +347,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -3819,7 +3939,7 @@ index 33e0f8d..48f001d 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +369,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3844,7 +3964,7 @@ index 33e0f8d..48f001d 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +403,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +402,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3873,7 +3993,7 @@ index 33e0f8d..48f001d 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +431,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +430,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -3881,7 +4001,7 @@ index 33e0f8d..48f001d 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,17 +473,34 @@ ifdef(`distro_suse', ` +@@ -387,17 +472,34 @@ ifdef(`distro_suse', ` # # /var # @@ -3918,7 +4038,7 @@ index 33e0f8d..48f001d 100644 +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..f0aef3e 100644 +index 9e9263a..cb42593 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -8,6 +8,22 @@ @@ -4144,18 +4264,7 @@ index 9e9263a..f0aef3e 100644 ') ######################################## -@@ -1012,6 +1065,10 @@ interface(`corecmd_exec_all_executables',` - can_exec($1, exec_type) - list_dirs_pattern($1, bin_t, bin_t) - read_lnk_files_pattern($1, bin_t, exec_type) -+ -+ ifdef(`enable_mls',`',` -+ files_exec_all_base_ro_files($1) -+ ') - ') - - ######################################## -@@ -1049,6 +1106,7 @@ interface(`corecmd_manage_all_executables',` +@@ -1049,6 +1102,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -4163,7 +4272,7 @@ index 9e9263a..f0aef3e 100644 manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') -@@ -1091,3 +1149,74 @@ interface(`corecmd_mmap_all_executables',` +@@ -1091,3 +1145,74 @@ interface(`corecmd_mmap_all_executables',` mmap_files_pattern($1, bin_t, exec_type) ') @@ -6307,7 +6416,7 @@ index 3f6e168..340e49f 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..ed25075 100644 +index b31c054..ab7c054 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6331,24 +6440,20 @@ index b31c054..ed25075 100644 /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -44,6 +47,16 @@ +@@ -44,6 +47,12 @@ /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) /dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/infiniband/.* -c gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh) -+/dev/infiniband/issm0 -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) -+/dev/infiniband/issm1 -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) -+/dev/infiniband/umad0 -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) -+/dev/infiniband/umad1 -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) ++/dev/infiniband/issm[0-9]+ -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) ++/dev/infiniband/umad[0-9]+ -c gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) +/dev/infiniband/.* -b gen_context(system_u:object_r:infiniband_device_t,mls_systemhigh) -+/dev/infiniband/issm0 -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) -+/dev/infiniband/issm1 -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) -+/dev/infiniband/umad0 -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) -+/dev/infiniband/umad1 -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) ++/dev/infiniband/issm[0-9]+ -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) ++/dev/infiniband/umad[0-9]+ -b gen_context(system_u:object_r:infiniband_mgmt_device_t,mls_systemhigh) /dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -@@ -61,8 +74,10 @@ +@@ -61,8 +70,10 @@ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -6360,7 +6465,7 @@ index b31c054..ed25075 100644 /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) -@@ -72,7 +87,9 @@ +@@ -72,7 +83,9 @@ /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) @@ -6370,7 +6475,7 @@ index b31c054..ed25075 100644 /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) -@@ -80,6 +97,8 @@ +@@ -80,6 +93,8 @@ /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -6379,7 +6484,7 @@ index b31c054..ed25075 100644 /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -90,6 +109,7 @@ +@@ -90,6 +105,7 @@ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0) @@ -6387,7 +6492,7 @@ index b31c054..ed25075 100644 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0) -@@ -106,6 +126,7 @@ +@@ -106,6 +122,7 @@ /dev/snapshot -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -6395,7 +6500,7 @@ index b31c054..ed25075 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +139,12 @@ +@@ -118,6 +135,12 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') @@ -6408,7 +6513,7 @@ index b31c054..ed25075 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +156,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +152,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6423,7 +6528,7 @@ index b31c054..ed25075 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,15 +201,21 @@ ifdef(`distro_suse', ` +@@ -172,15 +197,21 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6445,7 +6550,7 @@ index b31c054..ed25075 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +233,27 @@ ifdef(`distro_debian',` +@@ -198,12 +229,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -22247,7 +22352,7 @@ index e100d88..1428581 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..5b93205 100644 +index 8dbab4c..5deb336 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -22542,7 +22647,7 @@ index 8dbab4c..5b93205 100644 ######################################## # # Unlabeled process local policy -@@ -399,14 +491,39 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -22571,7 +22676,6 @@ index 8dbab4c..5b93205 100644 + +if( ! secure_mode_insmod ) { + allow can_load_kernmodule self:capability sys_module; -+ allow can_load_kernmodule self:capability2 compromise_kernel; + # load_module() calls stop_machine() which + # calls sched_setscheduler() + allow can_load_kernmodule self:capability sys_nice; @@ -31241,7 +31345,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..5d9d50d 100644 +index 8b40377..a1eab03 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32267,7 +32371,7 @@ index 8b40377..5d9d50d 100644 +allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; + dontaudit xserver_t self:capability chown; -+allow xserver_t self:capability2 compromise_kernel; ++#allow xserver_t self:capability2 compromise_kernel; + allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; @@ -38978,15 +39082,16 @@ index 312cd04..102b975 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..ec4c7c7 100644 +index 73a1c4e..a143623 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,43 @@ +@@ -1,22 +1,45 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0) +/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/nftables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/lib/systemd/system/arptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) @@ -39017,6 +39122,7 @@ index 73a1c4e..ec4c7c7 100644 -/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -46612,10 +46718,10 @@ index a392fc4..79fadfc 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..6cf3942 +index 0000000..8b77d7a --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,69 @@ +@@ -0,0 +1,71 @@ +HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) +/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) + @@ -46642,6 +46748,7 @@ index 0000000..6cf3942 +/usr/lib/systemd/system/systemd-machined\.service -- gen_context(system_u:object_r:systemd_machined_unit_file_t,s0) +/usr/lib/systemd/system/systemd-networkd\.service gen_context(system_u:object_r:systemd_networkd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-resolved\.service gen_context(system_u:object_r:systemd_resolved_unit_file_t,s0) ++/usr/lib/systemd/system/systemd-modules-load\.service gen_context(system_u:object_r:systemd_modules_load_unit_file_t,s0) +/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) +/usr/lib/systemd/system/systemd-rfkill\.service -- gen_context(system_u:object_r:systemd_rfkill_unit_file_t,s0) +/usr/lib/systemd/system/systemd-time.*\.service -- gen_context(system_u:object_r:systemd_timedated_unit_file_t,s0) @@ -46664,6 +46771,7 @@ index 0000000..6cf3942 +/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) +/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) ++/usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) +/usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0) +/usr/lib/systemd/systemd-resolve(d|-host) gen_context(system_u:object_r:systemd_resolved_exec_t,s0) + @@ -46687,10 +46795,10 @@ index 0000000..6cf3942 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..ebd6cc8 +index 0000000..513b97b --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1716 @@ +@@ -0,0 +1,1738 @@ +## SELinux policy for systemd components + +###################################### @@ -48407,12 +48515,34 @@ index 0000000..ebd6cc8 + files_search_etc($1) + allow $1 systemd_hwdb_etc_t:file read_file_perms; +') ++ ++######################################## ++## ++## Allow process to manage hwdb config file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`systemd_hwdb_manage_config',` ++ gen_require(` ++ type systemd_hwdb_etc_t; ++ ') ++ ++ files_search_etc($1) ++ manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t) ++ allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto}; ++ files_etc_filetrans($1, systemd_hwdb_etc_t, file) ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f26d95b +index 0000000..7877160 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,939 @@ +@@ -0,0 +1,957 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48474,6 +48604,11 @@ index 0000000..f26d95b +type systemd_resolved_unit_file_t; +systemd_unit_file(systemd_resolved_unit_file_t) + ++systemd_domain_template(systemd_modules_load) ++ ++type systemd_modules_load_unit_file_t; ++systemd_unit_file(systemd_modules_load_unit_file_t) ++ +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + @@ -49352,6 +49487,19 @@ index 0000000..f26d95b + +read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) ++ ++####################################### ++# ++# systemd_modules_load domain ++# ++ ++kernel_dgram_send(systemd_modules_load_t) ++ ++dev_read_sysfs(systemd_modules_load_t) ++ ++files_read_kernel_modules(systemd_modules_load_t) ++modutils_list_module_config(systemd_modules_load_t) ++ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index f41857e..49fd32e 100644 --- a/policy/modules/system/udev.fc @@ -49650,7 +49798,7 @@ index 9a1650d..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index 39f185f..5658ab4 100644 +index 39f185f..b41b341 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -49680,7 +49828,7 @@ index 39f185f..5658ab4 100644 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; -+allow udev_t self:capability2 { block_suspend compromise_kernel }; ++allow udev_t self:capability2 { block_suspend }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:capability2 block_suspend; -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -49812,7 +49960,7 @@ index 39f185f..5658ab4 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,9 +193,13 @@ sysnet_read_dhcpc_pid(udev_t) +@@ -169,9 +193,14 @@ sysnet_read_dhcpc_pid(udev_t) sysnet_delete_dhcpc_pid(udev_t) sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) @@ -49821,13 +49969,14 @@ index 39f185f..5658ab4 100644 + +systemd_login_read_pid_files(udev_t) +systemd_getattr_unit_files(udev_t) ++systemd_hwdb_manage_config(udev_t) userdom_dontaudit_search_user_home_content(udev_t) +userdom_rw_inherited_user_tmp_pipes(udev_t) ifdef(`distro_debian',` files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug") -@@ -195,16 +223,9 @@ ifdef(`distro_gentoo',` +@@ -195,16 +224,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -49846,7 +49995,7 @@ index 39f185f..5658ab4 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -242,6 +263,7 @@ optional_policy(` +@@ -242,6 +264,7 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -49854,7 +50003,7 @@ index 39f185f..5658ab4 100644 ') optional_policy(` -@@ -249,17 +271,31 @@ optional_policy(` +@@ -249,17 +272,31 @@ optional_policy(` dbus_use_system_bus_fds(udev_t) optional_policy(` @@ -49888,7 +50037,7 @@ index 39f185f..5658ab4 100644 ') optional_policy(` -@@ -289,6 +325,10 @@ optional_policy(` +@@ -289,6 +326,10 @@ optional_policy(` ') optional_policy(` @@ -49899,7 +50048,7 @@ index 39f185f..5658ab4 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -303,6 +343,15 @@ optional_policy(` +@@ -303,6 +344,15 @@ optional_policy(` ') optional_policy(` @@ -49915,7 +50064,7 @@ index 39f185f..5658ab4 100644 unconfined_signal(udev_t) ') -@@ -315,6 +364,7 @@ optional_policy(` +@@ -315,6 +365,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8dae028..d40c3d3 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -24056,7 +24056,7 @@ index 8ce99ff..1bc5d3a 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index 77a5003..b605240 100644 +index 77a5003..9e56e3e 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1) @@ -24200,7 +24200,7 @@ index 77a5003..b605240 100644 -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; -+allow devicekit_power_t self:capability2 compromise_kernel; ++#allow devicekit_power_t self:capability2 compromise_kernel; allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; @@ -26033,10 +26033,10 @@ index 0000000..d22ed69 +') diff --git a/dnssec.te b/dnssec.te new file mode 100644 -index 0000000..f186d85 +index 0000000..e44017c --- /dev/null +++ b/dnssec.te -@@ -0,0 +1,88 @@ +@@ -0,0 +1,89 @@ +policy_module(dnssec, 1.0.0) + +######################################## @@ -26118,6 +26118,7 @@ index 0000000..f186d85 +') + +optional_policy(` ++ networkmanager_dbus_chat(dnssec_trigger_t) + networkmanager_stream_connect(dnssec_trigger_t) + networkmanager_signal(dnssec_trigger_t) + networkmanager_sigchld(dnssec_trigger_t) @@ -41315,7 +41316,7 @@ index 3a00b3a..92f125f 100644 +') + diff --git a/kdump.te b/kdump.te -index 715fc21..e8792ed 100644 +index 715fc21..3cac629 100644 --- a/kdump.te +++ b/kdump.te @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) @@ -41350,7 +41351,7 @@ index 715fc21..e8792ed 100644 # allow kdump_t self:capability { sys_boot dac_override }; -+allow kdump_t self:capability2 compromise_kernel; ++#allow kdump_t self:capability2 compromise_kernel; + +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) @@ -46987,7 +46988,7 @@ index 0000000..e86897d +') diff --git a/lttng-tools.te b/lttng-tools.te new file mode 100644 -index 0000000..0b9ade5 +index 0000000..1d2ca22 --- /dev/null +++ b/lttng-tools.te @@ -0,0 +1,60 @@ @@ -47017,7 +47018,7 @@ index 0000000..0b9ade5 +# + +allow lttng_sessiond_t self:capability { chown setgid setuid fsetid net_admin sys_resource }; -+ ++allow lttng_sessiond_t self:capability2 block_suspend; +allow lttng_sessiond_t self:process { setrlimit signal_perms }; +allow lttng_sessiond_t self:fifo_file rw_fifo_file_perms; +allow lttng_sessiond_t self:tcp_socket listen; @@ -82191,7 +82192,7 @@ index afc0068..589a7fd 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 8644d8b..4d073e9 100644 +index 8644d8b..e39f835 100644 --- a/quantum.te +++ b/quantum.te @@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0) @@ -82281,7 +82282,7 @@ index 8644d8b..4d073e9 100644 - -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) -+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; ++allow neutron_t self:capability { chown dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service}; +allow neutron_t self:capability2 block_suspend; +allow neutron_t self:process { setsched setrlimit setcap signal_perms }; + @@ -110651,14 +110652,14 @@ index 9d4d8cb..1189323 100644 tunable_policy(`varnishd_connect_any',` corenet_sendrecv_all_client_packets(varnishd_t) diff --git a/vbetool.te b/vbetool.te -index 2a61f75..02a87c0 100644 +index 2a61f75..b026ab7 100644 --- a/vbetool.te +++ b/vbetool.te @@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t; # allow vbetool_t self:capability { dac_override sys_tty_config sys_admin }; -+allow vbetool_t self:capability2 compromise_kernel; ++#allow vbetool_t self:capability2 compromise_kernel; allow vbetool_t self:process execmem; dev_wx_raw_memory(vbetool_t) @@ -113097,7 +113098,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..88489f7 100644 +index f03dcf5..cd95400 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ @@ -113751,7 +113752,7 @@ index f03dcf5..88489f7 100644 -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -+allow virtd_t self:capability2 compromise_kernel; ++#allow virtd_t self:capability2 compromise_kernel; allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code @@ -114109,7 +114110,7 @@ index f03dcf5..88489f7 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +707,331 @@ optional_policy(` +@@ -746,44 +707,332 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -114185,7 +114186,7 @@ index f03dcf5..88489f7 100644 +# +# virtual domains common policy +# -+allow virt_domain self:capability2 compromise_kernel; ++#allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { setrlimit signal_perms getsched setsched }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; @@ -114280,6 +114281,7 @@ index f03dcf5..88489f7 100644 +dev_rw_kvm(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) ++dev_rw_infiniband_dev(virt_domain) + +domain_use_interactive_fds(virt_domain) + @@ -114463,7 +114465,7 @@ index f03dcf5..88489f7 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1042,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1043,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -114490,7 +114492,7 @@ index f03dcf5..88489f7 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1062,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1063,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -114524,7 +114526,7 @@ index f03dcf5..88489f7 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1099,20 @@ optional_policy(` +@@ -856,14 +1100,20 @@ optional_policy(` ') optional_policy(` @@ -114546,7 +114548,7 @@ index f03dcf5..88489f7 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1137,66 @@ optional_policy(` +@@ -888,49 +1138,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -114566,7 +114568,7 @@ index f03dcf5..88489f7 100644 # +allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; +allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms }; -+allow virtd_lxc_t self:capability2 compromise_kernel; ++#allow virtd_lxc_t self:capability2 compromise_kernel; -allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; @@ -114631,7 +114633,7 @@ index f03dcf5..88489f7 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1208,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1209,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -114651,7 +114653,7 @@ index f03dcf5..88489f7 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1229,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1230,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -114675,7 +114677,7 @@ index f03dcf5..88489f7 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1254,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1255,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115172,7 +115174,7 @@ index f03dcf5..88489f7 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1615,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115187,7 +115189,7 @@ index f03dcf5..88489f7 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1633,7 @@ optional_policy(` +@@ -1192,7 +1634,7 @@ optional_policy(` ######################################## # @@ -115196,7 +115198,7 @@ index f03dcf5..88489f7 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1642,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1643,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 45aaea4..2a75676 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 200%{?dist} +Release: 201%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,34 @@ exit 0 %endif %changelog +* Mon Jul 11 2016 Lukas Vrabec 3.13.1-201 +- Allow lttng tools to block suspending +- Allow creation of vpnaas in openstack +- remove rules with compromised_kernel permission +- Allow dnssec-trigger to chat with NetworkManager over DBUS BZ(1350100) +- Allow virtual machines to rw infiniband devices. Resolves: rhbz#1210263 +- Update makefile to support snapperd_contexts file +- Remove compromize_kernel permission Remove unused mac_admin permission Add undefined system permission +- Remove duplicate declaration of class service +- Fix typo in access_vectors file +- Merge branch 'rawhide-base-modules-load' into rawhide-base +- Add new policy for systemd-modules-load +- Add systemd access vectors. +- Revert "Revert "Revert "Missed this version of exec_all""" +- Revert "Revert "Missed this version of exec_all"" +- Revert "Missed this version of exec_all" +- Revert "Revert "Fix name of capability2 secure_firmware->compromise_kernel"" BZ(1351624) This reverts commit 3e0e7e70de481589440f3f79cccff08d6e62f644. +- Revert "Fix name of capability2 secure_firmware->compromise_kernel" BZ(1351624) This reverts commit 7a0348a2d167a72c8ab8974a1b0fc33407f72c48. +- Revert "Allow xserver to compromise_kernel access"BZ(1351624) +- Revert "Allow anyone who can load a kernel module to compromise_kernel"BZ(1351624) +- Revert "add ptrace_child access to process" (BZ1351624) +- Add user namespace capability object classes. +- Allow udev to manage systemd-hwdb files +- Add interface systemd_hwdb_manage_config() +- Fix paths to infiniband devices. This allows use more then two infiniband interfaces. +- corecmd: Remove fcontext for /etc/sysconfig/libvirtd +- iptables: add fcontext for nftables + * Tue Jul 05 2016 Lukas Vrabec 3.13.1-200 - Fix typo in brltty policy - Add new SELinux module sbd