diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c471c0e..c20f6c9 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -16174,7 +16174,7 @@ index 8416beb..19d6aba 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..3ed4189 100644 +index e7d1738..6ac60c3 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -16308,6 +16308,19 @@ index e7d1738..3ed4189 100644 ######################################## # +@@ -301,9 +322,10 @@ fs_associate_noxattr(noxattrfs) + # Unconfined access to this module + # + +-allow filesystem_unconfined_type filesystem_type:filesystem *; ++allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms; + + # Create/access other files. fs_type is to pick up various + # pseudo filesystem types that are applied to both the filesystem + # and its files. +-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *; ++allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint; ++allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *; diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc index 7be4ddf..9710b33 100644 --- a/policy/modules/kernel/kernel.fc @@ -17578,7 +17591,7 @@ index e100d88..991e1a5 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..96d9a91 100644 +index 8dbab4c..15c063c 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
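Review bot: In the filesystem.te hunk, `allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;` withdraws entrypoint on every type carrying the filesystem_type attribute, which in refpolicy appears to include network and removable filesystems (nfs_t, cifs_t, removable_t — confirm in this tree), so any unconfined domain that previously relied on the wildcard to be entered from a binary on those filesystems now needs an explicit, preferably boolean-gated, entry rule (e.g. the `fs_nfs_entry_type`/`fs_cifs_entry_type` interfaces under use_nfs_home_dirs/use_samba_home_dirs), and that should be checked before this lands. Note also that swapping `*` for `all_filesystem_perms` on the filesystem class changes semantics slightly: `*` silently absorbs permissions added to the class in later policy versions, the macro does not, whereas `~entrypoint` on `file` still does absorb them (it grants everything except entrypoint, including execute and execute_no_trans). Since both choices are deliberate, a one-line comment above the rules would save the next reader a trip to obj_perm_sets.spt: `# Unconfined types may do anything to files on these filesystems except use one as a domain entrypoint; filesystem perms are enumerated rather than * so new class permissions are opted into explicitly.`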
@@ -17865,7 +17878,23 @@ index 8dbab4c..96d9a91 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) { + # Rules for unconfined acccess to this module + # + +-allow kern_unconfined proc_type:{ dir file lnk_file } *; ++allow kern_unconfined proc_type:{ file } ~entrypoint; ++allow kern_unconfined proc_type:{ dir lnk_file } *; + +-allow kern_unconfined sysctl_type:{ dir file } *; ++allow kern_unconfined sysctl_type:{ file } ~entrypoint; ++allow kern_unconfined sysctl_type:{ dir } *; + + allow kern_unconfined kernel_t:system *; + +-allow kern_unconfined unlabeled_t:dir_file_class_set *; ++allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *; ++allow kern_unconfined unlabeled_t:file ~entrypoint; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; diff --git a/selinux-policy.spec b/selinux-policy.spec index 9c3b13e..261ecaa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 123%{?dist} +Release: 124%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,7 +602,10 @@ SELinux Reference policy mls base module. %endif %changelog -* Wed Apr 14 2015 Lukas Vrabec 3.13.1-123 +* Wed Apr 15 2015 Lukas Vrabec 3.13.1-124 +- Add more restriction on entrypoint for unconfined domains. + +* Tue Apr 14 2015 Lukas Vrabec 3.13.1-123 - Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
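Review bot: In the kernel.te hunk, `allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;` plus `allow kern_unconfined unlabeled_t:file ~entrypoint;` replaces the `dir_file_class_set` macro with a hand-enumerated class list, which is only equivalent if that macro expands to exactly `{ dir file lnk_file sock_file fifo_file chr_file blk_file }` in this tree (verify against obj_perm_sets.spt), and the enumerated form will silently drift if the macro ever gains a class. The same applies to the proc_type and sysctl_type rules above it. Worth stating the intent once, since `~entrypoint` still leaves execute, execute_no_trans, execmod and relabel on unlabeled and proc files — only domain entry through them is blocked: `# file gets ~entrypoint rather than *: an unlabeled, proc or sysctl file must never serve as a domain entrypoint, even for unconfined domains`.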