diff --git a/container-selinux.tgz b/container-selinux.tgz index b1bd8aa..001fc23 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b7cc288..7a71a37 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6866,7 +6866,7 @@ index b31c05491..a7b0f009a 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285ea6..ac044aea2 100644 +index 76f285ea6..c28d65c08 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7649,7 +7649,15 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -2532,6 +3038,24 @@ interface(`dev_read_raw_memory',` +@@ -2525,6 +3031,7 @@ interface(`dev_read_raw_memory',` + ') + + read_chr_files_pattern($1, device_t, memory_device_t) ++ allow $1 memory_device_t:chr_file map; + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_read; +@@ -2532,6 +3039,24 @@ interface(`dev_read_raw_memory',` ######################################## ## @@ -7674,7 +7682,7 @@ index 76f285ea6..ac044aea2 100644 ## Do not audit attempts to read raw memory devices ## (e.g. /dev/mem). ## -@@ -2573,6 +3097,24 @@ interface(`dev_write_raw_memory',` +@@ -2573,6 +3098,24 @@ interface(`dev_write_raw_memory',` ######################################## ## @@ -7699,7 +7707,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and execute raw memory devices (e.g. /dev/mem). ## ## -@@ -2587,7 +3129,7 @@ interface(`dev_rx_raw_memory',` +@@ -2587,7 +3130,7 @@ interface(`dev_rx_raw_memory',` ') dev_read_raw_memory($1) 
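Review bot: The added `++ allow $1 memory_device_t:chr_file map;` inside dev_read_raw_memory grants mmap on the raw memory devices to every domain that already calls this interface, including any that reach it through dev_rx_raw_memory (`dev_read_raw_memory($1)`, visible later on this page), not only the domain whose mmap denial motivated the change. Mapping memory_device_t is a materially broader grant than read(), so either confirming each existing caller needs it or carrying the permission in its own interface (say `dev_map_raw_memory`) would keep the change targeted. The interface's description block is left as is, so an addition such as `## Read and map raw memory devices (e.g. /dev/mem).` would document the new grant. The dev_read_raw_memory body begins before the nested hunk shown here.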
@@ -7708,7 +7716,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -2606,7 +3148,7 @@ interface(`dev_wx_raw_memory',` +@@ -2606,7 +3149,7 @@ interface(`dev_wx_raw_memory',` ') dev_write_raw_memory($1) @@ -7717,7 +7725,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -2725,7 +3267,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3268,7 @@ interface(`dev_write_misc',` ## ## ## @@ -7726,7 +7734,7 @@ index 76f285ea6..ac044aea2 100644 ## ## # -@@ -2811,7 +3353,7 @@ interface(`dev_rw_modem',` +@@ -2811,7 +3354,7 @@ interface(`dev_rw_modem',` ######################################## ## @@ -7735,7 +7743,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -2819,17 +3361,17 @@ interface(`dev_rw_modem',` +@@ -2819,17 +3362,17 @@ interface(`dev_rw_modem',` ## ## # @@ -7757,7 +7765,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -2837,17 +3379,17 @@ interface(`dev_getattr_mouse_dev',` +@@ -2837,17 +3380,17 @@ interface(`dev_getattr_mouse_dev',` ## ## # @@ -7779,7 +7787,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -2855,12 +3397,84 @@ interface(`dev_setattr_mouse_dev',` +@@ -2855,12 +3398,84 @@ interface(`dev_setattr_mouse_dev',` ## ## # @@ -7867,7 +7875,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -2903,20 +3517,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3518,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -7892,7 +7900,7 @@ index 76f285ea6..ac044aea2 100644 ##

## ## -@@ -2925,43 +3539,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3540,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -7948,7 +7956,7 @@ index 76f285ea6..ac044aea2 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3575,32 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3576,32 @@ interface(`dev_write_mtrr',` ## ## # @@ -7984,7 +7992,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3144,6 +3768,80 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3769,80 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -8065,7 +8073,7 @@ index 76f285ea6..ac044aea2 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3861,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3862,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -8090,7 +8098,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3970,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3971,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -8117,7 +8125,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -3262,12 +3996,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3997,13 @@ interface(`dev_rw_printer',` ## ## # @@ -8134,7 +8142,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3399,7 +4134,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4135,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -8143,7 +8151,7 @@ index 76f285ea6..ac044aea2 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4148,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4149,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') 
@@ -8152,7 +8160,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3633,6 +4368,7 @@ interface(`dev_read_sound',` +@@ -3633,6 +4369,7 @@ interface(`dev_read_sound',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8160,7 +8168,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3669,6 +4405,7 @@ interface(`dev_read_sound_mixer',` +@@ -3669,6 +4406,7 @@ interface(`dev_read_sound_mixer',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8168,7 +8176,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -3855,7 +4592,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4593,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -8177,7 +8185,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -3863,91 +4600,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4601,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -8288,7 +8296,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -3955,60 +4690,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,60 +4691,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -8525,7 +8533,7 @@ index 76f285ea6..ac044aea2 100644 read_lnk_files_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t) -@@ -4016,6 +4906,81 @@ interface(`dev_rw_sysfs',` +@@ -4016,6 +4907,81 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -8607,7 +8615,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +5078,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +5079,25 @@ interface(`dev_write_urand',` ######################################## ## 
@@ -8633,7 +8641,7 @@ index 76f285ea6..ac044aea2 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5107,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5108,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` @@ -8642,7 +8650,7 @@ index 76f285ea6..ac044aea2 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5393,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5394,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -8654,7 +8662,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -4419,17 +5403,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5404,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -8677,7 +8685,7 @@ index 76f285ea6..ac044aea2 100644 ## ## ## -@@ -4437,12 +5421,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5422,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -8693,7 +8701,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -4539,6 +5523,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5524,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -8828,7 +8836,7 @@ index 76f285ea6..ac044aea2 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5669,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5670,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -8853,7 +8861,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write VMWare devices. ## ## -@@ -4589,7 +5719,7 @@ interface(`dev_rwx_vmware',` +@@ -4589,7 +5720,7 @@ interface(`dev_rwx_vmware',` ') dev_rw_vmware($1) @@ -8862,7 +8870,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -4630,6 +5760,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5761,24 @@ interface(`dev_write_watchdog',` ######################################## ## 
@@ -8887,7 +8895,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5910,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5911,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8932,7 +8940,7 @@ index 76f285ea6..ac044aea2 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4794,7 +5980,7 @@ interface(`dev_rwx_zero',` +@@ -4794,7 +5981,7 @@ interface(`dev_rwx_zero',` ') dev_rw_zero($1) @@ -8941,7 +8949,7 @@ index 76f285ea6..ac044aea2 100644 ') ######################################## -@@ -4851,3 +6037,1064 @@ interface(`dev_unconfined',` +@@ -4851,3 +6038,1064 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -39239,7 +39247,7 @@ index c42fbc329..bf211dbee 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e6c..91d1296b8 100644 +index be8ed1e6c..73e51f7ef 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; @@ -39367,7 +39375,7 @@ index be8ed1e6c..91d1296b8 100644 ') optional_policy(` -@@ -110,7 +138,15 @@ optional_policy(` +@@ -110,7 +138,16 @@ optional_policy(` ') optional_policy(` @@ -39380,10 +39388,11 @@ index be8ed1e6c..91d1296b8 100644 +optional_policy(` modutils_run_insmod(iptables_t, iptables_roles) + modutils_list_module_config(iptables_t) ++ modutils_read_module_config(iptables_t) ') optional_policy(` -@@ -119,11 +155,25 @@ optional_policy(` +@@ -119,11 +156,25 @@ optional_policy(` ') optional_policy(` @@ -39409,7 +39418,7 @@ index be8ed1e6c..91d1296b8 100644 ') optional_policy(` -@@ -135,9 +185,9 @@ optional_policy(` +@@ -135,9 +186,9 @@ optional_policy(` ') optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9809300..b3a8a86 100644 
--- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -47515,15 +47515,19 @@ index dd8e01af3..9cd6b0b8e 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84b3..882160882 100644 +index be0ab84b3..9ca958706 100644 --- a/logrotate.te +++ b/logrotate.te -@@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) +@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0) # Declarations # -attribute_role logrotate_roles; -roleattribute system_r logrotate_roles; ++gen_require(` ++ class passwd passwd; ++') ++ +## +##

+## Allow logrotate to manage nfs files @@ -47552,7 +47556,7 @@ index be0ab84b3..882160882 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +42,33 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -47575,6 +47579,8 @@ index be0ab84b3..882160882 100644 + +allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + ++allow logrotate_t self:passwd { passwd }; ++ +# Set a context other than the default one for newly created files. +allow logrotate_t self:process setfscreate; + @@ -47590,7 +47596,7 @@ index be0ab84b3..882160882 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +71,54 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +77,54 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -47650,7 +47656,7 @@ index be0ab84b3..882160882 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +136,57 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +142,58 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -47662,6 +47668,7 @@ index be0ab84b3..882160882 100644 init_all_labeled_script_domtrans(logrotate_t) +init_reload_services(logrotate_t) ++init_reload_transient_unit(logrotate_t) logging_manage_all_logs(logrotate_t) logging_send_syslog_msg(logrotate_t) @@ -47714,7 +47721,7 @@ index be0ab84b3..882160882 100644 ') optional_policy(` -@@ -135,16 +201,17 @@ optional_policy(` +@@ -135,16 +208,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) 
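Review bot: `++allow logrotate_t self:passwd { passwd };`, together with the new `++gen_require(` block declaring `class passwd passwd;`, grants logrotate the userspace passwd-class permission without any comment saying which logrotate action needs it, and the spec changelog entry in this commit mentions only the raw-memory mmap change. A one-line comment above the allow, e.g. `# <reason logrotate needs passwd access> — BZ(<bug id>)`, would make the grant auditable. The same missing rationale applies to `++init_reload_transient_unit(logrotate_t)` in the later hunk on this line and to `++ modutils_read_module_config(iptables_t)` in the iptables.te hunk earlier on this page.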
@@ -47734,7 +47741,7 @@ index be0ab84b3..882160882 100644 ') optional_policy(` -@@ -170,6 +237,11 @@ optional_policy(` +@@ -170,6 +244,11 @@ optional_policy(` ') optional_policy(` @@ -47746,7 +47753,7 @@ index be0ab84b3..882160882 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +250,8 @@ optional_policy(` +@@ -178,7 +257,8 @@ optional_policy(` ') optional_policy(` @@ -47756,7 +47763,7 @@ index be0ab84b3..882160882 100644 ') optional_policy(` -@@ -198,17 +271,18 @@ optional_policy(` +@@ -198,17 +278,18 @@ optional_policy(` ') optional_policy(` @@ -47778,7 +47785,7 @@ index be0ab84b3..882160882 100644 ') optional_policy(` -@@ -216,6 +290,14 @@ optional_policy(` +@@ -216,6 +297,14 @@ optional_policy(` ') optional_policy(` @@ -47793,7 +47800,7 @@ index be0ab84b3..882160882 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +310,50 @@ optional_policy(` +@@ -228,26 +317,50 @@ optional_policy(` ') optional_policy(` @@ -73824,7 +73831,7 @@ index 000000000..9c27847b2 +') + diff --git a/plymouthd.fc b/plymouthd.fc -index 735500fd1..2ba6832cc 100644 +index 735500fd1..7f694728c 100644 --- a/plymouthd.fc +++ b/plymouthd.fc @@ -1,15 +1,14 @@ @@ -73842,7 +73849,7 @@ index 735500fd1..2ba6832cc 100644 -/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0) +/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) ++/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) -/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh) +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9635f28..56ba655 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
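Review bot: The new `+/var/log/boot\.log.* gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)` line drops the `--` object-class restriction that the removed upstream line `-/var/log/boot\.log.* -- gen_context(...)` carried, so the label now applies to any filesystem object whose path begins with /var/log/boot.log rather than to regular files only. If the intent was just to cover rotated copies of boot.log, keep the restriction: `/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)`.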
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 280%{?dist} +Release: 281%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -681,6 +681,9 @@ exit 0 %endif %changelog +* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281 +- Allow domains reading raw memory also use mmap. + * Thu Sep 07 2017 Lukas Vrabec - 3.13.1-280 - Add rules fixing installing ipa-server-install with SELinux in Enforcing. BZ(1488404) - Fix denials during ipa-server-install process on F27+