diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 16faf1d..32c88ba 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2546,6 +2546,13 @@
 sbd = module
 opendnssec = module
 # Layer: contrib
+# Module: ganesha
+#
+# ganesha
+#
+ganesha = module
+
+# Layer: contrib
 # Module: tlp
 #
 # tlp
diff --git a/SOURCES/policy-rhel-7.6.z-base.patch b/SOURCES/policy-rhel-7.6.z-base.patch
new file mode 100644
index 0000000..f63d0a4
--- /dev/null
+++ b/SOURCES/policy-rhel-7.6.z-base.patch
@@ -0,0 +1,36 @@
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index b6debf340..329eb3922 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -55,6 +55,7 @@ template(`sudo_role_template',`
+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
+ 
+ allow $1_sudo_t $3:dir search_dir_perms;;
++ allow $1_sudo_t $3:file read_file_perms;;
+ allow $1_sudo_t $3:key search;
+ 
+ # Enter this derived domain from the user domain
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index c03a52c04..8569b19db 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -55,6 +55,7 @@ storage_read_scsi_generic(staff_t)
+ storage_write_scsi_generic(staff_t)
+ 
+ term_use_unallocated_ttys(staff_t)
++term_use_generic_ptys(staff_t)
+ 
+ auth_domtrans_pam_console(staff_t)
+ 
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index cceb511fc..f5139efd2 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -381,6 +381,7 @@ dontaudit confined_admindomain self:socket create;
+ 
+ allow confined_admindomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
+ term_create_pty(confined_admindomain, user_devpts_t)
++term_use_generic_ptys(confined_admindomain)
+ # avoid annoying messages on terminal hangup on role change
+ dontaudit confined_admindomain user_devpts_t:chr_file ioctl;
+ 
diff --git a/SOURCES/policy-rhel-7.6.z-contrib.patch b/SOURCES/policy-rhel-7.6.z-contrib.patch
new file mode 100644
index 0000000..3f343db
--- /dev/null
+++ b/SOURCES/policy-rhel-7.6.z-contrib.patch
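Review bot: The new `term_use_generic_ptys(staff_t)` line in staff.te and `term_use_generic_ptys(confined_admindomain)` in userdomain.te widen two user domains to every generic pty, yet neither carries a comment; the only rationale is the spec changelog entry for rhbz#1638427, which will not be visible to anyone reading the policy later. A why-comment above each call, e.g. `# sudo 'io logging' needs rw access to the session pty (rhbz#1638427)`, keeps the reason next to the rule. In sudo.if the added `allow $1_sudo_t $3:file read_file_perms;;` copies the double semicolon from the context line above it; presumably the build tolerates it, but the new line would read cleaner as `allow $1_sudo_t $3:file read_file_perms;`. The enclosing `sudo_role_template` and the two .te rule runs start and end outside the hunk context.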
@@ -0,0 +1,492 @@
+diff --git a/cinder.te b/cinder.te
+index 488a7a659..a05691d8f 100644
+--- a/cinder.te
++++ b/cinder.te
+@@ -159,6 +159,8 @@ kernel_read_kernel_sysctls(cinder_volume_t)
+ 
+ logging_send_syslog_msg(cinder_volume_t)
+ 
++systemd_dbus_chat_logind(cinder_volume_t)
++
+ optional_policy(`
+ lvm_domtrans(cinder_volume_t)
+ ')
+diff --git a/ganesha.fc b/ganesha.fc
+new file mode 100644
+index 000000000..c723bfb97
+--- /dev/null
++++ b/ganesha.fc
+@@ -0,0 +1,12 @@
++/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:ganesha_unit_file_t,s0)
++
++/var/log/ganesha.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
++/var/log/ganesha-gfapi.log.* -- gen_context(system_u:object_r:ganesha_var_log_t,s0)
++
++/var/run/ganesha(/.*)? gen_context(system_u:object_r:ganesha_var_run_t,s0)
+diff --git a/ganesha.if b/ganesha.if
+new file mode 100644
+index 000000000..4c347e5cc
+--- /dev/null
++++ b/ganesha.if
+@@ -0,0 +1,146 @@
++## policy for ganesha
++
++########################################
++##
++## Execute ganesha_exec_t in the ganesha domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ganesha_domtrans',`
++ gen_require(`
++ type ganesha_t, ganesha_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ganesha_exec_t, ganesha_t)
++')
++
++######################################
++##
++## Execute ganesha in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ganesha_exec',`
++ gen_require(`
++ type ganesha_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, ganesha_exec_t)
++')
++########################################
++##
++## Read ganesha PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ganesha_read_pid_files',`
++ gen_require(`
++ type ganesha_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)
++')
++
++########################################
++##
++## Execute ganesha server in the ganesha domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ganesha_systemctl',`
++ gen_require(`
++ type ganesha_t;
++ type ganesha_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 ganesha_unit_file_t:file read_file_perms;
++ allow $1 ganesha_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, ganesha_t)
++')
++
++
++########################################
++##
++## Send and receive messages from
++## ganesha over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ganesha_dbus_chat',`
++ gen_require(`
++ type ganesha_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 ganesha_t:dbus send_msg;
++ allow ganesha_t $1:dbus send_msg;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an ganesha environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`ganesha_admin',`
++ gen_require(`
++ type ganesha_t;
++ type ganesha_var_run_t;
++ type ganesha_unit_file_t;
++ ')
++
++ allow $1 ganesha_t:process { signal_perms };
++ ps_process_pattern($1, ganesha_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 ganesha_t:process ptrace;
++ ')
++
++ files_search_pids($1)
++ admin_pattern($1, ganesha_var_run_t)
++
++ ganesha_systemctl($1)
++ admin_pattern($1, ganesha_unit_file_t)
++ allow $1 ganesha_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/ganesha.te b/ganesha.te
+new file mode 100644
+index 000000000..f25a3f34d
+--- /dev/null
++++ b/ganesha.te
+@@ -0,0 +1,111 @@
++policy_module(ganesha, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++##
++##

++## Allow ganesha to read/write fuse files
++##

++##
++gen_tunable(ganesha_use_fusefs, false)
++
++type ganesha_t;
++type ganesha_exec_t;
++init_daemon_domain(ganesha_t, ganesha_exec_t)
++
++type ganesha_var_log_t;
++logging_log_file(ganesha_var_log_t)
++
++type ganesha_var_run_t;
++files_pid_file(ganesha_var_run_t)
++
++type ganesha_tmp_t;
++files_tmp_file(ganesha_tmp_t)
++
++type ganesha_unit_file_t;
++systemd_unit_file(ganesha_unit_file_t)
++
++########################################
++#
++# ganesha local policy
++#
++dontaudit ganesha_t self:capability net_admin;
++
++allow ganesha_t self:capability { dac_read_search dac_override };
++allow ganesha_t self:capability2 block_suspend;
++allow ganesha_t self:process { setcap setrlimit };
++allow ganesha_t self:fifo_file rw_fifo_file_perms;
++allow ganesha_t self:unix_stream_socket create_stream_socket_perms;
++allow ganesha_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)
++files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })
++
++manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
++manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)
++logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })
++
++manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
++manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)
++files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })
++
++kernel_read_system_state(ganesha_t)
++kernel_search_network_sysctl(ganesha_t)
++kernel_read_net_sysctls(ganesha_t)
++
++auth_use_nsswitch(ganesha_t)
++
++corenet_tcp_bind_nfs_port(ganesha_t)
++corenet_tcp_connect_generic_port(ganesha_t)
++corenet_tcp_connect_gluster_port(ganesha_t)
++corenet_udp_bind_dey_keyneg_port(ganesha_t)
++corenet_tcp_bind_dey_keyneg_port(ganesha_t)
++corenet_udp_bind_nfs_port(ganesha_t)
++corenet_udp_bind_all_rpc_ports(ganesha_t)
++corenet_tcp_bind_all_rpc_ports(ganesha_t)
++corenet_tcp_bind_mountd_port(ganesha_t)
++corenet_udp_bind_mountd_port(ganesha_t)
++corenet_tcp_connect_virt_migration_port(ganesha_t)
++corenet_tcp_connect_all_rpc_ports(ganesha_t)
++
++dev_rw_infiniband_dev(ganesha_t)
++dev_read_gpfs(ganesha_t)
++dev_read_rand(ganesha_t)
++
++logging_send_syslog_msg(ganesha_t)
++
++sysnet_dns_name_resolve(ganesha_t)
++
++optional_policy(`
++ dbus_system_bus_client(ganesha_t)
++ dbus_connect_system_bus(ganesha_t)
++ unconfined_dbus_chat(ganesha_t)
++')
++
++optional_policy(`
++ glusterd_read_conf(ganesha_t)
++ glusterd_read_lib_files(ganesha_t)
++ glusterd_manage_pid(ganesha_t)
++')
++
++optional_policy(`
++ kerberos_read_keytab(ganesha_t)
++')
++
++optional_policy(`
++ rpc_manage_nfs_state_data_dir(ganesha_t)
++ rpc_read_nfs_state_data(ganesha_t)
++ rpcbind_stream_connect(ganesha_t)
++')
++
++tunable_policy(`ganesha_use_fusefs',`
++ fs_manage_fusefs_dirs(ganesha_t)
++ fs_manage_fusefs_files(ganesha_t)
++ fs_read_fusefs_symlinks(ganesha_t)
++ fs_getattr_fusefs(ganesha_t)
++')
+diff --git a/glusterd.fc b/glusterd.fc
+index e42e81f5f..9806f50ae 100644
+--- a/glusterd.fc
++++ b/glusterd.fc
+@@ -23,8 +23,3 @@
+ /var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+ /var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
+ /var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
+-
+-/var/log/ganesha(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+-/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
+-/var/log/ganesha-gfapi.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
+-
+diff --git a/glusterd.if b/glusterd.if
+index a62e355ac..291191f17 100644
+--- a/glusterd.if
++++ b/glusterd.if
+@@ -135,7 +135,6 @@ interface(`glusterd_manage_log',`
+ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
+ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
+- logging_log_named_filetrans($1, glusterd_log_t, file, "ganesha.log")
+ ')
+ 
+ ######################################
+diff --git a/glusterd.te b/glusterd.te
+index 7804cbaf4..2bcedd014 100644
+--- a/glusterd.te
++++ b/glusterd.te
+@@ -64,8 +64,6 @@ files_type(glusterd_var_lib_t)
+ type glusterd_brick_t;
+ files_type(glusterd_brick_t)
+ 
+-typealias glusterd_log_t alias ganesha_var_log_t;
+-
+ ########################################
+ #
+ # Local policy
+@@ -270,6 +268,11 @@ optional_policy(`
+ ')
+ ')
+ 
++optional_policy(`
++ ganesha_systemctl(glusterd_t)
++ ganesha_dbus_chat(glusterd_t)
++')
++
+ optional_policy(`
+ hostname_exec(glusterd_t)
+ ')
+@@ -310,8 +313,8 @@ optional_policy(`
+ optional_policy(`
+ rpc_systemctl_nfsd(glusterd_t)
+ rpc_systemctl_rpcd(glusterd_t)
++
+ rpc_domtrans_nfsd(glusterd_t)
+- rpc_dbus_chat_nfsd(glusterd_t)
+ rpc_domtrans_rpcd(glusterd_t)
+ rpc_manage_nfs_state_data(glusterd_t)
+ rpc_manage_nfs_state_data_dir(glusterd_t)
+diff --git a/rhcs.te b/rhcs.te
+index 0e8b031bb..c029ccd71 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -265,7 +265,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- rpc_dbus_chat_nfsd(cluster_t)
++ ganesha_dbus_chat(cluster_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/rpc.fc b/rpc.fc
+index b08ec8d2d..38a2f0911 100644
+--- a/rpc.fc
++++ b/rpc.fc
+@@ -1,5 +1,3 @@
+-
+-
+ #
+ # /etc
+ #
+@@ -11,10 +9,6 @@
+ /usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+ /usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
+ 
+-/usr/lib/systemd/system/nfs-ganesha-config.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+-/usr/lib/systemd/system/nfs-ganesha-lock.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+-/usr/lib/systemd/system/nfs-ganesha.*e -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+-
+ #
+ # /sbin
+ #
+@@ -33,15 +27,12 @@
+ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+ /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ 
+-/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+-
+ #
+ # /var
+ #
+ /var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
+ 
+ /var/run/sm-notify.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
+-/var/run/ganesha.* gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+ 
+diff --git a/rpc.if b/rpc.if
+index 2ee527f2a..79a2a9c48 100644
+--- a/rpc.if
++++ b/rpc.if
+@@ -530,24 +530,3 @@ interface(`rpc_gssd_noatsecure',`
+ 
+ allow $1 gssd_t:process { noatsecure rlimitinh };
+ ')
+-
+-########################################
+-##
+-## Send and receive messages from
+-## ganesha over dbus.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`rpc_dbus_chat_nfsd',`
+- gen_require(`
+- type nfsd_t;
+- class dbus send_msg;
+- ')
+-
+- allow $1 nfsd_t:dbus send_msg;
+- allow nfsd_t $1:dbus send_msg;
+-')
+diff --git a/rpc.te b/rpc.te
+index f4df4fda2..f585a7fb5 100644
+--- a/rpc.te
++++ b/rpc.te
+@@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t)
+ type var_lib_nfs_t;
+ files_mountpoint(var_lib_nfs_t)
+ 
+-type nfsd_tmp_t;
+-files_tmp_file(nfsd_tmp_t)
+-
+-typealias nfsd_t alias ganesha_t;
+-typealias nfsd_exec_t alias ganesha_exec_t;
+-typealias nfsd_unit_file_t alias ganesha_unit_file_t;
+-
+ ########################################
+ #
+ # Common rpc domain local policy
+@@ -234,17 +227,8 @@ optional_policy(`
+ 
+ allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource };
+ 
+-allow nfsd_t self:process { setcap };
+-
+ allow nfsd_t exports_t:file read_file_perms;
+ 
+-manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
+-manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)
+-files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir })
+-
+-manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)
+-files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file })
+-
+ # for /proc/fs/nfs/exports - should we have a new type?
+ kernel_read_system_state(nfsd_t)
+ kernel_read_network_state(nfsd_t)
+@@ -318,16 +302,6 @@ tunable_policy(`nfs_export_all_ro',`
+ files_read_non_security_files(nfsd_t)
+ ')
+ 
+-optional_policy(`
+- glusterd_manage_log(nfsd_t)
+- glusterd_manage_pid(nfsd_t)
+-')
+-
+-optional_policy(`
+- dbus_system_bus_client(nfsd_t)
+- dbus_acquire_svc_system_dbusd(nfsd_t)
+-')
+-
+ optional_policy(`
+ mount_exec(nfsd_t)
+ mount_manage_pid_files(nfsd_t)
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index d7ddc0f..7cef457 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
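Review bot: The entrypoint spec in the new ganesha.fc is `/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)` with an unescaped dot, whereas the rpc.fc entry it replaces in the same hunk was `/usr/bin/ganesha\.nfsd`; file_contexts patterns are regular expressions, so the new line labels any `/usr/bin/ganesha` followed by one arbitrary character and `nfsd` as the ganesha_exec_t entrypoint, and should read `/usr/bin/ganesha\.nfsd -- gen_context(system_u:object_r:ganesha_exec_t,s0)`. The `nfs-ganesha.*e` unit-file pattern is carried over verbatim from rpc.fc, so it is not a regression, but `nfs-ganesha\.service` would be the precise form if it is touched anyway. In ganesha.te the new domain gets `corenet_tcp_connect_generic_port(ganesha_t)` and `unconfined_dbus_chat(ganesha_t)` with no comment saying which ganesha feature requires them; a one-line why-comment above each (e.g. naming the backend or client that needs the outbound connect) would let a later reviewer judge whether the broad rules are still warranted.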
@@ -20,12 +20,14 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 229%{?dist}
+Release: 229%{?dist}.5
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch0: policy-rhel-7.6-base.patch
+patch3: policy-rhel-7.6.z-base.patch
 patch1: policy-rhel-7.6-contrib.patch
+patch2: policy-rhel-7.6.z-contrib.patch
 Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -274,9 +276,6 @@
 fi; \
 %define preInstall() \
 if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
- if [ -d %{_sysconfdir}/selinux/%1/active/modules/100/ganesha ]; then \
- %{_sbindir}/semodule -n -d ganesha; \
- fi; \
 . %{_sysconfdir}/selinux/config; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
@@ -343,9 +342,11 @@ Based off of reference policy: Checked out revision 2.20091117
 %prep
 %setup -n serefpolicy-contrib-%{version} -q -b 29
 %patch1 -p1
+%patch2 -p1
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch0 -p1
+%patch3 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
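Review bot: In the `@@ -20,12 +20,14 @@` hunk the new `patch3: policy-rhel-7.6.z-base.patch` is inserted before `patch1:` while `patch2: policy-rhel-7.6.z-contrib.patch` follows it, so the higher-numbered patch is listed first and the base/contrib pairing (patch0/patch3, patch1/patch2) has to be reconstructed from the `%prep` hunk, where `%patch2 -p1` runs against the contrib tree and `%patch3 -p1` against the base tree. Swapping the two numbers so the z-stream base patch is `patch2:` and the z-stream contrib patch is `patch3:` (and updating the two `%patch` lines in `%prep` to match) would keep the numbering in listing order; a short comment such as `# z-stream fixes on top of the 7.6 base/contrib patches` above the new entries would also help. The `%define preInstall()` macro in the `@@ -274` hunk continues past the hunk context.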
@@ -656,6 +657,26 @@
 fi
 %endif
 %changelog
+* Fri Oct 12 2018 Lukas Vrabec - 3.13.1-229.5
+- Remove disabling ganesha module in pre install phase of installation new selinux-policy package where ganesha is again standalone module
+Resolves: rhbz#1638257
+
+* Thu Oct 11 2018 Lukas Vrabec - 3.13.1-229.4
+- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature 'io logging'
+Resolves: rhbz#1638427
+
+* Thu Oct 11 2018 Lukas Vrabec - 3.13.1-229.3
+- Run ganesha as ganesha_t domain again, revert changes where ganesha is running as nfsd_t
+Resolves: rhbz#1638257
+
+* Wed Oct 10 2018 Lukas Vrabec - 3.13.1-229.2
+- Fix missing patch in spec file
+Resolves: rhbz#1635704
+
+* Fri Oct 05 2018 Lukas Vrabec - 3.13.1-229.1
+- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domain
+Resolves: rhbz#1635704
+
 * Wed Sep 26 2018 Lukas Vrabec - 3.13.1-229
 - Allow neutron domain to read/write /var/run/utmp
 Resolves: rhbz#1630318