diff --git a/container-selinux.tgz b/container-selinux.tgz index 08e4154..9b56a87 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index afa94bc..26d0b95 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -11256,7 +11256,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..d9660e9 100644 +index f962f76..1ac470a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13234,20 +13234,15 @@ index f962f76..d9660e9 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -4012,6 +4928,12 @@ interface(`files_read_kernel_modules',` +@@ -4012,6 +4928,7 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) + -+ # FIXME: -+ # needed for already labeled module deps by modules_dep_t -+ optional_policy(` -+ modutils_read_module_deps_files($1) -+ ') ') ######################################## -@@ -4217,78 +5139,289 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,78 +5134,289 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13577,7 +13572,7 @@ index f962f76..d9660e9 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5458,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5453,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -13585,7 +13580,7 @@ index f962f76..d9660e9 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5468,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5463,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13594,7 +13589,7 @@ index f962f76..d9660e9 100644 ## ## # -@@ -4346,6 +5480,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,6 +5475,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13620,7 +13615,7 @@ index f962f76..d9660e9 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4361,6 +5514,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4361,6 +5509,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -13628,7 +13623,7 @@ index f962f76..d9660e9 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5556,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5551,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -13661,7 +13656,7 @@ index f962f76..d9660e9 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5636,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5631,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -13704,7 +13699,7 @@ index f962f76..d9660e9 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5690,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5685,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -13765,7 +13760,7 @@ index f962f76..d9660e9 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5789,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5784,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -13774,7 +13769,7 @@ index f962f76..d9660e9 100644 ## ## # -@@ -4579,7 +5849,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5844,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -13783,7 +13778,7 @@ index f962f76..d9660e9 100644 ## ## # -@@ -4611,15 +5881,53 @@ interface(`files_read_all_tmp_files',` +@@ -4611,15 +5876,53 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -13841,7 +13836,7 @@ index f962f76..d9660e9 100644 ## ## The type of the object to be created. ## -@@ -4664,6 +5972,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +5967,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -13858,7 +13853,7 @@ index f962f76..d9660e9 100644 ') ######################################## -@@ -5112,6 +6430,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6425,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -13883,7 +13878,7 @@ index f962f76..d9660e9 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6577,24 @@ interface(`files_list_var',` +@@ -5241,6 +6572,24 @@ interface(`files_list_var',` ######################################## ## @@ -13908,7 +13903,7 @@ index f962f76..d9660e9 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6682,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6677,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -13917,7 +13912,7 @@ index f962f76..d9660e9 100644 ') ######################################## -@@ -5419,6 +6773,24 @@ interface(`files_var_filetrans',` +@@ -5419,6 +6768,24 @@ interface(`files_var_filetrans',` filetrans_pattern($1, var_t, $2, $3, $4) ') @@ -13942,7 +13937,7 @@ index f962f76..d9660e9 100644 ######################################## ## ## Get the attributes of the /var/lib directory. -@@ -5527,6 +6899,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6894,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -13968,7 +13963,7 @@ index f962f76..d9660e9 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6987,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +6982,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -13994,7 +13989,7 @@ index f962f76..d9660e9 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5619,6 +7029,42 @@ interface(`files_manage_urandom_seed',` +@@ -5619,6 +7024,42 @@ interface(`files_manage_urandom_seed',` manage_files_pattern($1, var_lib_t, var_lib_t) ') @@ -14037,7 +14032,7 @@ index f962f76..d9660e9 100644 ######################################## ## ## Allow domain to manage mount tables -@@ -5641,7 +7087,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +7082,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -14046,7 +14041,7 @@ index f962f76..d9660e9 100644 ## ## ## -@@ -5649,12 +7095,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +7090,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -14062,7 +14057,7 @@ index f962f76..d9660e9 100644 ') ######################################## -@@ -5672,6 +7119,7 @@ interface(`files_search_locks',` +@@ -5672,6 +7114,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -14070,7 +14065,7 @@ index f962f76..d9660e9 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +7146,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +7141,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -14098,7 +14093,7 @@ index f962f76..d9660e9 100644 ## ## ## -@@ -5706,13 +7173,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +7168,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14115,7 +14110,7 @@ index f962f76..d9660e9 100644 ') ######################################## -@@ -5731,7 +7197,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +7192,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -14124,7 +14119,7 @@ index f962f76..d9660e9 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7230,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +7225,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -14132,7 +14127,7 @@ index f962f76..d9660e9 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7244,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7239,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -14141,7 +14136,7 @@ index f962f76..d9660e9 100644 ## ## ## -@@ -5787,13 +7252,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7247,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -14176,7 +14171,7 @@ index f962f76..d9660e9 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7294,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7289,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -14194,7 +14189,7 @@ index f962f76..d9660e9 100644 ') ######################################## -@@ -5834,9 +7318,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7313,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -14205,7 +14200,7 @@ index f962f76..d9660e9 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7360,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7355,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -14215,7 +14210,7 @@ index f962f76..d9660e9 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7382,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7377,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -14225,7 +14220,7 @@ index f962f76..d9660e9 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7419,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7414,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -14235,7 +14230,7 @@ index f962f76..d9660e9 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7458,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7453,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -14244,7 +14239,7 @@ index f962f76..d9660e9 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7478,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7473,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -14293,7 +14288,7 @@ index f962f76..d9660e9 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7542,43 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7537,43 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -14337,7 +14332,7 @@ index f962f76..d9660e9 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6039,7 +7593,7 @@ interface(`files_list_pids',` +@@ -6039,7 +7588,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -14346,7 +14341,7 @@ index f962f76..d9660e9 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6058,7 +7612,7 @@ interface(`files_read_generic_pids',` +@@ -6058,7 +7607,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -14355,7 +14350,7 @@ index f962f76..d9660e9 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7632,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7627,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -14364,7 +14359,7 @@ index f962f76..d9660e9 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7694,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7689,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14372,7 +14367,7 @@ index f962f76..d9660e9 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,7 +7722,7 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,7 +7717,7 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -14381,7 +14376,7 @@ index f962f76..d9660e9 100644 ## ## ## -@@ -6177,12 +7730,30 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6177,12 +7725,30 @@ interface(`files_pid_filetrans_lock_dir',` ## ## # @@ -14415,7 +14410,7 @@ index f962f76..d9660e9 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,6 +7820,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,6 +7815,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -14532,7 +14527,7 @@ index f962f76..d9660e9 100644 ## Read all process ID files. ## ## -@@ -6261,12 +7942,105 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6261,12 +7937,105 @@ interface(`files_dontaudit_ioctl_all_pids',` interface(`files_read_all_pids',` gen_require(` attribute pidfile; @@ -14640,7 +14635,7 @@ index f962f76..d9660e9 100644 ') ######################################## -@@ -6286,8 +8060,8 @@ interface(`files_delete_all_pids',` +@@ -6286,8 +8055,8 @@ interface(`files_delete_all_pids',` type var_t, var_run_t; ') @@ -14650,7 +14645,7 @@ index f962f76..d9660e9 100644 allow $1 var_run_t:dir rmdir; allow $1 var_run_t:lnk_file delete_lnk_file_perms; delete_files_pattern($1, pidfile, pidfile) -@@ -6311,36 +8085,80 @@ interface(`files_delete_all_pid_dirs',` +@@ -6311,36 +8080,80 @@ interface(`files_delete_all_pid_dirs',` type var_t, var_run_t; ') @@ -14742,7 +14737,7 @@ index f962f76..d9660e9 100644 ## ## ## -@@ -6348,12 +8166,33 @@ interface(`files_manage_all_pids',` +@@ -6348,12 +8161,33 @@ interface(`files_manage_all_pids',` ## ## # @@ -14779,7 +14774,7 @@ index f962f76..d9660e9 100644 ') ######################################## -@@ -6580,3 +8419,605 @@ interface(`files_unconfined',` +@@ -6580,3 +8414,605 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -19175,7 +19170,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..d780b64 100644 +index e100d88..ff9e7ba 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -19598,7 +19593,34 @@ index e100d88..d780b64 100644 ######################################## ## ## Read and write RPC sysctls. -@@ -2085,7 +2261,54 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2071,6 +2247,26 @@ interface(`kernel_rw_rpc_sysctls',` + + ######################################## + ## ++## Read and write RPC sysctls. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kernel_create_rpc_sysctls',` ++ gen_require(` ++ type proc_t, proc_net_t, sysctl_rpc_t; ++ ') ++ ++ create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) ++ ++') ++ ++######################################## ++## + ## Do not audit attempts to list all sysctl directories. + ## + ## +@@ -2085,7 +2281,54 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -19654,70 +19676,56 @@ index e100d88..d780b64 100644 ') ######################################## -@@ -2282,6 +2505,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,7 +2525,7 @@ interface(`kernel_list_unlabeled',` ######################################## ## +-## Read the process state (/proc/pid) of all unlabeled_t. +## Delete unlabeled files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_delete_unlabeled',` -+ gen_require(` -+ type unlabeled_t; -+ ') -+ -+ allow $1 unlabeled_t:dir delete_dir_perms; -+ allow $1 unlabeled_t:dir_file_class_set delete_file_perms; -+') -+ -+######################################## -+## - ## Read the process state (/proc/pid) of all unlabeled_t. - ## - ## -@@ -2306,7 +2548,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -2290,19 +2533,18 @@ interface(`kernel_list_unlabeled',` ## ## # -@@ -2488,21 +2730,39 @@ interface(`kernel_rw_unlabeled_blk_files',` +-interface(`kernel_read_unlabeled_state',` ++interface(`kernel_delete_unlabeled',` + gen_require(` + type unlabeled_t; + ') + +- allow $1 unlabeled_t:dir list_dir_perms; +- read_files_pattern($1, unlabeled_t, unlabeled_t) +- read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ++ allow $1 unlabeled_t:dir delete_dir_perms; ++ allow $1 unlabeled_t:dir_file_class_set delete_file_perms; + ') ######################################## ## --## Do not audit attempts by caller to get attributes for --## unlabeled character devices. -+## Read and write unlabeled sockets. +-## Do not audit attempts to list unlabeled directories. ++## Read the process state (/proc/pid) of all unlabeled_t. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -2310,6 +2552,26 @@ interface(`kernel_read_unlabeled_state',` ## ## # --interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` -+interface(`kernel_rw_unlabeled_socket',` - gen_require(` - type unlabeled_t; - ') - -- dontaudit $1 unlabeled_t:chr_file getattr; -+ allow $1 unlabeled_t:socket rw_socket_perms; ++interface(`kernel_read_unlabeled_state',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir list_dir_perms; ++ read_files_pattern($1, unlabeled_t, unlabeled_t) ++ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) +') + +######################################## +## -+## Do not audit attempts by caller to get attributes for -+## unlabeled character devices. ++## Do not audit attempts to list unlabeled directories. +## +## +## @@ -19725,16 +19733,35 @@ index e100d88..d780b64 100644 +## +## +# -+interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` + interface(`kernel_dontaudit_list_unlabeled',` + gen_require(` + type unlabeled_t; +@@ -2488,6 +2750,24 @@ interface(`kernel_rw_unlabeled_blk_files',` + + ######################################## + ## ++## Read and write unlabeled sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_rw_unlabeled_socket',` + gen_require(` + type unlabeled_t; + ') + -+ dontaudit $1 unlabeled_t:chr_file getattr; - ') - - ######################################## -@@ -2525,6 +2785,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ++ allow $1 unlabeled_t:socket rw_socket_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to get attributes for + ## unlabeled character devices. + ## +@@ -2525,6 +2805,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -19759,7 +19786,7 @@ index e100d88..d780b64 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2945,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2965,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -19784,7 +19811,7 @@ index e100d88..d780b64 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2990,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +3010,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -19810,7 +19837,7 @@ index e100d88..d780b64 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3118,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3138,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -19844,7 +19871,7 @@ index e100d88..d780b64 100644 ######################################## ## -@@ -2958,6 +3300,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3320,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -19869,7 +19896,7 @@ index e100d88..d780b64 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3332,649 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3352,649 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -20048,7 +20075,7 @@ index e100d88..d780b64 100644 + ') + + dontaudit $1 proc_numa_t:dir search; -+') + ') + +######################################## +## @@ -20091,7 +20118,7 @@ index e100d88..d780b64 100644 + read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) + + list_dirs_pattern($1, proc_t, proc_numa_t) - ') ++') + +######################################## +## @@ -20521,7 +20548,7 @@ index e100d88..d780b64 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..5deb336 100644 +index 8dbab4c..88c7112 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -20816,7 +20843,16 @@ index 8dbab4c..5deb336 100644 ######################################## # # Unlabeled process local policy -@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) { +@@ -388,6 +480,8 @@ optional_policy(` + if( ! secure_mode_insmod ) { + allow can_load_kernmodule self:capability sys_module; + ++ files_load_kernel_modules(can_load_kernmodule) ++ + # load_module() calls stop_machine() which + # calls sched_setscheduler() + allow can_load_kernmodule self:capability sys_nice; +@@ -399,14 +493,38 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 30ee75e..ebae6c5 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3504,10 +3504,10 @@ index 0000000..c679dd3 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..2029082 100644 +index 7caefc3..dac9ad5 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,215 @@ +@@ -1,162 +1,217 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3536,6 +3536,7 @@ index 7caefc3..2029082 100644 +/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/rt(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -3752,6 +3753,7 @@ index 7caefc3..2029082 100644 +/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/nextcloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -3863,7 +3865,7 @@ index 7caefc3..2029082 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..757b864 100644 +index f6eb485..fe461a3 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -5328,7 +5330,7 @@ index f6eb485..757b864 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1625,182 @@ interface(`apache_admin',` +@@ -1224,9 +1625,183 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -5400,6 +5402,7 @@ index f6eb485..757b864 100644 + files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig") + files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde") + files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud") ++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads") @@ -84217,10 +84220,24 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..0ff0178 100644 +index 403a4fe..159f21e 100644 --- a/radius.te +++ b/radius.te -@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t) +@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) + # Declarations + # + ++## ++##

++## Determine whether radius can use JIT compiler. ++##

++## ++gen_tunable(radius_use_jit, false) ++ + type radiusd_t; + type radiusd_exec_t; + init_daemon_domain(radiusd_t, radiusd_exec_t) +@@ -27,6 +34,9 @@ files_type(radiusd_var_lib_t) type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) @@ -84230,7 +84247,7 @@ index 403a4fe..0ff0178 100644 ######################################## # # Local policy -@@ -49,9 +52,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) +@@ -49,9 +59,7 @@ manage_lnk_files_pattern(radiusd_t, radiusd_etc_rw_t, radiusd_etc_rw_t) filetrans_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_rw_t, { dir file lnk_file }) manage_dirs_pattern(radiusd_t, radiusd_log_t, radiusd_log_t) @@ -84241,7 +84258,7 @@ index 403a4fe..0ff0178 100644 logging_log_filetrans(radiusd_t, radiusd_log_t, { file dir }) manage_files_pattern(radiusd_t, radiusd_var_lib_t, radiusd_var_lib_t) -@@ -60,11 +61,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) +@@ -60,11 +68,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t) files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir }) @@ -84254,7 +84271,7 @@ index 403a4fe..0ff0178 100644 corenet_all_recvfrom_netlabel(radiusd_t) corenet_tcp_sendrecv_generic_if(radiusd_t) corenet_udp_sendrecv_generic_if(radiusd_t) -@@ -74,12 +75,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) +@@ -74,12 +82,22 @@ corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_udp_bind_generic_node(radiusd_t) @@ -84277,7 +84294,7 @@ index 403a4fe..0ff0178 100644 corenet_sendrecv_snmp_client_packets(radiusd_t) corenet_tcp_connect_snmp_port(radiusd_t) -@@ -97,7 +108,6 @@ domain_use_interactive_fds(radiusd_t) +@@ -97,7 +115,6 @@ domain_use_interactive_fds(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) @@ -84285,7 +84302,7 @@ index 403a4fe..0ff0178 100644 files_read_etc_runtime_files(radiusd_t) files_dontaudit_list_tmp(radiusd_t) -@@ -109,7 +119,6 @@ libs_exec_lib_files(radiusd_t) +@@ -109,7 +126,6 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) @@ -84293,7 +84310,18 @@ index 403a4fe..0ff0178 100644 miscfiles_read_generic_certs(radiusd_t) sysnet_use_ldap(radiusd_t) -@@ -122,6 +131,11 @@ optional_policy(` +@@ -117,11 +133,22 @@ sysnet_use_ldap(radiusd_t) + userdom_dontaudit_use_unpriv_user_fds(radiusd_t) + userdom_dontaudit_search_user_home_dirs(radiusd_t) + ++tunable_policy(`radius_use_jit',` ++ allow radiusd_t self:process execmem; ++',` ++ dontaudit radiusd_t self:process execmem; ++') ++ + optional_policy(` + cron_system_entry(radiusd_t, radiusd_exec_t) ') optional_policy(` @@ -84305,7 +84333,7 @@ index 403a4fe..0ff0178 100644 logrotate_exec(radiusd_t) ') -@@ -140,5 +154,10 @@ optional_policy(` +@@ -140,5 +167,10 @@ optional_policy(` ') optional_policy(` @@ -91354,7 +91382,7 @@ index 0bf13c2..ed393a0 100644 files_list_tmp($1) admin_pattern($1, gssd_tmp_t) diff --git a/rpc.te b/rpc.te -index 2da9fca..be1fab2 100644 +index 2da9fca..f97a61a 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1) @@ -91558,7 +91586,7 @@ index 2da9fca..be1fab2 100644 ') ######################################## -@@ -202,41 +232,62 @@ optional_policy(` +@@ -202,41 +232,63 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -91577,6 +91605,7 @@ index 2da9fca..be1fab2 100644 -# kernel_mounton_proc(nfsd_t) +kernel_mounton_proc(nfsd_t) +kernel_rw_rpc_sysctls_dirs(nfsd_t) ++kernel_create_rpc_sysctls(nfsd_t) -corenet_sendrecv_nfs_server_packets(nfsd_t) +corecmd_exec_shell(nfsd_t) @@ -91631,7 +91660,7 @@ index 2da9fca..be1fab2 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +296,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +297,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -91639,7 +91668,7 @@ index 2da9fca..be1fab2 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +307,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +308,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -91654,7 +91683,7 @@ index 2da9fca..be1fab2 100644 ') ######################################## -@@ -270,7 +320,7 @@ optional_policy(` +@@ -270,7 +321,7 @@ optional_policy(` # GSSD local policy # @@ -91663,7 +91692,7 @@ index 2da9fca..be1fab2 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +330,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +331,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -91671,7 +91700,7 @@ index 2da9fca..be1fab2 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +339,31 @@ kernel_signal(gssd_t) +@@ -288,25 +340,31 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -91706,7 +91735,7 @@ index 2da9fca..be1fab2 100644 ') optional_policy(` -@@ -314,9 +371,12 @@ optional_policy(` +@@ -314,9 +372,12 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 72a0954..7cf82b4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 241%{?dist} +Release: 242%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,13 @@ exit 0 %endif %changelog +* Mon Feb 27 2017 Lukas Vrabec - 3.13.1-242 +- Add radius_use_jit boolean +- Allow nfsd_t domain to create sysctls_rpc_t files +- add the policy required for nextcloud +- Allow can_load_kernmodule to load kernel modules. BZ(1426741) +- Create kernel_create_rpc_sysctls() interface + * Tue Feb 21 2017 Lukas Vrabec - 3.13.1-241 - Remove ganesha from gluster module and create own module for ganesha - FIx label for /usr/lib/libGLdispatch.so.0.0.0