diff --git a/container-selinux.tgz b/container-selinux.tgz index 47b8aa5..30bcc9d 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 53806d8..7d99ec3 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -11114,7 +11114,7 @@ index b876c48..2e591a5 100644 + +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..b64717f 100644 +index f962f76..4785fe8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13574,7 +13574,7 @@ index f962f76..b64717f 100644 + attribute tmpfile; + ') + -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 tmpfile:file { append open read_inherited_file_perms }; +') + +######################################## @@ -23945,7 +23945,7 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..c3c0f6d 100644 +index 0fef1fc..25e60c8 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -24152,7 +24152,7 @@ index 0fef1fc..c3c0f6d 100644 ') optional_policy(` -@@ -35,15 +213,31 @@ optional_policy(` +@@ -35,20 +213,74 @@ optional_policy(` ') optional_policy(` @@ -24186,10 +24186,12 @@ index 0fef1fc..c3c0f6d 100644 ') optional_policy(` -@@ -52,11 +246,61 @@ optional_policy(` - ') - - optional_policy(` + sysadm_role_change(staff_r) + userdom_dontaudit_use_user_terminals(staff_t) ++ userdom_dontaudit_read_admin_home_files(staff_t) ++') ++ ++optional_policy(` + systemd_read_unit_files(staff_t) + systemd_exec_systemctl(staff_t) +') @@ -24224,10 +24226,10 @@ index 0fef1fc..c3c0f6d 100644 + virt_getattr_exec(staff_t) + virt_search_images(staff_t) + virt_stream_connect(staff_t) -+') -+ -+optional_policy(` - vlock_run(staff_t, staff_r) + ') + + optional_policy(` +@@ -56,7 +288,20 @@ optional_policy(` ') optional_policy(` @@ -24249,7 +24251,7 @@ index 0fef1fc..c3c0f6d 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +309,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +310,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24260,7 +24262,7 @@ index 0fef1fc..c3c0f6d 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +318,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +319,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -24271,7 +24273,7 @@ index 0fef1fc..c3c0f6d 100644 ') optional_policy(` -@@ -101,10 +337,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +338,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24282,7 +24284,7 @@ index 0fef1fc..c3c0f6d 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +357,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +358,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24293,7 +24295,7 @@ index 0fef1fc..c3c0f6d 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +369,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +370,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -24304,7 +24306,7 @@ index 0fef1fc..c3c0f6d 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +400,24 @@ ifndef(`distro_redhat',` +@@ -176,3 +401,24 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -40906,7 +40908,7 @@ index 6b91740..7724116 100644 + +/var/run/storaged(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..9e86fce 100644 +index 58bc27f..842ce28 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -1,5 +1,41 @@ @@ -40951,7 +40953,7 @@ index 58bc27f..9e86fce 100644 ######################################## ## ## Execute lvm programs in the lvm domain. -@@ -86,6 +122,50 @@ interface(`lvm_read_config',` +@@ -86,6 +122,71 @@ interface(`lvm_read_config',` ######################################## ## @@ -40999,10 +41001,31 @@ index 58bc27f..9e86fce 100644 + +######################################## +## ++## Manage LVM metadata files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`lvm_manage_metadata',` ++ gen_require(` ++ type lvm_metadata_t; ++ ') ++ ++ allow $1 lvm_metadata_t:dir list_dir_perms; ++ manage_dirs_pattern($1, lvm_metadata_t, lvm_metadata_t) ++ manage_files_pattern($1, lvm_metadata_t, lvm_metadata_t) ++') ++ ++######################################## ++## ## Manage LVM configuration files. ## ## -@@ -105,6 +185,25 @@ interface(`lvm_manage_config',` +@@ -105,6 +206,25 @@ interface(`lvm_manage_config',` manage_files_pattern($1, lvm_etc_t, lvm_etc_t) ') @@ -41028,7 +41051,7 @@ index 58bc27f..9e86fce 100644 ###################################### ## ## Execute a domain transition to run clvmd. -@@ -123,3 +222,175 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +243,175 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b2f3b0f..832df90 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10917,7 +10917,7 @@ index 02fefaa..308616e 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..bce6267 100644 +index 687d4c4..ff57137 100644 --- a/boinc.te +++ b/boinc.te @@ -1,4 +1,4 @@ @@ -11112,7 +11112,7 @@ index 687d4c4..bce6267 100644 -files_read_usr_files(boinc_t) -fs_getattr_all_fs(boinc_t) -+auth_read_passwd(boinc_t) ++auth_use_nsswitch(boinc_t) term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) @@ -25555,7 +25555,7 @@ index 0000000..b3784d8 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..fa74f85 +index 0000000..6cca2dd --- /dev/null +++ b/dirsrv.te @@ -0,0 +1,204 @@ @@ -25611,7 +25611,7 @@ index 0000000..fa74f85 +# +# dirsrv local policy +# -+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; ++allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms}; +allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; +allow dirsrv_t self:fifo_file manage_fifo_file_perms; +allow dirsrv_t self:sem create_sem_perms; @@ -29362,7 +29362,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..0235724 100644 +index 98072a3..e6904e2 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -29413,7 +29413,7 @@ index 98072a3..0235724 100644 corecmd_exec_bin(firewalld_t) corecmd_exec_shell(firewalld_t) -@@ -63,20 +79,26 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +79,27 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -29430,6 +29430,7 @@ index 98072a3..0235724 100644 -miscfiles_read_localization(firewalld_t) +libs_exec_ldconfig(firewalld_t) ++libs_dontaudit_write_lib_dirs(firewalld_t) -seutil_exec_setfiles(firewalld_t) -seutil_read_file_contexts(firewalld_t) @@ -29447,7 +29448,7 @@ index 98072a3..0235724 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -91,10 +113,15 @@ optional_policy(` +@@ -91,10 +114,15 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(firewalld_t) @@ -51463,7 +51464,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..2055876 100644 +index d15eb5b..ad481ce 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -51486,16 +51487,17 @@ index d15eb5b..2055876 100644 kernel_read_system_state(modemmanager_t) +-dev_read_sysfs(modemmanager_t) +-dev_rw_modem(modemmanager_t) +auth_read_passwd(modemmanager_t) -+ + +-files_read_etc_files(modemmanager_t) +corecmd_exec_bin(modemmanager_t) + - dev_read_sysfs(modemmanager_t) ++dev_rw_sysfs(modemmanager_t) +dev_read_urand(modemmanager_t) - dev_rw_modem(modemmanager_t) ++dev_rw_modem(modemmanager_t) --files_read_etc_files(modemmanager_t) -- term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) +term_use_usb_ttys(modemmanager_t) @@ -57508,7 +57510,7 @@ index 687af38..5381f1b 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..1443a3a 100644 +index 7584bbe..318ee4d 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1) @@ -57707,7 +57709,7 @@ index 7584bbe..1443a3a 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; -allow mysqld_safe_t mysqld_t:process signull; -+allow mysqld_safe_t mysqld_t:process { rlimitinh }; ++allow mysqld_safe_t mysqld_t:process { rlimitinh noatsecure }; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) @@ -107947,10 +107949,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..0315421 +index 0000000..4cc8557 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,81 @@ +@@ -0,0 +1,91 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -107995,6 +107997,7 @@ index 0000000..0315421 +kernel_get_sysvipc_info(targetd_t) +kernel_read_system_state(targetd_t) +kernel_read_network_state(targetd_t) ++kernel_load_module(targetd_t) + +rpc_read_exports(targetd_t) + @@ -108023,12 +108026,21 @@ index 0000000..0315421 +optional_policy(` + lvm_read_config(targetd_t) + lvm_write_metadata(targetd_t) ++ lvm_manage_metadata(targetd_t) + lvm_manage_lock(targetd_t) + lvm_rw_pipes(targetd_t) + lvm_stream_connect(targetd_t) +') + +optional_policy(` ++ modutils_read_module_config(targetd_t) ++') ++ ++optional_policy(` ++ rpc_manage_nfs_state_data(targetd_t) ++') ++ ++optional_policy(` + udev_read_pid_files(targetd_t) +') + @@ -110135,10 +110147,10 @@ index 0000000..9524b50 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..ab916b7 +index 0000000..d366c8b --- /dev/null +++ b/thumb.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,168 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -110177,6 +110189,7 @@ index 0000000..ab916b7 + +allow thumb_t self:fifo_file manage_fifo_file_perms; +allow thumb_t self:unix_stream_socket create_stream_socket_perms; ++allow thumb_t self:unix_dgram_socket create_socket_perms; +allow thumb_t self:netlink_route_socket r_netlink_socket_perms; +allow thumb_t self:netlink_kobject_uevent_socket create_socket_perms; +allow thumb_t self:udp_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index a05d64d..2d9d0d1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 260%{?dist} +Release: 261%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -690,6 +690,18 @@ exit 0 %endif %changelog +* Fri Jun 23 2017 Lukas Vrabec - 3.13.1-261 +- Allow boinc_t nsswitch +- Dontaudit firewalld to write to lib_t dirs +- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t +- Allow thumb_t domain to allow create dgram sockets +- Disable mysqld_safe_t secure mode environment cleansing +- Allow couple rules needed to start targetd daemon with SELinux in enforcing mode +- Allow dirsrv domain setrlimit +- Dontaudit staff_t user read admin_home_t files. +- Add interface lvm_manage_metadata +- Add permission open to files_read_inherited_tmp_files() interface + * Mon Jun 19 2017 Lukas Vrabec - 3.13.1-260 - Allow sssd_t to read realmd lib files. - Fix init interface file. init_var_run_t is type not attribute