diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 5cb9828..1799d9e 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 8bb1cc6..9112bf0 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -15455,7 +15455,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..f3dd0f6 100644 +index 8416beb..99002ca 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15607,7 +15607,32 @@ index 8416beb..f3dd0f6 100644 dev_search_sysfs($1) ') -@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',` +@@ -920,6 +990,24 @@ interface(`fs_getattr_cifs',` + + ######################################## + ## ++## Set the attributes of cifs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_cifs_dirs',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:dir setattr; ++') ++ ++######################################## ++## + ## Search directories on a CIFS or SMB filesystem. + ## + ## +@@ -1107,6 +1195,24 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -15632,7 +15657,7 @@ index 8416beb..f3dd0f6 100644 ## Do not audit attempts to read all ## noxattrfs files. ## -@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',` +@@ -1245,7 +1351,7 @@ interface(`fs_append_cifs_files',` ######################################## ## @@ -15641,7 +15666,7 @@ index 8416beb..f3dd0f6 100644 ## on a CIFS filesystem. ## ## -@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1265,6 +1371,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -15684,7 +15709,7 @@ index 8416beb..f3dd0f6 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1279,7 +1421,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -15693,7 +15718,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -1542,6 +1666,63 @@ interface(`fs_cifs_domtrans',` +@@ -1542,6 +1684,63 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -15757,7 +15782,7 @@ index 8416beb..f3dd0f6 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1582,6 +1763,24 @@ interface(`fs_manage_configfs_files',` +@@ -1582,6 +1781,24 @@ interface(`fs_manage_configfs_files',` ######################################## ## @@ -15782,7 +15807,7 @@ index 8416beb..f3dd0f6 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1793,63 +1992,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +2010,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -15878,7 +15903,7 @@ index 8416beb..f3dd0f6 100644 ## on a FUSEFS filesystem. ## ## -@@ -1859,18 +2065,19 @@ interface(`fs_mounton_fusefs',` +@@ -1859,18 +2083,19 @@ interface(`fs_mounton_fusefs',` ## ## # @@ -15903,7 +15928,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -1878,135 +2085,721 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2103,740 @@ interface(`fs_search_fusefs',` ## ## # @@ -16023,55 +16048,48 @@ index 8416beb..f3dd0f6 100644 ## -## Domain allowed access. +## Domain allowed to transition. -+## -+## -+## -+## -+## The type of the new process. ## ## -## - # +-# -interface(`fs_exec_fusefs_files',` -+interface(`fs_ecryptfs_domtrans',` - gen_require(` +- gen_require(` - type fusefs_t; ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`fs_ecryptfs_domtrans',` ++ gen_require(` + type ecryptfs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $1 ecryptfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, ecryptfs_t, $2) - ') - - ######################################## - ## --## Create, read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Mount a FUSE filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_manage_fusefs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mount_fusefs',` - gen_require(` - type fusefs_t; - ') - -- manage_files_pattern($1, fusefs_t, fusefs_t) ++ gen_require(` ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:filesystem mount; - ') - - ######################################## - ## --## Do not audit attempts to create, --## read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Unmount a FUSE filesystem. +## +## @@ -16631,87 +16649,93 @@ index 8416beb..f3dd0f6 100644 +interface(`fs_hugetlbfs_filetrans',` + gen_require(` + type hugetlbfs_t; -+ ') -+ + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete files +-## on a FUSEFS filesystem. +## Mount an iso9660 filesystem, which +## is usually used on CDs. ## ## ## --## Domain to not audit. -+## Domain allowed access. + ## Domain allowed access. ## ## +-## # --interface(`fs_dontaudit_manage_fusefs_files',` +-interface(`fs_manage_fusefs_files',` +interface(`fs_mount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') -- dontaudit $1 fusefs_t:file manage_file_perms; +- manage_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem mount; ') ######################################## ## --## Read symbolic links on a FUSEFS filesystem. +-## Do not audit attempts to create, +-## read, write, and delete files +-## on a FUSEFS filesystem. +## Remount an iso9660 filesystem, which +## is usually used on CDs. This allows +## some mount options to be changed. ## ## ## -@@ -2014,19 +2807,18 @@ interface(`fs_dontaudit_manage_fusefs_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## # --interface(`fs_read_fusefs_symlinks',` +-interface(`fs_dontaudit_manage_fusefs_files',` +interface(`fs_remount_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) +- dontaudit $1 fusefs_t:file manage_file_perms; + allow $1 iso9660_t:filesystem remount; ') ######################################## ## --## Get the attributes of an hugetlbfs --## filesystem. +-## Read symbolic links on a FUSEFS filesystem. +## Unmount an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2034,35 +2826,38 @@ interface(`fs_read_fusefs_symlinks',` +@@ -2014,37 +2844,38 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # --interface(`fs_getattr_hugetlbfs',` +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_unmount_iso9660_fs',` gen_require(` -- type hugetlbfs_t; +- type fusefs_t; + type iso9660_t; ') -- allow $1 hugetlbfs_t:filesystem getattr; +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 iso9660_t:filesystem unmount; ') ######################################## ## --## List hugetlbfs. +-## Get the attributes of an hugetlbfs +-## filesystem. +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. ## @@ -16722,61 +16746,61 @@ index 8416beb..f3dd0f6 100644 ## +## # --interface(`fs_list_hugetlbfs',` +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_getattr_iso9660_fs',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- allow $1 hugetlbfs_t:dir list_dir_perms; +- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 iso9660_t:filesystem getattr; ') ######################################## ## --## Manage hugetlbfs dirs. +-## List hugetlbfs. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2070,17 +2865,19 @@ interface(`fs_list_hugetlbfs',` +@@ -2052,17 +2883,19 @@ interface(`fs_getattr_hugetlbfs',` ## ## # --interface(`fs_manage_hugetlbfs_dirs',` +-interface(`fs_list_hugetlbfs',` +interface(`fs_getattr_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) +- allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; ') ######################################## ## --## Read and write hugetlbfs files. +-## Manage hugetlbfs dirs. +## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2088,35 +2885,38 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2070,17 +2903,20 @@ interface(`fs_list_hugetlbfs',` ## ## # --interface(`fs_rw_hugetlbfs_files',` +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_read_iso9660_files',` gen_require(` - type hugetlbfs_t; + type iso9660_t; ') -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) @@ -16785,9 +16809,31 @@ index 8416beb..f3dd0f6 100644 + ######################################## ## --## Allow the type to associate to hugetlbfs filesystems. +-## Read and write hugetlbfs files. +## Mount kdbus filesystems. ## + ## + ## +@@ -2088,35 +2924,35 @@ interface(`fs_manage_hugetlbfs_dirs',` + ## + ## + # +-interface(`fs_rw_hugetlbfs_files',` ++interface(`fs_mount_kdbus', ` + gen_require(` +- type hugetlbfs_t; ++ type kdbusfs_t; + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 kdbusfs_t:filesystem mount; + ') + + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. ++## Remount kdbus filesystems. + ## -## +## ## @@ -16797,64 +16843,64 @@ index 8416beb..f3dd0f6 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_mount_kdbus', ` ++interface(`fs_remount_kdbus', ` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - allow $1 hugetlbfs_t:filesystem associate; -+ allow $1 kdbusfs_t:filesystem mount; ++ allow $1 kdbusfs_t:filesystem remount; ') ######################################## ## -## Search inotifyfs filesystem. -+## Remount kdbus filesystems. ++## Unmount kdbus filesystems. ## ## ## -@@ -2124,17 +2924,17 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,17 +2960,17 @@ interface(`fs_associate_hugetlbfs',` ## ## # -interface(`fs_search_inotifyfs',` -+interface(`fs_remount_kdbus', ` ++interface(`fs_unmount_kdbus', ` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ allow $1 kdbusfs_t:filesystem remount; ++ allow $1 kdbusfs_t:filesystem unmount; ') ######################################## ## -## List inotifyfs filesystem. -+## Unmount kdbus filesystems. ++## Get attributes of kdbus filesystems. ## ## ## -@@ -2142,71 +2942,134 @@ interface(`fs_search_inotifyfs',` +@@ -2142,71 +2978,136 @@ interface(`fs_search_inotifyfs',` ## ## # -interface(`fs_list_inotifyfs',` -+interface(`fs_unmount_kdbus', ` ++interface(`fs_getattr_kdbus',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 kdbusfs_t:filesystem unmount; ++ allow $1 kdbusfs_t:filesystem getattr; ') ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Get attributes of kdbus filesystems. ++## Search kdbusfs directories. ## ## ## @@ -16864,21 +16910,24 @@ index 8416beb..f3dd0f6 100644 ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_getattr_kdbus',` ++interface(`fs_search_kdbus_dirs',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ++ ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 kdbusfs_t:filesystem getattr; ++ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Search kdbusfs directories. ++## Relabel kdbusfs directories. ## ## ## @@ -16887,29 +16936,6 @@ index 8416beb..f3dd0f6 100644 ## -## +# -+interface(`fs_search_kdbus_dirs',` -+ gen_require(` -+ type kdbusfs_t; -+ -+ ') -+ -+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+######################################## -+## -+## Relabel kdbusfs directories. -+## -+## - ## --## The type of the object to be created. -+## Domain allowed access. - ## - ## --## -+# +interface(`fs_relabel_kdbus_dirs',` + gen_require(` + type cgroup_t; @@ -16925,11 +16951,11 @@ index 8416beb..f3dd0f6 100644 +## +## ## --## The object class of the object being created. +-## The type of the object to be created. +## Domain allowed access. ## ## --## +-## +# +interface(`fs_list_kdbus_dirs',` + gen_require(` @@ -16966,21 +16992,44 @@ index 8416beb..f3dd0f6 100644 +## +## ## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`fs_delete_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## ++## Manage kdbusfs directories. ++## ++## + ## -## The name of the object being created. +## Domain allowed access. ## ## # -interface(`fs_hugetlbfs_filetrans',` -+interface(`fs_delete_kdbus_dirs', ` ++interface(`fs_manage_kdbus_dirs',` gen_require(` - type hugetlbfs_t; +- ') + type kdbusfs_t; - ') - allow $2 hugetlbfs_t:filesystem associate; - filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -16989,24 +17038,25 @@ index 8416beb..f3dd0f6 100644 ## -## Mount an iso9660 filesystem, which -## is usually used on CDs. -+## Manage kdbusfs directories. ++## Read kdbusfs files. ## ## ## -@@ -2214,19 +3077,19 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3115,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # -interface(`fs_mount_iso9660_fs',` -+interface(`fs_manage_kdbus_dirs',` ++interface(`fs_read_kdbus_files',` gen_require(` - type iso9660_t; -- ') -+ type kdbusfs_t; ++ type cgroup_t; ++ + ') - allow $1 iso9660_t:filesystem mount; -+ ') -+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17016,25 +17066,23 @@ index 8416beb..f3dd0f6 100644 -## Remount an iso9660 filesystem, which -## is usually used on CDs. This allows -## some mount options to be changed. -+## Read kdbusfs files. ++## Write kdbusfs files. ## ## ## -@@ -2234,18 +3097,21 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3137,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # -interface(`fs_remount_iso9660_fs',` -+interface(`fs_read_kdbus_files',` ++interface(`fs_write_kdbus_files', ` gen_require(` - type iso9660_t; -+ type cgroup_t; -+ ++ type kdbusfs_t; ') - allow $1 iso9660_t:filesystem remount; -+ read_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17043,23 +17091,25 @@ index 8416beb..f3dd0f6 100644 ## -## Unmount an iso9660 filesystem, which -## is usually used on CDs. -+## Write kdbusfs files. ++## Read and write kdbusfs files. ## ## ## -@@ -2253,38 +3119,61 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3157,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # -interface(`fs_unmount_iso9660_fs',` -+interface(`fs_write_kdbus_files', ` ++interface(`fs_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; ++ ') - allow $1 iso9660_t:filesystem unmount; -+ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -17068,59 +17118,38 @@ index 8416beb..f3dd0f6 100644 ## -## Get the attributes of an iso9660 -## filesystem, which is usually used on CDs. -+## Read and write kdbusfs files. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`fs_getattr_iso9660_fs',` -+interface(`fs_rw_kdbus_files',` ++interface(`fs_dontaudit_rw_kdbus_files',` gen_require(` - type iso9660_t; + type kdbusfs_t; -+ ') - allow $1 iso9660_t:filesystem getattr; -+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ') ######################################## ## -## Read files on an iso9660 filesystem, which -## is usually used on CDs. -+## Do not audit attempts to open, -+## get attributes, read and write -+## cgroup files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_rw_kdbus_files',` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:file rw_file_perms; -+') -+ -+######################################## -+## +## Manage kdbusfs files. ## ## ## -@@ -2292,19 +3181,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3199,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -17148,7 +17177,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -2312,16 +3203,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3221,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -17169,7 +17198,7 @@ index 8416beb..f3dd0f6 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2356,44 +3246,62 @@ interface(`fs_remount_nfs',` +@@ -2356,44 +3264,62 @@ interface(`fs_remount_nfs',` type nfs_t; ') @@ -17240,7 +17269,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -2485,6 +3393,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3411,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -17248,7 +17277,7 @@ index 8416beb..f3dd0f6 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3432,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3450,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -17256,7 +17285,7 @@ index 8416beb..f3dd0f6 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3459,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3477,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -17301,7 +17330,7 @@ index 8416beb..f3dd0f6 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3517,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3535,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -17310,7 +17339,7 @@ index 8416beb..f3dd0f6 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3537,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3555,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -17353,7 +17382,7 @@ index 8416beb..f3dd0f6 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3587,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3605,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -17362,7 +17391,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -2627,7 +3611,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3629,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -17371,7 +17400,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -2719,6 +3703,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3721,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -17437,7 +17466,7 @@ index 8416beb..f3dd0f6 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3784,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3802,7 @@ interface(`fs_search_removable',` ## ## ## @@ -17446,7 +17475,7 @@ index 8416beb..f3dd0f6 100644 ## ## # -@@ -2777,7 +3820,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3838,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -17455,7 +17484,7 @@ index 8416beb..f3dd0f6 100644 ## ## # -@@ -2970,6 +4013,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4031,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -17463,7 +17492,7 @@ index 8416beb..f3dd0f6 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4054,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4072,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -17471,7 +17500,7 @@ index 8416beb..f3dd0f6 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4095,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4113,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -17479,7 +17508,7 @@ index 8416beb..f3dd0f6 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4183,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4201,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -17504,7 +17533,7 @@ index 8416beb..f3dd0f6 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,7 +4327,25 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,7 +4345,25 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -17531,7 +17560,7 @@ index 8416beb..f3dd0f6 100644 ## ## Read and write NFS server files. ## -@@ -3283,6 +4365,59 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +4383,59 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -17591,7 +17620,7 @@ index 8416beb..f3dd0f6 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +4527,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4545,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -17600,7 +17629,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3429,7 +4564,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4582,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -17609,7 +17638,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3447,7 +4582,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4600,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -17618,7 +17647,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3779,6 +4914,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +4932,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -17643,7 +17672,7 @@ index 8416beb..f3dd0f6 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +4968,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +4986,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -17668,7 +17697,7 @@ index 8416beb..f3dd0f6 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +5010,76 @@ interface(`fs_getattr_tmpfs',` +@@ -3839,39 +5028,76 @@ interface(`fs_getattr_tmpfs',` ## ## ## @@ -17754,7 +17783,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3879,36 +5087,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3879,36 +5105,35 @@ interface(`fs_relabelfrom_tmpfs',` ## ## # @@ -17798,7 +17827,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3916,35 +5123,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,35 +5141,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -17842,7 +17871,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3952,17 +5160,17 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5178,17 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -17863,7 +17892,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -3970,31 +5178,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5196,30 @@ interface(`fs_search_tmpfs',` ## ## # @@ -17901,7 +17930,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -4105,7 +5312,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5330,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -17910,7 +17939,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -4165,6 +5372,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5390,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -17935,7 +17964,7 @@ index 8416beb..f3dd0f6 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5427,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5445,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -17944,7 +17973,7 @@ index 8416beb..f3dd0f6 100644 ## ## ## -@@ -4221,6 +5446,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5464,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -18005,7 +18034,7 @@ index 8416beb..f3dd0f6 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5557,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5575,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -18050,7 +18079,7 @@ index 8416beb..f3dd0f6 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5614,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5632,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -18076,7 +18105,7 @@ index 8416beb..f3dd0f6 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4407,6 +5743,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5761,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -18102,7 +18131,7 @@ index 8416beb..f3dd0f6 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5858,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5876,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -18111,7 +18140,7 @@ index 8416beb..f3dd0f6 100644 ') ######################################## -@@ -4549,7 +5906,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5924,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -18120,7 +18149,7 @@ index 8416beb..f3dd0f6 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5953,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5971,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -18147,7 +18176,7 @@ index 8416beb..f3dd0f6 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6048,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6066,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -18173,7 +18202,7 @@ index 8416beb..f3dd0f6 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6308,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6326,63 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -23386,10 +23415,10 @@ index 0000000..b680867 +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..4165608 +index 0000000..03faeac --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,689 @@ +@@ -0,0 +1,708 @@ +## Unconfined user role + +######################################## @@ -24079,12 +24108,31 @@ index 0000000..4165608 + allow unconfined_t $2:file entrypoint; + allow $1 unconfined_t:process signal_perms; +') ++ ++######################################## ++## ++## unconfined_t domain typebounds calling domain. ++## ++## ++## ++## Domain to be typebound. ++## ++## ++# ++interface(`unconfined_typebounds',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ typebounds unconfined_t $1; ++') ++ diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..c0d61f3 +index 0000000..31076d7 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,340 @@ +@@ -0,0 +1,345 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -24280,6 +24328,10 @@ index 0000000..c0d61f3 +') + +optional_policy(` ++ docker_entrypoint(unconfined_t) ++') ++ ++optional_policy(` + dbus_role_template(unconfined, unconfined_r, unconfined_t) + role system_r types unconfined_dbusd_t; + @@ -24415,6 +24467,7 @@ index 0000000..c0d61f3 +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) + virt_transition_svirt_sandbox(unconfined_t, unconfined_r) ++ virt_sandbox_entrypoint(unconfined_t) +') + +optional_policy(` diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e61fc87..b30f250 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -106682,10 +106682,10 @@ index 97cd155..49321a5 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f..9b0ab2b 100644 +index 585a77f..948bc5b 100644 --- a/tmpreaper.te +++ b/tmpreaper.te -@@ -5,9 +5,25 @@ policy_module(tmpreaper, 1.7.1) +@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1) # Declarations # @@ -106697,6 +106697,15 @@ index 585a77f..9b0ab2b 100644 +## +gen_tunable(tmpreaper_use_nfs, false) + ++ ++## ++##

    ++## Determine whether tmpreaper can use ++## cifs file systems. ++##

    ++##
    ++gen_tunable(tmpreaper_use_cifs, false) ++ +## +##

    +## Determine whether tmpreaper can use samba_share files @@ -106711,7 +106720,7 @@ index 585a77f..9b0ab2b 100644 ######################################## # -@@ -19,6 +35,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; +@@ -19,6 +44,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms; kernel_list_unlabeled(tmpreaper_t) kernel_read_system_state(tmpreaper_t) @@ -106719,7 +106728,7 @@ index 585a77f..9b0ab2b 100644 dev_read_urand(tmpreaper_t) -@@ -27,15 +44,19 @@ corecmd_exec_shell(tmpreaper_t) +@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) @@ -106743,7 +106752,7 @@ index 585a77f..9b0ab2b 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -45,7 +66,6 @@ init_use_inherited_script_ptys(tmpreaper_t) +@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) @@ -106751,7 +106760,7 @@ index 585a77f..9b0ab2b 100644 miscfiles_delete_man_pages(tmpreaper_t) ifdef(`distro_debian',` -@@ -53,10 +73,23 @@ ifdef(`distro_debian',` +@@ -53,10 +82,33 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -106773,10 +106782,20 @@ index 585a77f..9b0ab2b 100644 + tunable_policy(`tmpreaper_use_samba',` + samba_setattr_samba_share_dirs(tmpreaper_t) + ') ++') ++ ++tunable_policy(`tmpreaper_use_cifs',` ++ fs_setattr_cifs_dirs(tmpreaper_t) ++') ++ ++ optional_policy(` ++ tunable_policy(`tmpreaper_use_samba',` ++ samba_setattr_samba_share_dirs(tmpreaper_t) ++ ') ') optional_policy(` -@@ -64,6 +97,7 @@ optional_policy(` +@@ -64,6 +116,7 @@ optional_policy(` ') optional_policy(` @@ -106784,7 +106803,7 @@ index 585a77f..9b0ab2b 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -79,7 +113,19 @@ optional_policy(` +@@ -79,7 +132,19 @@ optional_policy(` ') optional_policy(` @@ -106805,7 +106824,7 @@ index 585a77f..9b0ab2b 100644 ') optional_policy(` -@@ -89,3 +135,8 @@ optional_policy(` +@@ -89,3 +154,8 @@ optional_policy(` optional_policy(` rpm_manage_cache(tmpreaper_t) ') @@ -109388,7 +109407,7 @@ index a4f20bc..58f9c69 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..65b5a0d 100644 +index facdee8..52ece13 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,226 @@ @@ -110210,7 +110229,7 @@ index facdee8..65b5a0d 100644 ##

## ## -@@ -673,54 +534,454 @@ interface(`virt_home_filetrans',` +@@ -673,54 +534,472 @@ interface(`virt_home_filetrans',` ## ## # @@ -110580,6 +110599,24 @@ index facdee8..65b5a0d 100644 + can_exec($1, svirt_sandbox_file_t) +') + ++######################################## ++## ++## Allow any svirt_sandbox_file_t to be an entrypoint of this domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`virt_sandbox_entrypoint',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ allow $1 svirt_sandbox_file_t:file entrypoint; ++') ++ +####################################### +## +## Read Sandbox Files @@ -110690,7 +110727,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -728,52 +989,80 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +1007,80 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # @@ -110791,7 +110828,7 @@ index facdee8..65b5a0d 100644 ##
## ## -@@ -781,19 +1070,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1088,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # @@ -110815,7 +110852,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -801,18 +1088,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1106,17 @@ interface(`virt_read_pid_files',` ## ## # @@ -110838,7 +110875,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -820,18 +1106,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1124,17 @@ interface(`virt_manage_pid_files',` ## ## # @@ -110861,7 +110898,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -839,20 +1124,17 @@ interface(`virt_search_lib',` +@@ -839,20 +1142,17 @@ interface(`virt_search_lib',` ## ## # @@ -110886,7 +110923,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -860,74 +1142,123 @@ interface(`virt_read_lib_files',` +@@ -860,74 +1160,123 @@ interface(`virt_read_lib_files',` ## ## # @@ -111034,7 +111071,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -935,117 +1266,134 @@ interface(`virt_read_log',` +@@ -935,117 +1284,134 @@ interface(`virt_read_log',` ## ## # @@ -111221,7 +111258,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -1053,15 +1401,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1419,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -111244,7 +111281,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -1069,21 +1419,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1437,17 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -111270,7 +111307,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -1091,36 +1437,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1455,36 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -111327,7 +111364,7 @@ index facdee8..65b5a0d 100644 ## ## ## -@@ -1136,50 +1482,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1500,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index ee49a62..17cfb8a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 175%{?dist} +Release: 176%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -670,6 +670,21 @@ exit 0 %endif %changelog +* Thu Mar 03 2016 Lukas Vrabec 3.13.1-176 +- Add new boolean tmpreaper_use_cifs() to allow tmpreaper to run on local directories being shared with Samba. +- Merge pull request #105 from rhatdan/NO_NEW_PRIV +- Fix new rkt policy +- Remove some redundant rules. +- Fix cosmetic issues in interface file. +- Merge pull request #100 from rhatdan/rawhide-contrib +- Add interface fs_setattr_cifs_dirs(). +- Merge pull request #106 from rhatdan/NO_NEW_PRIV_BASE +- Fixed to make SELinux work with docker and prctl(NO_NEW_PRIVS) +-Build file_contexts.bin file_context.local.bin file_context.homedir.bin during build phase. + This fix issue in Fedora live images when selinux-policy-targeted is not installed but just unpackaged, since there's no .bin files, + file_contexts is parsed in selabel_open(). +Resolves: rhbz#1314372 + * Fri Feb 26 2016 Lukas Vrabec 3.13.1-175 - Fix new rkt policy (Remove some redundant rules, Fix cosmetic issues in interface file) - Add policy for rkt services