diff --git a/container-selinux.tgz b/container-selinux.tgz index 9b07a0f..734bfcd 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c2288f8..9b14adf 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -10068,7 +10068,7 @@ index 0b1a871..29965c3 100644 +dev_getattr_all(devices_unconfined_type) + diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..1a2713b 100644 +index 6a1e4d1..f23f6a6 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -10107,15 +10107,6 @@ index 6a1e4d1..1a2713b 100644 ') ######################################## -@@ -128,7 +103,7 @@ interface(`domain_entry_file',` - ') - - allow $1 $2:file entrypoint; -- allow $1 $2:file { mmap_file_perms ioctl lock }; -+ allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans }; - - typeattribute $2 entry_type; - @@ -513,6 +488,26 @@ interface(`domain_signull_all_domains',` ######################################## @@ -39984,7 +39975,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..218750e 100644 +index be8ed1e..aa38f90 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,21 @@ role iptables_roles types iptables_t; @@ -40120,7 +40111,16 @@ index be8ed1e..218750e 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +154,16 @@ optional_policy(` +@@ -119,11 +149,25 @@ optional_policy(` + ') + + optional_policy(` ++ plymouthd_exec_plymouth(iptables_t) ++') ++ ++optional_policy(` + ppp_dontaudit_use_fds(iptables_t) + ') optional_policy(` psad_rw_tmp_files(iptables_t) @@ -40137,7 +40137,7 @@ index be8ed1e..218750e 100644 ') optional_policy(` -@@ -135,9 +175,9 @@ optional_policy(` +@@ -135,9 +179,9 @@ optional_policy(` ') optional_policy(` @@ -40184,7 +40184,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..549c41b 100644 +index 73bb3c0..fffae71 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -40222,7 +40222,12 @@ index 73bb3c0..549c41b 100644 /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -103,6 +106,12 @@ ifdef(`distro_redhat',` +@@ -99,10 +102,17 @@ ifdef(`distro_redhat',` + # /sbin + # + /sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) ++/sbin/sln -- gen_context(system_u:object_r:ldconfig_exec_t,s0) + # # /usr # @@ -40235,7 +40240,7 @@ index 73bb3c0..549c41b 100644 /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -111,12 +120,12 @@ ifdef(`distro_redhat',` +@@ -111,12 +121,12 @@ ifdef(`distro_redhat',` /usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0) /usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0) @@ -40250,7 +40255,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) -@@ -125,10 +134,12 @@ ifdef(`distro_redhat',` +@@ -125,10 +135,12 @@ ifdef(`distro_redhat',` /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40263,7 +40268,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -141,19 +152,23 @@ ifdef(`distro_redhat',` +@@ -141,19 +153,23 @@ ifdef(`distro_redhat',` /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40292,7 +40297,7 @@ index 73bb3c0..549c41b 100644 /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -182,11 +197,13 @@ ifdef(`distro_redhat',` +@@ -182,11 +198,13 @@ ifdef(`distro_redhat',` # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40306,7 +40311,7 @@ index 73bb3c0..549c41b 100644 /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -241,13 +258,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ +@@ -241,13 +259,11 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40322,7 +40327,7 @@ index 73bb3c0..549c41b 100644 # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -269,20 +284,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -269,20 +285,19 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40353,7 +40358,7 @@ index 73bb3c0..549c41b 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +314,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 70263d8..e10ed4d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -20522,7 +20522,7 @@ index b25b01d..06895f3 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..47199aa 100644 +index 001b502..9892b34 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) @@ -20576,7 +20576,7 @@ index 001b502..47199aa 100644 kernel_read_network_state(ctdbd_t) kernel_read_system_state(ctdbd_t) kernel_rw_net_sysctls(ctdbd_t) -@@ -72,9 +89,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,10 +89,16 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -20588,9 +20588,12 @@ index 001b502..47199aa 100644 +corenet_tcp_bind_smbd_port(ctdbd_t) +corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) ++corenet_tcp_connect_gluster_port(ctdbd_t) ++corenet_tcp_connect_nfs_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,14 +106,18 @@ dev_read_urand(ctdbd_t) + corecmd_exec_shell(ctdbd_t) +@@ -85,14 +108,18 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -20611,10 +20614,14 @@ index 001b502..47199aa 100644 optional_policy(` consoletype_exec(ctdbd_t) ') -@@ -106,9 +131,16 @@ optional_policy(` +@@ -106,9 +133,20 @@ optional_policy(` ') optional_policy(` ++ rpc_read_nfs_state_data(ctdbd_t) ++') ++ ++optional_policy(` + samba_signull_smbd(ctdbd_t) samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) @@ -32116,10 +32123,10 @@ index 5cd0909..bd3c3d2 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..52b4110 +index 0000000..a3633cd --- /dev/null +++ b/glusterd.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,29 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) @@ -32128,6 +32135,13 @@ index 0000000..52b4110 +/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + ++/usr/sbin/glustereventsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/sbin/gluster-eventsapi -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ ++ ++/usr/libexec/glusterfs/peer_eventsapi.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++/usr/libexec/glusterfs/events/glustereventsd.py -- gen_context(system_u:object_r:glusterd_exec_t,s0) ++ +/usr/bin/ganesha.nfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + +/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) @@ -32411,10 +32425,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..0a33da3 +index 0000000..40c6ade --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,305 @@ +@@ -0,0 +1,307 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32604,6 +32618,7 @@ index 0000000..0a33da3 +init_rw_script_tmp_files(glusterd_t) +init_manage_script_status_files(glusterd_t) +init_status(glusterd_t) ++init_stop_transient_unit(glusterd_t) + +systemd_config_systemd_services(glusterd_t) +systemd_signal_passwd_agent(glusterd_t) @@ -32622,6 +32637,7 @@ index 0000000..0a33da3 +userdom_delete_user_tmp_files(glusterd_t) +userdom_rw_user_tmp_files(glusterd_t) +userdom_kill_all_users(glusterd_t) ++userdom_signal_unpriv_users(glusterd_t) + +mount_domtrans(glusterd_t) + @@ -76636,7 +76652,7 @@ index cd8b8b9..2cfa88a 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index d616ca3..b03d137 100644 +index d616ca3..76f9b25 100644 --- a/ppp.te +++ b/ppp.te @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0) @@ -76911,7 +76927,7 @@ index d616ca3..b03d137 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +266,45 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +266,46 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -76942,6 +76958,7 @@ index d616ca3..b03d137 100644 +dev_read_sysfs(pptp_t) +dev_read_rand(pptp_t) +dev_read_urand(pptp_t) ++dev_read_rand(pptp_t) + corecmd_exec_shell(pptp_t) corecmd_read_bin_symlinks(pptp_t) @@ -76970,7 +76987,7 @@ index d616ca3..b03d137 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +312,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +313,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -76985,7 +77002,7 @@ index d616ca3..b03d137 100644 sysnet_exec_ifconfig(pptp_t) userdom_dontaudit_use_unpriv_user_fds(pptp_t) -@@ -299,6 +329,10 @@ optional_policy(` +@@ -299,6 +330,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index ea5883e..add1429 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 230%{?dist} +Release: 231%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -675,6 +675,14 @@ exit 0 %endif %changelog +* Wed Dec 14 2016 Lukas Vrabec - 3.13.1-231 +- Allow pptp_t to read /dev/random BZ(1404248) +- Allow glusterd_t send signals to userdomain. Label new glusterd binaries as glusterd_exec_t +- Allow systemd to stop glusterd_t domains. +- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base +- Label /usr/sbin/sln as ldconfig_exec_t BZ(1378323) +- Revert "Allow an domain that has an entrypoint from a type to be allowed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs." + * Thu Dec 08 2016 Lukas Vrabec - 3.13.1-230 - Label /usr/bin/rpcbind as rpcbind_exec_t - Dontaudit mozilla plugin rawip socket creation. BZ(1275961)