diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 59592da..2480dc5 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -32228,10 +32228,10 @@ index 17eda24..d4113cc 100644 + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..fc34e78 100644 +index 662e79b..353c3b7 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,24 @@ +@@ -1,14 +1,25 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) @@ -32251,13 +32251,14 @@ index 662e79b..fc34e78 100644 /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/strongimcv(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +36,26 @@ +@@ -26,16 +37,26 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) @@ -37267,10 +37268,35 @@ index d43f3b1..870bc36 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..270bde3 100644 +index 3822072..8686e0a 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if -@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` +@@ -135,6 +135,24 @@ interface(`seutil_exec_loadpolicy',` + + ######################################## + ## ++## Dontaudit access check on load_policy. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_dontaudit_access_check_load_policy',` ++ gen_require(` ++ type load_policy_exec_t; ++ ') ++ ++ dontaudit $1 load_policy_exec_t:file audit_access; ++') ++ ++######################################## ++## + ## Read the load_policy program file. + ## + ## +@@ -192,11 +210,22 @@ interface(`seutil_domtrans_newrole',` # interface(`seutil_run_newrole',` gen_require(` @@ -37295,7 +37321,7 @@ index 3822072..270bde3 100644 ') ######################################## -@@ -359,6 +370,27 @@ interface(`seutil_exec_restorecon',` +@@ -359,6 +388,27 @@ interface(`seutil_exec_restorecon',` ######################################## ## @@ -37323,7 +37349,7 @@ index 3822072..270bde3 100644 ## Execute run_init in the run_init domain. ## ## -@@ -425,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',` +@@ -425,11 +475,20 @@ interface(`seutil_init_script_domtrans_runinit',` # interface(`seutil_run_runinit',` gen_require(` @@ -37347,7 +37373,7 @@ index 3822072..270bde3 100644 ') ######################################## -@@ -461,11 +502,19 @@ interface(`seutil_run_runinit',` +@@ -461,11 +520,19 @@ interface(`seutil_run_runinit',` # interface(`seutil_init_script_run_runinit',` gen_require(` @@ -37370,7 +37396,7 @@ index 3822072..270bde3 100644 ') ######################################## -@@ -535,6 +584,53 @@ interface(`seutil_run_setfiles',` +@@ -535,6 +602,53 @@ interface(`seutil_run_setfiles',` ######################################## ## @@ -37424,7 +37450,32 @@ index 3822072..270bde3 100644 ## Execute setfiles in the caller domain. ## ## -@@ -680,10 +776,115 @@ interface(`seutil_manage_config',` +@@ -555,6 +669,24 @@ interface(`seutil_exec_setfiles',` + + ######################################## + ## ++## Dontaudit access check on setfiles. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_dontaudit_access_check_setfiles',` ++ gen_require(` ++ type setfiles_exec_t; ++ ') ++ ++ dontaudit $1 setfiles_exec_t:file audit_access; ++') ++ ++######################################## ++## + ## Do not audit attempts to search the SELinux + ## configuration directory (/etc/selinux). + ## +@@ -680,10 +812,115 @@ interface(`seutil_manage_config',` ') files_search_etc($1) @@ -37540,7 +37591,7 @@ index 3822072..270bde3 100644 ####################################### ## ## Create, read, write, and delete -@@ -694,15 +895,62 @@ interface(`seutil_manage_config',` +@@ -694,15 +931,62 @@ interface(`seutil_manage_config',` ## Domain allowed access. ## ## @@ -37606,7 +37657,7 @@ index 3822072..270bde3 100644 ') ######################################## -@@ -746,6 +994,29 @@ interface(`seutil_read_default_contexts',` +@@ -746,6 +1030,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') @@ -37636,7 +37687,7 @@ index 3822072..270bde3 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -784,7 +1055,9 @@ interface(`seutil_read_file_contexts',` +@@ -784,7 +1091,9 @@ interface(`seutil_read_file_contexts',` files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; @@ -37646,7 +37697,7 @@ index 3822072..270bde3 100644 ') ######################################## -@@ -999,6 +1272,26 @@ interface(`seutil_domtrans_semanage',` +@@ -999,6 +1308,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -37673,7 +37724,7 @@ index 3822072..270bde3 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1017,11 +1310,67 @@ interface(`seutil_domtrans_semanage',` +@@ -1017,11 +1346,67 @@ interface(`seutil_domtrans_semanage',` # interface(`seutil_run_semanage',` gen_require(` @@ -37743,7 +37794,7 @@ index 3822072..270bde3 100644 ') ######################################## -@@ -1043,7 +1392,11 @@ interface(`seutil_manage_module_store',` +@@ -1043,7 +1428,11 @@ interface(`seutil_manage_module_store',` files_search_etc($1) manage_dirs_pattern($1, selinux_config_t, semanage_store_t) manage_files_pattern($1, semanage_store_t, semanage_store_t) @@ -37755,7 +37806,32 @@ index 3822072..270bde3 100644 ') ####################################### -@@ -1137,3 +1490,122 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1067,6 +1456,24 @@ interface(`seutil_get_semanage_read_lock',` + + ####################################### + ## ++## Dontaudit access check on module store ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`seutil_dontaudit_access_check_semanage_read_lock',` ++ gen_require(` ++ type semanage_read_lock_t; ++ ') ++ ++ dontaudit $1 semanage_read_lock_t:file audit_access; ++') ++ ++####################################### ++## + ## Get trans lock on module store + ## + ## +@@ -1137,3 +1544,122 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -39289,7 +39365,7 @@ index 2cea692..e094fc0 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..4302955 100644 +index a392fc4..ca1b2bc 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -39648,12 +39724,13 @@ index a392fc4..4302955 100644 ') optional_policy(` -@@ -350,7 +450,15 @@ optional_policy(` +@@ -350,7 +450,16 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(ifconfig_t) + kdump_dontaudit_read_config(ifconfig_t) ++ kdump_rw_inherited_kdumpctl_tmp_pipes(ifconfig_t) +') + +optional_policy(` @@ -39665,7 +39742,7 @@ index a392fc4..4302955 100644 ') optional_policy(` -@@ -371,3 +479,13 @@ optional_policy(` +@@ -371,3 +480,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9cc8bac..99e193a 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12502,7 +12502,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index e5b621c..f975594 100644 +index e5b621c..fc150e9 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -12533,7 +12533,7 @@ index e5b621c..f975594 100644 allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +83,24 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,29 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -12559,6 +12559,11 @@ index e5b621c..f975594 100644 optional_policy(` - mta_send_mail(chronyd_t) + timemaster_stream_connect(chronyd_t) ++ timemaster_rw_shm(chronyd_t) ++') ++ ++optional_policy(` ++ ptp4l_rw_shm(chronyd_t) ') diff --git a/cinder.fc b/cinder.fc new file mode 100644 @@ -37843,7 +37848,7 @@ index a49ae4e..0c0e987 100644 + +/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..21efcc4 100644 +index 3a00b3a..6043fd6 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -37984,7 +37989,7 @@ index 3a00b3a..21efcc4 100644 ## ## ## -@@ -76,10 +177,69 @@ interface(`kdump_manage_config',` +@@ -76,10 +177,88 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') @@ -38009,6 +38014,25 @@ index 3a00b3a..21efcc4 100644 + +################################### +## ++## Read/write inherited kdump /var/tmp named pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_rw_inherited_kdumpctl_tmp_pipes',` ++ gen_require(` ++ type kdumpctl_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++################################### ++## +## Manage kdump /var/tmp files. +## +## @@ -38056,7 +38080,7 @@ index 3a00b3a..21efcc4 100644 ## ## ## -@@ -88,19 +248,24 @@ interface(`kdump_manage_config',` +@@ -88,19 +267,24 @@ interface(`kdump_manage_config',` ## ## ## @@ -38086,7 +38110,7 @@ index 3a00b3a..21efcc4 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -110,6 +275,10 @@ interface(`kdump_admin',` +@@ -110,6 +294,10 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) @@ -39886,16 +39910,18 @@ index 628b78b..fe65617 100644 - -miscfiles_read_localization(keyboardd_t) diff --git a/keystone.fc b/keystone.fc -index b273d80..6a07210 100644 +index b273d80..9b6e9bd 100644 --- a/keystone.fc +++ b/keystone.fc -@@ -1,3 +1,5 @@ +@@ -1,7 +1,13 @@ +/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0) + /etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0) /usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0) -@@ -5,3 +7,5 @@ + ++/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0) ++ /var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0) /var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0) @@ -41912,10 +41938,10 @@ index 0000000..d2061a9 +/var/run/timemaster(/.*)? gen_context(system_u:object_r:timemaster_var_run_t,s0) diff --git a/linuxptp.if b/linuxptp.if new file mode 100644 -index 0000000..8d6873f +index 0000000..236707b --- /dev/null +++ b/linuxptp.if -@@ -0,0 +1,59 @@ +@@ -0,0 +1,103 @@ +## implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux. + +######################################## @@ -41975,12 +42001,56 @@ index 0000000..8d6873f + stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t) +') + ++######################################## ++## ++## Read and write timemaster shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`timemaster_rw_shm',` ++ gen_require(` ++ type timemaster_t, timemaster_tmpfs_t; ++ ') ++ ++ allow $1 timemaster_t:shm rw_shm_perms; ++ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) ++ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) ++ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) ++ fs_search_tmpfs($1) ++') ++ ++######################################## ++## ++## Read and write ptp4l_t shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ptp4l_rw_shm',` ++ gen_require(` ++ type ptp4l_t, timemaster_tmpfs_t; ++ ') ++ ++ allow $1 ptp4l_t:shm rw_shm_perms; ++ list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) ++ rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) ++ read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) ++ fs_search_tmpfs($1) ++') ++ diff --git a/linuxptp.te b/linuxptp.te new file mode 100644 -index 0000000..5a1445c +index 0000000..affa9bd --- /dev/null +++ b/linuxptp.te -@@ -0,0 +1,144 @@ +@@ -0,0 +1,173 @@ +policy_module(linuxptp, 1.0.0) + + @@ -41996,6 +42066,9 @@ index 0000000..5a1445c +type timemaster_var_run_t; +files_pid_file(timemaster_var_run_t) + ++type timemaster_tmpfs_t; ++files_tmpfs_file(timemaster_tmpfs_t) ++ +type timemaster_unit_file_t; +systemd_unit_file(timemaster_unit_file_t) + @@ -42028,11 +42101,17 @@ index 0000000..5a1445c +allow timemaster_t ptp4l_t:process signal; +allow timemaster_t phc2sys_t:process signal; + ++allow timemaster_t ptp4l_t:shm rw_shm_perms; ++ +manage_dirs_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) +manage_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) +manage_sock_files_pattern(timemaster_t, timemaster_var_run_t, timemaster_var_run_t) +files_pid_filetrans(timemaster_t, timemaster_var_run_t, { dir file sock_file }) + ++manage_dirs_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t) ++manage_files_pattern(timemaster_t, timemaster_tmpfs_t, timemaster_tmpfs_t) ++fs_tmpfs_filetrans(timemaster_t, timemaster_tmpfs_t, { dir file }) ++ +kernel_read_network_state(timemaster_t) + +auth_use_nsswitch(timemaster_t) @@ -42040,11 +42119,17 @@ index 0000000..5a1445c +corenet_udp_bind_generic_node(timemaster_t) +corenet_udp_bind_ntp_port(timemaster_t) + ++dev_read_urand(timemaster_t) ++ +logging_send_syslog_msg(timemaster_t) + +sysnet_read_config(timemaster_t) + +optional_policy(` ++ ntp_domtrans(timemaster_t) ++') ++ ++optional_policy(` + chronyd_domtrans(timemaster_t) + chronyd_rw_shm(timemaster_t) +') @@ -42074,11 +42159,19 @@ index 0000000..5a1445c + +allow phc2sys_t ptp4l_t:unix_dgram_socket sendto; + ++allow phc2sys_t timemaster_t:shm rw_shm_perms; ++ +manage_dirs_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) +manage_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) +manage_sock_files_pattern(phc2sys_t, timemaster_var_run_t, timemaster_var_run_t) +files_pid_filetrans(phc2sys_t, timemaster_var_run_t, { dir file sock_file }) + ++manage_dirs_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t) ++manage_files_pattern(phc2sys_t, timemaster_tmpfs_t, timemaster_tmpfs_t) ++fs_tmpfs_filetrans(phc2sys_t, timemaster_tmpfs_t, { dir file }) ++ ++dev_rw_realtime_clock(phc2sys_t) ++ +logging_send_syslog_msg(phc2sys_t) + +optional_policy(` @@ -42112,9 +42205,15 @@ index 0000000..5a1445c +manage_sock_files_pattern(ptp4l_t, timemaster_var_run_t, timemaster_var_run_t) +files_pid_filetrans(ptp4l_t, timemaster_var_run_t, { dir file sock_file }) + ++manage_dirs_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t) ++manage_files_pattern(ptp4l_t, timemaster_tmpfs_t, timemaster_tmpfs_t) ++fs_tmpfs_filetrans(ptp4l_t, timemaster_tmpfs_t, { dir file }) ++ +corenet_udp_bind_generic_node(ptp4l_t) +corenet_udp_bind_reserved_port(ptp4l_t) + ++dev_rw_realtime_clock(ptp4l_t) ++ +logging_send_syslog_msg(ptp4l_t) + +optional_policy(` @@ -67101,7 +67200,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index ee91778..b00a474 100644 +index ee91778..945a36f 100644 --- a/policykit.te +++ b/policykit.te @@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0) @@ -67297,7 +67396,7 @@ index ee91778..b00a474 100644 userdom_dontaudit_read_user_home_content_files(policykit_auth_t) +userdom_dontaudit_write_user_tmp_files(policykit_auth_t) -+userdom_dontaudit_manage_user_home_dirs(policykit_auth_t) ++userdom_dontaudit_access_check_user_content(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 86271b7..af9250f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 91%{?dist} +Release: 92%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -604,6 +604,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Nov 10 2014 Lukas Vrabec 3.12.1-92 +- Add kdump_rw_inherited_kdumpctl_tmp_pipes() +- Added fixes related to linuxptp. BZ (1149693) +- Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424 +- Dontaudit policykit_auth_t to access to user home dirs. BZ (1157256) +- Fix seutil_dontaudit_access_check_load_policy() +- Add dontaudit interfaces for audit_access in seutil +- Label /etc/strongimcv as ipsec_conf_file_t. + * Fri Nov 07 2014 Lukas Vrabec 3.13.1-91 - Added interface userdom_dontaudit_manage_user_home_dirs - Fix unconfined_server_dbus_chat() interface.