diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 251805a..3a4a272 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 337540a..23edb1d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -10226,7 +10226,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..7b76b77 100644 +index cf04cb5..b5fe8e5 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10379,7 +10379,14 @@ index cf04cb5..7b76b77 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -160,11 +236,379 @@ allow unconfined_domain_type domain:msg { send receive }; + + # For /proc/pid + allow unconfined_domain_type domain:dir list_dir_perms; +-allow unconfined_domain_type domain:file rw_file_perms; ++allow unconfined_domain_type domain:file manage_file_perms; + allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; + # act on all domains keys allow unconfined_domain_type domain:key *; @@ -35025,7 +35032,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..e69fa39 100644 +index 79a45f6..cf6add7 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -35740,7 +35747,7 @@ index 79a45f6..e69fa39 100644 ## ## ## -@@ -1133,7 +1382,83 @@ interface(`init_getattr_all_script_files',` +@@ -1133,7 +1382,102 @@ interface(`init_getattr_all_script_files',` ## ## # 
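Review bot: In the domain.te hunk, replacing `rw_file_perms` with `manage_file_perms` on `unconfined_domain_type domain:file` (the /proc/pid entries) also grants unlink, link, rename and setattr, while the changelog only says user namespaces need `create`; the stated need is covered by `allow unconfined_domain_type domain:file { rw_file_perms create };`. The same widening is repeated on L7 in unconfined.if (`allow $1 self:file manage_file_perms;`) and userdomain.te (`allow unpriv_userdomain self:file manage_file_perms;`), where the narrower set would apply equally. The commit does not say which /proc file needs `create`, so a one-line comment naming it next to the rule would let a later reader judge whether the grant can be reduced further.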
@@ -35813,6 +35820,25 @@ index 79a45f6..e69fa39 100644 + +######################################## +## ++## Allow the specified domain to modify the systemd configuration of ++## transient scripts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_config_transient_files',` ++ gen_require(` ++ attribute init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:service all_service_perms; ++') ++ ++######################################## ++## +## Read all init script files. +## +## @@ -35825,7 +35851,7 @@ index 79a45f6..e69fa39 100644 gen_require(` attribute init_script_file_type; ') -@@ -1144,6 +1469,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1488,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -35850,7 +35876,7 @@ index 79a45f6..e69fa39 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1538,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1557,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -35864,7 +35890,7 @@ index 79a45f6..e69fa39 100644 ') ######################################## -@@ -1314,6 +1652,24 @@ interface(`init_signal_script',` +@@ -1314,6 +1671,24 @@ interface(`init_signal_script',` ######################################## ## @@ -35889,7 +35915,7 @@ index 79a45f6..e69fa39 100644 ## Send null signals to init scripts. ## ## -@@ -1440,6 +1796,27 @@ interface(`init_dbus_send_script',` +@@ -1440,6 +1815,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -35917,7 +35943,7 @@ index 79a45f6..e69fa39 100644 ## init scripts over dbus. ## ## -@@ -1547,6 +1924,25 @@ interface(`init_getattr_script_status_files',` +@@ -1547,6 +1943,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## 
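Review bot: `init_config_transient_files` requires `attribute init_var_run_t;`, but init_var_run_t is a type everywhere else in this patch (`type init_var_run_t;` in the init_pid_filetrans require block, `gen_context(system_u:object_r:init_var_run_t,s0)` in the .fc hunk), and as far as I know the module linker rejects a require whose flavor does not match the declaration; the line should read `type init_var_run_t;`. The interface summary says it lets the caller modify transient unit configuration, yet `all_service_perms` also covers start, stop, enable, disable, reload and status on every init_var_run_t unit; if systemd-logind's boot-time requirement is narrower, list only those permissions. The caller, `init_config_transient_files(systemd_logind_t)`, is on L6.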
@@ -35943,7 +35969,7 @@ index 79a45f6..e69fa39 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2001,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2020,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -35968,7 +35994,7 @@ index 79a45f6..e69fa39 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2091,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2110,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -36012,7 +36038,7 @@ index 79a45f6..e69fa39 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2216,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2235,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -36021,12 +36047,14 @@ index 79a45f6..e69fa39 100644 ') ######################################## -@@ -1806,6 +2257,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,37 +2276,672 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') +-######################################## +###################################### -+## + ## +-## Allow the specified domain to connect to daemon with a tcp socket +## Allow search directory in the /run/systemd directory. +## +## @@ -36085,8 +36113,8 @@ index 79a45f6..e69fa39 100644 +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. -+## -+## + ## + ## +## +## Domain allowed access. +## 
@@ -36102,31 +36130,39 @@ index 79a45f6..e69fa39 100644 +## +## +## -+## + ## +-## Domain allowed access. +## The name of the object being created. -+## -+## -+# + ## + ## + # +-interface(`init_tcp_recvfrom_all_daemons',` +- gen_require(` +- attribute daemon; +- ') +interface(`init_pid_filetrans',` + gen_require(` + type init_var_run_t; + ') -+ + +- corenet_tcp_recvfrom_labeled($1, daemon) + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## Allow the specified domain to connect to daemon with a udp socket +## Create objects in /run/systemd directory +## with an automatic type transition to +## a specified private type. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## +## +## The type of the object to create. 
@@ -36142,23 +36178,53 @@ index 79a45f6..e69fa39 100644 +## The name of the object being created. +## +## -+# + # +-interface(`init_udp_recvfrom_all_daemons',` +interface(`init_named_pid_filetrans',` -+ gen_require(` + gen_require(` +- attribute daemon; + type init_var_run_t; -+ ') + ') +- corenet_udp_recvfrom_labeled($1, daemon) + + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + - ######################################## - ## - ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2418,511 @@ interface(`init_udp_recvfrom_all_daemons',` - ') - corenet_udp_recvfrom_labeled($1, daemon) - ') ++######################################## ++## ++## Allow the specified domain to connect to daemon with a tcp socket ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_tcp_recvfrom_all_daemons',` ++ gen_require(` ++ attribute daemon; ++ ') ++ ++ corenet_tcp_recvfrom_labeled($1, daemon) ++') ++ ++######################################## ++## ++## Allow the specified domain to connect to daemon with a udp socket ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_udp_recvfrom_all_daemons',` ++ gen_require(` ++ attribute daemon; ++ ') ++ corenet_udp_recvfrom_labeled($1, daemon) ++') + +######################################## +## @@ -36666,7 +36732,7 @@ index 79a45f6..e69fa39 100644 + + files_search_var_lib($1) + allow $1 init_var_lib_t:dir search_dir_perms; -+') + ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 17eda24..f09c5ae 100644 --- a/policy/modules/system/init.te @@ -45402,7 +45468,7 @@ index 40edc18..95f4458 100644 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) + diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 2cea692..bf86a31 100644 +index 2cea692..8edb742 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if 
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -45819,7 +45885,7 @@ index 2cea692..bf86a31 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',` +@@ -796,3 +1053,143 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -45945,6 +46011,24 @@ index 2cea692..bf86a31 100644 + + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') ++ ++######################################## ++## ++## Transition to sysnet ifconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_filetrans_net_conf',` ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ files_etc_filetrans($1, net_conf_t, file) ++') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index a392fc4..155d5ce 100644 --- a/policy/modules/system/sysnetwork.te @@ -48142,10 +48226,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0be65c0 +index 0000000..8c07053 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,930 @@ +@@ -0,0 +1,931 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48375,6 +48459,7 @@ index 0000000..0be65c0 +init_signal_script(systemd_logind_t) +init_getattr_script_status_files(systemd_logind_t) +init_read_utmp(systemd_logind_t) ++init_config_transient_files(systemd_logind_t) + +getty_systemctl(systemd_logind_t) + @@ -49674,7 +49759,7 @@ index 0abaf84..8b34dbc 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 5ca20a9..99a38b0 100644 +index 5ca20a9..5454d16 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,57 @@ 
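Review bot: `sysnet_filetrans_net_conf` installs an unnamed transition (`files_etc_filetrans($1, net_conf_t, file)`), so every file the caller creates directly in /etc is labeled net_conf_t, not only its network configuration; the summary speaks of "named content" and the changelog calls the interface sysnet_filetrans_named_net_conf(), which suggests a filename was intended, e.g. `files_etc_filetrans($1, net_conf_t, file, "<FILENAME>")` with the name fixed here or passed in as a parameter. With the caller `sysnet_filetrans_net_conf(NetworkManager_t)` on L8 the rule as written applies to all of NetworkManager's file creation in /etc. The summary also says "sysnet ifconfig named content" while the transition target is net_conf_t; the doc should name the type it actually assigns.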
@@ -49701,7 +49786,8 @@ index 5ca20a9..99a38b0 100644 + allow $1 self:process { dyntransition transition }; # Write access is for setting attributes under /proc/self/attr. - allow $1 self:file rw_file_perms; +- allow $1 self:file rw_file_perms; ++ allow $1 self:file manage_file_perms; + allow $1 self:dir rw_dir_perms; # Userland object managers @@ -55573,7 +55659,7 @@ index 9dc60c6..595ad40 100644 + ') ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..d7cbcec 100644 +index f4ac38d..1589d60 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -55662,7 +55748,7 @@ index f4ac38d..d7cbcec 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,395 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,396 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -55729,6 +55815,7 @@ index f4ac38d..d7cbcec 100644 +# Nautilus causes this avc +domain_dontaudit_access_check(unpriv_userdomain) +dontaudit unpriv_userdomain self:dir setattr; ++allow unpriv_userdomain self:file manage_file_perms; +allow unpriv_userdomain self:key manage_key_perms; + +mount_dontaudit_write_mount_pid(unpriv_userdomain) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 0203074..ff0837a 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -58759,7 +58759,7 @@ index 86dc29d..7380935 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') 
diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..ab2d757 100644 +index 55f2009..debb78b 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -58965,7 +58965,7 @@ index 55f2009..ab2d757 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +205,36 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +205,37 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -58973,6 +58973,7 @@ index 55f2009..ab2d757 100644 sysnet_manage_config(NetworkManager_t) -sysnet_etc_filetrans_config(NetworkManager_t) +sysnet_filetrans_named_content(NetworkManager_t) ++sysnet_filetrans_net_conf(NetworkManager_t) -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) @@ -59006,7 +59007,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -196,10 +250,6 @@ optional_policy(` +@@ -196,10 +251,6 @@ optional_policy(` ') optional_policy(` @@ -59017,7 +59018,7 @@ index 55f2009..ab2d757 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,31 +260,34 @@ optional_policy(` +@@ -210,31 +261,34 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -59060,7 +59061,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -246,10 +299,26 @@ optional_policy(` +@@ -246,10 +300,26 @@ optional_policy(` ') optional_policy(` @@ -59087,7 +59088,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -257,15 +326,19 @@ optional_policy(` +@@ -257,15 +327,19 @@ optional_policy(` ') optional_policy(` @@ -59109,7 +59110,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -274,10 +347,17 @@ optional_policy(` +@@ -274,10 +348,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) 
@@ -59127,7 +59128,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -286,9 +366,12 @@ optional_policy(` +@@ -286,9 +367,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) @@ -59140,7 +59141,7 @@ index 55f2009..ab2d757 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +379,7 @@ optional_policy(` +@@ -296,7 +380,7 @@ optional_policy(` ') optional_policy(` @@ -59149,7 +59150,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -307,6 +390,7 @@ optional_policy(` +@@ -307,6 +391,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -59157,7 +59158,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -320,14 +404,21 @@ optional_policy(` +@@ -320,14 +405,21 @@ optional_policy(` ') optional_policy(` @@ -59184,7 +59185,7 @@ index 55f2009..ab2d757 100644 ') optional_policy(` -@@ -338,6 +429,13 @@ optional_policy(` +@@ -338,6 +430,13 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') @@ -59198,7 +59199,7 @@ index 55f2009..ab2d757 100644 ######################################## # # wpa_cli local policy -@@ -357,6 +455,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +456,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -112661,7 +112662,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..5b78d90 100644 +index f03dcf5..8d090ad 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ 
@@ -114235,7 +114236,7 @@ index f03dcf5..5b78d90 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1250,354 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1250,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -114300,6 +114301,7 @@ index f03dcf5..5b78d90 100644 +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) ++fs_rw_onload_sockets(svirt_sandbox_domain) + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; @@ -114731,7 +114733,7 @@ index f03dcf5..5b78d90 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1610,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1611,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -114746,7 +114748,7 @@ index f03dcf5..5b78d90 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1628,7 @@ optional_policy(` +@@ -1192,7 +1629,7 @@ optional_policy(` ######################################## # @@ -114755,7 +114757,7 @@ index f03dcf5..5b78d90 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1637,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1638,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 12b5672..945fe28 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
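Review bot: `fs_rw_onload_sockets(svirt_sandbox_domain)` is unconditional, so every sandbox and container domain carrying that attribute gains read/write on onload socket files whether or not it uses that hardware, which loosens the default confinement of the whole attribute for what the changelog describes as a single need. The neighbouring `tunable_policy(`deny_ptrace',...` block in the same hunk shows the file's pattern for gating access behind a boolean, and a tunable would keep the default policy tighter. A short comment stating which workload requires onload access would help the next reader judge the grant.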
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 195%{?dist}
+Release: 196%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,13 @@ exit 0
 %endif
 %changelog
+* Mon Jun 13 2016 Lukas Vrabec 3.13.1-196
+- Allow svirt_sandbox_domains to r/w onload sockets
+- Add filetrans rule that NetworkManager_t can create net_conf_t files in /etc.
+- Add interface sysnet_filetrans_named_net_conf()
+- Rawhide fails to boot, systemd-logind needs to config transient config files
+- User Namespace is requires create on process domains
+
 * Thu Jun 08 2016 Lukas Vrabec 3.13.1-195
 - Add hwloc-dump-hwdata SELinux policy
 - Add labels for mediawiki123