diff --git a/docker-selinux.tgz b/docker-selinux.tgz index f1022ab..fd92246 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 736b123..26f2fe8 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -40564,7 +40564,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa99..22f539c 100644 +index 446fa99..d66491c 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -40588,7 +40588,7 @@ index 446fa99..22f539c 100644 +') + +ifdef(`enable_mls',` -+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh) ++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh) +') + ######################################## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 522ac0c..ff08db5 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2275,7 +2275,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index 519051c..0f871e6 100644 +index 519051c..69a4c66 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2313,7 +2313,15 @@ index 519051c..0f871e6 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms; + + manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) + manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t) ++files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir) + + manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t) + manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t) +@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2330,7 +2338,7 @@ index 519051c..0f871e6 100644 corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -2338,7 +2346,7 @@ index 519051c..0f871e6 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -130,6 +137,7 @@ fs_list_all(amanda_t) +@@ -130,6 +138,7 @@ fs_list_all(amanda_t) storage_raw_read_fixed_disk(amanda_t) storage_read_tape(amanda_t) storage_write_tape(amanda_t) @@ -2346,7 +2354,7 @@ index 519051c..0f871e6 100644 auth_use_nsswitch(amanda_t) auth_read_shadow(amanda_t) -@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2354,7 +2362,7 @@ index 519051c..0f871e6 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -37938,10 +37946,18 @@ index fbb54e7..05c3777 100644 ######################################## diff --git a/inetd.te b/inetd.te -index c6450df..6304b00 100644 +index c6450df..ed6af79 100644 --- a/inetd.te +++ b/inetd.te -@@ -37,9 +37,9 @@ ifdef(`enable_mcs',` +@@ -21,6 +21,7 @@ files_pid_file(inetd_var_run_t) + type inetd_child_t; + type inetd_child_exec_t; + inetd_service_domain(inetd_child_t, inetd_child_exec_t) ++init_daemon_domain(inetd_child_t, inetd_child_exec_t) + + type inetd_child_tmp_t; + files_tmp_file(inetd_child_tmp_t) +@@ -37,9 +38,9 @@ ifdef(`enable_mcs',` # Local policy # @@ -37953,7 +37969,7 @@ index c6450df..6304b00 100644 allow inetd_t self:fifo_file rw_fifo_file_perms; allow inetd_t self:tcp_socket { accept listen }; allow inetd_t self:fd use; -@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t) +@@ -61,6 +62,7 @@ kernel_read_system_state(inetd_t) kernel_tcp_recvfrom_unlabeled(inetd_t) corecmd_bin_domtrans(inetd_t, inetd_child_t) @@ -37961,7 +37977,7 @@ index c6450df..6304b00 100644 corenet_all_recvfrom_unlabeled(inetd_t) corenet_all_recvfrom_netlabel(inetd_t) -@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) +@@ -98,6 +100,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t) corenet_tcp_bind_inetd_child_port(inetd_t) corenet_udp_bind_inetd_child_port(inetd_t) @@ -37973,7 +37989,7 @@ index c6450df..6304b00 100644 corenet_sendrecv_ircd_server_packets(inetd_t) corenet_tcp_bind_ircd_port(inetd_t) -@@ -141,6 +147,9 @@ corenet_sendrecv_git_server_packets(inetd_t) +@@ -141,6 +148,9 @@ corenet_sendrecv_git_server_packets(inetd_t) corenet_tcp_bind_git_port(inetd_t) corenet_udp_bind_git_port(inetd_t) @@ -37983,7 +37999,7 @@ index c6450df..6304b00 100644 dev_read_sysfs(inetd_t) domain_use_interactive_fds(inetd_t) -@@ -157,8 +166,6 @@ auth_use_nsswitch(inetd_t) +@@ -157,8 +167,6 @@ auth_use_nsswitch(inetd_t) logging_send_syslog_msg(inetd_t) @@ -37992,7 +38008,7 @@ index c6450df..6304b00 100644 mls_fd_share_all_levels(inetd_t) mls_socket_read_to_clearance(inetd_t) mls_socket_write_to_clearance(inetd_t) -@@ -188,17 +195,13 @@ optional_policy(` +@@ -188,17 +196,13 @@ optional_policy(` ') optional_policy(` @@ -38011,7 +38027,7 @@ index c6450df..6304b00 100644 ######################################## # # Child local policy -@@ -220,6 +223,16 @@ kernel_read_kernel_sysctls(inetd_child_t) +@@ -220,6 +224,16 @@ kernel_read_kernel_sysctls(inetd_child_t) kernel_read_network_state(inetd_child_t) kernel_read_system_state(inetd_child_t) @@ -38028,7 +38044,7 @@ index c6450df..6304b00 100644 dev_read_urand(inetd_child_t) fs_getattr_xattr_fs(inetd_child_t) -@@ -230,7 +243,15 @@ auth_use_nsswitch(inetd_child_t) +@@ -230,7 +244,15 @@ auth_use_nsswitch(inetd_child_t) logging_send_syslog_msg(inetd_child_t) @@ -79153,10 +79169,10 @@ index 6643b49..dd0c3d3 100644 optional_policy(` diff --git a/puppet.fc b/puppet.fc -index d68e26d..2542f5a 100644 +index d68e26d..3b08cfd 100644 --- a/puppet.fc +++ b/puppet.fc -@@ -1,18 +1,22 @@ +@@ -1,18 +1,23 @@ -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppetlabs(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) @@ -79178,6 +79194,7 @@ index d68e26d..2542f5a 100644 -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) ++/usr/bin/puppet -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) @@ -93000,10 +93017,10 @@ index f1140ef..642e062 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index abeb302..6836678 100644 +index abeb302..b27a479 100644 --- a/rsync.te +++ b/rsync.te -@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0) +@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0) # ## @@ -93076,11 +93093,11 @@ index abeb302..6836678 100644 type rsync_t; type rsync_exec_t; --init_daemon_domain(rsync_t, rsync_exec_t) --application_domain(rsync_t, rsync_exec_t) --role rsync_roles types rsync_t; +application_executable_file(rsync_exec_t) +role system_r types rsync_t; + init_daemon_domain(rsync_t, rsync_exec_t) +-application_domain(rsync_t, rsync_exec_t) +-role rsync_roles types rsync_t; type rsync_etc_t; files_config_file(rsync_etc_t) @@ -93090,7 +93107,7 @@ index abeb302..6836678 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; @@ -93121,7 +93138,7 @@ index abeb302..6836678 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,46 +97,55 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -93195,7 +93212,7 @@ index abeb302..6836678 100644 ') tunable_policy(`rsync_export_all_ro',` -@@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',` +@@ -161,38 +159,24 @@ tunable_policy(`rsync_export_all_ro',` auth_tunable_read_shadow(rsync_t) ') @@ -111608,10 +111625,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..f3d5b04 100644 +index a4f20bc..17edb35 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,111 @@ +@@ -1,51 +1,114 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -111756,13 +111773,16 @@ index a4f20bc..f3d5b04 100644 + +/var/lib/kubelet(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) + ++/var/lib/docker/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) ++/var/lib/docker-latest/vfs(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) ++ +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) + +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..816d860 100644 +index facdee8..12e74f1 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,231 @@ @@ -112589,7 +112609,7 @@ index facdee8..816d860 100644 ## ## ## -@@ -673,54 +539,472 @@ interface(`virt_home_filetrans',` +@@ -673,107 +539,607 @@ interface(`virt_home_filetrans',` ## ## # @@ -112625,14 +112645,8 @@ index facdee8..816d860 100644 gen_require(` - type virt_home_t; + type virt_var_lib_t; - ') - -- userdom_search_user_home_dirs($1) -- allow $1 virt_home_t:dir manage_dir_perms; -- allow $1 virt_home_t:file manage_file_perms; -- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; -- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; -- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ ') ++ + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + @@ -112777,20 +112791,14 @@ index facdee8..816d860 100644 + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_manage_nfs_symlinks($1) ++ ++ tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs($1) -- fs_manage_cifs_files($1) -- fs_manage_cifs_symlinks($1) ++ ') ++ ++ tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) @@ -112957,14 +112965,13 @@ index facdee8..816d860 100644 +interface(`virt_exec_sandbox_files',` + gen_require(` + type svirt_sandbox_file_t; - ') ++ ') + + can_exec($1, svirt_sandbox_file_t) - ') - - ######################################## - ## --## Relabel virt home content. ++') ++ ++######################################## ++## +## Allow any svirt_sandbox_file_t to be an entrypoint of this domain +## +## @@ -113081,19 +113088,97 @@ index facdee8..816d860 100644 +####################################### +## +## Connect to virt over a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_stream_connect_sandbox',` ++ gen_require(` ++ attribute svirt_sandbox_domain; ++ type svirt_sandbox_file_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) ++ ps_process_pattern(svirt_sandbox_domain, $1) ++') ++ ++######################################## ++## ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ++## ++## ++## ++# ++interface(`virt_transition_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ type virt_bridgehelper_t; ++ type svirt_image_t; ++ type svirt_socket_t; + ') + +- userdom_search_user_home_dirs($1) +- allow $1 virt_home_t:dir manage_dir_perms; +- allow $1 virt_home_t:file manage_file_perms; +- allow $1 virt_home_t:fifo_file manage_fifo_file_perms; +- allow $1 virt_home_t:lnk_file manage_lnk_file_perms; +- allow $1 virt_home_t:sock_file manage_sock_file_perms; ++ allow $1 virt_domain:process transition; ++ role $2 types virt_domain; ++ role $2 types virt_bridgehelper_t; ++ role $2 types svirt_socket_t; + +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_manage_nfs_symlinks($1) +- ') ++ allow $1 virt_domain:process { sigkill sigstop signull signal }; ++ allow $1 svirt_image_t:file { relabelfrom relabelto }; ++ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; ++ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; ++ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) ++ optional_policy(` ++ ptchown_run(virt_domain, $2) + ') + ') + + ######################################## + ## +-## Relabel virt home content. ++## Do not audit attempts to write virt daemon unnamed pipes. ## ## ## -@@ -728,52 +1012,80 @@ interface(`virt_manage_generic_virt_home_content',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`virt_relabel_generic_virt_home_content',` -+interface(`virt_stream_connect_sandbox',` ++interface(`virt_dontaudit_write_pipes',` gen_require(` - type virt_home_t; -+ attribute svirt_sandbox_domain; -+ type svirt_sandbox_file_t; ++ type virtd_t; ') - userdom_search_user_home_dirs($1) @@ -113102,9 +113187,8 @@ index facdee8..816d860 100644 - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -+ files_search_pids($1) -+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) -+ ps_process_pattern(svirt_sandbox_domain, $1) ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ') ######################################## @@ -113112,214 +113196,213 @@ index facdee8..816d860 100644 -## Create specified objects in user home -## directories with the generic virt -## home type. -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. ++## Send a sigkill to virtual machines ## ## ## --## Domain allowed access. -+## Domain allowed access + ## Domain allowed access. ## ## -## -+## ++# ++interface(`virt_kill_svirt',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process sigkill; ++') ++ ++######################################## ++## ++## Send a sigkill to virtd daemon. ++## ++## ## -## Class of the object being created. -+## The role to be allowed the sandbox domain. ++## Domain allowed access. ## ## -## -+## +# -+interface(`virt_transition_svirt',` ++interface(`virt_kill',` + gen_require(` -+ attribute virt_domain; -+ type virt_bridgehelper_t; -+ type svirt_image_t; -+ type svirt_socket_t; ++ type virtd_t; + ') + -+ allow $1 virt_domain:process transition; -+ role $2 types virt_domain; -+ role $2 types virt_bridgehelper_t; -+ role $2 types svirt_socket_t; -+ -+ allow $1 virt_domain:process { sigkill sigstop signull signal }; -+ allow $1 svirt_image_t:file { relabelfrom relabelto }; -+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; -+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; -+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; -+ -+ optional_policy(` -+ ptchown_run(virt_domain, $2) -+ ') ++ allow $1 virtd_t:process sigkill; +') + +######################################## +## -+## Do not audit attempts to write virt daemon unnamed pipes. ++## Send a signal to virtd daemon. +## +## ## -## The name of the object being created. -+## Domain to not audit. ++## Domain allowed access. ## ## # -interface(`virt_home_filetrans_virt_home',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_signal',` gen_require(` - type virt_home_t; + type virtd_t; ') - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virtd_t:process signal; ') ######################################## ## -## Read virt pid files. -+## Send a sigkill to virtual machines ++## Send null signal to virtd daemon. ## ## ## -@@ -781,19 +1093,17 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +1147,17 @@ interface(`virt_home_filetrans_virt_home',` ## ## # -interface(`virt_read_pid_files',` -+interface(`virt_kill_svirt',` ++interface(`virt_signull',` gen_require(` - type virt_var_run_t; -+ attribute virt_domain; ++ type virtd_t; ') - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process signull; ') ######################################## ## -## Create, read, write, and delete -## virt pid files. -+## Send a sigkill to virtd daemon. ++## Send a signal to virtual machines ## ## ## -@@ -801,18 +1111,17 @@ interface(`virt_read_pid_files',` +@@ -801,18 +1165,17 @@ interface(`virt_read_pid_files',` ## ## # -interface(`virt_manage_pid_files',` -+interface(`virt_kill',` ++interface(`virt_signal_svirt',` gen_require(` - type virt_var_run_t; -+ type virtd_t; ++ attribute virt_domain; ') - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ allow $1 virtd_t:process sigkill; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Search virt lib directories. -+## Send a signal to virtd daemon. ++## Send a signal to sandbox domains ## ## ## -@@ -820,18 +1129,17 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +1183,17 @@ interface(`virt_manage_pid_files',` ## ## # -interface(`virt_search_lib',` -+interface(`virt_signal',` ++interface(`virt_signal_sandbox',` gen_require(` - type virt_var_lib_t; -+ type virtd_t; ++ attribute svirt_sandbox_domain; ') - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; -+ allow $1 virtd_t:process signal; ++ allow $1 svirt_sandbox_domain:process signal; ') ######################################## ## -## Read virt lib files. -+## Send null signal to virtd daemon. ++## Manage virt home files. ## ## ## -@@ -839,20 +1147,17 @@ interface(`virt_search_lib',` +@@ -839,192 +1201,243 @@ interface(`virt_search_lib',` ## ## # -interface(`virt_read_lib_files',` -+interface(`virt_signull',` ++interface(`virt_manage_home_files',` gen_require(` - type virt_var_lib_t; -+ type virtd_t; ++ type virt_home_t; ') - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virtd_t:process signull; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) ') ######################################## ## -## Create, read, write, and delete -## virt lib files. -+## Send a signal to virtual machines ++## allow domain to read ++## virt tmpfs files ## ## ## -@@ -860,74 +1165,123 @@ interface(`virt_read_lib_files',` +-## Domain allowed access. ++## Domain allowed access ## ## # -interface(`virt_manage_lib_files',` -+interface(`virt_signal_svirt',` ++interface(`virt_read_tmpfs_files',` gen_require(` - type virt_var_lib_t; -+ attribute virt_domain; ++ attribute virt_tmpfs_type; ') - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -+ allow $1 virt_domain:process signal; ++ allow $1 virt_tmpfs_type:file read_file_perms; ') ######################################## ## -## Create objects in virt pid -## directories with a private type. -+## Send a signal to sandbox domains ++## allow domain to manage ++## virt tmpfs files ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain allowed access ## ## -## +# -+interface(`virt_signal_sandbox',` ++interface(`virt_manage_tmpfs_files',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ attribute virt_tmpfs_type; + ') + -+ allow $1 svirt_sandbox_domain:process signal; ++ allow $1 virt_tmpfs_type:file manage_file_perms; +') + +######################################## +## -+## Manage virt home files. ++## Create .virt directory in the user home directory ++## with an correct label. +## +## ## @@ -113329,204 +113412,213 @@ index facdee8..816d860 100644 ## -## +# -+interface(`virt_manage_home_files',` ++interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; ++ type svirt_home_t; + ') + -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") ++ ++ optional_policy(` ++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") ++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") ++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") ++ gnome_data_filetrans($1, svirt_home_t, dir, "images") ++ gnome_data_filetrans($1, svirt_home_t, dir, "boot") ++ ') +') + +######################################## +## -+## allow domain to read -+## virt tmpfs files ++## Dontaudit attempts to Read virt_image_type devices. +## +## ## -## The object class of the object being created. -+## Domain allowed access ++## Domain allowed access. ## ## -## +# -+interface(`virt_read_tmpfs_files',` ++interface(`virt_dontaudit_read_chr_dev',` + gen_require(` -+ attribute virt_tmpfs_type; ++ attribute virt_image_type; + ') + -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; +') + +######################################## +## -+## allow domain to manage -+## virt tmpfs files ++## Creates types and rules for a basic ++## virt_lxc process domain. +## -+## ++## ## -## The name of the object being created. -+## Domain allowed access ++## Prefix for the domain. ## ## -## # -interface(`virt_pid_filetrans',` -+interface(`virt_manage_tmpfs_files',` ++template(`virt_sandbox_domain_template',` gen_require(` - type virt_var_run_t; -+ attribute virt_tmpfs_type; ++ attribute svirt_sandbox_domain; ') - files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ allow $1 virt_tmpfs_type:file manage_file_perms; ++ type $1_t, svirt_sandbox_domain; ++ domain_type($1_t) ++ domain_user_exemption_target($1_t) ++ mls_rangetrans_target($1_t) ++ mcs_constrained($1_t) ++ role system_r types $1_t; ++ ++ logging_send_syslog_msg($1_t) ++ ++ kernel_read_system_state($1_t) ++ kernel_read_all_proc($1_t) ') ######################################## ## -## Read virt log files. -+## Create .virt directory in the user home directory -+## with an correct label. ++## Make the specified type usable as a lxc domain ## - ## +-## ++## ## - ## Domain allowed access. +-## Domain allowed access. ++## Type to be used as a lxc domain ## ## -## # -interface(`virt_read_log',` -+interface(`virt_filetrans_home_content',` ++template(`virt_sandbox_domain',` gen_require(` - type virt_log_t; -+ type virt_home_t; -+ type svirt_home_t; ++ attribute svirt_sandbox_domain; ') - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") -+ -+ optional_policy(` -+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") -+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") -+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") -+ gnome_data_filetrans($1, svirt_home_t, dir, "images") -+ gnome_data_filetrans($1, svirt_home_t, dir, "boot") -+ ') ++ typeattribute $1 svirt_sandbox_domain; ') ######################################## ## -## Append virt log files. -+## Dontaudit attempts to Read virt_image_type devices. ++## Make the specified type usable as a lxc network domain ## - ## +-## ++## ## -@@ -935,117 +1289,153 @@ interface(`virt_read_log',` +-## Domain allowed access. ++## Type to be used as a lxc network domain ## ## # -interface(`virt_append_log',` -+interface(`virt_dontaudit_read_chr_dev',` ++template(`virt_sandbox_net_domain',` gen_require(` - type virt_log_t; -+ attribute virt_image_type; ++ attribute sandbox_net_domain; ') - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ++ virt_sandbox_domain($1) ++ typeattribute $1 sandbox_net_domain; ') ######################################## ## -## Create, read, write, and delete -## virt log files. -+## Creates types and rules for a basic -+## virt_lxc process domain. ++## Execute a qemu_exec_t in the callers domain ## --## -+## - ## --## Domain allowed access. -+## Prefix for the domain. - ## + ## +-## ++## + ## Domain allowed access. +-## ++## ## # -interface(`virt_manage_log',` -+template(`virt_sandbox_domain_template',` ++interface(`virt_exec_qemu',` gen_require(` - type virt_log_t; -+ attribute svirt_sandbox_domain; ++ type qemu_exec_t; ') - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ type $1_t, svirt_sandbox_domain; -+ domain_type($1_t) -+ domain_user_exemption_target($1_t) -+ mls_rangetrans_target($1_t) -+ mcs_constrained($1_t) -+ role system_r types $1_t; -+ -+ logging_send_syslog_msg($1_t) -+ -+ kernel_read_system_state($1_t) -+ kernel_read_all_proc($1_t) ++ can_exec($1, qemu_exec_t) ') ######################################## ## -## Search virt image directories. -+## Make the specified type usable as a lxc domain ++## Transition to virt named content ## --## -+## + ## ## -## Domain allowed access. -+## Type to be used as a lxc domain ++## Domain allowed access. ## ## # -interface(`virt_search_images',` -+template(`virt_sandbox_domain',` ++interface(`virt_filetrans_named_content',` gen_require(` - attribute virt_image_type; -+ attribute svirt_sandbox_domain; ++ type virt_lxc_var_run_t; ++ type virt_var_run_t; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ typeattribute $1 svirt_sandbox_domain; ++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") ++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") ') ######################################## ## -## Read virt image files. -+## Make the specified type usable as a lxc network domain ++## Execute qemu in the svirt domain, and ++## allow the specified role the svirt domain. ## --## -+## + ## ## -## Domain allowed access. -+## Type to be used as a lxc network domain ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the sandbox domain. ## ## ++## # -interface(`virt_read_images',` -+template(`virt_sandbox_net_domain',` ++interface(`virt_transition_svirt_sandbox',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ attribute sandbox_net_domain; ++ attribute svirt_sandbox_domain; ') - virt_search_lib($1) @@ -113535,79 +113627,41 @@ index facdee8..816d860 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ virt_sandbox_domain($1) -+ typeattribute $1 sandbox_net_domain; -+') ++ allow $1 svirt_sandbox_domain:process { transition signal_perms }; ++ role $2 types svirt_sandbox_domain; ++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) -+######################################## -+## -+## Execute a qemu_exec_t in the callers domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_exec_qemu',` -+ gen_require(` -+ type qemu_exec_t; - ') +- ') ++ allow svirt_sandbox_domain $1:fd use; - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) -+ can_exec($1, qemu_exec_t) -+') -+ -+######################################## -+## -+## Transition to virt named content -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_filetrans_named_content',` -+ gen_require(` -+ type virt_lxc_var_run_t; -+ type virt_var_run_t; - ') -+ -+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") -+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +- ') ++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; ++ allow svirt_sandbox_domain $1:process sigchld; ++ ps_process_pattern($1, svirt_sandbox_domain) ') ######################################## ## -## Read and write all virt image -## character files. -+## Execute qemu in the svirt domain, and -+## allow the specified role the svirt domain. ++## Read the process state of virt sandbox containers ## ## ## --## Domain allowed access. -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the sandbox domain. +@@ -1032,20 +1445,17 @@ interface(`virt_read_images',` ## ## -+## # -interface(`virt_rw_all_image_chr_files',` -+interface(`virt_transition_svirt_sandbox',` ++interface(`virt_sandbox_read_state',` gen_require(` - attribute virt_image_type; + attribute svirt_sandbox_domain; @@ -113616,12 +113670,6 @@ index facdee8..816d860 100644 - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 svirt_sandbox_domain:process { transition signal_perms }; -+ role $2 types svirt_sandbox_domain; -+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; -+ -+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; -+ allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) ') @@ -113629,23 +113677,23 @@ index facdee8..816d860 100644 ## -## Create, read, write, and delete -## svirt cache files. -+## Read the process state of virt sandbox containers ++## Read and write to svirt_image devices. ## ## ## -@@ -1053,15 +1443,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1463,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -+interface(`virt_sandbox_read_state',` ++interface(`virt_rw_svirt_dev',` + gen_require(` -+ attribute svirt_sandbox_domain; ++ type svirt_image_t; + ') + -+ ps_process_pattern($1, svirt_sandbox_domain) ++ allow $1 svirt_image_t:chr_file rw_file_perms; ') ######################################## @@ -113656,22 +113704,22 @@ index facdee8..816d860 100644 ## ## ## -@@ -1069,21 +1461,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1481,17 @@ interface(`virt_manage_svirt_cache',` ## ## # -interface(`virt_manage_virt_cache',` -+interface(`virt_rw_svirt_dev',` ++interface(`virt_rlimitinh',` gen_require(` - type virt_cache_t; -+ type svirt_image_t; ++ type virtd_t; ') - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -+ allow $1 svirt_image_t:chr_file rw_file_perms; ++ allow $1 virtd_t:process { rlimitinh }; ') ######################################## @@ -113682,43 +113730,28 @@ index facdee8..816d860 100644 ## ## ## -@@ -1091,36 +1479,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1499,18 @@ interface(`virt_manage_virt_cache',` ## ## # -interface(`virt_manage_images',` -+interface(`virt_rlimitinh',` ++interface(`virt_noatsecure',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type virtd_t; - ') - +- ') +- - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virtd_t:process { rlimitinh }; -+') - +- - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) -+######################################## -+## -+## Read and write to svirt_image devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`virt_noatsecure',` -+ gen_require(` + type virtd_t; ') @@ -113739,7 +113772,7 @@ index facdee8..816d860 100644 ## ## ## -@@ -1136,50 +1524,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1526,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -113849,7 +113882,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..a4e5bf6 100644 +index f03dcf5..75d9fa0 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ @@ -115431,7 +115464,7 @@ index f03dcf5..a4e5bf6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1258,357 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1258,359 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115486,6 +115519,7 @@ index f03dcf5..a4e5bf6 100644 + +allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; +allow svirt_sandbox_domain self:fifo_file manage_file_perms; ++allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; @@ -115619,6 +115653,7 @@ index f03dcf5..a4e5bf6 100644 +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) +kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) @@ -115930,7 +115965,7 @@ index f03dcf5..a4e5bf6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1623,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115945,7 +115980,7 @@ index f03dcf5..a4e5bf6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1639,7 @@ optional_policy(` +@@ -1192,7 +1641,7 @@ optional_policy(` ######################################## # @@ -115954,7 +115989,7 @@ index f03dcf5..a4e5bf6 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1648,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1650,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 25f2f24..2242d57 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 212%{?dist} +Release: 213%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,12 @@ exit 0 %endif %changelog +* Fri Sep 02 2016 Lukas Vrabec 3.13.1-213 +- Label /var/lib/docker/vfs as svirt_sandbox_file_t in virt SELinux module +- Label /usr/bin/pappet as puppetagent_exec_t +- Allow amanda to create dir in /var/lib/ with amanda_var_lib_t label +- Allow run sulogin_t in range mls_systemlow-mls_systemhigh. + * Wed Aug 31 2016 Lukas Vrabec 3.13.1-212 - udisk2 module is part of devicekit module now - Fix file context for /etc/pki/pki-tomcat/ca/