[selinux-policy/f21] * Tue Aug 26 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-76 - Label ~/tmp and ~/.tmp directories i

Lukas Vrabec lvrabec at fedoraproject.org
Tue Aug 26 15:42:01 UTC 2014


commit f9c213ace69948f6e4a04280af9259584d25490e
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Tue Aug 26 17:41:52 2014 +0200

    * Tue Aug 26 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-76
    - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
    - Add a port definition for shellinaboxd
    - Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
    - Allow thumb_t to read/write video devices
    - fail2ban 0.9 reads the journal by default.
    - Allow sandbox net domains to bind to rawip socket

 policy-rawhide-base.patch    |   35 +++++++++++++++++++++--------------
 policy-rawhide-contrib.patch |   20 ++++++++++++--------
 selinux-policy.spec          |   10 +++++++++-
 3 files changed, 42 insertions(+), 23 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2c29dbf..ab46f09 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5461,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..9ae3918 100644
+index b191055..68b9da6 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5721,7 +5721,7 @@ index b191055..9ae3918 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -213,68 +267,78 @@ network_port(postgrey, tcp,60000,s0)
+@@ -213,68 +267,79 @@ network_port(postgrey, tcp,60000,s0)
  network_port(pptp, tcp,1723,s0, udp,1723,s0)
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@@ -5758,6 +5758,7 @@ index b191055..9ae3918 100644
 +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0)
  network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
 +network_port(sge, tcp,6444,s0, tcp,6445,s0)
++network_port(shellinaboxd, tcp,4200,s0)
  network_port(sieve, tcp,4190,s0)
  network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
  network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
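Review bot: The new `network_port(shellinaboxd, tcp,4200,s0)` takes TCP 4200 out of the generic label it carried before (on a stock refpolicy build, the unreserved port range), so any domain that reached 4200 only through a range interface such as `corenet_tcp_bind_all_unreserved_ports` will start seeing denials once this port type exists. Nothing in this commit grants the generated shellinaboxd port interfaces to any domain, so presumably a separate shellinabox module is meant to consume them; that consumer is not visible here. A short note naming it, either next to the definition or in the changelog entry, would make the dependency traceable when the port is later questioned.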
@@ -5811,7 +5812,7 @@ index b191055..9ae3918 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +352,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +353,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5838,7 +5839,7 @@ index b191055..9ae3918 100644
  
  ########################################
  #
-@@ -333,6 +401,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +402,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5847,7 +5848,7 @@ index b191055..9ae3918 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -345,9 +415,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +416,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -44850,10 +44851,10 @@ index 5fe902d..fcc9efe 100644
 +	rpm_transition_script(unconfined_service_t, system_r)
  ')
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..8f5380f 100644
+index db75976..1ee08ec 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,34 @@
+@@ -1,4 +1,36 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@@ -44877,6 +44878,8 @@ index db75976..8f5380f 100644
 +HOME_DIR/\.texlive2012(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 +HOME_DIR/\.texlive2013(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
 +HOME_DIR/\.texlive2014(/.*)?		gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.tmp			-d	gen_context(system_u:object_r:user_tmp_t,s0)
++HOME_DIR/tmp			-d	gen_context(system_u:object_r:user_tmp_t,s0)
 +
 +/tmp/\.X0-lock		--	gen_context(system_u:object_r:user_tmp_t,s0)
 +/tmp/\.X11-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
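Review bot: Both new entries carry the `-d` type, so only the `tmp` / `.tmp` directory itself is labeled user_tmp_t; anything underneath still matches `HOME_DIR/.+` and relabels to user_home_t on a restorecon, while files created there at runtime inherit user_tmp_t from the directory (absent another type_transition), so the two labeling paths disagree. If the contents are meant to follow the directory, the entries would take the same shape as the texlive lines above them: `HOME_DIR/\.tmp(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)` and `HOME_DIR/tmp(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)`. If directory-only labeling is deliberate, a one-line comment above the two entries saying so would stop the next reader from "fixing" it. The same placement is also made by the filetrans rules added later in this commit (userdomain.if and userdomain.te hunks), so all three sites should agree on whether contents are included.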
@@ -44890,7 +44893,7 @@ index db75976..8f5380f 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..c198c77 100644
+index 9dc60c6..ce8b28d 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -48183,7 +48186,7 @@ index 9dc60c6..c198c77 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3435,4 +4482,1684 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4482,1686 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -48206,7 +48209,7 @@ index 9dc60c6..c198c77 100644
 +	')
 +
 +	allow $1 userdomain:process rlimitinh;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -49669,6 +49672,7 @@ index 9dc60c6..c198c77 100644
 +            type home_bin_t;
 +            type audio_home_t;
 +            type home_cert_t;
++            type user_tmp_t;
 +    ')
 +
 +    userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
@@ -49677,6 +49681,8 @@ index 9dc60c6..c198c77 100644
 +    userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
 +    userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
 +    userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
++    userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
++    userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")
 +')
 +
 +########################################
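Review bot: The new `userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")` and `".tmp"` lines install a name-based type_transition only; the underlying `filetrans_pattern` does not grant `$1` create on user_tmp_t directories, so callers of this interface presumably rely on existing user_tmp_t manage permissions for the transition to take effect — worth a one-line comment, since the home_* transitions beside it are the only precedent in this block. The enclosing interface, including the gen_require block extended in the previous hunk, begins outside this hunk, so which domains it applies to is not visible. The matching rules added to userdomain.te for `userdom_filetrans_type` list `.tmp` before `tmp`; using the same order here would make the two sites easier to compare.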
@@ -49866,10 +49872,9 @@ index 9dc60c6..c198c77 100644
 +	optional_policy(`
 +		samhain_run($1, $2)
 +	')
-+')
-+
+ ')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index f4ac38d..6c2695d 100644
+index f4ac38d..7f49cde 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
@@ -49958,7 +49963,7 @@ index f4ac38d..6c2695d 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,392 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,394 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -50131,6 +50136,8 @@ index f4ac38d..6c2695d 100644
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
 +userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
 +
 +optional_policy(`
 +	gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 257921b..556ffe5 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -26998,7 +26998,7 @@ index 50d0084..94e1936 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..a743483 100644
+index cf0e567..9ebb247 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -27026,12 +27026,13 @@ index cf0e567..a743483 100644
  files_list_var(fail2ban_t)
  files_dontaudit_list_tmp(fail2ban_t)
  
-@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t)
+@@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t)
  auth_use_nsswitch(fail2ban_t)
  
  logging_read_all_logs(fail2ban_t)
 +logging_read_audit_log(fail2ban_t)
  logging_send_syslog_msg(fail2ban_t)
++logging_read_syslog_pid(fail2ban_t)
 +logging_dontaudit_search_audit_logs(fail2ban_t)
  
 -miscfiles_read_localization(fail2ban_t)
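Review bot: `logging_read_syslog_pid(fail2ban_t)` is the only rule in this hunk tied to the changelog's "fail2ban 0.9 reads the journal by default", and the interface name says nothing about the journal; presumably it is needed because the runtime journal under /run/log/journal is labeled syslogd_var_run_t on this policy, with `logging_read_all_logs` already covering the persistent copy under /var/log. A comment on the new line would keep that reasoning with the rule: `# fail2ban 0.9 reads the systemd journal; the runtime journal lives under syslogd_var_run_t`. Without it the line reads like an unrelated pid-file grant and is an easy candidate for removal in a later cleanup.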
@@ -27068,7 +27069,7 @@ index cf0e567..a743483 100644
  	iptables_domtrans(fail2ban_t)
  ')
  
-@@ -118,6 +129,10 @@ optional_policy(`
+@@ -118,6 +130,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27079,7 +27080,7 @@ index cf0e567..a743483 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +147,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
@@ -98911,10 +98912,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..ebb001b
+index 0000000..bc96302
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,158 @@
+@@ -0,0 +1,160 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -98990,6 +98991,8 @@ index 0000000..ebb001b
 +dev_read_urand(thumb_t)
 +dev_dontaudit_rw_dri(thumb_t)
 +dev_rw_xserver_misc(thumb_t)
++dev_read_video_dev(thumb_t)
++dev_write_video_dev(thumb_t)
 +
 +domain_use_interactive_fds(thumb_t)
 +domain_dontaudit_read_all_domains_state(thumb_t)
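Review bot: `dev_read_video_dev(thumb_t)` / `dev_write_video_dev(thumb_t)` give the thumbnailer domain read-write access to video device nodes, a notable widening for a domain whose purpose is to confine code that parses untrusted media; write access in particular is rarely needed to produce a thumbnail. The hunk does not say which thumbnailer or media library needs this, so a comment naming the consumer and whether read-only was tried would let a later reviewer judge it: `# <thumbnailer> opens v4l devices when probing media backends — TODO confirm write is required`. If only some thumbnailers need it, an optional_policy or tunable-gated block would keep the default thumb_t profile narrower.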
@@ -103604,7 +103607,7 @@ index facdee8..c43ef2e 100644
 +	typeattribute $1 sandbox_caps_domain;
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..eef3cb7 100644
+index f03dcf5..329e056 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,227 @@
@@ -105568,7 +105571,7 @@ index f03dcf5..eef3cb7 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1508,218 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1508,219 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -105774,6 +105777,7 @@ index f03dcf5..eef3cb7 100644
 +
 +corenet_tcp_bind_generic_node(sandbox_net_domain)
 +corenet_udp_bind_generic_node(sandbox_net_domain)
++corenet_raw_bind_generic_node(sandbox_net_domain)
 +corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
 +corenet_udp_sendrecv_all_ports(sandbox_net_domain)
 +corenet_udp_bind_all_ports(sandbox_net_domain)
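Review bot: `corenet_raw_bind_generic_node(sandbox_net_domain)` lets every domain carrying the sandbox_net_domain attribute bind raw IP sockets, and unlike the tcp/udp bind lines above it there is no port label to narrow the grant, since rawip sockets are not subject to port checks. The rawip_socket class permissions and the net_raw capability the domain also needs are not in this hunk, so presumably they are granted elsewhere in the sandbox block; a comment stating the intended use would document why a sandboxed network domain gets this: `# raw IP bind for sandboxed ICMP tooling; no port labeling applies to rawip sockets`. The sandbox_net_domain definition starts outside this hunk.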
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e399af4..8281b79 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 75%{?dist}
+Release: 76%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Aug 26 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-76
+- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
+- Add a port definition for shellinaboxd
+- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories
+- Allow thumb_t to read/write video devices
+- fail2ban 0.9 reads the journal by default.
+- Allow sandbox net domains to bind to rawip socket
+
 * Fri Aug 22 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-75
 - Allow haproxy to read /dev/random and /dev/urandom.
 - Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot.

