[selinux-policy/f20] * Wed Aug 27 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-182 - Allow pppd to connect to http port.
Lukas Vrabec
lvrabec at fedoraproject.org
Wed Aug 27 13:28:12 UTC 2014
commit b89cea80209525c65bd908121813e573a7594d73
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed Aug 27 15:27:55 2014 +0200
* Wed Aug 27 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-182
- Allow pppd to connect to http port. (#1128947)
- Allow fail2ban to read audit logs
- Dontaudit svirt_sandbox_domain doing access checks on /proc
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories.
- Allow domains that are allowed to mounton proc to mount on files as
well as dirs
- Allow programs that use pam to search through user_tmp_t dirs
(/tmp/.X11-unix)
policy-f20-base.patch | 112 +++++++++++++++++++++++++--------------------
policy-f20-contrib.patch | 68 ++++++++++++++++++----------
selinux-policy.spec | 11 ++++-
3 files changed, 115 insertions(+), 76 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index fdd54a6..a03f04d 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -17370,7 +17370,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..847133d 100644
+index 649e458..d2a0da5 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -17560,7 +17560,7 @@ index 649e458..847133d 100644
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
## </summary>
-@@ -1458,6 +1565,24 @@ interface(`kernel_list_all_proc',`
+@@ -1458,6 +1565,25 @@ interface(`kernel_list_all_proc',`
########################################
## <summary>
@@ -17578,6 +17578,7 @@ index 649e458..847133d 100644
+ ')
+
+ allow $1 proc_type:dir mounton;
++ allow $1 proc_type:file mounton;
+')
+
+########################################
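Review bot: The new `allow $1 proc_type:file mounton;` widens the interface from directories to every file whose type carries the proc_type attribute, which in refpolicy presumably covers the sysctl types seen in the neighbouring hunks as well as plain proc_t, so a caller can now place a mount over any /proc or /proc/sys file; if the motivating caller only needs to mask a few files, a narrower target type would be the least-privilege choice. The interface's `<summary>` block, which lies outside this hunk, should also be updated to say that files as well as directories may be mounted on. The enclosing interface definition starts before this hunk.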
@@ -17585,7 +17586,7 @@ index 649e458..847133d 100644
## Do not audit attempts to list all proc directories.
## </summary>
## <param name="domain">
-@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1603,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
## <summary>
@@ -17610,7 +17611,7 @@ index 649e458..847133d 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
-@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1816,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17619,7 +17620,7 @@ index 649e458..847133d 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1837,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17628,7 +17629,7 @@ index 649e458..847133d 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1859,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -17636,7 +17637,7 @@ index 649e458..847133d 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -2085,9 +2227,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2228,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -17666,7 +17667,7 @@ index 649e458..847133d 100644
########################################
## <summary>
## Allow caller to read all sysctls.
-@@ -2282,6 +2443,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2444,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@@ -17692,7 +17693,7 @@ index 649e458..847133d 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
-@@ -2306,7 +2486,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2487,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@@ -17701,7 +17702,7 @@ index 649e458..847133d 100644
## </summary>
## </param>
#
-@@ -2488,6 +2668,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2669,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@@ -17726,7 +17727,7 @@ index 649e458..847133d 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2525,6 +2723,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2724,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@@ -17751,7 +17752,7 @@ index 649e458..847133d 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
-@@ -2632,7 +2848,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2849,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -17760,7 +17761,7 @@ index 649e458..847133d 100644
')
########################################
-@@ -2670,6 +2886,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2887,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -17785,7 +17786,7 @@ index 649e458..847133d 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2697,6 +2931,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2932,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -17811,7 +17812,7 @@ index 649e458..847133d 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2806,6 +3059,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +3060,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -17845,7 +17846,7 @@ index 649e458..847133d 100644
########################################
## <summary>
-@@ -2961,6 +3241,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3242,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -17870,7 +17871,7 @@ index 649e458..847133d 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2975,5 +3273,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3274,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -28308,7 +28309,7 @@ index 28ad538..ed25543 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..42803b7 100644
+index 3efd5b6..c6007d1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -28330,7 +28331,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -53,10 +59,13 @@ interface(`auth_use_pam',`
+@@ -53,13 +59,18 @@ interface(`auth_use_pam',`
auth_read_login_records($1)
auth_append_login_records($1)
auth_rw_lastlog($1)
@@ -28345,7 +28346,12 @@ index 3efd5b6..42803b7 100644
logging_send_audit_msgs($1)
logging_send_syslog_msg($1)
-@@ -78,8 +87,19 @@ interface(`auth_use_pam',`
++ userdom_search_user_tmp_dirs($1)
++
+ optional_policy(`
+ dbus_system_bus_client($1)
+
+@@ -78,8 +89,19 @@ interface(`auth_use_pam',`
')
optional_policy(`
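Review bot: `userdom_search_user_tmp_dirs($1)` is added to auth_use_pam without a comment, and because auth_use_pam is pulled in by every PAM-using domain this grants directory search on user_tmp_t very broadly; the reason given in the commit message (reaching /tmp/.X11-unix) belongs next to the rule, e.g. `# PAM session setup traverses /tmp/.X11-unix, which is user_tmp_t`. Search alone does not allow listing or reading those directories, so the grant itself is narrow, but a maintainer reading the interface later cannot tell why it is there. The auth_use_pam body starts and ends outside this hunk.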
@@ -28365,7 +28371,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -95,48 +115,20 @@ interface(`auth_use_pam',`
+@@ -95,48 +117,20 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',`
gen_require(`
type var_auth_t, auth_cache_t;
@@ -28419,7 +28425,7 @@ index 3efd5b6..42803b7 100644
mls_file_read_all_levels($1)
mls_file_write_all_levels($1)
-@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',`
+@@ -146,18 +140,43 @@ interface(`auth_login_pgm_domain',`
mls_fd_share_all_levels($1)
auth_use_pam($1)
@@ -28471,7 +28477,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +250,25 @@ interface(`auth_domtrans_login_program',`
########################################
## <summary>
@@ -28497,7 +28503,7 @@ index 3efd5b6..42803b7 100644
## Execute a login_program in the target domain,
## with a range transition.
## </summary>
-@@ -322,6 +358,24 @@ interface(`auth_rw_cache',`
+@@ -322,6 +360,24 @@ interface(`auth_rw_cache',`
########################################
## <summary>
@@ -28522,7 +28528,7 @@ index 3efd5b6..42803b7 100644
## Manage authentication cache
## </summary>
## <param name="domain">
-@@ -402,6 +456,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +458,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
@@ -28531,7 +28537,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -428,6 +484,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +486,24 @@ interface(`auth_domtrans_chkpwd',`
########################################
## <summary>
@@ -28556,7 +28562,7 @@ index 3efd5b6..42803b7 100644
## Execute chkpwd programs in the chkpwd domain.
## </summary>
## <param name="domain">
-@@ -448,6 +522,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +524,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -28582,7 +28588,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -467,7 +560,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -28590,7 +28596,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -664,6 +756,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +758,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -28601,7 +28607,7 @@ index 3efd5b6..42803b7 100644
')
#######################################
-@@ -763,7 +859,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +861,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -28653,7 +28659,7 @@ index 3efd5b6..42803b7 100644
')
#######################################
-@@ -824,9 +963,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +965,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@@ -28684,7 +28690,7 @@ index 3efd5b6..42803b7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -834,12 +993,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +995,27 @@ interface(`auth_rw_lastlog',`
## </summary>
## </param>
#
@@ -28715,7 +28721,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -854,15 +1028,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1030,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -28734,7 +28740,7 @@ index 3efd5b6..42803b7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -875,13 +1049,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1051,33 @@ interface(`auth_signal_pam',`
## </summary>
## </param>
#
@@ -28772,7 +28778,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -959,9 +1153,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1155,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -28806,7 +28812,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -1040,6 +1255,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1257,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -28817,7 +28823,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -1176,6 +1395,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1397,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -28825,7 +28831,7 @@ index 3efd5b6..42803b7 100644
')
#######################################
-@@ -1576,6 +1796,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1798,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -28851,7 +28857,7 @@ index 3efd5b6..42803b7 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1726,24 +1965,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1967,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -28877,7 +28883,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -1767,11 +1989,17 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1991,17 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
@@ -28898,7 +28904,7 @@ index 3efd5b6..42803b7 100644
')
########################################
-@@ -1805,3 +2033,262 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2035,262 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -43977,10 +43983,10 @@ index 0280b32..61f19e9 100644
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..4ca3a28 100644
+index db75976..cb4a211 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,28 @@
+@@ -1,4 +1,30 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -44004,6 +44010,8 @@ index db75976..4ca3a28 100644
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
++HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
++HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
+
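Review bot: The two new entries `HOME_DIR/\.tmp -d` and `HOME_DIR/tmp -d` label only the directory inode, while `HOME_DIR/.+` earlier in the same file (visible at the top of the previous hunk) still maps everything beneath it to user_home_t, so a recursive restorecon on a home directory will leave the directory as user_tmp_t and its contents as user_home_t. If the contents are meant to be user_tmp_t as well, the patterns should be `HOME_DIR/\.tmp(/.*)?` and `HOME_DIR/tmp(/.*)?`; if the split labeling is intended, a comment in the .fc saying so would prevent a later "fix". The matching type_transition rules added to userdomain.if and userdomain.te further down only cover creation of the directory itself, so they do not change this.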
@@ -44011,7 +44019,7 @@ index db75976..4ca3a28 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..0eec4d9 100644
+index 3c5dba7..ff283b4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -46942,7 +46950,7 @@ index 3c5dba7..0eec4d9 100644
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -3438,4 +4382,1661 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4382,1663 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -47092,7 +47100,7 @@ index 3c5dba7..0eec4d9 100644
+
+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
+ dontaudit $1 admin_home_t:dir list_dir_perms;
- ')
++')
+
+########################################
+## <summary>
@@ -48405,6 +48413,7 @@ index 3c5dba7..0eec4d9 100644
+ type home_bin_t;
+ type audio_home_t;
+ type home_cert_t;
++ type user_tmp_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
@@ -48413,6 +48422,8 @@ index 3c5dba7..0eec4d9 100644
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")
+')
+
+########################################
@@ -48602,10 +48613,9 @@ index 3c5dba7..0eec4d9 100644
+ optional_policy(`
+ samhain_run($1, $2)
+ ')
-+')
-+
+ ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..4027ca7 100644
+index e2b538b..37730c1 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
@@ -48694,7 +48704,7 @@ index e2b538b..4027ca7 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +83,386 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,388 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -48862,6 +48872,8 @@ index e2b538b..4027ca7 100644
+userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012")
+userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013")
+userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
+
+optional_policy(`
+ gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index c361d6e..8ed8f78 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -1660,7 +1660,7 @@ index 01cbb67..94a4a24 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 4b28ab3..f781a7a 100644
+index 4b28ab3..a8e2f01 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1671,12 +1671,13 @@ index 4b28ab3..f781a7a 100644
role aide_roles types aide_t;
type aide_log_t;
-@@ -23,22 +24,30 @@ files_type(aide_db_t)
+@@ -23,22 +24,34 @@ files_type(aide_db_t)
# Local policy
#
-allow aide_t self:capability { dac_override fowner };
+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
++allow aide_t self:process signal;
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
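Review bot: `allow aide_t self:process signal;` here and the `dev_read_rand`/`dev_read_urand` grants for aide_t in the next hunk are not mentioned in the commit message or in the %changelog entry added to selinux-policy.spec, and the same is true of the sandboxX.te execmod rule, the smoltclient http_cache_port connect and the sandbox_net_domain raw bind further down. Each of these is a permission grant that someone auditing the package history would expect to find from the changelog; a one-line entry per change, or a bug reference like the one given for pppd, would make the release traceable. The aide_t policy block starts and ends outside this hunk.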
@@ -1687,6 +1688,9 @@ index 4b28ab3..f781a7a 100644
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
logging_log_filetrans(aide_t, aide_log_t, file)
++dev_read_rand(aide_t)
++dev_read_urand(aide_t)
++
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
@@ -26538,7 +26542,7 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..0cb0a7b 100644
+index 0872e50..37dfeb3 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -26566,9 +26570,11 @@ index 0872e50..0cb0a7b 100644
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
-@@ -91,23 +89,35 @@ auth_use_nsswitch(fail2ban_t)
+@@ -90,24 +88,37 @@ fs_getattr_all_fs(fail2ban_t)
+ auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
++logging_read_audit_log(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
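Review bot: With `logging_read_audit_log(fail2ban_t)` added, the `logging_dontaudit_search_audit_logs(fail2ban_t)` line that survives two lines below is presumably redundant, since reading the log files requires search on their directory and a dontaudit on a permission that is already allowed has no effect; dropping it keeps the rule set readable. Audit logs carry authentication details for every user on the host, so a short comment naming the fail2ban filter that parses them (e.g. `# audit-log based filters need to read /var/log/audit`) would document why the daemon needs this. The fail2ban_t block continues outside this hunk.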
@@ -26606,7 +26612,7 @@ index 0872e50..0cb0a7b 100644
iptables_domtrans(fail2ban_t)
')
-@@ -116,6 +126,10 @@ optional_policy(`
+@@ -116,6 +127,10 @@ optional_policy(`
')
optional_policy(`
@@ -26617,7 +26623,7 @@ index 0872e50..0cb0a7b 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -129,22 +143,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -129,22 +144,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -26644,7 +26650,7 @@ index 0872e50..0cb0a7b 100644
logging_search_all_logs(fail2ban_client_t)
-
-miscfiles_read_localization(fail2ban_client_t)
-+logging_dontaudit_search_audit_logs(fail2ban_client_t)
++logging_read_audit_log(fail2ban_client_t)
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
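Review bot: Replacing `logging_dontaudit_search_audit_logs(fail2ban_client_t)` with `logging_read_audit_log(fail2ban_client_t)` turns a silenced denial into a real read grant for the command-line client, yet the commit message only justifies audit-log reading for fail2ban itself. The unix_stream_socket rule in the neighbouring hunk header suggests the client talks to the daemon over a socket rather than parsing logs on its own, so the client domain looks like a candidate for keeping the narrower dontaudit; if it genuinely parses the files, say so in a comment beside the line. The fail2ban_client_t block starts and ends outside this hunk.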
@@ -68604,7 +68610,7 @@ index cd8b8b9..6c73980 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..9bc465c 100644
+index b2b5dba..0d1dd3c 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@@ -68766,11 +68772,12 @@ index b2b5dba..9bc465c 100644
corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_generic_if(pppd_t)
corenet_raw_sendrecv_generic_if(pppd_t)
-@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t)
+@@ -135,9 +145,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
corenet_udp_sendrecv_generic_node(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
-
++corenet_tcp_connect_http_port(pppd_t)
+# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)
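Review bot: `corenet_tcp_connect_http_port(pppd_t)` takes the place of the blank line that separated the corenet block from the `# Access /dev/ppp.` comment, so that comment now reads as if it belonged to the new rule; keep the blank line and put the justification on the rule itself, e.g. `# bug #1128947: pppd needs to connect to the http port`. Neither the hunk nor the commit message says what pppd fetches over HTTP (a plugin or ip-up script seems the likely caller), so the comment should name it once known. The pppd_t block continues outside this hunk.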
@@ -68789,7 +68796,7 @@ index b2b5dba..9bc465c 100644
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
-@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t)
+@@ -147,36 +170,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
@@ -68835,7 +68842,7 @@ index b2b5dba..9bc465c 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
-@@ -186,11 +203,13 @@ optional_policy(`
+@@ -186,11 +204,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t)
@@ -68850,7 +68857,7 @@ index b2b5dba..9bc465c 100644
')
')
-@@ -218,16 +237,19 @@ optional_policy(`
+@@ -218,16 +238,19 @@ optional_policy(`
########################################
#
@@ -68873,7 +68880,7 @@ index b2b5dba..9bc465c 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +259,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -68930,7 +68937,7 @@ index b2b5dba..9bc465c 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +303,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@@ -68945,7 +68952,7 @@ index b2b5dba..9bc465c 100644
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -299,6 +319,10 @@ optional_policy(`
+@@ -299,6 +320,10 @@ optional_policy(`
')
optional_policy(`
@@ -87717,10 +87724,10 @@ index 0000000..03bdcef
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..330fea5
+index 0000000..a2883c9
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,503 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -87875,6 +87882,7 @@ index 0000000..330fea5
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
++allow sandbox_x_domain sandbox_file_t:file execmod;
+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
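Review bot: `allow sandbox_x_domain sandbox_file_t:file execmod;` lets a sandboxed program execute a modified (text-relocated or rewritten) mapping of any sandbox_file_t file, which judging by the manage_*_pattern rules just above it can also write, so the W^X property that execmod denials exist to enforce no longer holds inside the sandbox. The change is not listed in the commit message, and the `dontaudit sandbox_x_domain sandbox_file_t:dir mounton;` line directly above shows the file already uses dontaudit for nuisance denials; unless a specific application needs text relocations there, a dontaudit or a boolean-gated allow would be the safer form, and either way a comment naming the motivating application is needed. The sandbox_x_domain rules continue outside this hunk.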
@@ -91560,10 +91568,18 @@ index a8b1aaf..4689a59 100644
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
diff --git a/smoltclient.te b/smoltclient.te
-index 9c8f9a5..f074b4d 100644
+index 9c8f9a5..d8d4623 100644
--- a/smoltclient.te
+++ b/smoltclient.te
-@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
+@@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t)
+
+ corenet_sendrecv_http_client_packets(smoltclient_t)
+ corenet_tcp_connect_http_port(smoltclient_t)
++corenet_tcp_connect_http_cache_port(smoltclient_t)
+ corenet_tcp_sendrecv_http_port(smoltclient_t)
+
+ dev_read_sysfs(smoltclient_t)
+@@ -51,14 +52,12 @@ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_runtime_files(smoltclient_t)
@@ -91578,7 +91594,7 @@ index 9c8f9a5..f074b4d 100644
optional_policy(`
abrt_stream_connect(smoltclient_t)
-@@ -77,6 +75,10 @@ optional_policy(`
+@@ -77,6 +76,10 @@ optional_policy(`
')
optional_policy(`
@@ -103035,7 +103051,7 @@ index 9dec06c..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..b3121c0 100644
+index 1f22fba..34b36bc 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,224 @@
@@ -104498,7 +104514,7 @@ index 1f22fba..b3121c0 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1141,314 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1141,315 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -104669,6 +104685,7 @@ index 1f22fba..b3121c0 100644
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
++kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
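Review bot: `kernel_dontaudit_access_check_proc(svirt_sandbox_domain)` calls an interface that the policy-f20-base.patch hunks in this same commit do not add (the only kernel.if change visible here is the proc_type:file mounton rule), so it must already exist in the base patch or the contrib build fails on an undefined interface; worth confirming before merge. Since this is a dontaudit on access checks rather than a grant, nothing is widened by it. The svirt_sandbox_domain block continues outside this hunk.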
@@ -104950,7 +104967,7 @@ index 1f22fba..b3121c0 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1461,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1462,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -104965,7 +104982,7 @@ index 1f22fba..b3121c0 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1479,8 @@ optional_policy(`
+@@ -1183,9 +1480,8 @@ optional_policy(`
########################################
#
@@ -104976,7 +104993,7 @@ index 1f22fba..b3121c0 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1493,218 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1494,219 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -105182,6 +105199,7 @@ index 1f22fba..b3121c0 100644
+
+corenet_tcp_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_generic_node(sandbox_net_domain)
++corenet_raw_bind_generic_node(sandbox_net_domain)
+corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
+corenet_udp_sendrecv_all_ports(sandbox_net_domain)
+corenet_udp_bind_all_ports(sandbox_net_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b196087..521857e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 181%{?dist}
+Release: 182%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Aug 27 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-182
+- Allow pppd to connect to http port. (#1128947)
+- Allow fail2ban to read audit logs
+- Dontaudit svirt_sandbox_domain doing access checks on /proc
+- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
+- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories.
+- Allow domains to are allowed to mounton proc to mount on files as well as dirs
+- Allow programs to use pam to search through user_tmp_t dires (/tmp/.X11-unix)
+
* Wed Aug 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-181
- Allow docker lots more access.
- Added interface kernel_dontaudit_setsched