[selinux-policy/f21] * Thu Aug 28 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-77 - Allow aide to read random number gen

Lukas Vrabec lvrabec at fedoraproject.org
Thu Aug 28 13:38:10 UTC 2014


commit 01a336c70f6e3a398aab647704d684dcd8aa4361
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Thu Aug 28 15:37:59 2014 +0200

    * Thu Aug 28 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-77
    - Allow aide to read random number generator
    - Allow pppd to connect to http port. (#1128947)
    - sssd needs to be able write krb5.conf.
    - Label initial-setup as install_exec_t.
    - Allow domains that are allowed to mounton proc to mount on files as well as dirs
    - Allow bacula to connect to postgresql if is configured for that as a back end.

 policy-rawhide-base.patch    |   41 +++++++++++++++--------------
 policy-rawhide-contrib.patch |   57 ++++++++++++++++++++++++++++-------------
 selinux-policy.spec          |   10 ++++++-
 3 files changed, 69 insertions(+), 39 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index ab46f09..d3c0391 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -17459,7 +17459,7 @@ index 7be4ddf..71e675a 100644
 +/sys/class/net/ib.* 	  --	gen_context(system_u:object_r:sysctl_net_t,s0)
 +/sys/kernel/uevent_helper --	gen_context(system_u:object_r:usermodehelper_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..a4648ed 100644
+index e100d88..227ae89 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -17648,7 +17648,7 @@ index e100d88..a4648ed 100644
  ##	Allow caller to get the attributes of kernel message
  ##	interface (/proc/kmsg).
  ## </summary>
-@@ -1458,6 +1564,24 @@ interface(`kernel_list_all_proc',`
+@@ -1458,6 +1564,25 @@ interface(`kernel_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -17666,6 +17666,7 @@ index e100d88..a4648ed 100644
 +	')
 +
 +	allow $1 proc_type:dir mounton;
++	allow $1 proc_type:file mounton;
 +')
 +
 +########################################
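Review bot: `allow $1 proc_type:file mounton;` widens this interface from proc directories to every file carrying the proc_type attribute, so a caller can overmount individual /proc entries and thereby mask process state (and any sysctl nodes, if those types also carry proc_type) from the other domains on the host. The interface's `<summary>` sits above the hunk and presumably still describes directories only; extend it with `##	Allow caller to mount on proc directories and files.` so callers see the broadened grant. The interface definition begins outside this hunk, so the domains that receive it cannot be checked here.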
@@ -17673,7 +17674,7 @@ index e100d88..a4648ed 100644
  ##	Do not audit attempts to list all proc directories.
  ## </summary>
  ## <param name="domain">
-@@ -1477,6 +1601,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -17698,7 +17699,7 @@ index e100d88..a4648ed 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -1672,7 +1814,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',`
  	')
  
  	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17707,7 +17708,7 @@ index e100d88..a4648ed 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1693,7 +1835,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',`
  	')
  
  	rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17716,7 +17717,7 @@ index e100d88..a4648ed 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1715,7 +1857,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',`
  	')
  
  	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -17724,7 +17725,7 @@ index e100d88..a4648ed 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1750,16 +1891,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1892,9 @@ interface(`kernel_rw_unix_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17742,7 +17743,7 @@ index e100d88..a4648ed 100644
  ')
  
  ########################################
-@@ -1771,16 +1905,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1906,9 @@ interface(`kernel_read_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17760,7 +17761,7 @@ index e100d88..a4648ed 100644
  ')
  
  ########################################
-@@ -1792,16 +1919,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1920,9 @@ interface(`kernel_rw_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17778,7 +17779,7 @@ index e100d88..a4648ed 100644
  ')
  
  ########################################
-@@ -1813,16 +1933,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1934,9 @@ interface(`kernel_read_modprobe_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17796,7 +17797,7 @@ index e100d88..a4648ed 100644
  ')
  
  ########################################
-@@ -2085,9 +2198,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2199,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -17826,7 +17827,7 @@ index e100d88..a4648ed 100644
  ########################################
  ## <summary>
  ##	Allow caller to read all sysctls.
-@@ -2282,6 +2414,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2415,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -17852,7 +17853,7 @@ index e100d88..a4648ed 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2457,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2458,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17861,7 +17862,7 @@ index e100d88..a4648ed 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2639,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2640,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -17886,7 +17887,7 @@ index e100d88..a4648ed 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2694,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2695,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -17911,7 +17912,7 @@ index e100d88..a4648ed 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2667,6 +2854,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2855,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -17936,7 +17937,7 @@ index e100d88..a4648ed 100644
  ##	Receive TCP packets from an unlabeled connection.
  ## </summary>
  ## <desc>
-@@ -2694,6 +2899,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2900,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -17962,7 +17963,7 @@ index e100d88..a4648ed 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2803,20 +3027,47 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,20 +3028,47 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -18017,7 +18018,7 @@ index e100d88..a4648ed 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -2958,6 +3209,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3210,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -18042,7 +18043,7 @@ index e100d88..a4648ed 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3241,565 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3242,565 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 556ffe5..d927793 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1594,7 +1594,7 @@ index 01cbb67..94a4a24 100644
  
  	files_list_etc($1)
 diff --git a/aide.te b/aide.te
-index 03831e6..cfc9115 100644
+index 03831e6..94a723f 100644
 --- a/aide.te
 +++ b/aide.te
 @@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1605,12 +1605,13 @@ index 03831e6..cfc9115 100644
  role aide_roles types aide_t;
  
  type aide_log_t;
-@@ -23,22 +24,30 @@ files_type(aide_db_t)
+@@ -23,22 +24,34 @@ files_type(aide_db_t)
  # Local policy
  #
  
 -allow aide_t self:capability { dac_override fowner };
 +allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
++allow aide_t self:process signal;
  
  manage_files_pattern(aide_t, aide_db_t, aide_db_t)
 +files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
@@ -1621,6 +1622,9 @@ index 03831e6..cfc9115 100644
 +manage_files_pattern(aide_t, aide_log_t, aide_log_t)
  logging_log_filetrans(aide_t, aide_log_t, file)
  
++dev_read_rand(aide_t)
++dev_read_urand(aide_t)
++
  files_read_all_files(aide_t)
  files_read_all_symlinks(aide_t)
 +files_getattr_all_pipes(aide_t)
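Review bot: `dev_read_rand(aide_t)` and `dev_read_urand(aide_t)` are added without a comment, and the changelog only says "read random number generator", so the next maintainer cannot tell which part of aide triggered the denial or whether both devices are really needed. If the consumer only reads /dev/urandom (presumably a hashing library at startup; confirm against the denial), `dev_read_urand` alone would be the tighter grant. A one-line comment above the pair, e.g. `# <component> reads the kernel RNG at startup (see <bug id>)`, would record the rationale.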
@@ -2365,15 +2369,16 @@ index 16d0d66..60abfd0 100644
  optional_policy(`
  	nscd_dontaudit_search_pid(amtu_t)
 diff --git a/anaconda.fc b/anaconda.fc
-index b098089..358c9f9 100644
+index b098089..37d428c 100644
 --- a/anaconda.fc
 +++ b/anaconda.fc
-@@ -1 +1,11 @@
+@@ -1 +1,12 @@
  # No file context specifications.
 +
 +/usr/libexec/anaconda/anaconda-yum  --  gen_context(system_u:object_r:install_exec_t,s0)
 +/usr/sbin/anaconda      --  gen_context(system_u:object_r:install_exec_t,s0)
 +
++/usr/bin/initial-setup  --  gen_context(system_u:object_r:install_exec_t,s0)
 +/usr/bin/ostree         --  gen_context(system_u:object_r:install_exec_t,s0)
 +/usr/bin/rpm-ostree     --  gen_context(system_u:object_r:install_exec_t,s0)
 +
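Review bot: `/usr/bin/initial-setup` now receives install_exec_t, the same entry-point label as anaconda and ostree, so whichever domain transition anaconda.te defines for install_exec_t applies to initial-setup as well; that file is outside this hunk, so confirm that the target domain's privileges are appropriate for a tool that may be run on an already-installed system rather than from the installer environment. A short comment above the entry, e.g. `# initial-setup is deliberately labelled like the installers`, would make the grouping explicit.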
@@ -8711,7 +8716,7 @@ index dcd774e..c240ffa 100644
  
  	allow $1 bacula_t:process { ptrace signal_perms };
 diff --git a/bacula.te b/bacula.te
-index f16b000..373576e 100644
+index f16b000..812f5bf 100644
 --- a/bacula.te
 +++ b/bacula.te
 @@ -43,16 +43,18 @@ role bacula_admin_roles types bacula_admin_t;
@@ -8753,16 +8758,30 @@ index f16b000..373576e 100644
  auth_read_shadow(bacula_t)
  
  logging_send_syslog_msg(bacula_t)
-@@ -148,9 +155,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -125,6 +132,10 @@ optional_policy(`
+ 	ldap_stream_connect(bacula_t)
+ ')
+ 
++optional_policy(`
++    postgresql_tcp_connect(bacula_t)
++')
++
+ ########################################
+ #
+ # Client local policy
+@@ -148,11 +159,8 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
  
  domain_use_interactive_fds(bacula_admin_t)
  
 -files_read_etc_files(bacula_admin_t)
- 
+-
 -miscfiles_read_localization(bacula_admin_t)
- 
+-
  sysnet_dns_name_resolve(bacula_admin_t)
  
+ userdom_dontaudit_search_user_home_dirs(bacula_admin_t)
+ userdom_use_user_ptys(bacula_admin_t)
++
 diff --git a/bcfg2.fc b/bcfg2.fc
 index fb42e35..8af0e14 100644
 --- a/bcfg2.fc
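Review bot: The new `postgresql_tcp_connect(bacula_t)` line is indented with four spaces while the neighbouring optional_policy block (`ldap_stream_connect(bacula_t)` just above) uses a tab; change it to `	postgresql_tcp_connect(bacula_t)` (tab-indented). The same mixed indentation appears in the sssd.te hunk further down (`++    kerberos_rw_config(sssd_t)`). The `++` after `userdom_use_user_ptys(bacula_admin_t)` also appends a trailing blank line to the end of that bacula.te hunk, which serves no purpose and can be dropped.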
@@ -69388,7 +69407,7 @@ index cd8b8b9..6c73980 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index d616ca3..fd72341 100644
+index d616ca3..979a6e0 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@@ -69544,11 +69563,12 @@ index d616ca3..fd72341 100644
  corenet_all_recvfrom_netlabel(pppd_t)
  corenet_tcp_sendrecv_generic_if(pppd_t)
  corenet_raw_sendrecv_generic_if(pppd_t)
-@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t)
+@@ -135,9 +145,22 @@ corenet_raw_sendrecv_generic_node(pppd_t)
  corenet_udp_sendrecv_generic_node(pppd_t)
  corenet_tcp_sendrecv_all_ports(pppd_t)
  corenet_udp_sendrecv_all_ports(pppd_t)
 -
++corenet_tcp_connect_http_port(pppd_t)
 +# Access /dev/ppp.
  corenet_rw_ppp_dev(pppd_t)
  
@@ -69567,7 +69587,7 @@ index d616ca3..fd72341 100644
  corecmd_exec_bin(pppd_t)
  corecmd_exec_shell(pppd_t)
  
-@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t)
+@@ -147,36 +170,31 @@ files_exec_etc_files(pppd_t)
  files_manage_etc_runtime_files(pppd_t)
  files_dontaudit_write_etc_files(pppd_t)
  
@@ -69613,7 +69633,7 @@ index d616ca3..fd72341 100644
  
  optional_policy(`
  	ddclient_run(pppd_t, pppd_roles)
-@@ -186,11 +203,13 @@ optional_policy(`
+@@ -186,11 +204,13 @@ optional_policy(`
  	l2tpd_dgram_send(pppd_t)
  	l2tpd_rw_socket(pppd_t)
  	l2tpd_stream_connect(pppd_t)
@@ -69628,7 +69648,7 @@ index d616ca3..fd72341 100644
  	')
  ')
  
-@@ -218,16 +237,19 @@ optional_policy(`
+@@ -218,16 +238,19 @@ optional_policy(`
  
  ########################################
  #
@@ -69651,7 +69671,7 @@ index d616ca3..fd72341 100644
  
  allow pptp_t pppd_etc_t:dir list_dir_perms;
  allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +259,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
  allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
  allow pptp_t pppd_etc_rw_t:file read_file_perms;
  allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -69708,7 +69728,7 @@ index d616ca3..fd72341 100644
  fs_getattr_all_fs(pptp_t)
  fs_search_auto_mountpoints(pptp_t)
  
-@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +303,12 @@ term_ioctl_generic_ptys(pptp_t)
  term_search_ptys(pptp_t)
  term_use_ptmx(pptp_t)
  
@@ -69723,7 +69743,7 @@ index d616ca3..fd72341 100644
  sysnet_exec_ifconfig(pptp_t)
  
  userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -299,6 +319,10 @@ optional_policy(`
+@@ -299,6 +320,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -95540,7 +95560,7 @@ index a240455..16a04bf 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..1f205fe 100644
+index 2d8db1f..e1c568a 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -95631,7 +95651,7 @@ index 2d8db1f..1f205fe 100644
  
  init_read_utmp(sssd_t)
  
-@@ -112,18 +109,35 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +109,36 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
@@ -95656,6 +95676,7 @@ index 2d8db1f..1f205fe 100644
 -	kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
 +	kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
 +	kerberos_read_home_content(sssd_t)
++    kerberos_rw_config(sssd_t)
 +')
 +
 +optional_policy(`
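Review bot: `kerberos_rw_config(sssd_t)` gives sssd write access to the Kerberos configuration that every Kerberos client on the host reads, so a compromised sssd could repoint realms or KDCs; the changelog only says "sssd needs to be able write krb5.conf". If sssd actually writes an sssd-managed snippet that krb5.conf includes (confirm against the denial), a dedicated type and filetrans would be the narrower grant; if it genuinely edits krb5.conf itself, add a comment above the line, e.g. `# sssd rewrites krb5.conf directly (see <bug id>)`, so the breadth is documented. The enclosing optional_policy block starts outside the hunk.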
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8281b79..6b0d961 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 76%{?dist}
+Release: 77%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Aug 28 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-77
+- Allow aide to read random number generator
+- Allow pppd to connect to http port. (#1128947)
+- sssd needs to be able write krb5.conf.
+- Labeli initial-setup as install_exec_t.
+- Allow domains to are allowed to mounton proc to mount on files as well as dirs
+- Allow bacula to connect to postgresql if is configured for that as a back end.
+
 * Tue Aug 26 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-76
 - Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
 - Add a port definition for shellinaboxd

