[selinux-policy] * Wed Nov 19 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-94 - Allow openvpn to create uuid connect

Lukas Vrabec lvrabec at fedoraproject.org
Wed Nov 19 15:33:41 UTC 2014


commit c88e657c3d92acb5a3cea103566dda6931796316
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Wed Nov 19 16:33:35 2014 +0100

    * Wed Nov 19 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-94
    - Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
    - Allow sendmail to create dead.letter. BZ(1165443)
    - Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
    - Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
    - Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
    - Add additional interfaces for load_policy/setfiles/read_lock related to access checks.

 policy-rawhide-base.patch    |  113 +++++++++++++++++++++++++++++++++++-------
 policy-rawhide-contrib.patch |   43 +++++++++++-----
 selinux-policy.spec          |   10 +++-
 3 files changed, 133 insertions(+), 33 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2480dc5..b9c8b31 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -32228,7 +32228,7 @@ index 17eda24..d4113cc 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..353c3b7 100644
+index 662e79b..ad9ef4e 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
 @@ -1,14 +1,25 @@
@@ -32258,7 +32258,7 @@ index 662e79b..353c3b7 100644
  
  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
  
-@@ -26,16 +37,26 @@
+@@ -26,16 +37,27 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -32281,6 +32281,7 @@ index 662e79b..353c3b7 100644
  /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  
 +/var/run/charon\.ctl     -s  gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/charon\.vici    -s  gen_context(system_u:object_r:ipsec_var_run_t,s0)
 +/var/run/charon.*       --  gen_context(system_u:object_r:ipsec_var_run_t,s0)
  /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
  /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
@@ -37268,13 +37269,31 @@ index d43f3b1..870bc36 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..8686e0a 100644
+index 3822072..1b9a765 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
-@@ -135,6 +135,24 @@ interface(`seutil_exec_loadpolicy',`
+@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
  
  ########################################
  ## <summary>
++## Allow access check on load_policy.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_access_check_load_policy',`
++	gen_require(`
++		type load_policy_exec_t;
++	')
++
++    allow $1 load_policy_exec_t:file audit_access;
++')
++
++########################################
++## <summary>
 +## Dontaudit access check on load_policy.
 +## </summary>
 +## <param name="domain">
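Review bot: `allow $1 load_policy_exec_t:file audit_access;` in the new seutil_access_check_load_policy probably does not make an access(2) probe succeed: as far as I recall, the kernel consults audit_access only to decide whether a denied access() check is audited (which is what the dontaudit variant below it relies on), while the decision itself is still made on the permissions the probe asks for (getattr plus read or execute). If the intent is for selinux_child in sssd_t to get a positive answer from access() on load_policy, the interface has to grant those permissions, for example `allow $1 load_policy_exec_t:file { getattr execute };` narrowed to whatever the probe actually requests; otherwise the interface name and its "Allow access check" summary promise more than the rule delivers. The same applies to seutil_access_check_setfiles, seutil_access_check_module_store and seutil_access_check_semanage_read_lock further down, and to the four calls added to sssd.te. Separately, the new `allow` lines are indented with four spaces while the gen_require block and the surrounding interfaces use a tab; the openvpn.te and sendmail.te hunks add lines with the same mixed indentation. The enclosing selinuxutil.if hunk continues past this outer hunk.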
@@ -37296,7 +37315,7 @@ index 3822072..8686e0a 100644
  ##	Read the load_policy program file.
  ## </summary>
  ## <param name="domain">
-@@ -192,11 +210,22 @@ interface(`seutil_domtrans_newrole',`
+@@ -192,11 +228,22 @@ interface(`seutil_domtrans_newrole',`
  #
  interface(`seutil_run_newrole',`
  	gen_require(`
@@ -37321,7 +37340,7 @@ index 3822072..8686e0a 100644
  ')
  
  ########################################
-@@ -359,6 +388,27 @@ interface(`seutil_exec_restorecon',`
+@@ -359,6 +406,27 @@ interface(`seutil_exec_restorecon',`
  
  ########################################
  ## <summary>
@@ -37349,7 +37368,7 @@ index 3822072..8686e0a 100644
  ##	Execute run_init in the run_init domain.
  ## </summary>
  ## <param name="domain">
-@@ -425,11 +475,20 @@ interface(`seutil_init_script_domtrans_runinit',`
+@@ -425,11 +493,20 @@ interface(`seutil_init_script_domtrans_runinit',`
  #
  interface(`seutil_run_runinit',`
  	gen_require(`
@@ -37373,7 +37392,7 @@ index 3822072..8686e0a 100644
  ')
  
  ########################################
-@@ -461,11 +520,19 @@ interface(`seutil_run_runinit',`
+@@ -461,11 +538,19 @@ interface(`seutil_run_runinit',`
  #
  interface(`seutil_init_script_run_runinit',`
  	gen_require(`
@@ -37396,7 +37415,7 @@ index 3822072..8686e0a 100644
  ')
  
  ########################################
-@@ -535,6 +602,53 @@ interface(`seutil_run_setfiles',`
+@@ -535,6 +620,53 @@ interface(`seutil_run_setfiles',`
  
  ########################################
  ## <summary>
@@ -37450,10 +37469,28 @@ index 3822072..8686e0a 100644
  ##	Execute setfiles in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -555,6 +669,24 @@ interface(`seutil_exec_setfiles',`
+@@ -555,6 +687,42 @@ interface(`seutil_exec_setfiles',`
  
  ########################################
  ## <summary>
++## Allow access check on setfiles.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_access_check_setfiles',`
++	gen_require(`
++		type setfiles_exec_t;
++	')
++
++    allow $1 setfiles_exec_t:file audit_access;
++')
++
++########################################
++## <summary>
 +## Dontaudit access check on setfiles.
 +## </summary>
 +## <param name="domain">
@@ -37475,7 +37512,7 @@ index 3822072..8686e0a 100644
  ##	Do not audit attempts to search the SELinux
  ##	configuration directory (/etc/selinux).
  ## </summary>
-@@ -680,10 +812,115 @@ interface(`seutil_manage_config',`
+@@ -680,10 +848,115 @@ interface(`seutil_manage_config',`
  	')
  
  	files_search_etc($1)
@@ -37591,7 +37628,7 @@ index 3822072..8686e0a 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete
-@@ -694,15 +931,62 @@ interface(`seutil_manage_config',`
+@@ -694,15 +967,62 @@ interface(`seutil_manage_config',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -37657,7 +37694,7 @@ index 3822072..8686e0a 100644
  ')
  
  ########################################
-@@ -746,6 +1030,29 @@ interface(`seutil_read_default_contexts',`
+@@ -746,6 +1066,29 @@ interface(`seutil_read_default_contexts',`
  	read_files_pattern($1, default_context_t, default_context_t)
  ')
  
@@ -37687,7 +37724,7 @@ index 3822072..8686e0a 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete the default_contexts files.
-@@ -784,7 +1091,9 @@ interface(`seutil_read_file_contexts',`
+@@ -784,7 +1127,9 @@ interface(`seutil_read_file_contexts',`
  
  	files_search_etc($1)
  	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
@@ -37697,7 +37734,7 @@ index 3822072..8686e0a 100644
  ')
  
  ########################################
-@@ -999,6 +1308,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1344,26 @@ interface(`seutil_domtrans_semanage',`
  
  ########################################
  ## <summary>
@@ -37724,7 +37761,7 @@ index 3822072..8686e0a 100644
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1017,11 +1346,67 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1382,87 @@ interface(`seutil_domtrans_semanage',`
  #
  interface(`seutil_run_semanage',`
  	gen_require(`
@@ -37773,6 +37810,26 @@ index 3822072..8686e0a 100644
 +
 +########################################
 +## <summary>
++##	List of the semanage
++##	module store.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_access_check_module_store',`
++	gen_require(`
++		type semanage_store_t;
++	')
++
++	files_search_etc($1)
++    allow $1 semanage_store_t:dir_file_class_set audit_access;
++')
++
++########################################
++## <summary>
 +##	Full management of the semanage
 +##	module store.
 +## </summary>
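Review bot: The summary of the new seutil_access_check_module_store reads `##	List of the semanage module store.`, which looks copied from a listing interface and does not describe what the body does; suggest `##	Allow access check on the semanage module store.` so the doc matches the audit_access rule below it. The enclosing selinuxutil.if hunk continues outside this view.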
@@ -37794,7 +37851,7 @@ index 3822072..8686e0a 100644
  ')
  
  ########################################
-@@ -1043,7 +1428,11 @@ interface(`seutil_manage_module_store',`
+@@ -1043,7 +1484,11 @@ interface(`seutil_manage_module_store',`
  	files_search_etc($1)
  	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
  	manage_files_pattern($1, semanage_store_t, semanage_store_t)
@@ -37806,10 +37863,28 @@ index 3822072..8686e0a 100644
  ')
  
  #######################################
-@@ -1067,6 +1456,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1512,42 @@ interface(`seutil_get_semanage_read_lock',`
  
  #######################################
  ## <summary>
++##	Allow access check on module store
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_access_check_semanage_read_lock',`
++	gen_require(`
++		type semanage_read_lock_t;
++	')
++
++    allow $1 semanage_read_lock_t:file audit_access;
++')
++
++#######################################
++## <summary>
 +##	Dontaudit access check on module store
 +## </summary>
 +## <param name="domain">
@@ -37831,7 +37906,7 @@ index 3822072..8686e0a 100644
  ##	Get trans lock on module store
  ## </summary>
  ## <param name="domain">
-@@ -1137,3 +1544,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9fc84d2..3f12b14 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -61915,7 +61915,7 @@ index 6837e9a..21e6dae 100644
  	domain_system_change_exemption($1)
  	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 63957a3..3eb9dc1 100644
+index 63957a3..ba34f72 100644
 --- a/openvpn.te
 +++ b/openvpn.te
 @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -62040,7 +62040,7 @@ index 63957a3..3eb9dc1 100644
  ')
  
  tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -164,6 +188,10 @@ tunable_policy(`openvpn_can_network_connect',`
+@@ -164,10 +188,19 @@ tunable_policy(`openvpn_can_network_connect',`
  ')
  
  optional_policy(`
@@ -62051,11 +62051,17 @@ index 63957a3..3eb9dc1 100644
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
  ')
  
-@@ -173,5 +201,30 @@ optional_policy(`
+ optional_policy(`
++    networkmanager_stream_connect(openvpn_t)
++    networkmanager_manage_pid_files(openvpn_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(openvpn_t)
+ 	dbus_connect_system_bus(openvpn_t)
  
- 	optional_policy(`
+@@ -175,3 +208,27 @@ optional_policy(`
  		networkmanager_dbus_chat(openvpn_t)
-+        networkmanager_stream_connect(openvpn_t)
  	')
  ')
 +
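Review bot: `networkmanager_manage_pid_files(openvpn_t)` grants openvpn_t create, write and delete over NetworkManager's run-time pid-file content, which is broader than the stated need of creating uuid connection files in /var/run/NetworkManager; if the networkmanager module offers a create-only or filetrans-style interface for that directory, using it would keep openvpn's write access to NetworkManager's own state narrower (the interface definition is not visible here, so this is a suggestion to check). The inner `@@ -175,3 +208,27 @@` hunk continues past the end of this outer hunk.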
@@ -92301,7 +92307,7 @@ index 35ad2a7..6b75e85 100644
 +	admin_pattern($1, mail_spool_t)
  ')
 diff --git a/sendmail.te b/sendmail.te
-index 12700b4..fde3c8d 100644
+index 12700b4..906b5db 100644
 --- a/sendmail.te
 +++ b/sendmail.te
 @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -92441,7 +92447,7 @@ index 12700b4..fde3c8d 100644
  ')
  
  optional_policy(`
-@@ -164,6 +168,10 @@ optional_policy(`
+@@ -164,14 +168,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92452,7 +92458,12 @@ index 12700b4..fde3c8d 100644
  	milter_stream_connect_all(sendmail_t)
  ')
  
-@@ -172,6 +180,11 @@ optional_policy(`
+ optional_policy(`
++    mta_filetrans_home_content(sendmail_t)
++')
++
++optional_policy(`
+ 	munin_dontaudit_search_lib(sendmail_t)
  ')
  
  optional_policy(`
@@ -92464,7 +92475,7 @@ index 12700b4..fde3c8d 100644
  	postfix_domtrans_postdrop(sendmail_t)
  	postfix_domtrans_master(sendmail_t)
  	postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +206,10 @@ optional_policy(`
+@@ -193,6 +210,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -92475,7 +92486,7 @@ index 12700b4..fde3c8d 100644
  	udev_read_db(sendmail_t)
  ')
  
-@@ -206,8 +223,8 @@ optional_policy(`
+@@ -206,8 +227,8 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -97481,7 +97492,7 @@ index a240455..f4d8c79 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 2d8db1f..ababeba 100644
+index 2d8db1f..dbb5dd6 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@@ -97539,7 +97550,7 @@ index 2d8db1f..ababeba 100644
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,28 +79,30 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,28 +79,36 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -97559,6 +97570,12 @@ index 2d8db1f..ababeba 100644
 -# seutil_manage_login_config_files(sssd_t)
 +seutil_rw_login_config_dirs(sssd_t)
 +seutil_manage_login_config_files(sssd_t)
++
++seutil_access_check_module_store(sssd_t)
++
++seutil_access_check_load_policy(sssd_t)
++seutil_access_check_setfiles(sssd_t)
++seutil_access_check_semanage_read_lock(sssd_t)
  
  mls_file_read_to_clearance(sssd_t)
  mls_socket_read_to_clearance(sssd_t)
@@ -97574,7 +97591,7 @@ index 2d8db1f..ababeba 100644
  
  init_read_utmp(sssd_t)
  
-@@ -112,18 +110,36 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +116,36 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6efdd23..8aef00c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 93%{?dist}
+Release: 94%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Nov 19 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-94
+- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
+- Allow sendmail to create dead.letter. BZ(1165443)
+- Allow selinux_child running as sssd access check on /etc/selinux/targeted/modules/active.
+- Allow access checks on setfiles/load_policy/semanage_lock for selinux_child running as sssd_t.
+- Label sock file charon.vici as ipsec_var_run_t. BZ(1165065)
+- Add additional interfaces for load_policy/setfiles/read_lock related to access checks.
+
 * Fri Nov 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-93
 - Allow bumblebee to use nsswitch. BZ(1155339)
 - Allow openvpn to stream connect to networkmanager. BZ(1164182)

