[selinux-policy/f21] * Mon Dec 15 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-103 - Docker has a new config/key file it

Lukas Vrabec lvrabec at fedoraproject.org
Mon Dec 15 12:37:28 UTC 2014


commit 22ea27acabb2dd41245acb6f01a62ba763e80548
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Mon Dec 15 07:37:26 2014 -0500

    * Mon Dec 15 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-103
    - Docker has a new config/key file it writes to /etc/docker
    - Add support for /usr/share/vdsm/daemonAdapter
    - Add additional MLS attribute for oddjob_mkhomedir to create homedirs.
    - Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean.
    - Allow virt_qemu_ga_t to execute kmod
    - Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)

 policy-f21-base.patch    |   47 ++++++++++---
 policy-f21-contrib.patch |  168 +++++++++++++++++++++++++++++-----------------
 selinux-policy.spec      |   10 +++-
 3 files changed, 151 insertions(+), 74 deletions(-)
---
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 361df19..ba33ce9 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -8771,7 +8771,7 @@ index 0b1a871..f260e6f 100644
 +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
 +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..1b9b0b5 100644
+index 6a1e4d1..7ac2831 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -8846,7 +8846,33 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Send a stop signal to all domains.
  ## </summary>
  ## <param name="domain">
-@@ -631,7 +626,7 @@ interface(`domain_read_all_domains_state',`
+@@ -571,6 +566,25 @@ interface(`domain_kill_all_domains',`
+ 
+ ########################################
+ ## <summary>
++##	Destroy all domains semaphores
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`domain_destroy_all_semaphores',`
++	gen_require(`
++		attribute domain;
++	')
++
++	allow $1 domain:sem destroy;
++')
++
++########################################
++## <summary>
+ ##	Search the process state directory (/proc/pid) of all domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -631,7 +645,7 @@ interface(`domain_read_all_domains_state',`
  
  ########################################
  ## <summary>
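Review bot: The new `domain_destroy_all_semaphores` interface grants `sem destroy` against every type carrying the `domain` attribute, which is as broad as `domain_kill_all_domains` just above it, yet its summary only says "Destroy all domains semaphores" and gives no reason a caller should need it. A one-line why in the interface header would help later audits, e.g. `## Grants destroy on the SysV semaphores of every domain; meant for session-cleanup daemons, not general use.`. The only caller in this commit is `systemd_logind_t` (the systemd.te hunk further down), presumably for logind removing a user's IPC objects at logout; that is inferred, so it is worth confirming and naming in the comment.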
@@ -8855,7 +8881,7 @@ index 6a1e4d1..1b9b0b5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -655,7 +650,7 @@ interface(`domain_getattr_all_domains',`
+@@ -655,7 +669,7 @@ interface(`domain_getattr_all_domains',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -8864,7 +8890,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	</summary>
  ## </param>
  #
-@@ -1356,6 +1351,24 @@ interface(`domain_manage_all_entry_files',`
+@@ -1356,6 +1370,24 @@ interface(`domain_manage_all_entry_files',`
  
  ########################################
  ## <summary>
@@ -8889,7 +8915,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Relabel to and from all entry point
  ##	file types.
  ## </summary>
-@@ -1421,7 +1434,7 @@ interface(`domain_entry_file_spec_domtrans',`
+@@ -1421,7 +1453,7 @@ interface(`domain_entry_file_spec_domtrans',`
  ## <summary>
  ##	Ability to mmap a low area of the address
  ##	space conditionally, as configured by
@@ -8898,7 +8924,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Preventing such mappings helps protect against
  ##	exploiting null deref bugs in the kernel.
  ## </summary>
-@@ -1448,7 +1461,7 @@ interface(`domain_mmap_low',`
+@@ -1448,7 +1480,7 @@ interface(`domain_mmap_low',`
  ## <summary>
  ##	Ability to mmap a low area of the address
  ##	space unconditionally, as configured
@@ -8907,7 +8933,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Preventing such mappings helps protect against
  ##	exploiting null deref bugs in the kernel.
  ## </summary>
-@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',`
+@@ -1508,6 +1540,24 @@ interface(`domain_unconfined_signal',`
  
  ########################################
  ## <summary>
@@ -8932,7 +8958,7 @@ index 6a1e4d1..1b9b0b5 100644
  ##	Unconfined access to domains.
  ## </summary>
  ## <param name="domain">
-@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1580,63 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
@@ -41398,10 +41424,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..c7c145b
+index 0000000..769e942
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,702 @@
+@@ -0,0 +1,703 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41542,6 +41568,7 @@ index 0000000..c7c145b
 +domain_signal_all_domains(systemd_logind_t)
 +domain_signull_all_domains(systemd_logind_t)
 +domain_kill_all_domains(systemd_logind_t)
++domain_destroy_all_semaphores(systemd_logind_t)
 +
 +# /etc/udev/udev.conf should probably have a private type if only for confined administration
 +# /etc/nsswitch.conf
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index 11469d7..a2cb064 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -24718,14 +24718,18 @@ index c7bb4e7..e6fe2f40 100644
  sysnet_etc_filetrans_config(dnssec_triggerd_t)
 diff --git a/docker.fc b/docker.fc
 new file mode 100644
-index 0000000..fd679a1
+index 0000000..a4aa484
 --- /dev/null
 +++ b/docker.fc
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,23 @@
++/root/\.docker	gen_context(system_u:object_r:docker_home_t,s0)
++
 +/usr/bin/docker			--	gen_context(system_u:object_r:docker_exec_t,s0)
 +
 +/usr/lib/systemd/system/docker.service		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
 +
++/etc/docker(/.*)?		gen_context(system_u:object_r:docker_config_t,s0)
++
 +/var/lib/docker(/.*)?		gen_context(system_u:object_r:docker_var_lib_t,s0)
 +
 +/var/run/docker\.pid		--	gen_context(system_u:object_r:docker_var_run_t,s0)
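Review bot: The new `/root/\.docker` entry on the first added line matches only the directory itself, not what is inside it, unlike the `/etc/docker(/.*)?` and `/var/lib/docker(/.*)?` entries in the same hunk. Files the daemon writes there get `docker_home_t` by inheritance at creation, but on a `restorecon` they fall back to whatever the generic `/root` entry (not in this hunk) gives them, and `docker_t` is only given `docker_home_t` rules in this commit, so a relabel could cut the daemon off from its own key material. Change the line to `/root/\.docker(/.*)?	gen_context(system_u:object_r:docker_home_t,s0)`.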
@@ -24740,12 +24744,13 @@ index 0000000..fd679a1
 +/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)
 +/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)
 +/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
++
 diff --git a/docker.if b/docker.if
 new file mode 100644
-index 0000000..b2c82df
+index 0000000..c8e5981
 --- /dev/null
 +++ b/docker.if
-@@ -0,0 +1,367 @@
+@@ -0,0 +1,372 @@
 +
 +## <summary>The open-source application container engine.</summary>
 +
@@ -25047,6 +25052,7 @@ index 0000000..b2c82df
 +    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
 +    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
 +    filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
++    userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
 +')
 +
 +########################################
@@ -25087,11 +25093,14 @@ index 0000000..b2c82df
 +		type docker_unit_file_t;
 +		type docker_lock_t;
 +		type docker_log_t;
++		type docker_config_t;
 +	')
 +
 +	allow $1 docker_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, docker_t)
 +
++	admin_pattern($1, docker_config_t)
++
 +	files_search_var_lib($1)
 +	admin_pattern($1, docker_var_lib_t)
 +
@@ -25113,12 +25122,13 @@ index 0000000..b2c82df
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
 +')
++
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..91d8c90
+index 0000000..08cf151
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,286 @@
+@@ -0,0 +1,300 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -25150,6 +25160,12 @@ index 0000000..91d8c90
 +type docker_var_lib_t;
 +files_type(docker_var_lib_t)
 +
++type docker_home_t;
++userdom_user_home_content(docker_home_t)
++
++type docker_config_t;
++files_config_file(docker_config_t)
++
 +type docker_lock_t;
 +files_lock_file(docker_lock_t)
 +
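Review bot: `docker_config_t` is declared with `files_config_file()`, but per the commit message this directory holds the daemon's key file, not just configuration. `files_config_file()` attaches the generic `configfile` attribute, so any interface that grants other domains read on that attribute will also cover the key; if that is not intended, `files_type(docker_config_t)` as used for `docker_var_lib_t` a few lines above keeps it reachable only through the explicit docker rules. Whether any attribute-wide read interface is actually used in this policy is not visible from the hunk, so at minimum a comment such as `# /etc/docker also holds the daemon's key file; keep read access narrow` would record the decision.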
@@ -25186,6 +25202,14 @@ index 0000000..91d8c90
 +allow docker_t self:udp_socket create_socket_perms;
 +allow docker_t self:capability2 block_suspend;
 +
++manage_files_pattern(docker_t, docker_home_t, docker_home_t)
++manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
++manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
++userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")
++
++manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
++manage_files_pattern(docker_t, docker_config_t, docker_config_t)
++
 +manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
 +manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
 +files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
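Review bot: The new `docker_config_t` rules let `docker_t` create directories and files, but there is no `files_etc_filetrans(docker_t, docker_config_t, dir, "docker")` to match the `userdom_admin_home_dir_filetrans(..., ".docker")` line added just above for the home directory. If the daemon creates `/etc/docker` itself on first start rather than the package shipping it, the directory would be created under the parent's label and the key file would not land in `docker_config_t` until a relabel; whether the package ships the directory is not visible here, so worth confirming. The one-line addition is `files_etc_filetrans(docker_t, docker_config_t, dir, "docker")`.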
@@ -42656,7 +42680,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index be0ab84..3ebbcc0 100644
+index be0ab84..2de18e1 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@@ -42906,7 +42930,7 @@ index be0ab84..3ebbcc0 100644
  ')
  
  optional_policy(`
-@@ -228,10 +285,21 @@ optional_policy(`
+@@ -228,26 +285,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42928,7 +42952,11 @@ index be0ab84..3ebbcc0 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -239,15 +307,17 @@ optional_policy(`
+ optional_policy(`
++    rpm_read_cache(logrotate_t)
++')
++
++optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
  
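Review bot: The added `rpm_read_cache(logrotate_t)` line is indented with four spaces while the surrounding `optional_policy` bodies in this file use a tab (see `	varnishd_manage_log(logrotate_t)` two lines down); match the file's tab indentation. The changelog says this is for reading hawkey.log under /var/cache/dnf, but `rpm_read_cache` grants read on rpm's whole cache type rather than that one log; if a narrower interface exists it would be preferable, and otherwise a comment above the block naming the log and BZ(1163438) would explain the scope to the next reader.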
@@ -59893,7 +59921,7 @@ index c87bd2a..4c17c99 100644
 +	')
  ')
 diff --git a/oddjob.te b/oddjob.te
-index e403097..6f7b99d 100644
+index e403097..033911e 100644
 --- a/oddjob.te
 +++ b/oddjob.te
 @@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
@@ -59950,7 +59978,7 @@ index e403097..6f7b99d 100644
  
  locallogin_dontaudit_use_fds(oddjob_t)
  
-@@ -65,19 +65,15 @@ optional_policy(`
+@@ -65,28 +65,24 @@ optional_policy(`
  	dbus_connect_system_bus(oddjob_t)
  ')
  
@@ -59972,15 +60000,18 @@ index e403097..6f7b99d 100644
  
  kernel_read_system_state(oddjob_mkhomedir_t)
  
-@@ -85,7 +81,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t)
++mls_file_upgrade(oddjob_mkhomedir_t)
++
+ auth_use_nsswitch(oddjob_mkhomedir_t)
  
  logging_send_syslog_msg(oddjob_mkhomedir_t)
  
 -miscfiles_read_localization(oddjob_mkhomedir_t)
- 
+-
  selinux_get_fs_mount(oddjob_mkhomedir_t)
  selinux_validate_context(oddjob_mkhomedir_t)
-@@ -98,8 +93,11 @@ seutil_read_config(oddjob_mkhomedir_t)
+ selinux_compute_access_vector(oddjob_mkhomedir_t)
+@@ -98,8 +94,11 @@ seutil_read_config(oddjob_mkhomedir_t)
  seutil_read_file_contexts(oddjob_mkhomedir_t)
  seutil_read_default_contexts(oddjob_mkhomedir_t)
  
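Review bot: `mls_file_upgrade(oddjob_mkhomedir_t)` is an MLS trusted-override, letting the domain write files at a level above its own, and is added with no comment explaining why. Since the changelog says this is for creating home directories, presumably at the user's login level which may sit above the daemon's, that reasoning belongs next to the line: `# MLS: home dirs are created at the user's level, which may be above oddjob's own`. Being a constraint exemption rather than a plain TE allow rule, it deserves the same scrutiny as a capability grant.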
@@ -74124,7 +74155,7 @@ index 7cb8b1f..9422c90 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
  ')
 diff --git a/puppet.te b/puppet.te
-index 618dcfe..0903e67 100644
+index 618dcfe..4dd18a3 100644
 --- a/puppet.te
 +++ b/puppet.te
 @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@@ -74186,7 +74217,7 @@ index 618dcfe..0903e67 100644
  
  type puppetmaster_t;
  type puppetmaster_exec_t;
-@@ -56,161 +62,156 @@ files_tmp_file(puppetmaster_tmp_t)
+@@ -56,161 +62,158 @@ files_tmp_file(puppetmaster_tmp_t)
  
  ########################################
  #
@@ -74298,6 +74329,7 @@ index 618dcfe..0903e67 100644
 +allow puppetagent_t self:udp_socket create_socket_perms;
 +
 +read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
++read_lnk_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
 +
 +manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
 +manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
@@ -74456,10 +74488,11 @@ index 618dcfe..0903e67 100644
 -allow puppetca_t puppet_etc_t:file read_file_perms;
 -allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
 +read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
++read_lnk_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
  
  allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
  manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +222,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +224,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
  allow puppetca_t puppet_var_run_t:dir search_dir_perms;
  
  kernel_read_system_state(puppetca_t)
@@ -74467,7 +74500,7 @@ index 618dcfe..0903e67 100644
  kernel_read_kernel_sysctls(puppetca_t)
  
  corecmd_exec_bin(puppetca_t)
-@@ -229,15 +231,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +233,12 @@ corecmd_exec_shell(puppetca_t)
  dev_read_urand(puppetca_t)
  dev_search_sysfs(puppetca_t)
  
@@ -74483,7 +74516,7 @@ index 618dcfe..0903e67 100644
  miscfiles_read_generic_certs(puppetca_t)
  
  seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +245,47 @@ optional_policy(`
+@@ -246,38 +247,48 @@ optional_policy(`
  	hostname_exec(puppetca_t)
  ')
  
@@ -74513,6 +74546,7 @@ index 618dcfe..0903e67 100644
 -allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
 +list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 +read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
++read_lnk_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
  
 -allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 -append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
@@ -74547,7 +74581,7 @@ index 618dcfe..0903e67 100644
  
  kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
  kernel_read_network_state(puppetmaster_t)
-@@ -289,23 +297,24 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +300,24 @@ corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
  
  corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -74578,7 +74612,7 @@ index 618dcfe..0903e67 100644
  
  selinux_validate_context(puppetmaster_t)
  
-@@ -314,26 +323,31 @@ auth_use_nsswitch(puppetmaster_t)
+@@ -314,26 +326,31 @@ auth_use_nsswitch(puppetmaster_t)
  logging_send_syslog_msg(puppetmaster_t)
  
  miscfiles_read_generic_certs(puppetmaster_t)
@@ -74615,7 +74649,7 @@ index 618dcfe..0903e67 100644
  ')
  
  optional_policy(`
-@@ -342,3 +356,9 @@ optional_policy(`
+@@ -342,3 +359,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -88540,7 +88574,7 @@ index 50d07fb..dc069c8 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..c2cd297 100644
+index 2b7c441..114b2be 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -89149,7 +89183,7 @@ index 2b7c441..c2cd297 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,9 +522,47 @@ optional_policy(`
+@@ -499,9 +522,48 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -89164,6 +89198,7 @@ index 2b7c441..c2cd297 100644
 +	allow nmbd_t self:capability { dac_read_search dac_override };
 +	fs_read_noxattr_fs_files(smbd_t) 
 +	files_read_non_security_files(smbd_t)
++    files_dontaudit_list_security_dirs(smbd_t)
 +    files_dontaudit_search_security_files(smbd_t)
 +    files_dontaudit_read_security_files(smbd_t)
 +	fs_read_noxattr_fs_files(nmbd_t) 
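Review bot: The added `files_dontaudit_list_security_dirs(smbd_t)` line uses four-space indentation inside a block whose other lines mix tabs (`	fs_read_noxattr_fs_files(smbd_t) `) and spaces. It follows the two space-indented lines below it, so it compounds an existing inconsistency rather than creating one, but the block would read better with a tab on all six lines. The enclosing tunable block starts outside the hunk.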
@@ -89198,7 +89233,7 @@ index 2b7c441..c2cd297 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +573,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +574,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -89213,7 +89248,7 @@ index 2b7c441..c2cd297 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +589,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +590,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -89237,7 +89272,7 @@ index 2b7c441..c2cd297 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +605,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +606,44 @@ kernel_read_kernel_sysctls(nmbd_t)
  kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
@@ -89306,7 +89341,7 @@ index 2b7c441..c2cd297 100644
  ')
  
  optional_policy(`
-@@ -606,16 +655,22 @@ optional_policy(`
+@@ -606,16 +656,22 @@ optional_policy(`
  
  ########################################
  #
@@ -89333,7 +89368,7 @@ index 2b7c441..c2cd297 100644
  
  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
  
-@@ -627,16 +682,13 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +683,13 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -89352,7 +89387,7 @@ index 2b7c441..c2cd297 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +696,23 @@ optional_policy(`
+@@ -644,22 +697,23 @@ optional_policy(`
  
  ########################################
  #
@@ -89384,7 +89419,7 @@ index 2b7c441..c2cd297 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +721,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +722,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -89420,7 +89455,7 @@ index 2b7c441..c2cd297 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +748,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +749,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -89512,7 +89547,7 @@ index 2b7c441..c2cd297 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +827,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +828,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -89536,7 +89571,7 @@ index 2b7c441..c2cd297 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +841,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +842,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -89579,7 +89614,7 @@ index 2b7c441..c2cd297 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +871,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +872,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -89593,7 +89628,7 @@ index 2b7c441..c2cd297 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +894,20 @@ optional_policy(`
+@@ -840,17 +895,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -89619,7 +89654,7 @@ index 2b7c441..c2cd297 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +917,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +918,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -89630,7 +89665,7 @@ index 2b7c441..c2cd297 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +928,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +929,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -89683,7 +89718,7 @@ index 2b7c441..c2cd297 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +970,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +971,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -89742,7 +89777,7 @@ index 2b7c441..c2cd297 100644
  ')
  
  optional_policy(`
-@@ -959,31 +1031,35 @@ optional_policy(`
+@@ -959,31 +1032,35 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -89785,7 +89820,7 @@ index 2b7c441..c2cd297 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1073,38 @@ optional_policy(`
+@@ -997,25 +1074,38 @@ optional_policy(`
  
  ########################################
  #
@@ -103968,10 +104003,10 @@ index 3d11c6a..b19a117 100644
  
  optional_policy(`
 diff --git a/virt.fc b/virt.fc
-index a4f20bc..88a2dc6 100644
+index a4f20bc..b3bd64f 100644
 --- a/virt.fc
 +++ b/virt.fc
-@@ -1,51 +1,98 @@
+@@ -1,51 +1,99 @@
 -HOME_DIR/\.libvirt(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
 -HOME_DIR/\.libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_home_t,s0)
 -HOME_DIR/\.virtinst(/.*)?	gen_context(system_u:object_r:virt_home_t,s0)
@@ -104083,6 +104118,7 @@ index a4f20bc..88a2dc6 100644
 +/usr/share/vdsm/vdsm    --       gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/share/vdsm/respawn    --       gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/share/vdsm/supervdsmServer    --       gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/share/vdsm/daemonAdapter       --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +
 +# support for nova-stack
 +/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -105980,7 +106016,7 @@ index facdee8..aacee65 100644
 +	typeattribute $1 sandbox_caps_domain;
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..f3d6203 100644
+index f03dcf5..487f131 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,241 @@
@@ -107116,7 +107152,7 @@ index f03dcf5..f3d6203 100644
 +miscfiles_read_generic_certs(virt_domain)
 +
 +storage_raw_read_removable_device(virt_domain)
-+
+ 
 +sysnet_read_config(virt_domain)
 +
 +term_use_all_inherited_terms(virt_domain)
@@ -107143,7 +107179,7 @@ index f03dcf5..f3d6203 100644
 +optional_policy(`
 +	pulseaudio_dontaudit_exec(virt_domain)
 +')
- 
++
 +optional_policy(`
 +	sssd_dontaudit_stream_connect(virt_domain)
 +	sssd_dontaudit_read_lib(virt_domain)
@@ -107312,10 +107348,10 @@ index f03dcf5..f3d6203 100644
  
 -logging_send_syslog_msg(virsh_t)
 +systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
  
 -miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
 +logging_send_syslog_msg(virsh_t)
  
  sysnet_dns_name_resolve(virsh_t)
@@ -107624,12 +107660,6 @@ index f03dcf5..f3d6203 100644
 +	apache_exec_modules(svirt_sandbox_domain)
 +	apache_read_sys_content(svirt_sandbox_domain)
 +')
-+
-+optional_policy(`
-+	docker_read_share_files(svirt_sandbox_domain)
-+	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+	docker_use_ptys(svirt_sandbox_domain)
-+')
  
 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
 -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -107714,6 +107744,12 @@ index f03dcf5..f3d6203 100644
 -
 -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +optional_policy(`
++	docker_read_share_files(svirt_sandbox_domain)
++	docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++	docker_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
 +	gear_read_pid_files(svirt_sandbox_domain)
 +')
  
@@ -107784,11 +107820,6 @@ index f03dcf5..f3d6203 100644
 +tunable_policy(`virt_sandbox_use_mknod',`
 +	allow svirt_lxc_net_t self:capability mknod;
 +')
-+
-+tunable_policy(`virt_sandbox_use_all_caps',`
-+	allow svirt_lxc_net_t self:capability all_capability_perms;
-+	allow svirt_lxc_net_t self:capability2 all_capability2_perms;
-+')
  
 -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
 -corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -107800,6 +107831,11 @@ index f03dcf5..f3d6203 100644
 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
 -corenet_tcp_bind_generic_node(svirt_lxc_net_t)
 -corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_all_caps',`
++	allow svirt_lxc_net_t self:capability all_capability_perms;
++	allow svirt_lxc_net_t self:capability2 all_capability2_perms;
++')
++
 +tunable_policy(`virt_sandbox_use_netlink',`
 +	allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
 +	allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -107884,13 +107920,13 @@ index f03dcf5..f3d6203 100644
 +term_use_ptmx(svirt_qemu_net_t)
 +
 +dev_rw_kvm(svirt_qemu_net_t)
- 
--allow svirt_prot_exec_t self:process { execmem execstack };
++
 +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
 +
 +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+
+ 
+-allow svirt_prot_exec_t self:process { execmem execstack };
 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
 +
 +kernel_read_irq_sysctls(svirt_qemu_net_t)
@@ -107961,7 +107997,7 @@ index f03dcf5..f3d6203 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1525,227 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1525,233 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -107995,12 +108031,14 @@ index f03dcf5..f3d6203 100644
 +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
 +
 +kernel_read_system_state(virt_qemu_ga_t)
++kernel_rw_kernel_sysctl(virt_qemu_ga_t)
 +
 +corecmd_exec_shell(virt_qemu_ga_t)
 +corecmd_exec_bin(virt_qemu_ga_t)
 +
 +clock_read_adjtime(virt_qemu_ga_t)
 +
++dev_getattr_apm_bios_dev(virt_qemu_ga_t)
 +dev_rw_sysfs(virt_qemu_ga_t)
 +dev_rw_realtime_clock(virt_qemu_ga_t)
 +
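Review bot: `kernel_rw_kernel_sysctl(virt_qemu_ga_t)` grants the guest agent write access to kernel sysctls, while the changelog lists only "execute kmod" for this domain and the hunk carries no comment on which sysctl the agent writes. Since the agent's commands arrive from the host side of the channel, the read-only `kernel_read_kernel_sysctls` would be the safer default; if a write is genuinely required, a comment naming the sysctl above the line would let the next reviewer check whether a narrower interface fits. `dev_getattr_apm_bios_dev` further down is harmless but equally undocumented.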
@@ -108014,9 +108052,13 @@ index f03dcf5..f3d6203 100644
 +term_use_all_ttys(virt_qemu_ga_t)
 +term_use_unallocated_ttys(virt_qemu_ga_t)
 +
++auth_use_nsswitch(virt_qemu_ga_t)
++
 +logging_send_syslog_msg(virt_qemu_ga_t)
 +logging_send_audit_msgs(virt_qemu_ga_t)
 +
++modutils_exec_insmod(virt_qemu_ga_t)
++
 +sysnet_dns_name_resolve(virt_qemu_ga_t)
 +
 +systemd_exec_systemctl(virt_qemu_ga_t)
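Review bot: `modutils_exec_insmod(virt_qemu_ga_t)` runs kmod inside `virt_qemu_ga_t` itself with no domain transition, so for a module load to actually succeed the agent domain would also need the module-loading rights (the `sys_module` capability at least), which this hunk does not add; either the grant is incomplete or those rights are expected to follow and would further widen a host-driven agent. If module loading is the goal, `modutils_domtrans_insmod(virt_qemu_ga_t)` keeps the loader confined to its own domain instead. A comment stating which guest-agent command needs kmod would help either way.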
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b17158d..d8df39e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 102%{?dist}
+Release: 103%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Dec 15 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-103
+- Docker has a new config/key file it writes to /etc/docker
+- Add support for /usr/share/vdsm/daemonAdapter
+- Add additionnal MLS attribute for oddjob_mkhomedir to create homedirs.
+- Add missing files_dontaudit_list_security_dirs() for smbd_t in samba_export_all_ro boolean.
+- Allow virt_qemu_ga_t to execute kmod
+- Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
+
 * Thu Dec 11 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-102
 - Allow pegasus_openlmi_storage_t use nsswitch. BZ(1172258)
 - Allow docker daemon to start transitiant units

