[selinux-policy] * Wed Feb 04 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-108 - Fix labels, improve sysnet_manage_c

Lukas Vrabec lvrabec at fedoraproject.org
Wed Feb 4 12:06:57 UTC 2015


commit 203031a6dbcfd706ccb37dd896c9dc44206b33f4
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Wed Feb 4 13:06:40 2015 +0100

    * Wed Feb 04 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-108
    - Fix labels, improve sysnet_manage_config interface.
    - Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
    - Dontaudit network connections related to thumb_t. BZ(1187981)
    - Remove sysnet_filetrans_named_content from fail2ban

 policy-rawhide-base.patch    |  220 +++++++++++++++++++++++-------------------
 policy-rawhide-contrib.patch |   14 ++--
 selinux-policy.spec          |    8 ++-
 3 files changed, 134 insertions(+), 108 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a50e3ca..39e1baa 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -25701,10 +25701,10 @@ index 6bf0ecc..b036584 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..635442b 100644
+index 8b40377..5a2c173 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
-@@ -26,28 +26,59 @@ gen_require(`
+@@ -26,28 +26,66 @@ gen_require(`
  #
  
  ## <desc>
@@ -25754,6 +25754,13 @@ index 8b40377..635442b 100644
 +
 +## <desc>
 +##	<p>
++##	Allows xdm_t to bind on vnc_port_t(5910)
++##	</p>
++## </desc>
++gen_tunable(xdm_bind_vnc_tcp_port, false)
++
++## <desc>
++##	<p>
 +##	Support X userspace object manager
 +##	</p>
  ## </desc>
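Review bot: The description on the new `gen_tunable(xdm_bind_vnc_tcp_port, false)` pins a single port number, `vnc_port_t(5910)`, but the rule it gates, `corenet_tcp_bind_vnc_port(xdm_t)`, grants bind on every TCP port labeled vnc_port_t, and the port set behind that type is defined in corenetwork, not here. If that set is wider than 5910 or changes later, this text, which is what administrators see in boolean listings, will understate what the tunable opens. I would describe the type rather than a number: `##	Allow xdm_t to bind to TCP ports labeled vnc_port_t.` The default of false keeps the listener off unless an administrator opts in, which is the right default for a display manager.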
@@ -25773,7 +25780,7 @@ index 8b40377..635442b 100644
  
  # X Events
  attribute xevent_type;
-@@ -107,44 +138,54 @@ xserver_object_types_template(remote)
+@@ -107,44 +145,54 @@ xserver_object_types_template(remote)
  xserver_common_x_domain_template(remote, remote_t)
  
  type user_fonts_t;
@@ -25829,7 +25836,7 @@ index 8b40377..635442b 100644
  typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
  userdom_user_tmp_file(xauth_tmp_t)
  
-@@ -155,19 +196,28 @@ dev_associate(xconsole_device_t)
+@@ -155,19 +203,28 @@ dev_associate(xconsole_device_t)
  fs_associate_tmpfs(xconsole_device_t)
  files_associate_tmp(xconsole_device_t)
  
@@ -25861,7 +25868,7 @@ index 8b40377..635442b 100644
  
  type xdm_var_lib_t;
  files_type(xdm_var_lib_t)
-@@ -175,13 +225,21 @@ files_type(xdm_var_lib_t)
+@@ -175,13 +232,21 @@ files_type(xdm_var_lib_t)
  type xdm_var_run_t;
  files_pid_file(xdm_var_run_t)
  
@@ -25886,7 +25893,7 @@ index 8b40377..635442b 100644
  # type for /var/lib/xkb
  type xkb_var_lib_t;
  files_type(xkb_var_lib_t)
-@@ -194,15 +252,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -194,15 +259,13 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
  init_system_domain(xserver_t, xserver_exec_t)
  ubac_constrained(xserver_t)
  
@@ -25907,7 +25914,7 @@ index 8b40377..635442b 100644
  
  type xsession_exec_t;
  corecmd_executable_file(xsession_exec_t)
-@@ -226,21 +282,35 @@ optional_policy(`
+@@ -226,21 +289,35 @@ optional_policy(`
  #
  
  allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -25950,7 +25957,7 @@ index 8b40377..635442b 100644
  ')
  
  ########################################
-@@ -248,48 +318,91 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -248,48 +325,91 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -26042,18 +26049,18 @@ index 8b40377..635442b 100644
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
  ')
  
  optional_policy(`
++	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
++')
++
++optional_policy(`
 +	ssh_use_ptys(xauth_t)
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
  	ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +413,103 @@ optional_policy(`
+@@ -300,64 +420,103 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -26081,14 +26088,14 @@ index 8b40377..635442b 100644
  allow xdm_t self:appletalk_socket create_socket_perms;
  allow xdm_t self:key { search link write };
 +allow xdm_t self:dbus { send_msg acquire_svc };
-+
+ 
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
 +allow xdm_t xauth_home_t:file manage_file_perms;
 +
 +allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
 +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
 +manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
- 
--allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++
 +manage_dirs_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +xserver_filetrans_home_content(xdm_t)
@@ -26170,7 +26177,7 @@ index 8b40377..635442b 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +518,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -26203,7 +26210,7 @@ index 8b40377..635442b 100644
  corenet_all_recvfrom_netlabel(xdm_t)
  corenet_tcp_sendrecv_generic_if(xdm_t)
  corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -26257,7 +26264,7 @@ index 8b40377..635442b 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -431,9 +604,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +611,28 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -26286,7 +26293,7 @@ index 8b40377..635442b 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +634,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -26335,7 +26342,7 @@ index 8b40377..635442b 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +681,155 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +688,155 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -26497,10 +26504,15 @@ index 8b40377..635442b 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -503,11 +843,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +849,31 @@ tunable_policy(`xdm_sysadm_login',`
+ #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
  ')
  
- optional_policy(`
++tunable_policy(`xdm_bind_vnc_tcp_port',`
++    corenet_tcp_bind_vnc_port(xdm_t)
++')
++
++optional_policy(`
 +	accountsd_read_lib_files(xdm_t)
 +	accountsd_dbus_chat(xdm_t)
 +')
@@ -26513,7 +26525,7 @@ index 8b40377..635442b 100644
 +	boinc_dontaudit_getattr_lib(xdm_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
  	alsa_domtrans(xdm_t)
 +	alsa_read_rw_config(xdm_t)
  ')
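Review bot: The body of the new `tunable_policy(`xdm_bind_vnc_tcp_port',` block, `    corenet_tcp_bind_vnc_port(xdm_t)`, is indented with four spaces while every neighbouring block in this hunk (`accountsd_read_lib_files(xdm_t)`, `alsa_read_rw_config(xdm_t)`) uses a tab. The policy sources in this tree are tab-indented, so the line will stand out in later diffs and invite an unrelated whitespace fix. I would write it as `	corenet_tcp_bind_vnc_port(xdm_t)` with a leading tab. The tunable_policy block is complete inside the hunk; the surrounding xdm_t section continues outside it.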
@@ -26524,7 +26536,7 @@ index 8b40377..635442b 100644
  ')
  
  optional_policy(`
-@@ -517,9 +872,34 @@ optional_policy(`
+@@ -517,9 +883,34 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(xdm_t)
  	dbus_connect_system_bus(xdm_t)
@@ -26560,7 +26572,7 @@ index 8b40377..635442b 100644
  	')
  ')
  
-@@ -530,6 +910,20 @@ optional_policy(`
+@@ -530,6 +921,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26581,7 +26593,7 @@ index 8b40377..635442b 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -547,28 +941,78 @@ optional_policy(`
+@@ -547,28 +952,78 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26669,7 +26681,7 @@ index 8b40377..635442b 100644
  ')
  
  optional_policy(`
-@@ -580,6 +1024,14 @@ optional_policy(`
+@@ -580,6 +1035,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26684,7 +26696,7 @@ index 8b40377..635442b 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +1046,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1057,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
  type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
  
  allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -26693,7 +26705,7 @@ index 8b40377..635442b 100644
  
  # setuid/setgid for the wrapper program to change UID
  # sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1056,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1067,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -26706,7 +26718,7 @@ index 8b40377..635442b 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1073,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1084,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -26722,7 +26734,7 @@ index 8b40377..635442b 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1089,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1100,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
  
  filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
  
@@ -26733,7 +26745,7 @@ index 8b40377..635442b 100644
  manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
  manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1104,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1115,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -26770,7 +26782,7 @@ index 8b40377..635442b 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1150,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1161,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -26802,7 +26814,7 @@ index 8b40377..635442b 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -705,6 +1183,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1194,14 @@ fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
  
@@ -26817,7 +26829,7 @@ index 8b40377..635442b 100644
  mls_xwin_read_to_clearance(xserver_t)
  
  selinux_validate_context(xserver_t)
-@@ -718,20 +1204,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1215,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -26841,7 +26853,7 @@ index 8b40377..635442b 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1223,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1234,6 @@ userdom_setattr_user_ttys(xserver_t)
  userdom_read_user_tmp_files(xserver_t)
  userdom_rw_user_tmpfs_files(xserver_t)
  
@@ -26850,7 +26862,7 @@ index 8b40377..635442b 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1267,50 @@ optional_policy(`
+@@ -785,17 +1278,50 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26903,7 +26915,7 @@ index 8b40377..635442b 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1318,10 @@ optional_policy(`
+@@ -803,6 +1329,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26914,7 +26926,7 @@ index 8b40377..635442b 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,18 +1337,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1348,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -26939,7 +26951,7 @@ index 8b40377..635442b 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1371,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -26974,7 +26986,7 @@ index 8b40377..635442b 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1436,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -26983,7 +26995,7 @@ index 8b40377..635442b 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1490,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -27015,7 +27027,7 @@ index 8b40377..635442b 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1525,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1536,148 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -30997,7 +31009,7 @@ index 79a45f6..b88e8a2 100644
 +	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..32af6e4 100644
+index 17eda24..1381948 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -31875,7 +31887,7 @@ index 17eda24..32af6e4 100644
 +		sysnet_relabelfrom_dhcpc_state(initrc_t)
 +		sysnet_relabelfrom_net_conf(initrc_t)
 +		sysnet_relabelto_net_conf(initrc_t)
-+		sysnet_filetrans_named_content(initrc_t)
++		#sysnet_filetrans_named_content(initrc_t)
 +	')
 +
 +	optional_policy(`
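Review bot: `#sysnet_filetrans_named_content(initrc_t)` leaves the call in init.te as a bare commented-out line with no explanation, so the next reader cannot tell whether it was disabled on purpose or forgotten. The sysnetwork.if hunks in this commit fold that interface into sysnet_manage_config (the added `sysnet_filetrans_named_content($1)` call), so the line is presumably redundant here, provided initrc_t reaches sysnet_manage_config somewhere outside this hunk, which is worth confirming. Either delete the line or make the comment say why: `# net_conf_t name transitions are now provided through sysnet_manage_config()`. The enclosing optional_policy block starts and ends outside the hunk.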
@@ -39130,10 +39142,10 @@ index 1447687..d5e6fb9 100644
  seutil_read_config(setrans_t)
  
 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..bdc6d52 100644
+index 40edc18..963b974 100644
 --- a/policy/modules/system/sysnetwork.fc
 +++ b/policy/modules/system/sysnetwork.fc
-@@ -17,23 +17,28 @@ ifdef(`distro_debian',`
+@@ -17,23 +17,27 @@ ifdef(`distro_debian',`
  /etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -39146,10 +39158,10 @@ index 40edc18..bdc6d52 100644
 +/etc/hosts[^/]*		--	gen_context(system_u:object_r:net_conf_t,s0)
  /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
  /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
++/etc/resolv\.conf.*		gen_context(system_u:object_r:net_conf_t,s0)
  /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
 +/etc/ntp\.conf		--	gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/\.resolv\.conf\.NetworkManager gen_context(system_u:object_r:net_conf_t,s0)
  
 -/etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
 +/etc/dhcp3?(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
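Review bot: Removing `/etc/\.resolv\.conf\.NetworkManager` from sysnetwork.fc leaves the dot-file names that this commit still transitions by name in sysnetwork.if, `".resolv.conf.NetworkManager"` and the newly added `".resolv.conf"` lnk_file, without a file-context entry, because the widened `/etc/resolv\.conf.*` pattern does not match a leading dot. A freshly created link gets net_conf_t from the transition, but a restorecon or full relabel would reset an existing one to the directory default, so the two labeling paths disagree; this holds unless the entry was moved elsewhere in the patch, which I cannot see from here. I would keep one entry covering both names: `/etc/\.resolv\.conf.*		gen_context(system_u:object_r:net_conf_t,s0)`. Dropping `--` from `/etc/resolv\.conf.*` is consistent with the lnk_file transitions added in the .if hunks.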
@@ -39162,11 +39174,11 @@ index 40edc18..bdc6d52 100644
 +/var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 +/var/run/systemd/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
  ')
-+/var/run/NetworkManager/resolve/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/NetworkManager/resolv\.conf   --  gen_context(system_u:object_r:net_conf_t,s0)
  
  #
  # /sbin
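Review bot: The new entry `/var/run/NetworkManager/resolv\.conf   --` is anchored on `resolv\.conf`, so it does not match `resolv.conf.tmp`, the file the changelog says is now labeled net_conf_t; only the runtime name transition `networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")` added later in this commit covers it. An existing `.tmp` file found by restorecon or a full relabel would therefore fall back to the directory's type, and the label would depend on how the file came to exist. If both names are meant to carry net_conf_t, widen the pattern: `/var/run/NetworkManager/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)`.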
-@@ -44,6 +49,7 @@ ifdef(`distro_redhat',`
+@@ -44,6 +48,7 @@ ifdef(`distro_redhat',`
  /sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/ip		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -39174,7 +39186,7 @@ index 40edc18..bdc6d52 100644
  /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
  /sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -55,6 +61,21 @@ ifdef(`distro_redhat',`
+@@ -55,6 +60,21 @@ ifdef(`distro_redhat',`
  #
  # /usr
  #
@@ -39196,7 +39208,7 @@ index 40edc18..bdc6d52 100644
  /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
  
  #
-@@ -77,3 +98,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +97,6 @@ ifdef(`distro_debian',`
  /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
  ')
  
@@ -39204,7 +39216,7 @@ index 40edc18..bdc6d52 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..b52919c 100644
+index 2cea692..fcd75c1 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39355,10 +39367,14 @@ index 2cea692..b52919c 100644
  		read_files_pattern($1, net_conf_t, net_conf_t)
  	')
  ')
-@@ -440,6 +538,40 @@ interface(`sysnet_etc_filetrans_config',`
- 	files_etc_filetrans($1, net_conf_t, file, $2)
- ')
+@@ -438,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',`
+ 	')
  
+ 	files_etc_filetrans($1, net_conf_t, file, $2)
++	files_etc_filetrans($1, net_conf_t, lnk_file, $2)
++
++')
++
 +########################################
 +## <summary>
 +##	Transition content to the type used for
@@ -39391,12 +39407,19 @@ index 2cea692..b52919c 100644
 +	')
 +
 +	filetrans_pattern($1, $2, net_conf_t, $3, $4)
-+')
-+
+ ')
+ 
  #######################################
- ## <summary>
- ##	Create, read, write, and delete network config files.
-@@ -463,12 +595,45 @@ interface(`sysnet_manage_config',`
+@@ -453,7 +587,7 @@ interface(`sysnet_etc_filetrans_config',`
+ interface(`sysnet_manage_config',`
+ 	gen_require(`
+ 		type net_conf_t;
+-	')
++        ')
+ 
+ 	allow $1 net_conf_t:file manage_file_perms;
+ 
+@@ -463,7 +597,42 @@ interface(`sysnet_manage_config',`
  	')
  
  	ifdef(`distro_redhat',`
@@ -39404,11 +39427,13 @@ index 2cea692..b52919c 100644
 +        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
  		manage_files_pattern($1, net_conf_t, net_conf_t)
- 	')
- ')
- 
- #######################################
- ## <summary>
++		manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
++	')
++    sysnet_filetrans_named_content($1)
++')
++
++#######################################
++## <summary>
 +##	Create, read, write, and delete network config dirs.
 +## </summary>
 +## <param name="domain">
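Review bot: `+    sysnet_filetrans_named_content($1)` widens what every caller of sysnet_manage_config receives: besides managing net_conf_t files it now gets name-based transitions into /etc, the init pid directory and, inside an optional_policy block, NetworkManager's pid directory, yet the interface's `<summary>` (outside this hunk) still reads as file management only. I would document the extra effect in the summary, e.g. `##	Also applies the net_conf_t named file transitions (see sysnet_filetrans_named_content).`, so callers that only need to edit existing files know what they are pulling in. Separately, `+        ')` at the end of gen_require replaces a tab with eight spaces on an otherwise unchanged line, and the new call is indented with four spaces while the rest of the interface uses tabs; both should be tabs (`	')` and `	sysnet_filetrans_named_content($1)`) so the diff shows only the real change.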
@@ -39434,15 +39459,10 @@ index 2cea692..b52919c 100644
 +        init_search_pid_dirs($1)
 +		allow $1 net_conf_t:dir list_dir_perms;
 +		manage_dirs_pattern($1, net_conf_t, net_conf_t)
-+	')
-+')
-+
-+#######################################
-+## <summary>
- ##	Read the dhcp client pid file.
- ## </summary>
- ## <param name="domain">
-@@ -501,6 +666,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+ 	')
+ ')
+ 
+@@ -501,6 +670,7 @@ interface(`sysnet_delete_dhcpc_pid',`
  		type dhcpc_var_run_t;
  	')
  
@@ -39450,7 +39470,7 @@ index 2cea692..b52919c 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -610,6 +776,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -610,6 +780,25 @@ interface(`sysnet_signull_ifconfig',`
  
  ########################################
  ## <summary>
@@ -39476,7 +39496,7 @@ index 2cea692..b52919c 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -626,6 +811,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -626,6 +815,7 @@ interface(`sysnet_read_dhcp_config',`
  	files_search_etc($1)
  	allow $1 dhcp_etc_t:dir list_dir_perms;
  	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -39484,7 +39504,7 @@ index 2cea692..b52919c 100644
  ')
  
  ########################################
-@@ -647,6 +833,26 @@ interface(`sysnet_search_dhcp_state',`
+@@ -647,6 +837,26 @@ interface(`sysnet_search_dhcp_state',`
  	allow $1 dhcp_state_t:dir search_dir_perms;
  ')
  
@@ -39511,7 +39531,7 @@ index 2cea692..b52919c 100644
  ########################################
  ## <summary>
  ##	Create DHCP state data.
-@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -711,8 +921,6 @@ interface(`sysnet_dns_name_resolve',`
  	allow $1 self:udp_socket create_socket_perms;
  	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  
@@ -39520,7 +39540,7 @@ index 2cea692..b52919c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +928,11 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_sendrecv_dns_port($1)
  	corenet_udp_sendrecv_dns_port($1)
  	corenet_tcp_connect_dns_port($1)
@@ -39532,7 +39552,7 @@ index 2cea692..b52919c 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +961,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
@@ -39541,7 +39561,7 @@ index 2cea692..b52919c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',`
+@@ -760,9 +969,14 @@ interface(`sysnet_use_ldap',`
  
  	# Support for LDAPS
  	dev_read_rand($1)
@@ -39556,7 +39576,7 @@ index 2cea692..b52919c 100644
  ')
  
  ########################################
-@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +998,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -39564,7 +39584,7 @@ index 2cea692..b52919c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1005,120 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1009,122 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -39634,6 +39654,7 @@ index 2cea692..b52919c 100644
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
++	files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
 +	files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
 +	files_etc_filetrans($1, net_conf_t, file, "denyhosts")
 +	files_etc_filetrans($1, net_conf_t, file, "hosts")
@@ -39644,8 +39665,9 @@ index 2cea692..b52919c 100644
 +	init_pid_filetrans($1, net_conf_t, dir, "network")
 +
 +	optional_policy(`
-+		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
-+	')
++	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
++	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
++    ')
 +')
 +
 +########################################
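Review bot: The re-indentation of `networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")` and of the closing `')` of the optional_policy block turns tabs into a tab plus four spaces and into four spaces respectively, so two of the three changed lines are whitespace-only noise around the one real addition, `"resolv.conf.tmp"`. Keeping the original indentation makes the hunk show just the new transition: `		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")` and `	')`. The body of sysnet_filetrans_named_content begins outside the hunk.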
@@ -41601,10 +41623,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..db531dc
+index 0000000..3ebbad0
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,707 @@
+@@ -0,0 +1,706 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41863,7 +41885,6 @@ index 0000000..db531dc
 +
 +auth_read_passwd(systemd_networkd_t)
 +
-+sysnet_filetrans_named_content(systemd_networkd_t)
 +sysnet_manage_config(systemd_networkd_t)
 +sysnet_manage_config_dirs(systemd_networkd_t)
 +
@@ -42610,7 +42631,7 @@ index 9a1650d..d7e8a01 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..880b174 100644
+index 39f185f..a253f3f 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -42769,12 +42790,11 @@ index 39f185f..880b174 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -169,7 +191,11 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,7 +191,10 @@ sysnet_read_dhcpc_pid(udev_t)
  sysnet_delete_dhcpc_pid(udev_t)
  sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
 -sysnet_etc_filetrans_config(udev_t)
-+sysnet_filetrans_named_content(udev_t)
 +#sysnet_etc_filetrans_config(udev_t)
 +
 +systemd_login_read_pid_files(udev_t)
@@ -42782,7 +42802,7 @@ index 39f185f..880b174 100644
  
  userdom_dontaudit_search_user_home_content(udev_t)
  
-@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',`
+@@ -195,16 +220,9 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -42801,7 +42821,7 @@ index 39f185f..880b174 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -242,6 +261,7 @@ optional_policy(`
+@@ -242,6 +260,7 @@ optional_policy(`
  
  optional_policy(`
  	cups_domtrans_config(udev_t)
@@ -42809,7 +42829,7 @@ index 39f185f..880b174 100644
  ')
  
  optional_policy(`
-@@ -249,17 +269,31 @@ optional_policy(`
+@@ -249,17 +268,31 @@ optional_policy(`
  	dbus_use_system_bus_fds(udev_t)
  
  	optional_policy(`
@@ -42843,7 +42863,7 @@ index 39f185f..880b174 100644
  ')
  
  optional_policy(`
-@@ -289,6 +323,10 @@ optional_policy(`
+@@ -289,6 +322,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42854,7 +42874,7 @@ index 39f185f..880b174 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -303,6 +341,15 @@ optional_policy(`
+@@ -303,6 +340,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42870,7 +42890,7 @@ index 39f185f..880b174 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -315,6 +362,7 @@ optional_policy(`
+@@ -315,6 +361,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 4febba8..94d6196 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -27741,7 +27741,7 @@ index 50d0084..94e1936 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..9ebb247 100644
+index cf0e567..6c3ce35 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -27769,7 +27769,7 @@ index cf0e567..9ebb247 100644
  files_list_var(fail2ban_t)
  files_dontaudit_list_tmp(fail2ban_t)
  
-@@ -92,24 +90,38 @@ fs_getattr_all_fs(fail2ban_t)
+@@ -92,24 +90,37 @@ fs_getattr_all_fs(fail2ban_t)
  auth_use_nsswitch(fail2ban_t)
  
  logging_read_all_logs(fail2ban_t)
@@ -27785,7 +27785,6 @@ index cf0e567..9ebb247 100644
 -sysnet_etc_filetrans_config(fail2ban_t)
 -
 -mta_send_mail(fail2ban_t)
-+sysnet_filetrans_named_content(fail2ban_t)
  
  optional_policy(`
  	apache_read_log(fail2ban_t)
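Review bot: With `sysnet_filetrans_named_content(fail2ban_t)` dropped here and `sysnet_etc_filetrans_config(fail2ban_t)` already removed on the inner `-` line just above, nothing visible in this hunk gives fail2ban_t a name-based transition for files it creates under /etc (the base patch labels `/etc/hosts\.deny.*` as net_conf_t). Unless fail2ban.te calls sysnet_manage_config, which now carries the transitions, somewhere outside this hunk, a newly created hosts.deny would take the /etc directory's default type rather than net_conf_t. Worth confirming before merge; if the replacement exists, naming it in the changelog line `Remove sysnet_filetrans_named_content from fail2ban` would make the intent clear.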
@@ -27812,7 +27811,7 @@ index cf0e567..9ebb247 100644
  	iptables_domtrans(fail2ban_t)
  ')
  
-@@ -118,6 +130,10 @@ optional_policy(`
+@@ -118,6 +129,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27823,7 +27822,7 @@ index cf0e567..9ebb247 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -131,22 +147,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
@@ -101816,10 +101815,10 @@ index 0000000..9524b50
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..02ed710
+index 0000000..e80cde4
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,162 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -101891,6 +101890,7 @@ index 0000000..02ed710
 +corecmd_exec_shell(thumb_t)
 +
 +corenet_tcp_connect_xserver_port(thumb_t)
++corenet_dontaudit_tcp_connect_all_ports(thumb_t)
 +
 +dev_read_sysfs(thumb_t)
 +dev_read_urand(thumb_t)
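Review bot: `corenet_dontaudit_tcp_connect_all_ports(thumb_t)` suppresses the audit record for every outbound TCP connect attempt by the thumb_t domain, not just the case from the referenced bug, and it is added without a comment. The access stays denied, but the denials disappear from the audit log, so a thumbnailer that unexpectedly reaches out to the network leaves no trace; that is a deliberate blind spot and should be recorded at the site: `# BZ(1187981): silence connect denials from thumb_t; the access itself stays denied`. If the bug report identifies a single port type, a dontaudit on that type alone would keep the remaining attempts visible. thumb.te is new in this patch and the rest of the domain's rules are outside the hunk.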
diff --git a/selinux-policy.spec b/selinux-policy.spec
index df4dbf4..0643b43 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 107%{?dist}
+Release: 108%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -605,6 +605,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Feb 04 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-108
+- Fix labels, improve sysnet_manage_config interface.
+- Label /var/run/NetworkManager/resolv.conf.tmp as net_conf_t.
+- Dontaudit network connections related to thumb_t. BZ(1187981)
+- Remove sysnet_filetrans_named_content from fail2ban
+
 * Thu Feb 02 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-107
 - Fix labels on new location of resolv.conf
 - syslog is not writing to the audit socket

