[selinux-policy/f21] * Mon Mar 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.8 - Merge docker policy from rawhide.
Lukas Vrabec
lvrabec at fedoraproject.org
Mon Mar 16 17:15:53 UTC 2015
commit a5e394eaf67d047ae3d1cff5049367c861b7744e
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Mon Mar 16 18:15:45 2015 +0100
* Mon Mar 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.8
- Merge docker policy from rawhide.
- Allow docker to relablefrom/to sockets and docker_log_t
- Allow docker to communicate with openvswitch
- Fix some resolv problems
- Remove automatically running filetrans_named_content from sysnet_manage_config
- Allow all domains that read resolv.conf to search through /run. Since multiple domains including NetworkManager will be putting their resolv.conf into this directory
- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
- Fix labels, improve sysnet_manage_config interface.
policy-f21-base.patch | 112 ++++++++++++++++++++++++++---------------------
policy-f21-contrib.patch | 80 ++++++++++++++++++++++++---------
selinux-policy.spec | 12 ++++-
3 files changed, 133 insertions(+), 71 deletions(-)
---
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 9267ea1..13f8ce3 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -30929,7 +30929,7 @@ index 79a45f6..b88e8a2 100644
+ init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..32af6e4 100644
+index 17eda24..1381948 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -31807,7 +31807,7 @@ index 17eda24..32af6e4 100644
+ sysnet_relabelfrom_dhcpc_state(initrc_t)
+ sysnet_relabelfrom_net_conf(initrc_t)
+ sysnet_relabelto_net_conf(initrc_t)
-+ sysnet_filetrans_named_content(initrc_t)
++ #sysnet_filetrans_named_content(initrc_t)
+ ')
+
+ optional_policy(`
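Review bot: The `sysnet_filetrans_named_content(initrc_t)` call is commented out with a `#` prefix rather than deleted, leaving dead policy text in init.te. The same commit removes the equivalent calls outright for systemd_networkd_t and udev_t, so for consistency and readability drop the line instead of keeping `#sysnet_filetrans_named_content(initrc_t)`. The enclosing optional_policy block starts outside the hunk.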
@@ -39119,7 +39119,7 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..76506a4 100644
+index 40edc18..b328c40 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -17,23 +17,27 @@ ifdef(`distro_debian',`
@@ -39135,7 +39135,8 @@ index 40edc18..76506a4 100644
+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+-/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
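Review bot: Dropping the `--` qualifier from `/etc/resolv\.conf.*` makes the entry apply to every object class at that path (directories, sockets, fifos), not only the regular file and the symlink the change is presumably after. If the goal is to label a symlinked resolv.conf, a second entry scoped to links keeps the spec tight: keep `/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)` and add `/etc/resolv\.conf.* -l gen_context(system_u:object_r:net_conf_t,s0)`.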
@@ -39150,7 +39151,7 @@ index 40edc18..76506a4 100644
+/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
')
-+/var/run/NetworkManager/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
++/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
#
# /sbin
@@ -39192,7 +39193,7 @@ index 40edc18..76506a4 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..eb967c7 100644
+index 2cea692..a1734af 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39343,10 +39344,14 @@ index 2cea692..eb967c7 100644
read_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -440,6 +538,40 @@ interface(`sysnet_etc_filetrans_config',`
- files_etc_filetrans($1, net_conf_t, file, $2)
- ')
+@@ -438,6 +536,42 @@ interface(`sysnet_etc_filetrans_config',`
+ ')
+ files_etc_filetrans($1, net_conf_t, file, $2)
++ files_etc_filetrans($1, net_conf_t, lnk_file, $2)
++
++')
++
+########################################
+## <summary>
+## Transition content to the type used for
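Review bot: `sysnet_etc_filetrans_config` now also transitions `lnk_file` objects to net_conf_t via the added `files_etc_filetrans($1, net_conf_t, lnk_file, $2)`, but the interface's `<summary>` and `<param>` documentation (above the hunk, not on this page) is not updated alongside and will presumably still describe regular files only. Update the summary to state that both files and symlinks created in /etc with the given name receive the net_conf_t type. The interface definition starts outside the hunk.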
@@ -39379,12 +39384,19 @@ index 2cea692..eb967c7 100644
+ ')
+
+ filetrans_pattern($1, $2, net_conf_t, $3, $4)
-+')
-+
+ ')
+
#######################################
- ## <summary>
- ## Create, read, write, and delete network config files.
-@@ -463,12 +595,45 @@ interface(`sysnet_manage_config',`
+@@ -453,7 +587,7 @@ interface(`sysnet_etc_filetrans_config',`
+ interface(`sysnet_manage_config',`
+ gen_require(`
+ type net_conf_t;
+- ')
++ ')
+
+ allow $1 net_conf_t:file manage_file_perms;
+
+@@ -463,7 +597,41 @@ interface(`sysnet_manage_config',`
')
ifdef(`distro_redhat',`
@@ -39392,11 +39404,12 @@ index 2cea692..eb967c7 100644
+ init_search_pid_dirs($1)
+ allow $1 net_conf_t:dir list_dir_perms;
manage_files_pattern($1, net_conf_t, net_conf_t)
- ')
- ')
-
- #######################################
- ## <summary>
++ manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
++ ')
++')
++
++#######################################
++## <summary>
+## Create, read, write, and delete network config dirs.
+## </summary>
+## <param name="domain">
@@ -39422,15 +39435,10 @@ index 2cea692..eb967c7 100644
+ init_search_pid_dirs($1)
+ allow $1 net_conf_t:dir list_dir_perms;
+ manage_dirs_pattern($1, net_conf_t, net_conf_t)
-+ ')
-+')
-+
-+#######################################
-+## <summary>
- ## Read the dhcp client pid file.
- ## </summary>
- ## <param name="domain">
-@@ -501,6 +666,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+ ')
+ ')
+
+@@ -501,6 +669,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -39438,7 +39446,7 @@ index 2cea692..eb967c7 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -610,6 +776,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -610,6 +779,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
## <summary>
@@ -39464,7 +39472,7 @@ index 2cea692..eb967c7 100644
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
-@@ -626,6 +811,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -626,6 +814,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -39472,7 +39480,7 @@ index 2cea692..eb967c7 100644
')
########################################
-@@ -647,6 +833,26 @@ interface(`sysnet_search_dhcp_state',`
+@@ -647,6 +836,26 @@ interface(`sysnet_search_dhcp_state',`
allow $1 dhcp_state_t:dir search_dir_perms;
')
@@ -39499,7 +39507,7 @@ index 2cea692..eb967c7 100644
########################################
## <summary>
## Create DHCP state data.
-@@ -711,8 +917,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -711,8 +920,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@@ -39508,19 +39516,21 @@ index 2cea692..eb967c7 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -720,8 +924,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -720,8 +927,13 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
-+ corenet_tcp_connect_dnssec_port($1)
++ corenet_tcp_connect_dnssec_port($1)
corenet_sendrecv_dns_client_packets($1)
++ files_search_all_pids($1)
++
+ miscfiles_read_generic_certs($1)
+
sysnet_read_config($1)
optional_policy(`
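Review bot: `files_search_all_pids($1)` inside `sysnet_dns_name_resolve` grants search on every pid-directory type to every domain that resolves names, which is wider than the stated need of following the resolv.conf symlink into /run. Search is a low-impact permission, but because this interface is called from most of the policy the grant becomes effectively global; a narrower form would be `files_search_pids($1)` for the /run top level plus search on the specific NetworkManager and systemd-resolved pid directories, if those are the only link targets. The interface body continues outside the hunk in both directions.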
-@@ -750,8 +957,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +962,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -39529,7 +39539,7 @@ index 2cea692..eb967c7 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -760,9 +965,14 @@ interface(`sysnet_use_ldap',`
+@@ -760,9 +970,14 @@ interface(`sysnet_use_ldap',`
# Support for LDAPS
dev_read_rand($1)
@@ -39544,7 +39554,7 @@ index 2cea692..eb967c7 100644
')
########################################
-@@ -784,7 +994,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +999,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -39552,7 +39562,7 @@ index 2cea692..eb967c7 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1005,116 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1010,120 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -39622,6 +39632,8 @@ index 2cea692..eb967c7 100644
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
++ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
++ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
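Review bot: The new named transitions give `.resolv.conf` and `.resolv.conf.NetworkManager` symlinks in /etc the net_conf_t type at creation, but no file context on this page matches a leading-dot name; `/etc/resolv\.conf.*` in sysnetwork.fc is anchored and does not cover `/etc/.resolv.conf…`. Unless an entry exists elsewhere in the patch, a relabel of /etc (restorecon or autorelabel) resets these links to the /etc default and the transitions and the fc disagree; adding `/etc/\.resolv\.conf.* -l gen_context(system_u:object_r:net_conf_t,s0)` to sysnetwork.fc keeps them consistent. The enclosing interface (presumably sysnet_filetrans_named_content, per the changelog) starts outside the hunk.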
@@ -39630,6 +39642,8 @@ index 2cea692..eb967c7 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+ init_pid_filetrans($1, net_conf_t, dir, "network")
+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
++ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
++ ')
+')
+
+########################################
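Review bot: The added `')` after the new `networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")` closes a quoted block that is not opened anywhere in the hunk, so the interface now has one more closing quote than the visible lines account for. Presumably it pairs with an optional_policy block opened earlier in the interface, as networkmanager is a contrib module and its interfaces must be wrapped when called from base; if no such opening exists above, the extra `')` ends the enclosing interface early and the m4 expansion of sysnetwork.if breaks. Please confirm the opening is present, or wrap the two `networkmanager_pid_filetrans` calls in their own optional_policy block. The enclosing interface starts outside the hunk.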
@@ -41585,10 +41599,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..db531dc
+index 0000000..3ebbad0
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,707 @@
+@@ -0,0 +1,706 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -41847,7 +41861,6 @@ index 0000000..db531dc
+
+auth_read_passwd(systemd_networkd_t)
+
-+sysnet_filetrans_named_content(systemd_networkd_t)
+sysnet_manage_config(systemd_networkd_t)
+sysnet_manage_config_dirs(systemd_networkd_t)
+
@@ -42594,7 +42607,7 @@ index 9a1650d..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f..880b174 100644
+index 39f185f..a253f3f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -42753,12 +42766,11 @@ index 39f185f..880b174 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -169,7 +191,11 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,7 +191,10 @@ sysnet_read_dhcpc_pid(udev_t)
sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
-sysnet_etc_filetrans_config(udev_t)
-+sysnet_filetrans_named_content(udev_t)
+#sysnet_etc_filetrans_config(udev_t)
+
+systemd_login_read_pid_files(udev_t)
@@ -42766,7 +42778,7 @@ index 39f185f..880b174 100644
userdom_dontaudit_search_user_home_content(udev_t)
-@@ -195,16 +221,9 @@ ifdef(`distro_gentoo',`
+@@ -195,16 +220,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -42785,7 +42797,7 @@ index 39f185f..880b174 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -242,6 +261,7 @@ optional_policy(`
+@@ -242,6 +260,7 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -42793,7 +42805,7 @@ index 39f185f..880b174 100644
')
optional_policy(`
-@@ -249,17 +269,31 @@ optional_policy(`
+@@ -249,17 +268,31 @@ optional_policy(`
dbus_use_system_bus_fds(udev_t)
optional_policy(`
@@ -42827,7 +42839,7 @@ index 39f185f..880b174 100644
')
optional_policy(`
-@@ -289,6 +323,10 @@ optional_policy(`
+@@ -289,6 +322,10 @@ optional_policy(`
')
optional_policy(`
@@ -42838,7 +42850,7 @@ index 39f185f..880b174 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -303,6 +341,15 @@ optional_policy(`
+@@ -303,6 +340,15 @@ optional_policy(`
')
optional_policy(`
@@ -42854,7 +42866,7 @@ index 39f185f..880b174 100644
unconfined_signal(udev_t)
')
-@@ -315,6 +362,7 @@ optional_policy(`
+@@ -315,6 +361,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index 77b0978..a608b6f 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -3026,7 +3026,7 @@ index 0000000..36251b9
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..cb58319
+index 0000000..253a684
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,270 @@
@@ -3295,9 +3295,9 @@ index 0000000..cb58319
+
+optional_policy(`
+ spamd_stream_connect(clamd_t)
-+ spamassassin_exec(antivirus_domain)
-+ spamassassin_exec_client(antivirus_domain)
-+ spamassassin_read_lib_files(antivirus_domain)
++ spamassassin_exec(antivirus_domain)
++ spamassassin_exec_client(antivirus_domain)
++ spamassassin_read_lib_files(antivirus_domain)
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
@@ -24910,10 +24910,10 @@ index 0000000..a4aa484
+
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..c8e5981
+index 0000000..1542da8
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,372 @@
+@@ -0,0 +1,392 @@
+
+## <summary>The open-source application container engine.</summary>
+
@@ -25237,6 +25237,26 @@ index 0000000..c8e5981
+ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
+')
+
++########################################
++## <summary>
++## Connect to SPC containers over a unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`docker_spc_stream_connect',`
++ gen_require(`
++ type spc_t, spc_var_run_t;
++ ')
++
++ files_search_pids($1)
++ files_write_all_pid_sockets($1)
++ allow $1 spc_t:unix_stream_socket connectto;
++')
++
+
+########################################
+## <summary>
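Review bot: `docker_spc_stream_connect` requires `spc_var_run_t` but never uses it, and reaches the socket through `files_write_all_pid_sockets($1)`, which grants write on every pid socket under /run rather than the one container socket; this is far wider than the sibling `docker_stream_connect`, which is scoped with `stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)`. `spc_var_run_t` is also not declared in the docker.te additions on this page, so the gen_require will fail for any caller unless the type is defined elsewhere. Either declare the type and use `stream_connect_pattern($1, spc_var_run_t, spc_var_run_t, spc_t)` in place of the last two allow lines, or drop `spc_var_run_t` from the require and document why the broad write grant is needed.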
@@ -25288,10 +25308,10 @@ index 0000000..c8e5981
+
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..a00bb59
+index 0000000..f85020e
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,304 @@
+@@ -0,0 +1,324 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -25307,19 +25327,16 @@ index 0000000..a00bb59
+## </desc>
+gen_tunable(docker_connect_any, false)
+
-+## <desc>
-+## <p>
-+## Allow docker to transition to unconfined containers.
-+## </p>
-+## </desc>
-+gen_tunable(docker_transition_unconfined, false)
-+
+type docker_t;
+type docker_exec_t;
+init_daemon_domain(docker_t, docker_exec_t)
+domain_subj_id_change_exemption(docker_t)
+domain_role_change_exemption(docker_t)
+
++type spc_t;
++domain_type(spc_t)
++role system_r types spc_t;
++
+type docker_var_lib_t;
+files_type(docker_var_lib_t)
+
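Review bot: Removing the `docker_transition_unconfined` tunable takes away the administrator's switch over whether docker may launch unconfined containers: the new `spc_t` domain declared here becomes unconfined via `unconfined_domain_noaudit(spc_t)` when the unconfined module is present, and docker_t transitions to it unconditionally on docker_share_t and docker_var_lib_t entry points (the later "spc local policy" hunk), so any executable docker_t runs from those labels ends up effectively unconfined under the default policy. If that is the intended SPC behaviour, record it with a comment above `type spc_t;`, e.g. `# super privileged container domain: unconditionally unconfined when the unconfined module is loaded`; otherwise keep a tunable around the domtrans_pattern rules so the transition stays opt-in.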
@@ -25372,6 +25389,7 @@ index 0000000..a00bb59
+
+manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
+manage_files_pattern(docker_t, docker_config_t, docker_config_t)
++files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
+
+manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
+manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
@@ -25381,6 +25399,7 @@ index 0000000..a00bb59
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
++allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
+
+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
@@ -25483,6 +25502,10 @@ index 0000000..a00bb59
+ iptables_domtrans(docker_t)
+')
+
++optional_policy(`
++ openvswitch_stream_connect(docker_t)
++')
++
+#
+# lxc rules
+#
@@ -25590,11 +25613,28 @@ index 0000000..a00bb59
+ corenet_tcp_sendrecv_all_ports(docker_t)
+')
+
-+tunable_policy(`docker_transition_unconfined',`
-+ unconfined_transition(docker_t, docker_share_t)
-+ unconfined_transition(docker_t, docker_var_lib_t)
-+ unconfined_setsched(docker_t)
-+ userdom_attach_admin_tun_iface(docker_t)
++########################################
++#
++# spc local policy
++#
++domain_entry_file(spc_t, docker_share_t)
++domain_entry_file(spc_t, docker_var_lib_t)
++role system_r types spc_t;
++
++domain_entry_file(spc_t, docker_share_t)
++domain_entry_file(spc_t, docker_var_lib_t)
++domtrans_pattern(docker_t, docker_share_t, spc_t)
++domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
++allow docker_t spc_t:process { setsched signal_perms };
++ps_process_pattern(docker_t, spc_t)
++allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
++
++optional_policy(`
++ unconfined_domain_noaudit(spc_t)
++')
++
++optional_policy(`
++ virt_transition_svirt_sandbox(spc_t, system_r)
+')
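Review bot: The spc local policy block declares `role system_r types spc_t;`, `domain_entry_file(spc_t, docker_share_t)` and `domain_entry_file(spc_t, docker_var_lib_t)` twice each: the role statement repeats the one added in the earlier declarations hunk, and the two domain_entry_file calls are repeated within this hunk itself. The duplicates compile because identical rules merge, but they obscure what the block actually adds; keep one copy of each, ideally next to the domtrans_pattern calls that use them.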
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 03605cb..e6a7801 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 105.7%{?dist}
+Release: 105.8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.8
+- Merge docker policy from rawhide.
+- Allow docker to relablefrom/to sockets and docker_log_t
+- Allow docker to communicate with openvswitch
+- Fix some resolv problems
+- Remove automatcically running filetrans_named_content form sysnet_manage_config
+- Allow all domains that read resolv.conf to search through /run. Since multiple domains including NetworkManager will be putting their resolv.conf into this directory
+- Allow apps that create net_conf_t content to create .resolv.conf.NetworkManager
+- Fix labels, improve sysnet_manage_config interface.
+
* Fri Mar 09 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.7
- Allow spamc read spamd_etc_t files. BZ(1199339).
- Allow collectd to write to smnpd_var_lib_t dirs. BZ(1199278)