lvrabec pushed to selinux-policy (master). "* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-124 (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Wed Apr 15 15:14:51 UTC 2015
>From 28cc160db1f8815708db6de3c64b03cf5a6aea72 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed, 15 Apr 2015 17:14:18 +0200
Subject: * Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-124 - Add
more restriction on entrypoint for unconfined domains.
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c471c0e..c20f6c9 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -16174,7 +16174,7 @@ index 8416beb..19d6aba 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..3ed4189 100644
+index e7d1738..6ac60c3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -16308,6 +16308,19 @@ index e7d1738..3ed4189 100644
########################################
#
+@@ -301,9 +322,10 @@ fs_associate_noxattr(noxattrfs)
+ # Unconfined access to this module
+ #
+
+-allow filesystem_unconfined_type filesystem_type:filesystem *;
++allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;
+
+ # Create/access other files. fs_type is to pick up various
+ # pseudo filesystem types that are applied to both the filesystem
+ # and its files.
+-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
++allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
++allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
index 7be4ddf..9710b33 100644
--- a/policy/modules/kernel/kernel.fc
@@ -17578,7 +17591,7 @@ index e100d88..991e1a5 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..96d9a91 100644
+index 8dbab4c..15c063c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -17865,7 +17878,23 @@ index 8dbab4c..96d9a91 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) {
+ # Rules for unconfined acccess to this module
+ #
+
+-allow kern_unconfined proc_type:{ dir file lnk_file } *;
++allow kern_unconfined proc_type:{ file } ~entrypoint;
++allow kern_unconfined proc_type:{ dir lnk_file } *;
+
+-allow kern_unconfined sysctl_type:{ dir file } *;
++allow kern_unconfined sysctl_type:{ file } ~entrypoint;
++allow kern_unconfined sysctl_type:{ dir } *;
+
+ allow kern_unconfined kernel_t:system *;
+
+-allow kern_unconfined unlabeled_t:dir_file_class_set *;
++allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
++allow kern_unconfined unlabeled_t:file ~entrypoint;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c3b13e..261ecaa 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 123%{?dist}
+Release: 124%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,7 +602,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Wed Apr 14 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123
+* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-124
+- Add more restriction on entrypoint for unconfined domains.
+
+* Tue Apr 14 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=master&id=28cc160db1f8815708db6de3c64b03cf5a6aea72
More information about the scm-commits
mailing list