[selinux-policy/f14/master] - Add support for a new cluster service - foghorn - Add /var/spool/audit support for new version of
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Mar 25 10:48:09 UTC 2011
commit 8ccf1a5532c3f38286389763f98a8fb613f21af0
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Mar 25 11:48:23 2011 +0000
- Add support for a new cluster service - foghorn
- Add /var/spool/audit support for new version of audit
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- Allow syslogd setrlimit, sys_nice
- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed
policy-F14.patch | 201 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 11 +++-
2 files changed, 159 insertions(+), 53 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index b9ed5a3..1035747 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -22023,7 +22023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.9.7/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dovecot.te 2011-02-25 17:40:39.890526101 +0000
++++ serefpolicy-3.9.7/policy/modules/services/dovecot.te 2011-03-25 10:20:51.359630001 +0000
@@ -18,7 +18,7 @@
files_tmp_file(dovecot_auth_tmp_t)
@@ -22172,7 +22172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,4 +335,11 @@
+@@ -302,4 +335,15 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
@@ -22183,6 +22183,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+ # Handle sieve scripts
+ allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
+ sendmail_domtrans(dovecot_deliver_t)
++')
++
++optional_policy(`
++ postfix_rw_master_pipes(dovecot_deliver_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/drbd.fc serefpolicy-3.9.7/policy/modules/services/drbd.fc
--- nsaserefpolicy/policy/modules/services/drbd.fc 1970-01-01 00:00:00.000000000 +0000
@@ -24626,7 +24630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb
+sysnet_read_config(jabberd_domain)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.9.7/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.fc 2011-02-25 17:40:40.007523221 +0000
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.fc 2011-03-25 08:27:37.937630001 +0000
@@ -8,7 +8,7 @@
/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -24638,7 +24642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.9.7/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.if 2011-02-25 17:40:40.023522826 +0000
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.if 2011-03-25 11:18:07.215630001 +0000
@@ -26,9 +26,9 @@
## Execute kadmind in the current domain
## </summary>
@@ -24728,7 +24732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +395,22 @@
+@@ -378,3 +395,41 @@
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -24751,9 +24755,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+
+ files_tmp_filetrans($1, krb5_host_rcache_t, file)
+')
++
++########################################
++## <summary>
++## read kerberos homedir content (.k5login)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`kerberos_read_home_content',`
++ gen_require(`
++ type krb5_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, krb5_home_t, krb5_home_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.9.7/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.te 2011-02-25 17:40:40.024522801 +0000
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.te 2011-03-25 08:27:15.309630001 +0000
@@ -6,9 +6,9 @@
#
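Review bot: `kerberos_read_home_content` declares no per-caller types, so by refpolicy convention it should be an `interface(`, not a `template(`; templates are for blocks that instantiate types from their argument. Only `read_files_pattern` is granted, so a `~/.k5login` that is a symlink (not unusual when it points at a shared file) still fails; if that is meant to work, add `read_lnk_files_pattern($1, krb5_home_t, krb5_home_t)`. The summary would read better as `## Read kerberos content (.k5login) in user home directories`. This assumes `krb5_home_t` is declared in kerberos.te and that kerberos.fc labels `.k5login` with it; neither is visible in this hunk.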
@@ -31046,7 +31069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.9.7/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-02-25 17:40:40.369514310 +0000
++++ serefpolicy-3.9.7/policy/modules/services/postfix.if 2011-03-25 10:18:09.630630001 +0000
@@ -35,7 +35,7 @@
role system_r types postfix_$1_t;
@@ -31127,7 +31150,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
#
interface(`postfix_stream_connect_master',`
gen_require(`
-@@ -529,6 +550,25 @@
+@@ -414,6 +435,24 @@
+ stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
+ ')
+
++#######################################
++## <summary>
++## Allow read/write postfix master pipes
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_rw_master_pipes',`
++ gen_require(`
++ type postfix_master_t;
++ ')
++
++ allow $1 postfix_master_t:fifo_file rw_fifo_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute the master postdrop in the
+@@ -529,6 +568,25 @@
########################################
## <summary>
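Review bot: The summary on `postfix_rw_master_pipes` does not say which pipes these are: `postfix_master_t:fifo_file` matches unnamed pipes created by the postfix master process (anonymous pipes carry their creator's domain type), presumably the ones the pipe(8) transport hands to the delivery command it spawns, not FIFOs under /var/spool/postfix. Suggest `## Read and write unnamed pipes inherited from the postfix master process`. The interface grants only the fifo_file permissions and no `fd use` on postfix_master_t, so a caller that lacks such a rule still gets a denial on the inherited descriptor; worth a line in the description. Both new callers in this commit (dovecot_deliver_t, spamc_t) are in other hunks.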
@@ -31153,7 +31201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Search postfix mail spool directories.
## </summary>
## <param name="domain">
-@@ -539,10 +579,10 @@
+@@ -539,10 +597,10 @@
#
interface(`postfix_search_spool',`
gen_require(`
@@ -31166,7 +31214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_spool($1)
')
-@@ -558,10 +598,10 @@
+@@ -558,10 +616,10 @@
#
interface(`postfix_list_spool',`
gen_require(`
@@ -31179,7 +31227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_spool($1)
')
-@@ -577,11 +617,11 @@
+@@ -577,11 +635,11 @@
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -31193,7 +31241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -596,11 +636,11 @@
+@@ -596,11 +654,11 @@
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -31207,7 +31255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -621,3 +661,103 @@
+@@ -621,3 +679,103 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -37062,7 +37110,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.9.7/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/spamassassin.te 2011-02-25 17:40:40.556509706 +0000
++++ serefpolicy-3.9.7/policy/modules/services/spamassassin.te 2011-03-25 10:21:53.251630001 +0000
@@ -6,54 +6,93 @@
#
@@ -37276,7 +37324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -254,27 +322,40 @@
+@@ -254,27 +322,41 @@
sysnet_read_config(spamc_t)
@@ -37311,6 +37359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
+ postfix_domtrans_postdrop(spamc_t)
+ postfix_search_spool(spamc_t)
+ postfix_rw_local_pipes(spamc_t)
++ postfix_rw_master_pipes(spamc_t)
')
optional_policy(`
@@ -37323,7 +37372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
########################################
-@@ -286,7 +367,7 @@
+@@ -286,7 +368,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -37332,7 +37381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -302,10 +383,17 @@
+@@ -302,10 +384,17 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -37351,7 +37400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +402,15 @@
+@@ -314,11 +403,15 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -37369,7 +37418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -367,22 +459,27 @@
+@@ -367,22 +460,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -37401,7 +37450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
fs_manage_cifs_files(spamd_t)
')
-@@ -399,7 +496,9 @@
+@@ -399,7 +497,9 @@
')
optional_policy(`
@@ -37411,7 +37460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -408,25 +507,17 @@
+@@ -408,25 +508,17 @@
')
optional_policy(`
@@ -37439,7 +37488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
postgresql_stream_connect(spamd_t)
')
-@@ -437,6 +528,10 @@
+@@ -437,6 +529,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -38259,7 +38308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
sssd_initrc_domtrans($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.9.7/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/sssd.te 2011-02-25 17:40:40.573509288 +0000
++++ serefpolicy-3.9.7/policy/modules/services/sssd.te 2011-03-25 08:30:50.796630001 +0000
@@ -28,9 +28,11 @@
#
# sssd local policy
@@ -38326,10 +38375,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -88,3 +101,11 @@
+@@ -87,4 +100,25 @@
+
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
- ')
++ kerberos_read_home_content(sssd_t)
++')
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
@@ -38338,6 +38389,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
+optional_policy(`
+ ldap_stream_connect(sssd_t)
+')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(sssd_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(sssd_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_read_fusefs_files(sssd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.9.7/policy/modules/services/stunnel.if
--- nsaserefpolicy/policy/modules/services/stunnel.if 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/stunnel.if 2011-02-25 17:40:40.574509263 +0000
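Review bot: The three `tunable_policy` blocks give sssd_t read access to every file on NFS, CIFS and FUSE mounts, not just `~/.k5login`: nfs_t, cifs_t and fusefs_t label whole filesystems, so `fs_read_*_files` cannot be narrowed to home directories. They also sit outside the kerberos `optional_policy` that motivates them (the `kerberos_read_home_content(sssd_t)` call in the previous hunk), so the grant stays on a host with no kerberos policy; if `.k5login` is the only reason, keep them next to that call and say so: `# ~/.k5login lookups when home directories live on NFS/CIFS/FUSE`. As in the local case these interfaces read files only, so a symlinked `.k5login` on such a mount would presumably still need the matching `fs_read_*_symlinks` rule.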
@@ -45229,7 +45292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.9.7/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/ipsec.te 2011-02-25 17:40:40.828503011 +0000
++++ serefpolicy-3.9.7/policy/modules/system/ipsec.te 2011-03-25 08:41:53.917630001 +0000
@@ -72,7 +72,7 @@
#
@@ -45277,7 +45340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -184,8 +188,8 @@
+@@ -184,14 +188,16 @@
#
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
@@ -45288,7 +45351,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -224,7 +228,6 @@
+ allow ipsec_mgmt_t self:key_socket create_socket_perms;
+ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+
++allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
++
+ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
+ files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
+
+@@ -224,7 +230,6 @@
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
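Review bot: `allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };` needs a comment, because neither permission is obviously about core dumps: `rlimitinh` lets ipsec_t keep the resource limits of ipsec_mgmt_t (presumably a raised `ulimit -c` from the ipsec scripts) across the domain transition, where the kernel would otherwise reset them to init's soft limits, and `sigchld` in this direction lets ipsec_mgmt_t deliver SIGCHLD to ipsec_t, which only matters where pluto itself spawns helpers in ipsec_mgmt_t (the updown scripts, presumably). Suggest `# pluto keeps the rlimits (core size) set by the ipsec scripts; its helpers report exit status back`. Note that `rlimitinh` carries every limit, not only RLIMIT_CORE, so a lowered RLIMIT_NOFILE or RLIMIT_NPROC in the shell that ran `ipsec start` now reaches the daemon too.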
@@ -45296,7 +45367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -243,6 +246,17 @@
+@@ -243,6 +248,17 @@
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -45314,7 +45385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -257,7 +271,7 @@
+@@ -257,7 +273,7 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -45323,20 +45394,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -275,8 +289,11 @@
+@@ -275,8 +291,11 @@
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+term_use_all_terms(ipsec_mgmt_t)
-+
-+auth_dontaudit_read_login_records(ipsec_mgmt_t)
++auth_dontaudit_read_login_records(ipsec_mgmt_t)
++
+init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
-@@ -290,7 +307,9 @@
+@@ -290,7 +309,9 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
@@ -45346,7 +45417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -299,6 +318,23 @@
+@@ -299,6 +320,23 @@
')
optional_policy(`
@@ -45370,7 +45441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -385,6 +421,8 @@
+@@ -385,6 +423,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -45379,7 +45450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -411,6 +449,7 @@
+@@ -411,6 +451,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -45387,7 +45458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -422,3 +461,4 @@
+@@ -422,3 +463,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
@@ -46138,7 +46209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.9.7/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/logging.fc 2011-02-25 17:40:40.897501313 +0000
++++ serefpolicy-3.9.7/policy/modules/system/logging.fc 2011-03-25 09:51:20.856630001 +0000
@@ -17,6 +17,10 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -46158,7 +46229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
ifdef(`distro_suse', `
-@@ -54,18 +59,24 @@
+@@ -54,18 +59,25 @@
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
@@ -46181,9 +46252,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
-+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
+
++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -46263,8 +46335,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.9.7/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-02-25 17:40:40.899501263 +0000
-@@ -60,6 +60,7 @@
++++ serefpolicy-3.9.7/policy/modules/system/logging.te 2011-03-25 09:51:10.512630001 +0000
+@@ -19,6 +19,11 @@
+ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+
++type audit_spool_t;
++files_type(audit_spool_t)
++files_security_file(audit_spool_t)
++files_security_mountpoint(audit_spool_t)
++
+ type auditd_t;
+ type auditd_exec_t;
+ init_daemon_domain(auditd_t, auditd_exec_t)
+@@ -60,6 +65,7 @@
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -46272,7 +46356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -179,6 +180,8 @@
+@@ -179,6 +185,8 @@
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -46281,7 +46365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
miscfiles_read_localization(auditd_t)
mls_file_read_all_levels(auditd_t)
-@@ -234,7 +237,12 @@
+@@ -234,7 +242,12 @@
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
@@ -46294,7 +46378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(audisp_t)
-@@ -244,14 +252,22 @@
+@@ -244,14 +257,26 @@
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -46314,11 +46398,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow audisp_remote_t self:tcp_socket create_socket_perms;
+allow audisp_remote_t var_log_t:dir search_dir_perms;
+
++manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
++manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
++files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
++
+corecmd_exec_bin(audisp_remote_t)
corenet_all_recvfrom_unlabeled(audisp_remote_t)
corenet_all_recvfrom_netlabel(audisp_remote_t)
-@@ -266,9 +282,16 @@
+@@ -266,9 +291,16 @@
files_read_etc_files(audisp_remote_t)
logging_send_syslog_msg(audisp_remote_t)
@@ -46335,7 +46423,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -369,9 +392,15 @@
+@@ -338,7 +370,7 @@
+ # chown fsetid for syslog-ng
+ # sys_admin for the integrated klog of syslog-ng and metalog
+ # cjp: why net_admin!
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
++allow syslogd_t self:capability { dac_override sys_resource sys_tty_config sys_nice net_admin sys_admin chown fsetid };
+ dontaudit syslogd_t self:capability sys_tty_config;
+ # setpgid for metalog
+ # setrlimit for syslog-ng
+@@ -369,9 +401,15 @@
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -46351,7 +46448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +441,7 @@
+@@ -412,6 +450,7 @@
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
@@ -46359,7 +46456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_use_interactive_fds(syslogd_t)
-@@ -422,6 +452,7 @@
+@@ -422,6 +461,7 @@
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
files_read_kernel_symbol_table(syslogd_t)
@@ -46367,7 +46464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
-@@ -488,6 +519,10 @@
+@@ -488,6 +528,10 @@
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fadbe28..3077b1c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 37%{?dist}
+Release: 38%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,15 @@ exit 0
%endif
%changelog
+* Fri Mar 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-38
+- Add support for a new cluster service - foghorn
+- Add /var/spool/audit support for new version of audit
+- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
+- sssd wants to read .k5login file in users homedir
+- Allow syslogd setrlimit, sys_nice
+- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed
+
+
* Mon Mar 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-37
- Add label for /usr/share/shorewall/getparams