[selinux-policy/f17] +* Tue Jul 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-137 +- Fixes for passenger running withi
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jul 3 21:39:06 UTC 2012
commit 94b11fa20bf1b770073423e984686e8cff312e51
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Jul 3 23:38:40 2012 +0200
+* Tue Jul 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-137
+- Fixes for passenger running within openshift
+- Add labeling for all tomcat6 dirs
+- Allow cobblerd to read /etc/passwd
+- Allow jockey to read sysfs and execute binaries with bin_t
+- Allow thumb to use user terminals
+- Allow systemd_logind_t to read/write /dev/input0
Please enter the commit message for your changes. Lines starting
with '#' will be ignored, and an empty message aborts the commit.
On branch f17
Changes to be committed:
(use "git reset HEAD <file>..." to unstage)
modified: policy-F16.patch
modified: selinux-policy.spec
policy-F16.patch | 78 ++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 10 ++++++-
2 files changed, 65 insertions(+), 23 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 673c77e..14b0ff5 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -60373,7 +60373,7 @@ index e0791b9..9f49d01 100644
+ term_dontaudit_use_all_ptys(traceroute_t)
+')
diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
-index f68b573..30b3188 100644
+index f68b573..95efca0 100644
--- a/policy/modules/admin/passenger.if
+++ b/policy/modules/admin/passenger.if
@@ -18,6 +18,24 @@ interface(`passenger_domtrans',`
@@ -60401,7 +60401,7 @@ index f68b573..30b3188 100644
########################################
## <summary>
## Read passenger lib files
-@@ -37,3 +55,46 @@ interface(`passenger_read_lib_files',`
+@@ -37,3 +55,64 @@ interface(`passenger_read_lib_files',`
read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib($1)
')
@@ -60448,8 +60448,26 @@ index f68b573..30b3188 100644
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
++
++########################################
++## <summary>
++## Connect to passenger unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`passenger_stream_connect',`
++ gen_require(`
++ type passenger_t;
++ ')
++
++ allow $1 passenger_t:unix_stream_socket connectto;
++')
diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
-index 3470036..41f736e 100644
+index 3470036..e4180ee 100644
--- a/policy/modules/admin/passenger.te
+++ b/policy/modules/admin/passenger.te
@@ -1,4 +1,4 @@
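Review bot: The new `passenger_stream_connect` interface grants only `allow $1 passenger_t:unix_stream_socket connectto;`, so a caller also needs search on the pids directory and write on the socket file under passenger_var_run_t before the connect can succeed; httpd_t presumably gets that through `passenger_manage_pid_content` (the interface just above appears to manage sock files of passenger_var_run_t), but the interface as written is not self-contained the way other *_stream_connect interfaces in refpolicy are. Consider the standard form — `type passenger_t, passenger_var_run_t;` in the gen_require, then `files_search_pids($1)` and `stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)` — which makes the interface match its summary without widening access beyond the socket path. The same interface is wired into httpd_t in the apache.te hunk further down, so any change here is exercised there. The hunk continues into passenger.te, whose surrounding rules are outside this view.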
@@ -60458,6 +60476,15 @@ index 3470036..41f736e 100644
########################################
#
+@@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t)
+ # passanger local policy
+ #
+
+-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
++allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+ allow passenger_t self:process { setpgid setsched sigkill signal };
+ allow passenger_t self:fifo_file rw_fifo_file_perms;
+ allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -49,6 +49,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
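Review bot: The widened `allow passenger_t self:capability { ... sys_ptrace sys_resource };` line carries no comment saying which passenger operation under openshift requires `sys_ptrace`; CAP_SYS_PTRACE is the capability behind inspecting processes the domain does not own and behind reading several /proc/<pid> entries, so it deserves a justification next to the rule rather than only the changelog line. If the triggering AVC came from passenger reading other processes' /proc entries, a dontaudit is often the better fix than granting the capability. Suggested comment above the rule: `# sys_ptrace/sys_resource: needed by passenger under openshift, see <bug/AVC reference>`. The enclosing passenger.te block extends beyond this hunk.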
@@ -66452,10 +66479,10 @@ index 0000000..fb58f33
+')
diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
new file mode 100644
-index 0000000..b60050f
+index 0000000..efa139b
--- /dev/null
+++ b/policy/modules/apps/jockey.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,42 @@
+policy_module(jockey, 1.0.0)
+
+########################################
@@ -66489,6 +66516,10 @@ index 0000000..b60050f
+manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+
++corecmd_exec_bin(jockey_t)
++
++dev_read_sysfs(jockey_t)
++
+domain_use_interactive_fds(jockey_t)
+
+files_read_etc_files(jockey_t)
@@ -71513,7 +71544,7 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..9cc870f
+index 0000000..105338a
--- /dev/null
+++ b/policy/modules/apps/thumb.te
@@ -0,0 +1,110 @@
@@ -71606,7 +71637,7 @@ index 0000000..9cc870f
+userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t)
+
-+userdom_use_inherited_user_ptys(thumb_t)
++userdom_use_user_terminals(thumb_t)
+
+xserver_read_xdm_home_files(thumb_t)
+xserver_append_xdm_home_files(thumb_t)
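Review bot: Replacing `userdom_use_inherited_user_ptys(thumb_t)` with `userdom_use_user_terminals(thumb_t)` widens the grant from pty descriptors the thumbnailer inherits to opening user ttys and ptys in general, which is more than a thumbnailer normally needs. If the denial being fixed was on a tty rather than a pty, an inherited-only terminal interface (`userdom_use_inherited_user_terminals`, if this tree provides it) keeps the original inherited-fd scope. A one-line comment above the rule naming the denial would let a later reviewer judge whether the widening is intentional. thumb.te continues outside this hunk.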
@@ -86774,7 +86805,7 @@ index 6480167..c453e35 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..dff387e 100644
+index 3136c6a..1af488c 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
@@ -87599,8 +87630,7 @@ index 3136c6a..dff387e 100644
+
+optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
-+ allow httpd_t self:capability sys_resource;
-+ allow httpd_t self:capability { fowner fsetid };
++ allow httpd_t self:capability { fowner fsetid sys_resource };
+ allow httpd_t self:process setexec;
+ passenger_exec(httpd_t)
+ passenger_manage_pid_content(httpd_t)
@@ -87609,6 +87639,7 @@ index 3136c6a..dff387e 100644
+ passenger_domtrans(httpd_t)
+ passenger_manage_pid_content(httpd_t)
+ passenger_read_lib_files(httpd_t)
++ passenger_stream_connect(httpd_t)
+ ')
+')
+
@@ -93412,7 +93443,7 @@ index 116d60f..e2c6ec6 100644
+ allow $1 cobblerd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..5f685a0 100644
+index 0258b48..7a7f3db 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -93515,7 +93546,7 @@ index 0258b48..5f685a0 100644
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
-@@ -65,44 +110,111 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+@@ -65,44 +110,113 @@ corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
@@ -93547,6 +93578,8 @@ index 0258b48..5f685a0 100644
+# read from mounted images (install media)
+fs_read_iso9660_files(cobblerd_t)
+
++auth_read_passwd(cobblerd_t)
++
+init_dontaudit_read_all_script_files(cobblerd_t)
+
+term_use_console(cobblerd_t)
@@ -93629,7 +93662,7 @@ index 0258b48..5f685a0 100644
')
optional_policy(`
-@@ -110,12 +222,21 @@ optional_policy(`
+@@ -110,12 +224,21 @@ optional_policy(`
')
optional_policy(`
@@ -93654,7 +93687,7 @@ index 0258b48..5f685a0 100644
')
########################################
-@@ -124,5 +245,6 @@ optional_policy(`
+@@ -124,5 +247,6 @@ optional_policy(`
#
apache_content_template(cobbler)
@@ -132167,21 +132200,21 @@ index 0000000..d1903e6
+files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
diff --git a/policy/modules/services/tomcat.fc b/policy/modules/services/tomcat.fc
new file mode 100644
-index 0000000..1647b92
+index 0000000..a8385bc
--- /dev/null
+++ b/policy/modules/services/tomcat.fc
@@ -0,0 +1,11 @@
+/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0)
+
-+/usr/sbin/tomcat -- gen_context(system_u:object_r:tomcat_exec_t,s0)
++/usr/sbin/tomcat(6)? -- gen_context(system_u:object_r:tomcat_exec_t,s0)
+
-+/var/cache/tomcat(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0)
++/var/cache/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0)
+
-+/var/lib/tomcat(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0)
++/var/lib/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0)
+
-+/var/log/tomcat(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0)
++/var/log/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0)
+
-+/var/run/tomcat.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
++/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
diff --git a/policy/modules/services/tomcat.if b/policy/modules/services/tomcat.if
new file mode 100644
index 0000000..23251b7
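Review bot: The new tomcat.fc entries spell the optional suffix two ways — `/usr/sbin/tomcat(6)?` on the executable line and `tomcat6?` on the cache, lib, log and pid lines; both match the same paths, but mixing the forms in a six-entry file reads like a typo. Use `/usr/sbin/tomcat6? -- gen_context(system_u:object_r:tomcat_exec_t,s0)` for consistency. The `\.pid` escape on the last entry is correct and should stay.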
@@ -149625,10 +149658,10 @@ index 0000000..1f323e4
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b7b7a83
+index 0000000..dd55eaa
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,419 @@
+@@ -0,0 +1,420 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -149710,6 +149743,7 @@ index 0000000..b7b7a83
+
+dev_getattr_all_chr_files(systemd_logind_t)
+dev_getattr_all_blk_files(systemd_logind_t)
++dev_rw_input_dev(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_setattr_all_chr_files(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
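Review bot: `dev_rw_input_dev(systemd_logind_t)` grants read/write on the whole type the devices layer uses for input devices, while the changelog describes the need as /dev/input0 only; the rule is as narrow as the available interface allows, but the recorded justification should match what is granted. A comment above the line, e.g. `# logind needs rw on input event devices (changelog: /dev/input0)`, records that the broader grant is intentional. The systemd_logind_t block extends beyond this hunk.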
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d5fd845..bc6eae8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 136%{?dist}
+Release: 137%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jul 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-137
+- Fixes for passenger running within openshift
+- Add labeling for all tomcat6 dirs
+- Allow cobblerd to read /etc/passwd
+- Allow jockey to read sysfs and and execute binaries with bin_t
+- Allow thum to use user terminals
+- Allow systemd_logind_t to read/write /dev/input0
+
* Fri Jun 29 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-136
- Fixes to make minimal policy to be installed