[selinux-policy/f17] * Tue Jul 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-138 - Add labeling for aeolus-configserv
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jul 10 07:01:37 UTC 2012
commit 8e4560394ae8c18e457a7275ca88bfb0a0f13eb8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Jul 10 09:01:13 2012 +0200
* Tue Jul 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-138
- Add labeling for aeolus-configserver-thinwrapper
- Allow thin domains to execute shell
- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
- Allow OpenMPI job to use kerberos
- Make deltacloudd_t as nsswitch_domain
- Allow xend_t to run lsscsi
- Allow qemu-dm running as xend_t to create tun_socket
- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
- Fix alsa_manage_home_files interface
- Fix clamscan_can_scan_system boolean
- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
policy-F16.patch | 97 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 15 +++++++-
2 files changed, 79 insertions(+), 33 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 14b0ff5..3a8069f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58467,14 +58467,14 @@ index d362d9c..230a2f6 100644
+
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 1392679..25e02df 100644
+index 1392679..64e685f 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file manage_file_perms;
-+ alsa_filetrans_home_content(unpriv_userdomain)
++ alsa_filetrans_home_content($1)
')
########################################
@@ -66479,10 +66479,10 @@ index 0000000..fb58f33
+')
diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
new file mode 100644
-index 0000000..efa139b
+index 0000000..56b4856
--- /dev/null
+++ b/policy/modules/apps/jockey.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,43 @@
+policy_module(jockey, 1.0.0)
+
+########################################
@@ -66523,6 +66523,7 @@ index 0000000..efa139b
+domain_use_interactive_fds(jockey_t)
+
+files_read_etc_files(jockey_t)
++files_read_usr_files(jockey_t)
+
+miscfiles_read_localization(jockey_t)
diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
@@ -92585,7 +92586,7 @@ index 1f11572..87840b4 100644
+
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..ced0ce2 100644
+index f758323..1ae1cef 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,23 @@
@@ -92763,7 +92764,7 @@ index f758323..ced0ce2 100644
########################################
#
# clamscam local policy
-@@ -242,15 +288,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +288,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -92790,6 +92791,8 @@ index f758323..ced0ce2 100644
+
+tunable_policy(`clamscan_can_scan_system',`
+ files_read_non_security_files(clamscan_t)
++ files_getattr_all_pipes(clamscan_t)
++ files_getattr_all_sockets(clamscan_t)
+')
+
kernel_read_kernel_sysctls(clamscan_t)
@@ -92797,7 +92800,7 @@ index f758323..ced0ce2 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +330,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -92938,10 +92941,10 @@ index 0000000..7f55959
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..da2404c
+index 0000000..e0716d7
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,197 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -93047,6 +93050,8 @@ index 0000000..da2404c
+corenet_tcp_bind_generic_node(deltacloudd_t)
+corenet_tcp_bind_generic_port(deltacloudd_t)
+
++auth_use_nsswitch(deltacloudd_t)
++
+files_read_usr_files(deltacloudd_t)
+
+logging_send_syslog_msg(deltacloudd_t)
@@ -94536,10 +94541,10 @@ index 0000000..168f664
+')
diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
new file mode 100644
-index 0000000..4eb7bd9
+index 0000000..97437dd
--- /dev/null
+++ b/policy/modules/services/condor.te
-@@ -0,0 +1,231 @@
+@@ -0,0 +1,238 @@
+policy_module(condor, 1.0.0)
+
+########################################
@@ -94766,6 +94771,13 @@ index 0000000..4eb7bd9
+optional_policy(`
+ ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
+ ssh_domtrans(condor_startd_t)
++
++ manage_files_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
++ manage_dirs_pattern(condor_startd_ssh_t, condor_var_lib_t, condor_var_lib_t)
++
++ optional_policy(`
++ kerberos_use(condor_startd_ssh_t)
++ ')
+')
+
+optional_policy(`
@@ -97293,7 +97305,7 @@ index 0000000..284fbae
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
-index 1b492ed..d3e9822 100644
+index 1b492ed..7f49429 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@@ -19,7 +19,10 @@
@@ -97327,7 +97339,7 @@ index 1b492ed..d3e9822 100644
/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-@@ -64,10 +65,16 @@
+@@ -64,10 +65,18 @@
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -97345,6 +97357,8 @@ index 1b492ed..d3e9822 100644
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
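Review bot: The added file context `/opt/brother/Printers(.*/)?inf(/.*)?` has no `/` between `Printers` and the optional subdirectory group, so it also matches paths such as /opt/brother/PrintersOld/inf rather than only the Printers tree, and it differs from the `/usr/local/Printer/(.*/)?inf(/.*)?` entry two lines above. If the intent is the same as that entry, `/opt/brother/Printers/(.*/)?inf(/.*)?` keeps the label inside the directory. cupsd_rw_etc_t appears to be a read-write type for cupsd, so a pattern broader than needed extends cupsd's write access to more of /opt/brother than intended.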
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 305ddf4..d1b97fb 100644
--- a/policy/modules/services/cups.if
@@ -109017,7 +109031,7 @@ index a4f32f5..628b63c 100644
## in the caller domain.
## </summary>
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..d3d5067 100644
+index 93c14ca..00cd4a4 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -109080,7 +109094,7 @@ index 93c14ca..d3d5067 100644
# Write to /var/spool/lpd.
manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
-@@ -277,19 +278,19 @@ miscfiles_read_localization(lpr_t)
+@@ -277,19 +278,21 @@ miscfiles_read_localization(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
# Write to the user domain tty.
@@ -109088,6 +109102,8 @@ index 93c14ca..d3d5067 100644
+userdom_use_inherited_user_terminals(lpr_t)
userdom_read_user_home_content_files(lpr_t)
userdom_read_user_tmp_files(lpr_t)
++userdom_write_user_tmp_sockets(lpr_t)
++userdom_stream_connect(lpr_t)
tunable_policy(`use_lpd_server',`
# lpr can run in lightweight mode, without a local print spooler.
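Review bot: The two added rules `userdom_write_user_tmp_sockets(lpr_t)` and `userdom_stream_connect(lpr_t)` carry no comment saying what they are for, while the changelog ties them to connecting to the keyring pkcs11 socket under /run/user/$USER. A line such as `# connect to the user's keyring pkcs11 socket under /run/user/$USER` above them would keep that reasoning in the policy rather than only in the spec changelog. userdom_stream_connect presumably covers stream sockets of all user domains, not just the keyring one; if a narrower interface exists it would be the tighter choice, but that cannot be checked from this hunk.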
@@ -109105,7 +109121,7 @@ index 93c14ca..d3d5067 100644
# Send SIGHUP to lpd.
allow lpr_t lpd_t:process signal;
-@@ -307,17 +308,7 @@ tunable_policy(`use_lpd_server',`
+@@ -307,17 +310,7 @@ tunable_policy(`use_lpd_server',`
read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
')
@@ -109124,7 +109140,7 @@ index 93c14ca..d3d5067 100644
optional_policy(`
cups_read_config(lpr_t)
-@@ -326,5 +317,13 @@ optional_policy(`
+@@ -326,5 +319,13 @@ optional_policy(`
')
optional_policy(`
@@ -132025,12 +132041,13 @@ index 665bf7c..55c5868 100644
+')
diff --git a/policy/modules/services/thin.fc b/policy/modules/services/thin.fc
new file mode 100644
-index 0000000..62d2c77
+index 0000000..8954083
--- /dev/null
+++ b/policy/modules/services/thin.fc
-@@ -0,0 +1,10 @@
+@@ -0,0 +1,11 @@
+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
-+/usr/bin/thinStarter -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
++
++/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
+
+/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
+
@@ -132089,10 +132106,10 @@ index 0000000..6de86e5
+')
diff --git a/policy/modules/services/thin.te b/policy/modules/services/thin.te
new file mode 100644
-index 0000000..d1903e6
+index 0000000..1ed278e
--- /dev/null
+++ b/policy/modules/services/thin.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,106 @@
+policy_module(thin, 1.0)
+
+########################################
@@ -132136,6 +132153,7 @@ index 0000000..d1903e6
+kernel_read_system_state(thin_domain)
+
+corecmd_exec_bin(thin_domain)
++corecmd_exec_shell(thin_domain)
+
+dev_read_rand(thin_domain)
+dev_read_urand(thin_domain)
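Review bot: `corecmd_exec_shell(thin_domain)` is applied to the attribute, so every domain carrying thin_domain gains shell execution, not only the aeolus-configserver wrapper named in the changelog. If only the wrapper domain needs it, granting it to that domain alone is narrower; either way a comment such as `# the aeolus-configserver wrapper runs via a shell` (if that is the reason) would record why. The rest of the thin_domain rules continue outside the hunk.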
@@ -155540,7 +155558,7 @@ index 77d41b6..cc73c96 100644
files_search_pids($1)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..74465c4 100644
+index 4350ba0..b1de3a5 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -155599,7 +155617,22 @@ index 4350ba0..74465c4 100644
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_fifo_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
-@@ -299,7 +303,6 @@ dev_rw_sysfs(xend_t)
+@@ -219,6 +223,7 @@ allow xend_t self:unix_dgram_socket create_socket_perms;
+ allow xend_t self:netlink_route_socket r_netlink_socket_perms;
+ allow xend_t self:tcp_socket create_stream_socket_perms;
+ allow xend_t self:packet_socket create_socket_perms;
++allow xend_t self:tun_socket create_socket_perms;
+
+ allow xend_t xen_image_t:dir list_dir_perms;
+ manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
+@@ -294,12 +299,13 @@ corenet_sendrecv_soundd_server_packets(xend_t)
+ corenet_rw_tun_tap_dev(xend_t)
+
+ dev_read_urand(xend_t)
++# run lsscsi
++dev_getattr_all_chr_files(xend_t)
+ dev_filetrans_xen(xend_t)
+ dev_rw_sysfs(xend_t)
dev_rw_xen(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
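Review bot: `allow xend_t self:tun_socket create_socket_perms;` has no comment, unlike the `# run lsscsi` note added a few lines below for dev_getattr_all_chr_files; `# qemu-dm running as xend_t creates tun sockets` (taken from the changelog) would explain it. dev_getattr_all_chr_files grants getattr on every character device, which is broad for running lsscsi; whether a narrower dev interface for scsi devices exists cannot be confirmed from this hunk. The xend_t section continues outside the hunk on both sides.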
@@ -155607,7 +155640,7 @@ index 4350ba0..74465c4 100644
files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
-@@ -320,13 +323,9 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
@@ -155621,7 +155654,7 @@ index 4350ba0..74465c4 100644
sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
sysnet_domtrans_ifconfig(xend_t)
-@@ -339,8 +338,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
xen_stream_connect_xenstore(xend_t)
@@ -155630,7 +155663,7 @@ index 4350ba0..74465c4 100644
optional_policy(`
brctl_domtrans(xend_t)
')
-@@ -349,6 +346,23 @@ optional_policy(`
+@@ -349,6 +349,23 @@ optional_policy(`
consoletype_exec(xend_t)
')
@@ -155654,7 +155687,7 @@ index 4350ba0..74465c4 100644
########################################
#
# Xen console local policy
-@@ -374,8 +388,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +391,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
@@ -155663,7 +155696,7 @@ index 4350ba0..74465c4 100644
files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
-@@ -413,9 +425,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
@@ -155675,7 +155708,7 @@ index 4350ba0..74465c4 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +455,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -155687,7 +155720,7 @@ index 4350ba0..74465c4 100644
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
-@@ -457,96 +472,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +475,9 @@ xen_append_log(xenstored_t)
########################################
#
@@ -155784,7 +155817,7 @@ index 4350ba0..74465c4 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -559,8 +487,4 @@ optional_policy(`
+@@ -559,8 +490,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5464d74..4fe8d59 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 137%{?dist}
+Release: 138%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jul 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-138
+- Add labeling for aeolus-configserver-thinwrapper
+- Allow thin domains to execute shell
+- Allow OpenMPI job running as condor_startd_ssh_t to manage condor lib files
+- Allow OpenMPI job to use kerberos
+- Make deltacloudd_t as nsswitch_domain
+- Allow xend_t to run lsscsi
+- Allow qemu-dm running as xend_t to create tun_socket
+- Allow jockey-backend to read pyconfig-64.h labeled as usr_t
+- Fix alsa_manage_home_files interface
+- Fix clamscan_can_scan_system boolean
+- Allow lpr to connectto to /run/user/$USER/keyring-22uREb/pkcs11
+
* Tue Jul 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-137
- Fixes for passenger running within openshift
- Add labeling for all tomcat6 dirs