[selinux-policy/f17] * Tue Oct 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-155 - Allow all openshift domains to rea
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Oct 15 22:21:58 UTC 2012
commit f17ffc147895c3296397d7a373b8b15a3d8d5d69
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 16 00:21:07 2012 +0200
* Tue Oct 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-155
- Allow all openshift domains to read sysfs info
- Allow openshift domains to getattr on all domains
- Update httpd_run_stickshift boolean
- Allow hplip to execute bin_t
policy-F16.patch | 108 +++++++++++++++++++++++++++++++--------------------
selinux-policy.spec | 11 ++++-
2 files changed, 75 insertions(+), 44 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index dcbd6ef..4b7c0a7 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -72231,7 +72231,7 @@ index fbb5c5a..67c1168 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..67eb88c 100644
+index 2e9318b..a18db18 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
@@ -72486,7 +72486,7 @@ index 2e9318b..67eb88c 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +414,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +414,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -72502,13 +72502,15 @@ index 2e9318b..67eb88c 100644
auth_use_nsswitch(mozilla_plugin_t)
++init_dontaudit_getattr_initctl(mozilla_plugin_t)
++
+libs_exec_ld_so(mozilla_plugin_t)
+libs_exec_lib_files(mozilla_plugin_t)
+
logging_send_syslog_msg(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,34 +441,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,34 +443,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -72557,7 +72559,7 @@ index 2e9318b..67eb88c 100644
')
optional_policy(`
-@@ -421,24 +475,33 @@ optional_policy(`
+@@ -421,24 +477,33 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -72595,7 +72597,7 @@ index 2e9318b..67eb88c 100644
')
optional_policy(`
-@@ -446,10 +509,105 @@ optional_policy(`
+@@ -446,10 +511,105 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -92367,7 +92369,7 @@ index 6480167..f9d3c63 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..ddaee7d 100644
+index 3136c6a..745b9be 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
@@ -93183,7 +93185,7 @@ index 3136c6a..ddaee7d 100644
')
optional_policy(`
-@@ -577,6 +920,39 @@ optional_policy(`
+@@ -577,6 +920,51 @@ optional_policy(`
')
optional_policy(`
@@ -93195,23 +93197,35 @@ index 3136c6a..ddaee7d 100644
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
+ allow httpd_t self:process setexec;
-+ passenger_exec(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+ passenger_manage_lib_files(httpd_t)
++
+ files_dontaudit_getattr_all_files(httpd_t)
+ domain_dontaudit_read_all_domains_state(httpd_t)
+ domain_getpgid_all_domains(httpd_t)
-+ openshift_read_lib_files(httpd_t)
-+ ',`
-+ passenger_domtrans(httpd_t)
-+ passenger_manage_pid_content(httpd_t)
-+ passenger_read_lib_files(httpd_t)
-+ passenger_stream_connect(httpd_t)
-+ passenger_manage_tmp_files(httpd_t)
+ ')
+')
+
+optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ passenger_exec(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_manage_lib_files(httpd_t)
++ openshift_read_lib_files(httpd_t)
++ ',`
++ passenger_domtrans(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_read_lib_files(httpd_t)
++ passenger_stream_connect(httpd_t)
++ passenger_manage_tmp_files(httpd_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`httpd_run_stickshift', `
++ oddjob_dbus_chat(httpd_t)
++ ')
++')
++
++optional_policy(`
+ puppet_read_lib(httpd_t)
+')
+
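Review bot: `openshift_read_lib_files(httpd_t)`, the line after `passenger_manage_lib_files(httpd_t)`, still shares one `optional_policy` block with the passenger interfaces, so on a system where the openshift module is not present the whole block is, as far as I recall how optional blocks resolve, dropped together with it, including the else branch (`passenger_domtrans(httpd_t)` and the other rules that apply when `httpd_run_stickshift` is off); plain passenger deployments would then lose their transition rules. The oddjob and puppet blocks added below already follow the one-module-per-`optional_policy` pattern, and the openshift call should be moved into its own block the same way, leaving only the three passenger_* calls in the stickshift branch of the passenger block. The `optional_policy` that encloses the capability rules at the top of the hunk opens before the hunk, so which module it depends on cannot be checked here.
```m4
optional_policy(`
	tunable_policy(`httpd_run_stickshift', `
		openshift_read_lib_files(httpd_t)
	')
')
```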
@@ -93223,7 +93237,7 @@ index 3136c6a..ddaee7d 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +967,11 @@ optional_policy(`
+@@ -591,6 +979,11 @@ optional_policy(`
')
optional_policy(`
@@ -93235,7 +93249,7 @@ index 3136c6a..ddaee7d 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +984,12 @@ optional_policy(`
+@@ -603,6 +996,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -93248,7 +93262,7 @@ index 3136c6a..ddaee7d 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +1003,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +1015,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -93261,7 +93275,7 @@ index 3136c6a..ddaee7d 100644
########################################
#
-@@ -654,28 +1045,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1057,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -93305,7 +93319,7 @@ index 3136c6a..ddaee7d 100644
')
########################################
-@@ -685,6 +1078,8 @@ optional_policy(`
+@@ -685,6 +1090,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -93314,7 +93328,7 @@ index 3136c6a..ddaee7d 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1094,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1106,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -93340,7 +93354,7 @@ index 3136c6a..ddaee7d 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1152,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -93373,7 +93387,7 @@ index 3136c6a..ddaee7d 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1187,25 @@ optional_policy(`
+@@ -769,6 +1199,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -93399,7 +93413,7 @@ index 3136c6a..ddaee7d 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1238,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -93417,7 +93431,7 @@ index 3136c6a..ddaee7d 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1257,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -93474,7 +93488,7 @@ index 3136c6a..ddaee7d 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1308,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -93515,7 +93529,7 @@ index 3136c6a..ddaee7d 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1341,20 @@ optional_policy(`
+@@ -842,10 +1353,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -93536,7 +93550,7 @@ index 3136c6a..ddaee7d 100644
')
########################################
-@@ -891,11 +1400,146 @@ optional_policy(`
+@@ -891,11 +1412,146 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -103152,7 +103166,7 @@ index 305ddf4..d1b97fb 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..62df109 100644
+index 0f28095..0f7579f 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -103430,7 +103444,17 @@ index 0f28095..62df109 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -661,6 +707,8 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -647,6 +693,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+ kernel_read_system_state(hplip_t)
+ kernel_read_kernel_sysctls(hplip_t)
+
++#for python
++corecmd_exec_bin(hplip_t)
++
+ corenet_all_recvfrom_unlabeled(hplip_t)
+ corenet_all_recvfrom_netlabel(hplip_t)
+ corenet_tcp_sendrecv_generic_if(hplip_t)
+@@ -661,6 +710,8 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -103439,7 +103463,7 @@ index 0f28095..62df109 100644
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
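Review bot: The comment `#for python` above the new `corecmd_exec_bin(hplip_t)` does not say that the grant is wider than the interpreter: bin_t is the generic label for executables in the bin directories, so this lets the hplip daemon execute any generic binary, presumably because its helper tools are python scripts and python itself carries bin_t. The comment should record that trade-off so the next reader does not try to narrow it blindly, e.g. `# hplip helpers are python scripts; python is labeled bin_t, so this grants exec on all bin_t rather than a python-specific type`. If this policy has no narrower label for the interpreter, saying so in the same comment is enough.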
-@@ -673,18 +721,20 @@ dev_read_rand(hplip_t)
+@@ -673,18 +724,20 @@ dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_rw_usbfs(hplip_t)
@@ -103467,7 +103491,7 @@ index 0f28095..62df109 100644
logging_send_syslog_msg(hplip_t)
-@@ -695,9 +745,12 @@ sysnet_read_config(hplip_t)
+@@ -695,9 +748,12 @@ sysnet_read_config(hplip_t)
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -122098,10 +122122,10 @@ index 0000000..3eb6a30
+## <summary></summary>
diff --git a/policy/modules/services/openshift-origin.te b/policy/modules/services/openshift-origin.te
new file mode 100644
-index 0000000..966d0b3
+index 0000000..a437f80
--- /dev/null
+++ b/policy/modules/services/openshift-origin.te
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,13 @@
+policy_module(openshift-origin,1.0.0)
+gen_require(`
+ attribute openshift_domain;
@@ -122114,14 +122138,13 @@ index 0000000..966d0b3
+allow openshift_domain self:socket_class_set create_socket_perms;
+corenet_tcp_connect_all_ports(openshift_domain)
+corenet_tcp_bind_all_ports(openshift_domain)
-+dev_read_sysfs(openshift_domain)
+files_read_config_files(openshift_domain)
diff --git a/policy/modules/services/openshift.fc b/policy/modules/services/openshift.fc
new file mode 100644
-index 0000000..fdff8eb
+index 0000000..8283601
--- /dev/null
+++ b/policy/modules/services/openshift.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,23 @@
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
@@ -122141,6 +122164,7 @@ index 0000000..fdff8eb
+
+/usr/bin/rhc-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/bin/rhc-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
@@ -122708,7 +122732,7 @@ index 0000000..681f8a0
+')
diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
new file mode 100644
-index 0000000..91c558e
+index 0000000..8f642e4
--- /dev/null
+++ b/policy/modules/services/openshift.te
@@ -0,0 +1,351 @@
@@ -122875,7 +122899,7 @@ index 0000000..91c558e
+corecmd_bin_entry_type(openshift_domain)
+corecmd_exec_all_executables(openshift_domain)
+
-+dev_list_sysfs(openshift_domain)
++dev_read_sysfs(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
@@ -122890,7 +122914,7 @@ index 0000000..91c558e
+fs_rw_hugetlbfs_files(openshift_domain)
+fs_rw_anon_inodefs_files(openshift_domain)
+fs_search_tmpfs(openshift_domain)
-+fs_getattr_xattr_fs(openshift_domain)
++fs_getattr_all_fs(openshift_domain)
+fs_dontaudit_getattr_all_fs(openshift_domain)
+fs_list_inotifyfs(openshift_domain)
+fs_dontaudit_list_auto_mountpoints(openshift_domain)
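Review bot: `fs_dontaudit_getattr_all_fs(openshift_domain)`, the line directly after the new `fs_getattr_all_fs(openshift_domain)`, is now dead: a dontaudit for a permission the same domain is allowed never fires, and keeping both reads as if the denial were still expected, so the dontaudit line should be dropped. The changelog entry `Allow openshift domains to getattr on all domains` describes this hunk as a permission on domains, but the change is `fs_getattr_all_fs`, i.e. getattr on all filesystems, and the entry should say filesystems. Since openshift_domain is an attribute, both widenings in this file (`dev_read_sysfs` and `fs_getattr_all_fs`) apply to every domain carrying it, which deserves a comment above the calls, e.g. `# granted to every domain carrying openshift_domain, not to a single gear type`.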
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 751fdfb..9882d98 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 154%{?dist}
+Release: 155%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,7 +479,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Tue Oct 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-154- fix opeshift labeling
+* Tue Oct 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-155
+- Allow all openshift domains to read sysfs info
+- Allow openshift domains to getattr on all domains
+- Update httpd_run_stickshift boolean
+- Allow hplip to execute bin_t
+
+* Tue Oct 9 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-154
+- fix opeshift labeling
- Allow groupadd to read SELinux file context
* Mon Oct 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-153