[selinux-policy] - Allow httpd_t to connect to osapi_compute port using httpd_use_openstac - Fixes for dlm_controld -

Miroslav Grepl mgrepl at fedoraproject.org
Mon Apr 8 12:06:21 UTC 2013


commit d8b4fa387f251c047bf6dcf190830796c71179ef
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Apr 8 14:05:50 2013 +0200

    - Allow httpd_t to connect to osapi_compute port using httpd_use_openstack
    - Fixes for dlm_controld
    - Fix apache_read_sys_content_rw_dirs() interface
    - Allow logrotate to read /var/log/z-push dir
    - Allow postfix_postdrop to access postfix_public socket
    - Allow sched_setscheduler for cupsd_t
    - Add missing context for /usr/sbin/snmpd
    - Allow consolehelper more access discovered by Tom London
    - Allow fsdaemon to send signull to all domain
    - Add port definition for osapi_compute port
    - Allow unconfined to create /etc/hostname with correct labeling
    - Add systemd_filetrans_named_hostname() interface

 policy-rawhide-base.patch    |   48 ++++++---
 policy-rawhide-contrib.patch |  246 ++++++++++++++++++++++++++----------------
 selinux-policy.spec          |   16 +++-
 3 files changed, 202 insertions(+), 108 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 45f92f2..9709c47 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5074,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..fba95c8 100644
+index 4edc40d..a69e038 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5259,7 +5259,7 @@ index 4edc40d..fba95c8 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -188,13 +220,13 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -188,21 +220,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -5276,7 +5276,9 @@ index 4edc40d..fba95c8 100644
  network_port(ocsp, tcp,9080,s0)
  network_port(openhpid, tcp,4743,s0, udp,4743,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -203,6 +235,12 @@ network_port(pegasus_http, tcp,5988,s0)
++network_port(osapi_compute, tcp, 8774, s0)
+ network_port(pdps, tcp,1314,s0, udp,1314,s0)
+ network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
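Review bot: The new `network_port(osapi_compute, tcp, 8774, s0)` line puts spaces after the commas while every neighbouring definition in this block (`tcp,1314,s0`, `tcp,5988,s0`) does not; for consistency write `network_port(osapi_compute, tcp,8774,s0)`. Only a TCP port is declared, which is all the contrib side consumes through the generated corenet_tcp_connect_osapi_compute_port interface. The name alone does not say which service this is; if 8774 is meant as the OpenStack Nova API port, a trailing `# OpenStack nova-api` comment would spare the next reader the lookup.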
@@ -5289,7 +5291,7 @@ index 4edc40d..fba95c8 100644
  network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +252,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +253,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5337,7 +5339,7 @@ index 4edc40d..fba95c8 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +298,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +299,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5348,7 +5350,7 @@ index 4edc40d..fba95c8 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +310,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +311,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5361,7 +5363,7 @@ index 4edc40d..fba95c8 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +334,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +335,16 @@ network_port(zope, tcp,8021,s0)
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
  # these entries just cover any remaining reserved ports not otherwise declared.
  
@@ -5380,7 +5382,7 @@ index 4edc40d..fba95c8 100644
  
  ########################################
  #
-@@ -330,6 +376,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +377,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5389,7 +5391,7 @@ index 4edc40d..fba95c8 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +390,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +391,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -7747,7 +7749,7 @@ index 6a1e4d1..adafd25 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..274ef6d 100644
+index cf04cb5..dc4207f 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -7873,7 +7875,7 @@ index cf04cb5..274ef6d 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,265 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -8014,6 +8016,7 @@ index cf04cb5..274ef6d 100644
 +	systemd_login_reboot(unconfined_domain_type)
 +	systemd_login_halt(unconfined_domain_type)
 +	systemd_login_undefined(unconfined_domain_type)
++    systemd_filetrans_named_hostname(unconfined_domain_type)
 +')
 +
 +optional_policy(`
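Review bot: The added `systemd_filetrans_named_hostname(unconfined_domain_type)` is indented with four spaces while the sibling lines of this optional_policy block use a tab; it should be `	systemd_filetrans_named_hostname(unconfined_domain_type)` to match. The optional_policy block it joins opens before the hunk, so which module guard it sits under (presumably the systemd one, given its siblings) cannot be confirmed from here.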
@@ -35717,10 +35720,10 @@ index 0000000..4e12420
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..2927875
+index 0000000..16c7767
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1103 @@
+@@ -0,0 +1,1122 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -36574,6 +36577,25 @@ index 0000000..2927875
 +
 +########################################
 +## <summary>
++##	Transition to systemd named content for /etc/hostname
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_filetrans_named_hostname',`
++	gen_require(`
++		type hostname_etc_t;
++	')
++
++	files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
++	files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
++')
++
++########################################
++## <summary>
 +##	Get the system status information from systemd_login
 +## </summary>
 +## <param name="domain">
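Review bot: The interface summary only mentions `/etc/hostname`, but the body also transitions `machine-info`, so the summary under-documents what callers get; it should read `##	Create /etc/hostname and /etc/machine-info labeled hostname_etc_t (named file transitions).` Both calls restrict the transition to the `file` class, so creating either path as a symlink is not covered — worth a one-line note if that is deliberate. Minor style: `"hostname" )` has a stray space before the closing parenthesis, and the `Domain allowed access.` param line is indented with spaces where the rest of the file's XML doc uses tabs.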
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 43bfddb..4aeb84e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3048,7 +3048,7 @@ index 550a69e..78579c0 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 83e899c..e3bed6a 100644
+index 83e899c..c0ece1b 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -1,9 +1,9 @@
@@ -3865,7 +3865,7 @@ index 83e899c..e3bed6a 100644
  interface(`apache_manage_sys_content',`
  	gen_require(`
  		type httpd_sys_content_t;
-@@ -855,32 +922,78 @@ interface(`apache_manage_sys_content',`
+@@ -855,32 +922,98 @@ interface(`apache_manage_sys_content',`
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
@@ -3891,6 +3891,26 @@ index 83e899c..e3bed6a 100644
 +')
 +
 +######################################
++## <summary>
++##	Allow the specified domain to read
++##	apache system content rw dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`apache_read_sys_content_rw_dirs',`
++	gen_require(`
++		type httpd_sys_rw_content_t;
++	')
++
++	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
++')
++
++######################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	httpd system rw content.
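Review bot: The summary says the domain may "read" httpd system rw content dirs, but the body grants only `list_dirs_pattern` on httpd_sys_rw_content_t, i.e. directory listing and no file access; the summary should say so: `##	List directories labeled httpd_sys_rw_content_t (directory read/search only, no file access).` The interface also does not grant search on whatever parent directories lead to the target, so a caller such as logrotate reaching /var/log/z-push presumably relies on its existing /var/log access — worth confirming against the AVC that motivated this.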
@@ -3952,7 +3972,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -888,10 +1001,17 @@ interface(`apache_manage_sys_rw_content',`
+@@ -888,10 +1021,17 @@ interface(`apache_manage_sys_rw_content',`
  ##	</summary>
  ## </param>
  #
@@ -3971,7 +3991,7 @@ index 83e899c..e3bed6a 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -901,9 +1021,8 @@ interface(`apache_domtrans_sys_script',`
+@@ -901,9 +1041,8 @@ interface(`apache_domtrans_sys_script',`
  
  ########################################
  ## <summary>
@@ -3983,7 +4003,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -941,7 +1060,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -941,7 +1080,7 @@ interface(`apache_domtrans_all_scripts',`
  ########################################
  ## <summary>
  ##	Execute all user scripts in the user
@@ -3992,7 +4012,7 @@ index 83e899c..e3bed6a 100644
  ##	to the specified role.
  ## </summary>
  ## <param name="domain">
-@@ -954,6 +1073,7 @@ interface(`apache_domtrans_all_scripts',`
+@@ -954,6 +1093,7 @@ interface(`apache_domtrans_all_scripts',`
  ##	Role allowed access.
  ##	</summary>
  ## </param>
@@ -4000,7 +4020,7 @@ index 83e899c..e3bed6a 100644
  #
  interface(`apache_run_all_scripts',`
  	gen_require(`
-@@ -966,7 +1086,8 @@ interface(`apache_run_all_scripts',`
+@@ -966,7 +1106,8 @@ interface(`apache_run_all_scripts',`
  
  ########################################
  ## <summary>
@@ -4010,7 +4030,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -979,12 +1100,13 @@ interface(`apache_read_squirrelmail_data',`
+@@ -979,12 +1120,13 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -4026,7 +4046,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1002,7 +1124,7 @@ interface(`apache_append_squirrelmail_data',`
+@@ -1002,7 +1144,7 @@ interface(`apache_append_squirrelmail_data',`
  
  ########################################
  ## <summary>
@@ -4035,7 +4055,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1015,13 +1137,12 @@ interface(`apache_search_sys_content',`
+@@ -1015,13 +1157,12 @@ interface(`apache_search_sys_content',`
  		type httpd_sys_content_t;
  	')
  
@@ -4050,7 +4070,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1041,7 +1162,7 @@ interface(`apache_read_sys_content',`
+@@ -1041,7 +1182,7 @@ interface(`apache_read_sys_content',`
  
  ########################################
  ## <summary>
@@ -4059,7 +4079,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1059,8 +1180,7 @@ interface(`apache_search_sys_scripts',`
+@@ -1059,8 +1200,7 @@ interface(`apache_search_sys_scripts',`
  
  ########################################
  ## <summary>
@@ -4069,7 +4089,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1070,13 +1190,22 @@ interface(`apache_search_sys_scripts',`
+@@ -1070,13 +1210,22 @@ interface(`apache_search_sys_scripts',`
  ## <rolecap/>
  #
  interface(`apache_manage_all_user_content',`
@@ -4095,7 +4115,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1094,7 +1223,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1094,7 +1243,8 @@ interface(`apache_search_sys_script_state',`
  
  ########################################
  ## <summary>
@@ -4105,7 +4125,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1111,10 +1241,29 @@ interface(`apache_read_tmp_files',`
+@@ -1111,10 +1261,29 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -4137,7 +4157,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1127,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1127,7 +1296,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -4146,7 +4166,7 @@ index 83e899c..e3bed6a 100644
  ')
  
  ########################################
-@@ -1136,6 +1285,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1136,6 +1305,9 @@ interface(`apache_dontaudit_write_tmp_files',`
  ## </summary>
  ##	<desc>
  ##	<p>
@@ -4156,7 +4176,7 @@ index 83e899c..e3bed6a 100644
  ##	This is an interface to support third party modules
  ##	and its use is not allowed in upstream reference
  ##	policy.
-@@ -1165,8 +1317,30 @@ interface(`apache_cgi_domain',`
+@@ -1165,8 +1337,30 @@ interface(`apache_cgi_domain',`
  
  ########################################
  ## <summary>
@@ -4189,7 +4209,7 @@ index 83e899c..e3bed6a 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1183,18 +1357,19 @@ interface(`apache_cgi_domain',`
+@@ -1183,18 +1377,19 @@ interface(`apache_cgi_domain',`
  interface(`apache_admin',`
  	gen_require(`
  		attribute httpdcontent, httpd_script_exec_type;
@@ -4218,7 +4238,7 @@ index 83e899c..e3bed6a 100644
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1204,10 +1379,10 @@ interface(`apache_admin',`
+@@ -1204,10 +1399,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -4232,7 +4252,7 @@ index 83e899c..e3bed6a 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1393,129 @@ interface(`apache_admin',`
+@@ -1218,9 +1413,129 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -4367,7 +4387,7 @@ index 83e899c..e3bed6a 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..5e167ca 100644
+index 1a82e29..dfaef83 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,353 @@
@@ -6034,13 +6054,13 @@ index 1a82e29..5e167ca 100644
 -
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -corenet_all_recvfrom_unlabeled(httpd_script_domains)
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_node(httpd_script_domains)
--
++allow httpd_sys_script_t self:process getsched;
+ 
 -corecmd_exec_all_executables(httpd_script_domains)
 +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 +allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@@ -6173,8 +6193,7 @@ index 1a82e29..5e167ca 100644
 -#
 -
 -allow httpd_sys_script_t self:tcp_socket { accept listen };
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 -
 -dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -6204,7 +6223,8 @@ index 1a82e29..5e167ca 100644
 -	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
 -	corenet_tcp_connect_pop_port(httpd_sys_script_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -	mta_send_mail(httpd_sys_script_t)
 -	mta_signal_system_mail(httpd_sys_script_t)
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6417,7 +6437,7 @@ index 1a82e29..5e167ca 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1501,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -6435,23 +6455,33 @@ index 1a82e29..5e167ca 100644
 +systemd_manage_passwd_run(httpd_passwd_t)
 +systemd_manage_passwd_run(httpd_t)
 +#systemd_passwd_agent_dev_template(httpd)
-+
+ 
+-allow httpd_gpg_t self:process setrlimit;
 +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
 +dontaudit httpd_passwd_t httpd_config_t:file read;
-+
+ 
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
 +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
 +corecmd_shell_entry_type(httpd_script_type)
-+
+ 
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
 +allow httpd_script_type self:fifo_file rw_file_perms;
 +allow httpd_script_type self:unix_stream_socket connectto;
-+
+ 
+-files_read_usr_files(httpd_gpg_t)
 +allow httpd_script_type httpd_t:fifo_file write;
 +# apache should set close-on-exec
 +apache_dontaudit_leaks(httpd_script_type)
-+
+ 
+-miscfiles_read_localization(httpd_gpg_t)
 +append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
 +logging_search_logs(httpd_script_type)
-+
+ 
+-tunable_policy(`httpd_gpg_anon_write',`
+-	miscfiles_manage_public_files(httpd_gpg_t)
 +kernel_dontaudit_search_sysctl(httpd_script_type)
 +kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
 +
@@ -6466,34 +6496,24 @@ index 1a82e29..5e167ca 100644
 +
 +libs_exec_ld_so(httpd_script_type)
 +libs_exec_lib_files(httpd_script_type)
- 
--allow httpd_gpg_t self:process setrlimit;
++
 +miscfiles_read_fonts(httpd_script_type)
 +miscfiles_read_public_files(httpd_script_type)
- 
--allow httpd_gpg_t httpd_t:fd use;
--allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
--allow httpd_gpg_t httpd_t:process sigchld;
++
 +allow httpd_t httpd_script_type:unix_stream_socket connectto;
- 
--dev_read_rand(httpd_gpg_t)
--dev_read_urand(httpd_gpg_t)
++
 +allow httpd_t httpd_script_exec_type:file read_file_perms;
 +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 +allow httpd_t httpd_script_type:process { signal sigkill sigstop };
 +allow httpd_t httpd_script_exec_type:dir list_dir_perms;
- 
--files_read_usr_files(httpd_gpg_t)
++
 +allow httpd_script_type self:process { setsched signal_perms };
 +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
 +allow httpd_script_type self:unix_dgram_socket create_socket_perms;
- 
--miscfiles_read_localization(httpd_gpg_t)
++
 +allow httpd_script_type httpd_t:fd use;
 +allow httpd_script_type httpd_t:process sigchld;
- 
--tunable_policy(`httpd_gpg_anon_write',`
--	miscfiles_manage_public_files(httpd_gpg_t)
++
 +dontaudit httpd_script_type httpd_t:tcp_socket { read write };
 +
 +fs_getattr_xattr_fs(httpd_script_type)
@@ -6531,6 +6551,11 @@ index 1a82e29..5e167ca 100644
 +	corenet_tcp_connect_keystone_port(httpd_sys_script_t)
 +	corenet_tcp_connect_all_ephemeral_ports(httpd_t)
 +	corenet_tcp_connect_glance_port(httpd_sys_script_t)
++	corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
++')
++
++tunable_policy(`httpd_use_openstack',`
++    corenet_tcp_connect_osapi_compute_port(httpd_t)
  ')
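Review bot: The new standalone ``tunable_policy(`httpd_use_openstack',`` block granting `corenet_tcp_connect_osapi_compute_port(httpd_t)` sits directly after a block that already carries an httpd_t rule (`corenet_tcp_connect_all_ephemeral_ports(httpd_t)`) and, from its keystone/glance calls, looks to be keyed on the same boolean; if so the new call belongs inside that block rather than in a second one keyed on the same tunable. Its body line is also indented with four spaces where the file uses a tab. The existing block's header is outside the hunk, so the boolean it is under cannot be confirmed from here.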
 diff --git a/apcupsd.fc b/apcupsd.fc
 index 5ec0e13..2da2368 100644
@@ -9565,10 +9590,10 @@ index 0c53b18..ef29f6e 100644
  	domain_system_change_exemption($1)
  	role_transition $2 certmaster_initrc_exec_t system_r;
 diff --git a/certmaster.te b/certmaster.te
-index bf82163..5397bb9 100644
+index bf82163..2b571c7 100644
 --- a/certmaster.te
 +++ b/certmaster.te
-@@ -65,11 +65,8 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
+@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
  dev_read_urand(certmaster_t)
  
  files_list_var(certmaster_t)
@@ -9580,6 +9605,8 @@ index bf82163..5397bb9 100644
 -miscfiles_read_localization(certmaster_t)
  miscfiles_manage_generic_cert_dirs(certmaster_t)
  miscfiles_manage_generic_cert_files(certmaster_t)
++
++mta_send_mail(certmaster_t)
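Review bot: `mta_send_mail(certmaster_t)` is added as a bare call; in contrib policy a call into another module's interface is wrapped so the policy still builds when that module is absent, as the surrounding `optional_policy(` blocks do: ``optional_policy(`	mta_send_mail(certmaster_t)	')`` on three lines. It also lets certmaster transition into the system mail domain, which appears nowhere in the changelog; an entry naming what certmaster sends would let a reviewer judge whether the grant is needed.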
 diff --git a/certmonger.fc b/certmonger.fc
 index ed298d8..cd8eb4d 100644
 --- a/certmonger.fc
@@ -16063,7 +16090,7 @@ index 06da9a0..ca832e1 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..3b03f21 100644
+index 9f34c2e..fb69e2c 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16160,8 +16187,8 @@ index 9f34c2e..3b03f21 100644
 +# Cups general local policy
 +#
 +
-+allow cups_domain self:capability { setuid setgid };
-+allow cups_domain self:process signal_perms;
++allow cups_domain self:capability { setuid setgid sys_nice };
++allow cups_domain self:process { getsched setsched signal_perms };
 +allow cups_domain self:fifo_file rw_fifo_file_perms;
 +allow cups_domain self:tcp_socket { accept listen };
 +
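Review bot: The changelog item is "Allow sched_setscheduler for cupsd_t", but the rewritten rules grant `sys_nice` and `setsched` to the `cups_domain` attribute, i.e. every domain carrying it, not just cupsd_t. If only the scheduler needs to raise priority, the narrower form is `allow cupsd_t self:capability sys_nice;` and `allow cupsd_t self:process setsched;` in cupsd_t's own section, leaving the attribute-wide line as `{ setuid setgid }`. Which domains carry cups_domain is declared outside this hunk.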
@@ -32942,7 +32969,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..ed36684 100644
+index 7bab8e5..3baae66 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -1,20 +1,18 @@
@@ -33126,7 +33153,13 @@ index 7bab8e5..ed36684 100644
  ')
  
  optional_policy(`
-@@ -140,11 +159,11 @@ optional_policy(`
+@@ -135,16 +154,17 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	apache_read_config(logrotate_t)
++    apache_read_sys_content_rw_dirs(logrotate_t)
+ 	apache_domtrans(logrotate_t)
+ 	apache_signull(logrotate_t)
  ')
  
  optional_policy(`
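Review bot: `apache_read_sys_content_rw_dirs(logrotate_t)` is indented with four spaces while its siblings in the optional_policy block use a tab; write `	apache_read_sys_content_rw_dirs(logrotate_t)`. The changelog ties this to /var/log/z-push, so that directory is presumably labeled httpd_sys_rw_content_t; a comment `# /var/log/z-push is labeled httpd_sys_rw_content_t` next to the call would record why logrotate needs an apache interface at all.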
@@ -33140,7 +33173,7 @@ index 7bab8e5..ed36684 100644
  ')
  
  optional_policy(`
-@@ -178,7 +197,7 @@ optional_policy(`
+@@ -178,7 +198,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33149,7 +33182,7 @@ index 7bab8e5..ed36684 100644
  ')
  
  optional_policy(`
-@@ -198,21 +217,22 @@ optional_policy(`
+@@ -198,21 +218,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33176,7 +33209,7 @@ index 7bab8e5..ed36684 100644
  ')
  
  optional_policy(`
-@@ -228,10 +248,20 @@ optional_policy(`
+@@ -228,10 +249,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33197,7 +33230,7 @@ index 7bab8e5..ed36684 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -241,13 +271,11 @@ optional_policy(`
+@@ -241,13 +272,11 @@ optional_policy(`
  
  #######################################
  #
@@ -54684,7 +54717,7 @@ index 2e23946..41da729 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 191a66f..b11469c 100644
+index 191a66f..7ceaec2 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,4 +1,4 @@
@@ -55284,7 +55317,7 @@ index 191a66f..b11469c 100644
  #
  
  allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +495,24 @@ optional_policy(`
+@@ -576,19 +495,25 @@ optional_policy(`
  
  ########################################
  #
@@ -55301,6 +55334,7 @@ index 191a66f..b11469c 100644
 +allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
  
  rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
++rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
  
 +postfix_list_spool(postfix_postdrop_t)
  manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
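Review bot: `rw_sock_files_pattern` grants only read/write on the sock_file inode; if postdrop actually connects to the listening socket in the public directory it also needs `connectto` on the server domain's unix_stream_socket, which is what `stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)` expresses — verify the owning domain from the AVC, master is only the usual creator of those sockets. The `{ read write }` on postfix_local_t's unix_stream_socket two lines up suggests a comparable path already exists. If the denial really was on the socket file alone, the current rule suffices and a comment saying so would stop someone "fixing" it later.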
@@ -55314,7 +55348,7 @@ index 191a66f..b11469c 100644
  
  term_dontaudit_use_all_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +527,7 @@ optional_policy(`
+@@ -603,10 +528,7 @@ optional_policy(`
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -55326,7 +55360,7 @@ index 191a66f..b11469c 100644
  optional_policy(`
  	fstools_read_pipes(postfix_postdrop_t)
  ')
-@@ -621,17 +542,23 @@ optional_policy(`
+@@ -621,17 +543,23 @@ optional_policy(`
  
  #######################################
  #
@@ -55353,7 +55387,7 @@ index 191a66f..b11469c 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +574,77 @@ optional_policy(`
+@@ -647,67 +575,77 @@ optional_policy(`
  
  ########################################
  #
@@ -55449,7 +55483,7 @@ index 191a66f..b11469c 100644
  ')
  
  optional_policy(`
-@@ -720,24 +657,27 @@ optional_policy(`
+@@ -720,24 +658,27 @@ optional_policy(`
  
  ########################################
  #
@@ -55483,7 +55517,7 @@ index 191a66f..b11469c 100644
  fs_getattr_all_dirs(postfix_smtpd_t)
  fs_getattr_all_fs(postfix_smtpd_t)
  
-@@ -754,6 +694,7 @@ optional_policy(`
+@@ -754,6 +695,7 @@ optional_policy(`
  
  optional_policy(`
  	milter_stream_connect_all(postfix_smtpd_t)
@@ -55491,7 +55525,7 @@ index 191a66f..b11469c 100644
  ')
  
  optional_policy(`
-@@ -764,31 +705,100 @@ optional_policy(`
+@@ -764,31 +706,100 @@ optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -64957,7 +64991,7 @@ index 56bc01f..cbca7aa 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..bbe8875 100644
+index 2c2de9a..aa4480c 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -65257,7 +65291,16 @@ index 2c2de9a..bbe8875 100644
  ')
  
  #####################################
-@@ -98,6 +354,12 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -79,7 +335,7 @@ optional_policy(`
+ # dlm_controld local policy
+ #
+ 
+-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
++allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
+ allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+@@ -98,6 +354,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -65267,10 +65310,14 @@ index 2c2de9a..bbe8875 100644
 +	corosync_rw_tmpfs(dlm_controld_t)
 +')
 +
++optional_policy(`
++    rhcs_stream_connect_cluster(dlm_controld_t)
++')
++
  #######################################
  #
  # fenced local policy
-@@ -105,9 +367,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +371,13 @@ init_rw_script_tmp_files(dlm_controld_t)
  
  allow fenced_t self:capability { sys_rawio sys_resource };
  allow fenced_t self:process { getsched signal_perms };
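Review bot: `rhcs_stream_connect_cluster` carries this module's own prefix and so is presumably defined in rhcs.if; wrapping a same-module interface call in ``optional_policy(`…')`` buys nothing, since it is always available when rhcs.te is built. Call it directly as `rhcs_stream_connect_cluster(dlm_controld_t)`, or spell out the `stream_connect_pattern` the way the fenced rule a few lines above does. The call line is also indented with four spaces instead of the tab used elsewhere in the file.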
@@ -65285,7 +65332,7 @@ index 2c2de9a..bbe8875 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
-@@ -118,9 +384,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +388,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -65296,7 +65343,7 @@ index 2c2de9a..bbe8875 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -148,9 +413,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +417,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -65307,7 +65354,7 @@ index 2c2de9a..bbe8875 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +423,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +427,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -65316,7 +65363,7 @@ index 2c2de9a..bbe8875 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +453,6 @@ optional_policy(`
+@@ -190,10 +457,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65327,7 +65374,7 @@ index 2c2de9a..bbe8875 100644
  	lvm_domtrans(fenced_t)
  	lvm_read_config(fenced_t)
  ')
-@@ -203,6 +462,13 @@ optional_policy(`
+@@ -203,6 +466,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -65341,7 +65388,7 @@ index 2c2de9a..bbe8875 100644
  #######################################
  #
  # foghorn local policy
-@@ -223,7 +489,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,7 +493,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
  dev_read_urand(foghorn_t)
  
@@ -65351,7 +65398,7 @@ index 2c2de9a..bbe8875 100644
  
  optional_policy(`
  	dbus_connect_system_bus(foghorn_t)
-@@ -257,6 +524,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +528,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -65360,7 +65407,7 @@ index 2c2de9a..bbe8875 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +544,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +548,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -65373,7 +65420,7 @@ index 2c2de9a..bbe8875 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +590,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +594,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -73079,7 +73126,7 @@ index cd6c213..34b861a 100644
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
  ')
 diff --git a/sanlock.te b/sanlock.te
-index a34eac4..25ad7ec 100644
+index a34eac4..b144d40 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -73219,7 +73266,7 @@ index a34eac4..25ad7ec 100644
  optional_policy(`
 -	virt_kill_all_virt_domains(sanlock_t)
 +	virt_kill_svirt(sanlock_t)
-+    virt_kill(sanlock_t)
++	virt_kill(sanlock_t)
  	virt_manage_lib_files(sanlock_t)
 -	virt_signal_all_virt_domains(sanlock_t)
 +	virt_signal_svirt(sanlock_t)
@@ -75771,7 +75818,7 @@ index e0644b5..ea347cc 100644
  	domain_system_change_exemption($1)
  	role_transition $2 fsdaemon_initrc_exec_t system_r;
 diff --git a/smartmon.te b/smartmon.te
-index 9ade9c5..efefceb 100644
+index 9ade9c5..60d6c41 100644
 --- a/smartmon.te
 +++ b/smartmon.te
 @@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
@@ -75804,15 +75851,17 @@ index 9ade9c5..efefceb 100644
  storage_raw_read_fixed_disk(fsdaemon_t)
  storage_raw_write_fixed_disk(fsdaemon_t)
  storage_raw_read_removable_device(fsdaemon_t)
-@@ -85,6 +91,8 @@ term_dontaudit_search_ptys(fsdaemon_t)
+@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t)
  
- application_signull(fsdaemon_t)
+ term_dontaudit_search_ptys(fsdaemon_t)
  
-+auth_read_passwd(fsdaemon_t)
+-application_signull(fsdaemon_t)
++domain_signull_all_domains(fsdaemon_t)
 +
++auth_read_passwd(fsdaemon_t)
+ 
  init_read_utmp(fsdaemon_t)
  
- libs_exec_ld_so(fsdaemon_t)
 @@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t)
  
  logging_send_syslog_msg(fsdaemon_t)
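Review bot: Replacing `application_signull` with `domain_signull_all_domains(fsdaemon_t)` widens the grant from application domains to every domain on the system; signull delivers no signal, but it does let smartd probe whether any PID exists, so the reason belongs in a comment above the call, e.g. `# smartd probes other processes with kill(pid, 0)` adjusted to whatever the AVC showed, since the motivation is not visible here. If the target is one specific domain, a targeted signull interface keeps the scope smaller.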
@@ -76248,9 +76297,17 @@ index 0000000..92c3638
 +
 +sysnet_dns_name_resolve(smsd_t)
 diff --git a/snmp.fc b/snmp.fc
-index c73fa24..9018dbc 100644
+index c73fa24..408ff61 100644
 --- a/snmp.fc
 +++ b/snmp.fc
+@@ -1,6 +1,6 @@
+ /etc/rc\.d/init\.d/((snmpd)|(snmptrapd))	--	gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+ 
+-/usr/sbin/snmptrap	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
++/usr/sbin/snmpd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
+ /usr/sbin/snmptrapd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)
+ 
+ /usr/share/snmp/mibs/\.index	--	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
 @@ -10,9 +10,12 @@
  
  /var/lib/net-snmp(/.*)?	gen_context(system_u:object_r:snmpd_var_lib_t,s0)
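Review bot: The hunk replaces the `/usr/sbin/snmptrap` entry with `/usr/sbin/snmpd` rather than adding a line, so snmptrap silently loses its snmpd_exec_t label while the changelog only says a missing context was added. If dropping snmptrap (a client tool, not the daemon) is intended, the changelog should say so; otherwise keep both entries, `/usr/sbin/snmpd	--	gen_context(system_u:object_r:snmpd_exec_t,s0)` followed by the original snmptrap line.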
@@ -83495,7 +83552,7 @@ index cf118fd..cd80e83 100644
 +	can_exec($1, consolehelper_exec_t)
 +')
 diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..9294dd6 100644
+index 274ed9c..57a9c3d 100644
 --- a/userhelper.te
 +++ b/userhelper.te
 @@ -1,15 +1,12 @@
@@ -83516,7 +83573,7 @@ index 274ed9c..9294dd6 100644
  
  type userhelper_conf_t;
  files_config_file(userhelper_conf_t)
-@@ -22,141 +19,71 @@ application_executable_file(consolehelper_exec_t)
+@@ -22,141 +19,72 @@ application_executable_file(consolehelper_exec_t)
  
  ########################################
  #
@@ -83533,8 +83590,8 @@ index 274ed9c..9294dd6 100644
 -dontaudit consolehelper_type userhelper_conf_t:file audit_access;
 -read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
 +allow consolehelper_domain self:shm create_shm_perms;
-+allow consolehelper_domain self:capability { setgid setuid dac_override }; 
-+allow consolehelper_domain self:process signal;
++allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice }; 
++allow consolehelper_domain self:process { signal_perms getsched setsched };
  
 -domain_use_interactive_fds(consolehelper_type)
 +allow consolehelper_domain  userhelper_conf_t:file audit_access;
@@ -83600,6 +83657,7 @@ index 274ed9c..9294dd6 100644
 +userdom_use_user_ptys(consolehelper_domain)
 +userdom_use_user_ttys(consolehelper_domain)
 +userdom_read_user_home_content_files(consolehelper_domain)
++userdom_search_admin_dir(consolehelper_domain)
  
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_search_cifs(consolehelper_type)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 32c43d1..679cc34 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,20 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Apr 8 2013 Dan Walsh <dwalsh at redhat.com> 3.12.1-28
+- Allow httpd_t to connect to osapi_compute port using httpd_use_openstack bolean
+- Fixes for dlm_controld
+- Fix apache_read_sys_content_rw_dirs() interface
+- Allow logrotate to read /var/log/z-push dir
+- Allow postfix_postdrop to acces postfix_public socket
+- Allow sched_setscheduler for cupsd_t
+- Add missing context for /usr/sbin/snmpd
+- Allow consolehelper more access discovered by Tom London
+- Allow fsdaemon to send signull to all domain
+- Add port definition for osapi_compute port
+- Allow unconfined to create /etc/hostname with correct labeling
+- Add systemd_filetrans_named_hostname() interface
+
 * Sat Apr 6 2013 Dan Walsh <dwalsh at redhat.com> 3.12.1-27
 - Fix file_contexts.subs to label /run/lock correctly
 

