[selinux-policy/f18] - Allow NM and openvpn to acces files on encrypt /home - Allow procmail to manger user tmp files/dir
Miroslav Grepl
mgrepl at fedoraproject.org
Fri May 3 13:10:11 UTC 2013
commit 05b7b4867720a81297015fb5af0a81a5fd120fd7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri May 3 15:09:44 2013 +0200
- Allow NM and openvpn to access files on encrypted /home
- Allow procmail to manage user tmp files/dirs/lnk_files
- Add virt_stream_connect_svirt() interface
- Allow dovecot-auth to execute bin_t
- Allow iscsid to request that kernel load a kernel module
- Add labeling support for /var/lib/mod_security
- Backport tuned policy from F19
- Dontaudit sys_tty_config for thumb_t
- Add labeling for nm-l2tp-service
- Allow httpd running as certwatch_t to open tcp socket
- Fix allow rules for postfix_var_run
- Allow cobblerd to read /etc/passwd
- Add support for nginx
- Allow tcpd to execute leafnode
- Allow mount to stream connect to rpcbind
- Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki
policy-f18-base.patch | 13 +++++++------
policy-f18-contrib.patch | 30 +++++++++++++++++++++---------
selinux-policy.spec | 16 ++++++++++++++++
3 files changed, 44 insertions(+), 15 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 25e4754..aebdb30 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -138789,7 +138789,7 @@ index f8eeecd..9a88637 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index fe3427d..a3e8830 100644
+index fe3427d..33a2562 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
@@ -138820,7 +138820,7 @@ index fe3427d..a3e8830 100644
/usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
/usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
-+/usr/share/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/usr/share/pki/ca-trust-source(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
@@ -139734,7 +139734,7 @@ index 4584457..0755e25 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 63931f6..f7d4fe6 100644
+index 63931f6..0e08b2d 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
@@ -140000,16 +140000,17 @@ index 63931f6..f7d4fe6 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +256,8 @@ optional_policy(`
+@@ -179,6 +256,9 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
+
+ rpc_domtrans_rpcd(mount_t)
++ rpcbind_stream_connect(mount_t)
')
optional_policy(`
-@@ -186,6 +265,32 @@ optional_policy(`
+@@ -186,6 +266,32 @@ optional_policy(`
')
optional_policy(`
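Review bot: `rpcbind_stream_connect(mount_t)` is added inside the same optional_policy block as `fs_search_rpc(mount_t)`, `rpc_stub(mount_t)` and `rpc_domtrans_rpcd(mount_t)`, so it is gated on the rpc module rather than on the module that defines the rpcbind interfaces. If, as the `rpcbind_` prefix suggests, those interfaces live in a separate rpcbind module, a policy build that has rpc but not rpcbind fails on this block instead of simply skipping the new rule. The refpolicy convention is one optional_policy block per module, so this line would go in its own block holding only `rpcbind_stream_connect(mount_t)`. The enclosing mount.te hunk continues outside the visible lines.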
@@ -140042,7 +140043,7 @@ index 63931f6..f7d4fe6 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +298,125 @@ optional_policy(`
+@@ -193,21 +299,125 @@ optional_policy(`
')
')
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 6ddbdb1..5c2edfb 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -10722,7 +10722,7 @@ index 116d60f..83d5104 100644
- allow $2 system_r;
')
diff --git a/cobbler.te b/cobbler.te
-index 0258b48..8bb34e2 100644
+index 0258b48..260d23d 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -1,18 +1,43 @@
@@ -10829,7 +10829,7 @@ index 0258b48..8bb34e2 100644
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
-@@ -53,31 +93,49 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
+@@ -53,31 +93,51 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
kernel_read_system_state(cobblerd_t)
@@ -10877,6 +10877,8 @@ index 0258b48..8bb34e2 100644
+
+term_use_console(cobblerd_t)
+
++auth_read_passwd(cobblerd_t)
++
+logging_send_syslog_msg(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
@@ -10887,7 +10889,7 @@ index 0258b48..8bb34e2 100644
sysnet_rw_dhcp_config(cobblerd_t)
sysnet_write_config(cobblerd_t)
-@@ -85,6 +143,28 @@ tunable_policy(`cobbler_anon_write',`
+@@ -85,6 +145,28 @@ tunable_policy(`cobbler_anon_write',`
miscfiles_manage_public_files(cobblerd_t)
')
@@ -10916,7 +10918,7 @@ index 0258b48..8bb34e2 100644
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
-@@ -95,6 +175,10 @@ optional_policy(`
+@@ -95,6 +177,10 @@ optional_policy(`
')
optional_policy(`
@@ -10927,7 +10929,7 @@ index 0258b48..8bb34e2 100644
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
')
-@@ -111,18 +195,11 @@ optional_policy(`
+@@ -111,18 +197,11 @@ optional_policy(`
optional_policy(`
rsync_read_config(cobblerd_t)
@@ -50859,7 +50861,7 @@ index 46bee12..20a3ccd 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index a1e0f60..c119a31 100644
+index a1e0f60..63051d9 100644
--- a/postfix.te
+++ b/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -51421,7 +51423,7 @@ index a1e0f60..c119a31 100644
+
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
+
-+allow postfix_domain postfix_var_run_t:file manage_file_perms;
++manage_files_pattern(postfix_t, postfix_var_run_t, postfix_var_run_t)
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+
+kernel_read_network_state(postfix_domain)
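Review bot: The replacement line narrows manage permission on postfix_var_run_t files from the postfix_domain attribute to postfix_t alone, but the unchanged `files_pid_filetrans(postfix_domain, postfix_var_run_t, file)` on the next line still lets every postfix domain create files that receive the postfix_var_run_t label; unless those domains get file permissions on that type elsewhere, they can create pid files they can no longer write, rename or unlink, which is a likely source of new denials. If only postfix_t is meant to own these files, narrow the transition to match, `files_pid_filetrans(postfix_t, postfix_var_run_t, file)`; otherwise keep a rule for the attribute. Note also that manage_files_pattern grants rw_dir_perms on postfix_var_run_t directories in addition to the file permissions, which the old `:file manage_file_perms` rule did not — confirm that is intended. The surrounding postfix.te block starts and ends outside the hunk.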
@@ -68952,7 +68954,7 @@ index 0ecd8a7..b532568 100644
- logging_send_syslog_msg(sysstat_t)
-')
diff --git a/tcpd.te b/tcpd.te
-index 7038b55..8961067 100644
+index 7038b55..b062ff2 100644
--- a/tcpd.te
+++ b/tcpd.te
@@ -22,7 +22,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
@@ -68963,7 +68965,17 @@ index 7038b55..8961067 100644
corenet_all_recvfrom_netlabel(tcpd_t)
corenet_tcp_sendrecv_generic_if(tcpd_t)
corenet_tcp_sendrecv_generic_node(tcpd_t)
-@@ -39,8 +38,6 @@ files_dontaudit_search_var(tcpd_t)
+@@ -30,8 +29,7 @@ corenet_tcp_sendrecv_all_ports(tcpd_t)
+
+ fs_getattr_xattr_fs(tcpd_t)
+
+-# Run other daemons in the inetd child domain.
+-corecmd_search_bin(tcpd_t)
++corecmd_exec_bin(tcpd_t)
+
+ files_read_etc_files(tcpd_t)
+ # no good reason for files_dontaudit_search_var, probably nscd
+@@ -39,8 +37,6 @@ files_dontaudit_search_var(tcpd_t)
logging_send_syslog_msg(tcpd_t)
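Review bot: Replacing `corecmd_search_bin(tcpd_t)` with `corecmd_exec_bin(tcpd_t)` lets tcpd_t execute any bin_t binary in its own domain, not only leafnode, and the hunk also drops the comment `# Run other daemons in the inetd child domain.` that explained the narrower previous grant. Anything executed this way inherits tcpd_t's permissions, including the corenet_* network rules visible just above, whereas a domain transition for the specific program would confine it separately; if the broad exec is deliberate because leafnode has no domain of its own, record that in place of the removed comment, e.g. `# leafnode has no domain of its own, so it runs as tcpd_t (exec_bin is broader than strictly needed)`. The rest of tcpd.te lies outside the hunk.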
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a7047bc..2df75a0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -523,6 +523,22 @@ SELinux Reference policy mls base module.
%Changelog
* Thu May 2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-93
- Allow pki apache domain to create own tmp files and execute httpd_suexec
+- Allow NM and openvpn to acces files on encrypt /home
+- Allow procmail to manger user tmp files/dirs/lnk_files
+- Add virt_stream_connect_svirt() interface
+- Allow dovecot-auth to execute bin_t
+- Allow iscsid to request that kernel load a kernel module
+- Add labeling support for /var/lib/mod_security
+- Backport tuned policy from F19
+- Dontaudit sys_tty_config for thumb_t
+- Add labeling for nm-l2tp-service
+- Allow httpd running as certwatch_t to open tcp socket
+- Fix allow rules for postfix_var_run
+- Allow cobblerd to read /etc/passwd
+- Add support for nginx
+- Allow tcpd to execute leafnode
+- Allow mout to stream connect to rpcbind
+- Add labeling just for /usr/share/pki/ca-trust-source instead of /usr/share/pki
* Fri Apr 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-92
- Eliminate dontaudit rules so setroubleshoot and audit2allow can tell user what to do if apache attempts to use the terminal