[selinux-policy] - Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow

Miroslav Grepl mgrepl at fedoraproject.org
Wed Nov 10 10:04:50 UTC 2010


commit 5d168a352bfd7804b39320f1b00bd7f9928a6ef0
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Nov 10 11:04:39 2010 +0100

    - Allow groupd transition to fenced domain when executes fence_node
    - Fixes for rhcs policy
    - Allow mpd to be able to read samba/nfs files

 policy-F15.patch    |   42 ++++++++++++++++++++++++++++++------------
 selinux-policy.spec |    7 ++++++-
 2 files changed, 36 insertions(+), 13 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 9afa3e2..f8f4f66 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -24082,10 +24082,10 @@ index 0000000..311aaed
 +')
 diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
 new file mode 100644
-index 0000000..68af4e8
+index 0000000..5391d10
 --- /dev/null
 +++ b/policy/modules/services/mpd.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,121 @@
 +policy_module(mpd, 1.0.0)
 +
 +########################################
@@ -24184,6 +24184,16 @@ index 0000000..68af4e8
 +userdom_read_home_audio_files(mpd_t)
 +userdom_read_user_tmpfs_files(mpd_t)
 +
++tunable_policy(`use_samba_home_dirs',`
++    fs_read_cifs_files(mpd_t)
++    fs_read_cifs_symlinks(mpd_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++    fs_read_nfs_files(mpd_t)
++    fs_read_nfs_symlinks(mpd_t)
++')
++
 +optional_policy(`
 +	dbus_system_bus_client(mpd_t)
 +')
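Review bot: The two added tunable_policy blocks indent their body with four spaces, while the surrounding mpd.te lines (the `dbus_system_bus_client(mpd_t)` call directly below) use a tab, so the new lines should use tabs to match the file. The blocks also lack a comment saying why CIFS/NFS read access is gated on the home-directory booleans instead of being granted outright; given `userdom_read_home_audio_files(mpd_t)` just above, a line such as `# mpd reads music from home directories, which may live on CIFS/NFS shares` above the first tunable_policy would make the intent visible. Note that the access is therefore only active when use_samba_home_dirs or use_nfs_home_dirs is enabled, which is narrower than "read samba/nfs files" suggests. The mpd.te body continues beyond the hunk.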
@@ -30843,7 +30853,7 @@ index de37806..229a3c7 100644
 +	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..8d40ec9 100644
+index 93c896a..b6f0f45 100644
 --- a/policy/modules/services/rhcs.te
 +++ b/policy/modules/services/rhcs.te
 @@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0)
@@ -30876,7 +30886,7 @@ index 93c896a..8d40ec9 100644
  #####################################
  #
  # dlm_controld local policy
-@@ -55,17 +61,13 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -55,20 +61,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -30895,7 +30905,11 @@ index 93c896a..8d40ec9 100644
  
  allow fenced_t self:tcp_socket create_stream_socket_perms;
  allow fenced_t self:udp_socket create_socket_perms;
-@@ -82,7 +84,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
++allow fenced_t self:unix_stream_socket connectto;
+ 
+ can_exec(fenced_t, fenced_exec_t)
+ 
+@@ -82,7 +85,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -30906,7 +30920,7 @@ index 93c896a..8d40ec9 100644
  
  corenet_tcp_connect_http_port(fenced_t)
  
-@@ -104,9 +109,13 @@ tunable_policy(`fenced_can_network_connect',`
+@@ -104,9 +110,13 @@ tunable_policy(`fenced_can_network_connect',`
  	corenet_tcp_connect_all_ports(fenced_t)
  ')
  
@@ -30921,7 +30935,7 @@ index 93c896a..8d40ec9 100644
  ')
  
  optional_policy(`
-@@ -120,7 +129,6 @@ optional_policy(`
+@@ -120,7 +130,6 @@ optional_policy(`
  #
  
  allow gfs_controld_t self:capability { net_admin sys_resource };
@@ -30929,7 +30943,7 @@ index 93c896a..8d40ec9 100644
  allow gfs_controld_t self:shm create_shm_perms;
  allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -139,10 +147,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +148,6 @@ storage_getattr_removable_dev(gfs_controld_t)
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -30940,15 +30954,19 @@ index 93c896a..8d40ec9 100644
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -154,7 +158,6 @@ optional_policy(`
+@@ -154,9 +159,10 @@ optional_policy(`
  
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
 -
  allow groupd_t self:shm create_shm_perms;
  
++domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
++
  dev_list_sysfs(groupd_t)
-@@ -168,8 +171,7 @@ init_rw_script_tmp_files(groupd_t)
+ 
+ files_read_etc_files(groupd_t)
+@@ -168,8 +174,7 @@ init_rw_script_tmp_files(groupd_t)
  # qdiskd local policy
  #
  
@@ -30958,7 +30976,7 @@ index 93c896a..8d40ec9 100644
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
-@@ -207,10 +209,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +212,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
  auth_use_nsswitch(qdiskd_t)
  
  optional_policy(`
@@ -30969,7 +30987,7 @@ index 93c896a..8d40ec9 100644
  	netutils_domtrans_ping(qdiskd_t)
  ')
  
-@@ -223,18 +221,24 @@ optional_policy(`
+@@ -223,18 +224,24 @@ optional_policy(`
  # rhcs domains common policy
  #
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3781100..6253bd8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
 %endif
 
 %changelog
+* Wed Nov 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.8-4
+- Allow groupd transition to fenced domain when executes fence_node
+- Fixes for rchs policy
+- Allow mpd to be able to read samba/nfs files
+
 * Tue Nov 9 2010 Dan Walsh <dwalsh at redhat.com> 3.9.8-3
 - Fix up corecommands.fc to match upstream
 - Make sure /lib/systemd/* is labeled init_exec_t

