[selinux-policy/f12/master] - Fixes for nut policy
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Sep 1 13:25:23 UTC 2010
commit 8d7a021376cd846e21b1322f0568c0cf93704241
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Sep 1 15:25:15 2010 +0200
- Fixes for nut policy
policy-20100106.patch | 108 ++++++++++++++++++++++++++++++++++++++++++++----
selinux-policy.spec | 5 ++-
2 files changed, 103 insertions(+), 10 deletions(-)
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index ba65e07..7b83d7e 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -3073,7 +3073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-04-16 09:19:46.149614555 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-09-01 14:34:55.989084677 +0200
@@ -166,6 +166,7 @@
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
@@ -3103,7 +3103,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -299,6 +304,7 @@
+@@ -244,6 +249,7 @@
+ /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/turboprint/lib(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/wicd/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+
+@@ -299,6 +305,7 @@
/usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -11711,8 +11719,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-01-18 18:24:22.836530501 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nut.te 2010-03-15 12:18:24.764614391 +0100
-@@ -96,9 +96,6 @@
++++ serefpolicy-3.6.32/policy/modules/services/nut.te 2010-09-01 14:31:37.938334024 +0200
+@@ -79,13 +79,15 @@
+ allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+ allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow nut_upsmon_t self:tcp_socket create_socket_perms;
++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+
+ read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+ # pid file
+ manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+ manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file })
++manage_sock_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file sock_file })
+
+ corenet_tcp_connect_ups_port(nut_upsmon_t)
+ #corenet_tcp_connect_generic_port(nut_upsmon_t)
+@@ -96,9 +98,6 @@
kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
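Review bot: The `# pid file` comment in nut.te now sits above rules that also create and manage socket files in nut_var_run_t, so it understates what the block grants. `# pid file and socket files` would match the new `manage_sock_files_pattern` line and the `{ file sock_file }` transition. The added `allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };` is also uncommented, and a short remark on which upsmon path connects to a socket of its own domain would help a later audit of this policy. The surrounding upsmon policy block starts and ends outside the hunk.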
@@ -11722,7 +11747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
-@@ -118,6 +115,12 @@
+@@ -118,6 +117,12 @@
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)
@@ -11735,7 +11760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Local policy for upsdrvctl
-@@ -140,7 +143,6 @@
+@@ -140,7 +145,6 @@
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
# /sbin/upsdrvctl executes other drivers
@@ -11743,7 +11768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(nut_upsdrvctl_t)
corecmd_exec_sbin(nut_upsdrvctl_t)
-@@ -177,7 +179,6 @@
+@@ -177,7 +181,6 @@
corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
@@ -13013,6 +13038,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Read qmail configuration files.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.6.32/policy/modules/services/qmail.te
+--- nsaserefpolicy/policy/modules/services/qmail.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/qmail.te 2010-09-01 14:27:05.270334208 +0200
+@@ -125,6 +125,10 @@
+ spamassassin_domtrans_client(qmail_local_t)
+ ')
+
++optional_policy(`
++ uucp_domtrans(qmail_local_t)
++')
++
+ ########################################
+ #
+ # qmail-lspawn local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.6.32/policy/modules/services/qpidd.fc
--- nsaserefpolicy/policy/modules/services/qpidd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/qpidd.fc 2010-03-23 13:40:07.842390658 +0100
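Review bot: The new `optional_policy` block in qmail.te lets qmail_local_t transition into uucpd_t, but nothing in the hunk says which delivery path needs it, and the commit subject and changelog entry mention only nut. A comment above the block, for example `# <bug or AVC reference>: qmail-local runs uucico`, would record why the transition exists. The same applies to the `signal` permission added to `allow chkpwd_t self:process` in the authlogin.te hunk. chkpwd_t reads shadow_t and holds `setuid` and `dac_override`, so each permission added to it should carry a stated reason.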
@@ -15236,6 +15275,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+auth_use_nsswitch(usbmuxd_t)
+
+logging_send_syslog_msg(usbmuxd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.6.32/policy/modules/services/uucp.if
+--- nsaserefpolicy/policy/modules/services/uucp.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/uucp.if 2010-09-01 14:27:51.808084472 +0200
+@@ -1,5 +1,24 @@
+ ## <summary>Unix to Unix Copy</summary>
+
++#######################################
++## <summary>
++## Execute the uucico program in the
++## uucpd_t domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`uucp_domtrans',`
++ gen_require(`
++ type uucpd_t, uucpd_exec_t;
++ ')
++
++ domtrans_pattern($1, uucpd_exec_t, uucpd_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the specified domain to append
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.6.32/policy/modules/services/varnishd.if
--- nsaserefpolicy/policy/modules/services/varnishd.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/services/varnishd.if 2010-04-13 14:36:06.397612500 +0200
@@ -17585,6 +17652,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kerberos_use($1)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-01-18 18:24:22.929540026 +0100
++++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2010-09-01 14:37:19.726085065 +0200
+@@ -84,7 +84,7 @@
+
+ allow chkpwd_t self:capability { dac_override setuid };
+ dontaudit chkpwd_t self:capability sys_tty_config;
+-allow chkpwd_t self:process getattr;
++allow chkpwd_t self:process { getattr signal };
+
+ allow chkpwd_t shadow_t:file read_file_perms;
+ files_list_etc(chkpwd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.6.32/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/daemontools.if 2010-02-11 14:55:16.780616974 +0100
@@ -18889,8 +18968,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-01-18 18:24:22.965530078 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2010-03-01 16:18:46.909490203 +0100
-@@ -1142,6 +1142,27 @@
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2010-09-01 14:23:30.404335337 +0200
+@@ -525,6 +525,10 @@
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, setfiles_exec_t, setfiles_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit setfiles_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
+@@ -1142,6 +1146,27 @@
role $2 types setsebool_t;
')
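Review bot: The added `dontaudit setfiles_t $1:socket_class_set { read write };` silences denials on sockets inherited from every domain that calls this interface, across all socket classes, so a caller leaking an open socket into setfiles no longer appears in the audit log. Gating it behind `hide_broken_symptoms` is reasonable, but a comment such as `# leaked socket descriptors from the calling domain` would make clear that the real fix belongs in the caller (close-on-exec). During an investigation the rule can be lifted by rebuilding with dontaudit rules disabled (`semodule -DB`). The interface header is outside the hunk.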
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1c49c5c..62acc0a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 121%{?dist}
+Release: 122%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Wed Sep 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-122
+- Fixes for nut policy
+
* Tue Aug 17 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-121
- Fix label for mount.crypt
- Allow dhcpc to read Network Manger lib files