[selinux-policy] +- Use fs_use_xattr for squashf +- Fix procs_type interface +- Dovecot has a new fifo_file /var/run

Miroslav Grepl mgrepl at fedoraproject.org
Thu Dec 1 17:26:02 UTC 2011


commit 4fe804b3672ac0f8fda34c6e45a04d2eaafd8e85
Author: Miroslav <mgrepl at redhat.com>
Date:   Thu Dec 1 18:25:51 2011 +0100

    +- Use fs_use_xattr for squashf
    +-  Fix procs_type interface
    +- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
    +- Dovecot has a new fifo_file /var/run/stats-mail
    +- Colord does not need to connect to network
    +- Allow system_cronjob to dbus chat with NetworkManager
    +- Puppet manages content, want to make sure it labels everything correctly

 policy-F16.patch    |  268 +++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |   11 ++-
 2 files changed, 194 insertions(+), 85 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index e9a7f65..b1d4625 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -18475,7 +18475,7 @@ index ff006ea..b682bcf 100644
 +	dontaudit $1 file_type:dir_file_class_set write;
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 22821ff..4e8d594 100644
+index 22821ff..4486d80 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -10,7 +10,9 @@ attribute files_unconfined_type;
@@ -18515,7 +18515,7 @@ index 22821ff..4e8d594 100644
  #
  type system_map_t;
  files_type(system_map_t)
-+procs_type(system_map_t)
++kernel_proc_type(system_map_t)
  genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
  
  #
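Review bot: The rename of `procs_type` to `kernel_proc_type` is applied here to its only visible caller (`system_map_t`), and the kernel.if hunk below replaces the interface name outright, so any other module in the tree that still calls `procs_type(` will fail at policy build time; I cannot see the rest of the patch from here, so please confirm no such callers remain. That same kernel.if hunk also adds the semicolon that was missing after `attribute proc_type` inside `gen_require`, which is the substantive fix behind the "Fix procs_type interface" changelog entry.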
@@ -19114,10 +19114,18 @@ index 97fcdac..6342520 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f125dc2..3c6e827 100644
+index f125dc2..f5e522e 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -52,6 +52,7 @@ type anon_inodefs_t;
+@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
+ 
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -52,6 +53,7 @@ type anon_inodefs_t;
  fs_type(anon_inodefs_t)
  files_mountpoint(anon_inodefs_t)
  genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
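Review bot: Moving squashfs from a `genfscon`-style single type to `fs_use_xattr` (the added line in this hunk) changes what a squashfs image built without `security.selinux` xattrs looks like: its inodes no longer all get one filesystem type and will instead show up unlabeled unless the image is mounted with a `context=`/`defcontext=` option, so domains that read such images (live media, for instance) may start seeing denials that the old `squash_t` never produced. The companion hunk further down that deletes `type squash_t` also removes a type that filesystem.if or out-of-tree modules may still reference, which would break the build; please grep the tree for remaining `squash_t` uses. A comment above the new line, `# squashfs carries security xattrs on current kernels; images built without them need a context= mount option`, would record the assumption for the next reader.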
@@ -19125,7 +19133,7 @@ index f125dc2..3c6e827 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -67,7 +68,7 @@ fs_type(capifs_t)
+@@ -67,7 +69,7 @@ fs_type(capifs_t)
  files_mountpoint(capifs_t)
  genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
  
@@ -19134,7 +19142,7 @@ index f125dc2..3c6e827 100644
  fs_type(cgroup_t)
  files_type(cgroup_t)
  files_mountpoint(cgroup_t)
-@@ -96,6 +97,7 @@ type hugetlbfs_t;
+@@ -96,6 +98,7 @@ type hugetlbfs_t;
  fs_type(hugetlbfs_t)
  files_mountpoint(hugetlbfs_t)
  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -19142,7 +19150,19 @@ index f125dc2..3c6e827 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -175,6 +177,7 @@ fs_type(tmpfs_t)
+@@ -144,11 +147,6 @@ fs_type(spufs_t)
+ genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+ files_mountpoint(spufs_t)
+ 
+-type squash_t;
+-fs_type(squash_t)
+-genfscon squash / gen_context(system_u:object_r:squash_t,s0)
+-files_mountpoint(squash_t)
+-
+ type sysv_t;
+ fs_noxattr_type(sysv_t)
+ files_mountpoint(sysv_t)
+@@ -175,6 +173,7 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -19150,7 +19170,7 @@ index f125dc2..3c6e827 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +257,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -19159,7 +19179,7 @@ index f125dc2..3c6e827 100644
  files_mountpoint(removable_t)
  
  #
-@@ -273,6 +278,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -19168,7 +19188,7 @@ index f125dc2..3c6e827 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 6346378..4845190 100644
+index 6346378..34c6897 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -345,13 +345,8 @@ interface(`kernel_load_module',`
@@ -19383,9 +19403,9 @@ index 6346378..4845190 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`procs_type',`
++interface(`kernel_proc_type',`
 +	gen_require(`
-+		attribute proc_type
++		attribute proc_type;
 +	')
 +
 +	typeattribute $1 proc_type;
@@ -31285,24 +31305,10 @@ index 0000000..ca71d08
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..2f9b1bc 100644
+index 74505cc..be3683b 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
-@@ -5,6 +5,13 @@ policy_module(colord, 1.0.0)
- # Declarations
- #
- 
-+## <desc>
-+##  <p>
-+##  Allow colord domain to connect to the network using TCP.
-+##  </p>
-+## </desc>
-+gen_tunable(colord_can_network_connect, false)
-+
- type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
-@@ -23,9 +30,11 @@ files_type(colord_var_lib_t)
+@@ -23,9 +23,11 @@ files_type(colord_var_lib_t)
  # colord local policy
  #
  allow colord_t self:capability { dac_read_search dac_override };
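Review bot: Dropping the `colord_can_network_connect` tunable (this hunk, plus the `tunable_policy` block removed in the hunk further down) tightens colord_t, since the optional `corenet_tcp_connect_all_ports(colord_t)` path disappears entirely, which fits the "does not need to connect to network" entry. It does, however, remove a boolean that an earlier release may already have shipped; if so, any persisted `booleans.local`/`semanage boolean` entry naming it will error after the upgrade, and a short changelog line saying the boolean was removed would save administrators a puzzled look. The surviving `corenet_tcp_connect_ipp_port(colord_t)` context line suggests the printer path is still covered, which matches the intent.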
@@ -31314,7 +31320,7 @@ index 74505cc..2f9b1bc 100644
  allow colord_t self:udp_socket create_socket_perms;
  allow colord_t self:unix_dgram_socket create_socket_perms;
  
-@@ -41,8 +50,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+@@ -41,8 +43,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
  files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
@@ -31330,7 +31336,7 @@ index 74505cc..2f9b1bc 100644
  
  corenet_all_recvfrom_unlabeled(colord_t)
  corenet_all_recvfrom_netlabel(colord_t)
-@@ -50,6 +65,8 @@ corenet_udp_bind_generic_node(colord_t)
+@@ -50,6 +58,8 @@ corenet_udp_bind_generic_node(colord_t)
  corenet_udp_bind_ipp_port(colord_t)
  corenet_tcp_connect_ipp_port(colord_t)
  
@@ -31339,7 +31345,7 @@ index 74505cc..2f9b1bc 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,19 +82,37 @@ files_list_mnt(colord_t)
+@@ -65,19 +75,33 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -31363,10 +31369,6 @@ index 74505cc..2f9b1bc 100644
 +userdom_rw_user_tmpfs_files(colord_t)
 +
 +userdom_home_reader(colord_t)
-+
-+tunable_policy(`colord_can_network_connect',`
-+    corenet_tcp_connect_all_ports(colord_t)
-+')
  
  tunable_policy(`use_nfs_home_dirs',`
 +	fs_getattr_nfs(colord_t)
@@ -31378,7 +31380,7 @@ index 74505cc..2f9b1bc 100644
  	fs_read_cifs_files(colord_t)
  ')
  
-@@ -89,6 +124,12 @@ optional_policy(`
+@@ -89,6 +113,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31391,7 +31393,7 @@ index 74505cc..2f9b1bc 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -96,5 +137,16 @@ optional_policy(`
+@@ -96,5 +126,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32485,7 +32487,7 @@ index 35241ed..7a0913c 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..230cbb2 100644
+index f7583ab..a4d25d9 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -32878,7 +32880,18 @@ index f7583ab..230cbb2 100644
  ')
  
  optional_policy(`
-@@ -480,7 +582,7 @@ optional_policy(`
+@@ -472,6 +574,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	networkmanager_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
+ 	postfix_read_config(system_cronjob_t)
+ ')	
+ 
+@@ -480,7 +586,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
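Review bot: `networkmanager_dbus_chat(system_cronjob_t)` grants `dbus send_msg` in both directions between system_cronjob_t and the NetworkManager domain, as the `*_dbus_chat` interfaces generally do, and it only has an effect if system_cronjob_t is already a system bus client (`dbus_system_bus_client` or equivalent), which this hunk does not show. If that client access lives in a separate `optional_policy(\` dbus ... ')` block elsewhere in cron.te, the usual placement is inside it (or guarded by a nested `optional_policy`) rather than as a free-standing block, so the rule cannot outlive the dbus module. A one-line comment above the call naming which cron job actually talks to NetworkManager would let the next reviewer judge whether the bidirectional chat is the narrowest fit.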
@@ -32887,7 +32900,7 @@ index f7583ab..230cbb2 100644
  ')
  
  optional_policy(`
-@@ -495,6 +597,7 @@ optional_policy(`
+@@ -495,6 +601,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -32895,7 +32908,7 @@ index f7583ab..230cbb2 100644
  ')
  
  optional_policy(`
-@@ -502,7 +605,13 @@ optional_policy(`
+@@ -502,7 +609,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32909,7 +32922,7 @@ index f7583ab..230cbb2 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +704,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +708,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -36655,7 +36668,7 @@ index e1d7dc5..0557be0 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..194f170 100644
+index acf6d4f..47969fe 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -36709,7 +36722,7 @@ index acf6d4f..194f170 100644
  files_search_etc(dovecot_t)
  
  can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,10 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
  
@@ -36718,11 +36731,12 @@ index acf6d4f..194f170 100644
  manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
  manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
 -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
-+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
++manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
  
  kernel_read_kernel_sysctls(dovecot_t)
  kernel_read_system_state(dovecot_t)
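Review bot: Adding `fifo_file` to `files_pid_filetrans(dovecot_t, dovecot_var_run_t, ...)` (the new line in this hunk) labels every FIFO that dovecot_t creates directly under /var/run as dovecot_var_run_t, not only the `stats-mail` pipe the changelog names; since this tree already uses named file transitions (see the puppet `*_filetrans_named_content` hunks), a name-qualified transition for `stats-mail` would keep the grant as narrow as the stated need, provided `files_pid_filetrans` in this tree accepts the optional name argument. The changelog lists both `/var/run/dovecot/stats-mail` and `/var/run/stats-mail`; a FIFO created inside an already-labeled `/var/run/dovecot` directory inherits dovecot_var_run_t from its parent without any /var/run transition, so if only the first path exists the new transition is unnecessary and the second changelog line looks like a duplicate. The added `manage_fifo_files_pattern` line is needed in either case.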
-@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,6 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
  corenet_tcp_bind_generic_node(dovecot_t)
  corenet_tcp_bind_mail_port(dovecot_t)
  corenet_tcp_bind_pop_port(dovecot_t)
@@ -36730,7 +36744,7 @@ index acf6d4f..194f170 100644
  corenet_tcp_bind_sieve_port(dovecot_t)
  corenet_tcp_connect_all_ports(dovecot_t)
  corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -135,6 +142,7 @@ files_dontaudit_list_default(dovecot_t)
+@@ -135,6 +143,7 @@ files_dontaudit_list_default(dovecot_t)
  # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
  files_read_etc_runtime_files(dovecot_t)
  files_search_all_mountpoints(dovecot_t)
@@ -36738,7 +36752,7 @@ index acf6d4f..194f170 100644
  
  init_getattr_utmp(dovecot_t)
  
-@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t)
+@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t)
  miscfiles_read_generic_certs(dovecot_t)
  miscfiles_read_localization(dovecot_t)
  
@@ -36746,7 +36760,7 @@ index acf6d4f..194f170 100644
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -160,6 +169,15 @@ optional_policy(`
+@@ -160,6 +170,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36762,7 +36776,7 @@ index acf6d4f..194f170 100644
  	postgresql_stream_connect(dovecot_t)
  ')
  
-@@ -180,8 +198,8 @@ optional_policy(`
+@@ -180,8 +199,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -36773,7 +36787,7 @@ index acf6d4f..194f170 100644
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +208,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +209,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -36783,7 +36797,7 @@ index acf6d4f..194f170 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +222,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +223,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
@@ -36796,7 +36810,7 @@ index acf6d4f..194f170 100644
  dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +240,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +241,8 @@ files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
  files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
@@ -36806,7 +36820,7 @@ index acf6d4f..194f170 100644
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -236,6 +261,8 @@ optional_policy(`
+@@ -236,6 +262,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -36815,7 +36829,7 @@ index acf6d4f..194f170 100644
  ')
  
  optional_policy(`
-@@ -243,6 +270,8 @@ optional_policy(`
+@@ -243,6 +271,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36824,7 +36838,7 @@ index acf6d4f..194f170 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +279,42 @@ optional_policy(`
+@@ -250,23 +280,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -36869,7 +36883,7 @@ index acf6d4f..194f170 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -283,24 +331,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +332,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -53252,7 +53266,7 @@ index 2855a44..58bb459 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 +')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..fa3c113 100644
+index 64c5f95..39d23dc 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -53376,7 +53390,7 @@ index 64c5f95..fa3c113 100644
  	files_rw_var_files(puppet_t)
  
  	rpm_domtrans(puppet_t)
-@@ -156,13 +188,68 @@ optional_policy(`
+@@ -156,13 +188,136 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53387,8 +53401,77 @@ index 64c5f95..fa3c113 100644
 +    usermanage_access_check_useradd(puppet_t)
 +')
 +
-+########################################
-+#
++optional_policy(`
++	auth_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	alsa_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	bootloader_filetrans_config(puppet_t)
++')
++
++optional_policy(`
++	devicekit_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	dnsmasq_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	kerberos_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	libs_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	miscfiles_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	mta_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	modules_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	networkmanager_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	nx_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	postfix_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	quota_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	sysnet_filetrans_named_content(puppet_t)
++')
++
++optional_policy(`
++	virt_filetrans_home_content(puppet_t)
++')
++
++optional_policy(`
++	ssh_filetrans_admin_home_content(puppet_t)
+ ')
+ 
+ ########################################
+ #
+-# Pupper master personal policy
 +# PuppetCA personal policy
 +#
 +
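Review bot: The run of seventeen `*_filetrans_named_content(puppet_t)` calls carries no comment explaining why puppet_t needs named file transitions into so many unrelated modules; a header such as `# puppet writes configuration for many services; named transitions label what it creates correctly` above the first `optional_policy` would put the changelog's rationale into the policy itself. Most of the listed interfaces cover /etc-style configuration, but `virt_filetrans_home_content` and `ssh_filetrans_admin_home_content` affect home-directory content, which is a different scope; worth confirming puppet actually manages those paths on the target systems rather than granting them by analogy. The enclosing `optional_policy` sequence starts before this hunk.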
@@ -53439,16 +53522,15 @@ index 64c5f95..fa3c113 100644
 +    usermanage_access_check_groupadd(puppet_t)
 +    usermanage_access_check_passwd(puppet_t)
 +    usermanage_access_check_useradd(puppet_t)
- ')
- 
- ########################################
- #
--# Pupper master personal policy
++')
++
++########################################
++#
 +# Puppet master personal policy
  #
  
  allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +258,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +326,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
  allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
  allow puppetmaster_t self:socket create;
  allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@@ -53488,7 +53570,7 @@ index 64c5f95..fa3c113 100644
  
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +300,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +368,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
  corenet_tcp_bind_puppet_port(puppetmaster_t)
  corenet_sendrecv_puppet_server_packets(puppetmaster_t)
  
@@ -53502,11 +53584,11 @@ index 64c5f95..fa3c113 100644
  
  domain_read_all_domains_state(puppetmaster_t)
 +domain_obj_id_change_exemption(puppetmaster_t)
-+
-+files_read_usr_files(puppetmaster_t)
  
 -files_read_etc_files(puppetmaster_t)
 -files_search_var_lib(puppetmaster_t)
++files_read_usr_files(puppetmaster_t)
++
 +selinux_validate_context(puppetmaster_t)
 +
 +auth_use_nsswitch(puppetmaster_t)
@@ -53538,7 +53620,7 @@ index 64c5f95..fa3c113 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -231,3 +350,9 @@ optional_policy(`
+@@ -231,3 +418,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -59443,7 +59525,7 @@ index 623c8fa..0a802f7 100644
  /var/run/snmpd(/.*)?		gen_context(system_u:object_r:snmpd_var_run_t,s0)
  /var/run/snmpd\.pid	--	gen_context(system_u:object_r:snmpd_var_run_t,s0)
 diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
-index 275f9fb..ad10bef 100644
+index 275f9fb..f1343b7 100644
 --- a/policy/modules/services/snmp.if
 +++ b/policy/modules/services/snmp.if
 @@ -11,12 +11,12 @@
@@ -59463,7 +59545,7 @@ index 275f9fb..ad10bef 100644
  ')
  
  ########################################
-@@ -62,6 +62,7 @@ interface(`snmp_read_snmp_var_lib_files',`
+@@ -62,11 +62,70 @@ interface(`snmp_read_snmp_var_lib_files',`
  		type snmpd_var_lib_t;
  	')
  
@@ -59471,10 +59553,29 @@ index 275f9fb..ad10bef 100644
  	allow $1 snmpd_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
  	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-@@ -69,6 +70,45 @@ interface(`snmp_read_snmp_var_lib_files',`
+ ')
  
- ########################################
- ## <summary>
++#######################################
++## <summary>
++##  Read snmpd libraries directories
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`snmp_read_snmp_var_lib_dirs',`
++    gen_require(`
++        type snmpd_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    allow $1 snmpd_var_lib_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Manage snmpd libraries directories
 +## </summary>
 +## <param name="domain">
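Review bot: The new `snmp_read_snmp_var_lib_dirs` interface is indented with spaces while the surrounding snmp.if uses tabs (compare the `files_search_var_lib($1)` context line of the neighbouring interface), and its banner is one `#` shorter than the other separators in the file; matching the file's style keeps later diffs from churning on whitespace. The body itself is the minimal read access to the directory, `files_search_var_lib($1)` plus `list_dir_perms` on `snmpd_var_lib_t`, which is appropriate for a read-only interface. A summary of `Read snmpd var lib directories.` would also match the wording of the sibling interfaces.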
@@ -59512,12 +59613,10 @@ index 275f9fb..ad10bef 100644
 +	manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
 +')
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
  ##	dontaudit Read snmpd libraries.
- ## </summary>
- ## <param name="domain">
-@@ -81,9 +121,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
+@@ -81,9 +140,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',`
  	gen_require(`
  		type snmpd_var_lib_t;
  	')
@@ -59529,7 +59628,7 @@ index 275f9fb..ad10bef 100644
  ')
  
  ########################################
-@@ -123,13 +164,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
+@@ -123,13 +183,15 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',`
  #
  interface(`snmp_admin',`
  	gen_require(`
@@ -63903,7 +64002,7 @@ index 7c5d8d8..3fd8f12 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..30c47b0 100644
+index 3eca020..59444ba 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@@ -64460,7 +64559,7 @@ index 3eca020..30c47b0 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +626,358 @@ files_search_all(virt_domain)
+@@ -440,25 +626,359 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -64796,6 +64895,7 @@ index 3eca020..30c47b0 100644
 +
 +domain_entry_file(svirt_lxc_net_t, svirt_lxc_file_t)
 +domtrans_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_net_t)
++corecmd_shell_domtrans(virtd_lxc_t, svirt_lxc_net_t)
 +fs_noxattr_type(svirt_lxc_file_t)
 +term_pty(svirt_lxc_file_t)
 +
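Review bot: `corecmd_shell_domtrans(virtd_lxc_t, svirt_lxc_net_t)` makes every shell that virtd_lxc_t executes (anything labeled shell_exec_t) transition into the container domain, which is far broader than the `domtrans_pattern` on `svirt_lxc_file_t` on the line above it: if virtd_lxc_t ever runs a shell for its own housekeeping (hooks, helper scripts), that shell lands in svirt_lxc_net_t with the container's privilege set instead of the host's. If the case being fixed is a container whose init is a host shell binary, a comment such as `# container init may be a host shell binary; run it in the container domain` would record that, and the tighter alternative is an entry point limited to the container image rather than all host shells. The enclosing block continues past the end of this hunk.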
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 888c519..4b7dc51 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 63%{?dist}
+Release: 64%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Dec 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-64
+- Use fs_use_xattr for squashf
+-  Fix procs_type interface
+- Dovecot has a new fifo_file /var/run/dovecot/stats-mail
+- Dovecot has a new fifo_file /var/run/stats-mail
+- Colord does not need to connect to network
+- Allow system_cronjob to dbus chat with NetworkManager
+- Puppet manages content, want to make sure it labels everything correctly
+
 * Tue Nov 29 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-63
 - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it
 - Allow all postfix domains to use the fifo_file

