[selinux-policy] - Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctl

Miroslav Grepl mgrepl at fedoraproject.org
Tue Dec 13 10:26:13 UTC 2011


commit d17f759dd0fd2ee0cc488ce7412262250a674e1f
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Dec 13 11:26:04 2011 +0100

    - Allow abrt  to request the kernel to load a module
    - Make sure mozilla content is labeled correctly
    - Allow tgtd to read system state
    - More fixes for boinc
      * allow to resolve dns name
      * re-write boinc policy to use boinc_domain attribute
    - Allow munin services plugins to use NSCD services

 policy-F16.patch    |  216 ++++++++++++++++++++++++++++++++-------------------
 selinux-policy.spec |   11 +++-
 2 files changed, 146 insertions(+), 81 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 25d1257..e5be303 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -5446,7 +5446,7 @@ index 00a19e3..9f6139c 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..9b1de02 100644
+index f5afe78..c57fc1e 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
 @@ -1,44 +1,862 @@
@@ -6521,7 +6521,7 @@ index f5afe78..9b1de02 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1029,299 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1029,298 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -6715,7 +6715,6 @@ index f5afe78..9b1de02 100644
 +	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
-+
 +########################################
 +## <summary>
 +##	Create gnome content in the user home directory
@@ -7931,7 +7930,7 @@ index 93ac529..800b5c8 100644
 +
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..e187982 100644
+index fbb5c5a..ffeec16 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -7943,7 +7942,7 @@ index fbb5c5a..e187982 100644
  	# Allow the user domain to signal/ps.
  	ps_process_pattern($2, mozilla_t)
  	allow $2 mozilla_t:process signal_perms;
-@@ -49,8 +51,16 @@ interface(`mozilla_role',`
+@@ -49,9 +51,19 @@ interface(`mozilla_role',`
  	mozilla_run_plugin(mozilla_t, $1)
  	mozilla_dbus_chat($2)
  
@@ -7958,9 +7957,12 @@ index fbb5c5a..e187982 100644
 +		pulseaudio_filetrans_admin_home_content(mozilla_t)
 +		pulseaudio_filetrans_home_content(mozilla_t)
  	')
++
++	mozilla_filetrans_home_content($2)
  ')
  
-@@ -109,7 +119,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
+ ########################################
+@@ -109,7 +121,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
  		type mozilla_home_t;
  	')
  
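Review bot: `mozilla_filetrans_home_content($2)` is applied to the whole user domain $2, so any process in that domain that creates `.java`, `.adobe`, `.macromedia`, `.gnash` or the other names listed in the new interface gets them labeled mozilla_home_t, not only the browser; with mozilla_plugin_t allowed to manage mozilla_home_t (3.10.0-67 changelog entry), those directories become plugin-writable whoever created them. That appears to be the intent of "Make sure mozilla content is labeled correctly", but it deserves a one-line comment at the call site, e.g. `# browser and plugin dot-dirs created by the user domain are mozilla_home_t`. The same applies to the `mozilla_filetrans_home_content(unconfined_domain_type)` call added in domain.te later in this patch. mozilla_role's body starts outside this hunk.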
@@ -7969,7 +7971,7 @@ index fbb5c5a..e187982 100644
  ')
  
  ########################################
-@@ -197,12 +207,29 @@ interface(`mozilla_domtrans',`
+@@ -197,12 +209,31 @@ interface(`mozilla_domtrans',`
  #
  interface(`mozilla_domtrans_plugin',`
  	gen_require(`
@@ -7997,10 +7999,12 @@ index fbb5c5a..e187982 100644
 +	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +	read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
 +	can_exec($1, mozilla_plugin_rw_t)
++
++	#mozilla_filetrans_home_content($1)
  ')
  
  ########################################
-@@ -228,6 +255,27 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +259,27 @@ interface(`mozilla_run_plugin',`
  
  	mozilla_domtrans_plugin($1)
  	role $2 types mozilla_plugin_t;
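Review bot: `#mozilla_filetrans_home_content($1)` in mozilla_domtrans_plugin is commented-out code with no explanation, which leaves the next reader unsure whether callers of the plugin domtrans are meant to get the home-directory transition or not. Either drop the line or turn it into a real comment stating the decision, e.g. `# home-dir filetrans is granted through mozilla_role, not to every plugin caller` (presumably the reason, since the call is made in mozilla_role earlier in this patch; confirm). The interface's opening line is in the preceding hunk.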
@@ -8028,7 +8032,7 @@ index fbb5c5a..e187982 100644
  ')
  
  ########################################
-@@ -269,9 +317,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +321,27 @@ interface(`mozilla_rw_tcp_sockets',`
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
  
@@ -8057,7 +8061,7 @@ index fbb5c5a..e187982 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +345,48 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +349,79 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -8113,6 +8117,37 @@ index fbb5c5a..e187982 100644
 +	allow $1 mozilla_plugin_rw_t:file manage_file_perms;
 +	allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
  ')
++
++########################################
++## <summary>
++##	Create mozilla content in the user home directory
++##	with an correct label.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mozilla_filetrans_home_content',`
++
++	gen_require(`
++		type mozilla_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
++')
++
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
 index 2e9318b..bb90a3b 100644
 --- a/policy/modules/apps/mozilla.te
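Review bot: The summary of the new `mozilla_filetrans_home_content` interface reads "with an correct label"; it should be "with a correct label", and it would help to say what is labeled, e.g. `##	Transition directories such as .mozilla, .java and .adobe created in the user home directory to mozilla_home_t.` The blank line between `interface(` and `gen_require(` differs from the other interfaces in this file, where `gen_require(` follows immediately, and the final added line leaves a trailing blank line at the end of mozilla.if. Several of the names (`.java`, `.adobe`, `.macromedia`, `.gnash`) are shared with non-Mozilla software, so that note in the summary matters for anyone reasoning about what mozilla_plugin_t can reach.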
@@ -16430,7 +16465,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..facd6a8 100644
+index fae1ab1..b3fbad5 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -16531,7 +16566,7 @@ index fae1ab1..facd6a8 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,219 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,223 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -16595,6 +16630,10 @@ index fae1ab1..facd6a8 100644
 +')
 +
 +optional_policy(`
++	mozilla_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	networkmanager_filetrans_named_content(unconfined_domain_type)
 +')
 +
@@ -23987,7 +24026,7 @@ index 0b827c5..d83d4dc 100644
 +	dontaudit $1 abrt_t:sock_file write;
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..e203cd3 100644
+index 30861ec..939e294 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -24095,7 +24134,7 @@ index 30861ec..e203cd3 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +133,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -24104,10 +24143,11 @@ index 30861ec..e203cd3 100644
  
  kernel_read_ring_buffer(abrt_t)
 -kernel_read_system_state(abrt_t)
++kernel_request_load_module(abrt_t)
  kernel_rw_kernel_sysctl(abrt_t)
  
  corecmd_exec_bin(abrt_t)
-@@ -104,6 +154,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
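Review bot: `kernel_request_load_module(abrt_t)` is added with no comment saying which abrt operation triggers a module autoload request, so nobody can later tell whether the grant is still needed or could be narrowed; in refpolicy this interface allows `module_request` on the kernel, a broader grant than the read-only rules around it. Add a why-comment such as `# abrt triggers kernel module autoloading; see <denial or bug reference>` with the actual reference filled in. The rest of this hunk only renumbers the inner hunk header.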
@@ -24116,7 +24156,7 @@ index 30861ec..e203cd3 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -24126,7 +24166,7 @@ index 30861ec..e203cd3 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -24135,7 +24175,7 @@ index 30861ec..e203cd3 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +186,26 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +187,26 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -24168,7 +24208,7 @@ index 30861ec..e203cd3 100644
  ')
  
  optional_policy(`
-@@ -167,6 +226,7 @@ optional_policy(`
+@@ -167,6 +227,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -24176,7 +24216,7 @@ index 30861ec..e203cd3 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +238,35 @@ optional_policy(`
+@@ -178,12 +239,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24213,7 +24253,7 @@ index 30861ec..e203cd3 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +283,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +284,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -24242,7 +24282,7 @@ index 30861ec..e203cd3 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +306,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +307,128 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -28274,10 +28314,10 @@ index 0000000..9fe3f9e
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..61db909
+index 0000000..788087e
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,178 @@
+@@ -0,0 +1,173 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -28285,6 +28325,8 @@ index 0000000..61db909
 +# Declarations
 +#
 +
++attribute boinc_domain;
++
 +type boinc_t;
 +type boinc_exec_t;
 +init_daemon_domain(boinc_t, boinc_exec_t)
@@ -28311,6 +28353,37 @@ index 0000000..61db909
 +type boinc_project_var_lib_t;
 +files_type(boinc_project_var_lib_t)
 +
++#######################################
++#
++# boinc domain local policy
++#
++
++allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:sem create_sem_perms;
++
++# needs read /proc/interrupts
++kernel_read_system_state(boinc_domain)
++
++corecmd_exec_bin(boinc_domain)
++corecmd_exec_shell(boinc_domain)
++
++dev_read_rand(boinc_domain)
++dev_read_urand(boinc_domain)
++dev_read_sysfs(boinc_domain)
++
++domain_read_all_domains_state(boinc_domain)
++
++files_read_etc_files(boinc_domain)
++files_read_etc_runtime_files(boinc_domain)
++files_read_usr_files(boinc_domain)
++
++miscfiles_read_fonts(boinc_domain)
++miscfiles_read_localization(boinc_domain)
++
++optional_policy(`
++	sysnet_dns_name_resolve(boinc_domain)
++')
++
 +########################################
 +#
 +# boinc local policy
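Review bot: The rules now written against `boinc_domain` (fifo_file and sem perms, kernel_read_system_state, corecmd_exec_bin/shell, dev_read_rand/urand/sysfs, domain_read_all_domains_state, files_read_etc/etc_runtime/usr, miscfiles fonts and localization, sysnet_dns_name_resolve) only reach boinc_t and boinc_project_t if both types carry the attribute, and no `typeattribute boinc_t boinc_domain;` or `typeattribute boinc_project_t boinc_domain;` appears in any hunk of this commit, including the one above that adds `attribute boinc_domain;`. If those statements are in the part of boinc.te this commit does not touch, fine; otherwise the per-type grants removed in the later hunks of this file are silently lost and boinc will hit denials on basic operations. Adding the two typeattribute lines next to the type declarations (or via the template that creates them) would make this self-evident. The section banner `#######################################` is also one `#` shorter than the other banners in this file.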
@@ -28319,10 +28392,8 @@ index 0000000..61db909
 +allow boinc_t self:capability { kill };
 +allow boinc_t self:process { setsched sigkill };
 +
-+allow boinc_t self:fifo_file rw_fifo_file_perms;
 +allow boinc_t self:unix_stream_socket create_stream_socket_perms;
 +allow boinc_t self:tcp_socket create_stream_socket_perms;
-+allow boinc_t self:sem create_sem_perms;
 +allow boinc_t self:shm create_shm_perms;
 +
 +manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -28340,15 +28411,9 @@ index 0000000..61db909
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +
-+# needs read /proc/interrupts
-+kernel_read_system_state(boinc_t)
-+
 +files_getattr_all_dirs(boinc_t)
 +files_getattr_all_files(boinc_t)
 +
-+corecmd_exec_bin(boinc_t)
-+corecmd_exec_shell(boinc_t)
-+
 +corenet_all_recvfrom_unlabeled(boinc_t)
 +corenet_all_recvfrom_netlabel(boinc_t)
 +corenet_tcp_sendrecv_generic_if(boinc_t)
@@ -28365,18 +28430,8 @@ index 0000000..61db909
 +corenet_tcp_connect_http_port(boinc_t)
 +corenet_tcp_connect_http_cache_port(boinc_t)
 +
-+dev_list_sysfs(boinc_t)
-+dev_read_rand(boinc_t)
-+dev_read_urand(boinc_t)
-+dev_read_sysfs(boinc_t)
-+
-+domain_read_all_domains_state(boinc_t)
-+
 +files_dontaudit_getattr_boot_dirs(boinc_t)
 +
-+files_read_etc_files(boinc_t)
-+files_read_usr_files(boinc_t)
-+
 +fs_getattr_all_fs(boinc_t)
 +
 +term_getattr_all_ptys(boinc_t)
@@ -28384,14 +28439,11 @@ index 0000000..61db909
 +
 +init_read_utmp(boinc_t)
 +
-+miscfiles_read_localization(boinc_t)
-+miscfiles_read_generic_certs(boinc_t)
-+
 +logging_send_syslog_msg(boinc_t)
 +
-+sysnet_dns_name_resolve(boinc_t)
-+
-+mta_send_mail(boinc_t)
++optional_policy(`
++	mta_send_mail(boinc_t)
++')
 +
 +########################################
 +#
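Review bot: `miscfiles_read_generic_certs(boinc_t)` is dropped here, and `dev_list_sysfs(boinc_t)` in the preceding hunk, without a `boinc_domain` replacement, unlike the other rules this rewrite consolidates (the new boinc_domain block carries only `miscfiles_read_fonts` and `miscfiles_read_localization`). boinc_t still has `corenet_tcp_connect_http_port`, so if the client verifies TLS against the system CA bundle that read will now be denied; the sysfs listing may be subsumed by `dev_read_sysfs(boinc_domain)`, verify. If the removal is deliberate, say so in a comment; otherwise add `miscfiles_read_generic_certs(boinc_domain)` to the boinc_domain block. Wrapping `mta_send_mail` in `optional_policy` is the right fix for the missing-module case.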
@@ -28408,9 +28460,6 @@ index 0000000..61db909
 +	allow boinc_project_t self:process ptrace;
 +')
 +
-+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
-+allow boinc_project_t self:sem create_sem_perms;
-+
 +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
@@ -28429,29 +28478,15 @@ index 0000000..61db909
 +list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 +
-+kernel_read_system_state(boinc_project_t)
 +kernel_read_kernel_sysctls(boinc_project_t)
 +kernel_search_vm_sysctl(boinc_project_t)
 +kernel_read_network_state(boinc_project_t)
 +
-+corecmd_exec_bin(boinc_project_t)
-+corecmd_exec_shell(boinc_project_t)
-+
 +corenet_tcp_connect_boinc_port(boinc_project_t)
 +
-+domain_read_all_domains_state(boinc_project_t)
-+
-+dev_read_rand(boinc_project_t)
-+dev_read_urand(boinc_project_t)
-+dev_read_sysfs(boinc_project_t)
 +dev_rw_xserver_misc(boinc_project_t)
 +
-+files_read_etc_files(boinc_project_t)
-+files_read_etc_runtime_files(boinc_project_t)
-+files_read_usr_files(boinc_project_t)
-+
-+miscfiles_read_fonts(boinc_project_t)
-+miscfiles_read_localization(boinc_project_t)
++files_dontaudit_search_home(boinc_project_t)
 +
 +optional_policy(`
 +	java_exec(boinc_project_t)
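Review bot: `files_dontaudit_search_home(boinc_project_t)` is new and uncommented; a dontaudit rule hides denials, so record what provokes the home-directory search and why it does not need to succeed, e.g. `# project apps probe $HOME on startup; access is not needed` (TODO confirm the actual trigger). The hunk otherwise only removes rules now granted through boinc_domain; the java_exec optional_policy block continues past the hunk.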
@@ -46347,7 +46382,7 @@ index c358d8f..7c097ec 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..9850f4d 100644
+index f17583b..171ebec 100644
 --- a/policy/modules/services/munin.te
 +++ b/policy/modules/services/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -46442,7 +46477,7 @@ index f17583b..9850f4d 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
  dev_read_urand(mail_munin_plugin_t)
  
@@ -46452,10 +46487,19 @@ index f17583b..9850f4d 100644
 -
  logging_read_generic_logs(mail_munin_plugin_t)
  
- mta_read_config(mail_munin_plugin_t)
- mta_send_mail(mail_munin_plugin_t)
-+mta_list_queue(mail_munin_plugin_t)
- mta_read_queue(mail_munin_plugin_t)
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
++optional_policy(`
++	mta_read_config(mail_munin_plugin_t)
++	mta_send_mail(mail_munin_plugin_t)
++	mta_list_queue(mail_munin_plugin_t)
++	mta_read_queue(mail_munin_plugin_t)
++')
++
++optional_policy(`
++	nscd_socket_use(mail_munin_plugin_t)
++')
  
  optional_policy(`
  	postfix_read_config(mail_munin_plugin_t)
@@ -46464,7 +46508,7 @@ index f17583b..9850f4d 100644
  ')
  
  optional_policy(`
-@@ -245,6 +253,8 @@ optional_policy(`
+@@ -245,6 +259,8 @@ optional_policy(`
  # local policy for service plugins
  #
  
@@ -46473,7 +46517,7 @@ index f17583b..9850f4d 100644
  allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
  dev_read_urand(services_munin_plugin_t)
  dev_read_rand(services_munin_plugin_t)
  
@@ -46488,7 +46532,18 @@ index f17583b..9850f4d 100644
  	cups_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +293,10 @@ optional_policy(`
+@@ -279,6 +292,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	nscd_socket_use(services_munin_plugin_t)
++')
++
++optional_policy(`
+ 	postgresql_stream_connect(services_munin_plugin_t)
+ ')
+ 
+@@ -286,6 +303,10 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -46499,7 +46554,7 @@ index f17583b..9850f4d 100644
  ##################################
  #
  # local policy for system plugins
-@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -46516,7 +46571,7 @@ index f17583b..9850f4d 100644
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
  
-@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t)
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -62829,7 +62884,7 @@ index 8294f6f..4847b43 100644
  /var/lib/tgtd(/.*)?			gen_context(system_u:object_r:tgtd_var_lib_t,s0)
 +/var/run/tgtd.*			-s	gen_context(system_u:object_r:tgtd_var_run_t,s0)
 diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te
-index 665bf7c..d100080 100644
+index 665bf7c..a1ea37a 100644
 --- a/policy/modules/services/tgtd.te
 +++ b/policy/modules/services/tgtd.te
 @@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t)
@@ -62851,7 +62906,7 @@ index 665bf7c..d100080 100644
  allow tgtd_t self:shm create_shm_perms;
  allow tgtd_t self:sem create_sem_perms;
  allow tgtd_t self:tcp_socket create_stream_socket_perms;
-@@ -46,6 +49,11 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+@@ -46,6 +49,12 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
  manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
  files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
  
@@ -62860,10 +62915,11 @@ index 665bf7c..d100080 100644
 +manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
 +files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
 +
++kernel_read_system_state(tgtd_t)
  kernel_read_fs_sysctls(tgtd_t)
  
  corenet_all_recvfrom_netlabel(tgtd_t)
-@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
+@@ -57,10 +66,18 @@ corenet_tcp_bind_generic_node(tgtd_t)
  corenet_tcp_bind_iscsi_port(tgtd_t)
  corenet_sendrecv_iscsi_server_packets(tgtd_t)
  
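Review bot: `kernel_read_system_state(tgtd_t)` is added without a comment on what tgtd reads under /proc; the changelog line "Allow tgtd to read system state" restates the rule rather than the reason. A short why-comment on the line, e.g. `# tgtd reads <path> under /proc; see <denial reference>` with the actual values filled in, would help the next person deciding whether the grant can be narrowed. The inner hunk header change at the end of this hunk is only renumbering.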
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 503daba..54e97bc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 67%{?dist}
+Release: 68%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Dec 13 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-68
+- Allow abrt  to request the kernel to load a module
+- Make sure mozilla content is labeled correctly
+- Allow tgtd to read system state
+- More fixes for boinc
+  * allow to resolve dns name
+  * re-write boinc policy to use boinc_domain attribute
+- Allow munin services plugins to use NSCD services
+
 * Thu Dec 8 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-67
 - Allow mozilla_plugin_t to manage mozilla_home_t
 - Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain

