[selinux-policy/f15] +- BOinc fixes +- Allow mysqld_safe to delete the mysql_db_t sock_file +- Dovecot has a new fifo_fil

Miroslav Grepl mgrepl at fedoraproject.org
Wed Dec 14 13:08:04 UTC 2011 

commit 4c9ac4f8965a0127eace6f491076a45c0368eb21
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Dec 14 14:07:56 2011 +0100

    +- BOinc fixes
    +- Allow mysqld_safe to delete the mysql_db_t sock_file
    +- Dovecot has a new fifo_file /var/run/stats-mai

 policy-F15.patch    |  108 +++++++++++++++++++++++++++------------------------
 selinux-policy.spec |    7 +++-
 2 files changed, 63 insertions(+), 52 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 6c38aff..3ed039a 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -21987,7 +21987,7 @@ index 0000000..fa9b95a
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..11ad49a
+index 0000000..2685b9c
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
 @@ -0,0 +1,171 @@
@@ -21998,6 +21998,8 @@ index 0000000..11ad49a
 +# Declarations
 +#
 +
++attribute boinc_domain;
++
 +type boinc_t;
 +type boinc_exec_t;
 +init_daemon_domain(boinc_t, boinc_exec_t)
@@ -22024,6 +22026,37 @@ index 0000000..11ad49a
 +type boinc_project_var_lib_t;
 +files_type(boinc_project_var_lib_t)
 +
++#######################################
++#
++# boinc domain local policy
++#
++
++allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:sem create_sem_perms;
++
++# needs read /proc/interrupts
++kernel_read_system_state(boinc_domain)
++
++corecmd_exec_bin(boinc_domain)
++corecmd_exec_shell(boinc_domain)
++
++dev_read_rand(boinc_domain)
++dev_read_urand(boinc_domain)
++dev_read_sysfs(boinc_domain)
++
++domain_read_all_domains_state(boinc_domain)
++
++files_read_etc_files(boinc_domain)
++files_read_etc_runtime_files(boinc_domain)
++files_read_usr_files(boinc_domain)
++
++miscfiles_read_fonts(boinc_domain)
++miscfiles_read_localization(boinc_domain)
++
++optional_policy(`
++	sysnet_dns_name_resolve(boinc_domain)
++')
++
 +########################################
 +#
 +# boinc local policy
@@ -22032,10 +22065,8 @@ index 0000000..11ad49a
 +allow boinc_t self:capability { kill };
 +allow boinc_t self:process { setsched sigkill };
 +
-+allow boinc_t self:fifo_file rw_fifo_file_perms;
 +allow boinc_t self:unix_stream_socket create_stream_socket_perms;
 +allow boinc_t self:tcp_socket create_stream_socket_perms;
-+allow boinc_t self:sem create_sem_perms;
 +allow boinc_t self:shm create_shm_perms;
 +
 +manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -22053,15 +22084,9 @@ index 0000000..11ad49a
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +
-+# needs read /proc/interrupts
-+kernel_read_system_state(boinc_t)
-+
 +files_getattr_all_dirs(boinc_t)
 +files_getattr_all_files(boinc_t)
 +
-+corecmd_exec_bin(boinc_t)
-+corecmd_exec_shell(boinc_t)
-+
 +corenet_all_recvfrom_unlabeled(boinc_t)
 +corenet_all_recvfrom_netlabel(boinc_t)
 +corenet_tcp_sendrecv_generic_if(boinc_t)
@@ -22077,18 +22102,8 @@ index 0000000..11ad49a
 +corenet_tcp_connect_http_port(boinc_t)
 +corenet_tcp_connect_http_cache_port(boinc_t)
 +
-+dev_list_sysfs(boinc_t)
-+dev_read_rand(boinc_t)
-+dev_read_urand(boinc_t)
-+dev_read_sysfs(boinc_t)
-+
-+domain_read_all_domains_state(boinc_t)
-+
 +files_dontaudit_getattr_boot_dirs(boinc_t)
 +
-+files_read_etc_files(boinc_t)
-+files_read_usr_files(boinc_t)
-+
 +fs_getattr_all_fs(boinc_t)
 +
 +term_getattr_all_ptys(boinc_t)
@@ -22096,14 +22111,11 @@ index 0000000..11ad49a
 +
 +init_read_utmp(boinc_t)
 +
-+miscfiles_read_localization(boinc_t)
-+miscfiles_read_generic_certs(boinc_t)
-+
 +logging_send_syslog_msg(boinc_t)
 +
-+sysnet_dns_name_resolve(boinc_t)
-+
-+mta_send_mail(boinc_t)
++optional_policy(`
++	mta_send_mail(boinc_t)
++')
 +
 +########################################
 +#
@@ -22137,27 +22149,15 @@ index 0000000..11ad49a
 +list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
 +
-+kernel_read_system_state(boinc_project_t)
 +kernel_read_kernel_sysctls(boinc_project_t)
 +kernel_search_vm_sysctl(boinc_project_t)
 +kernel_read_network_state(boinc_project_t)
 +
-+corecmd_exec_bin(boinc_project_t)
-+corecmd_exec_shell(boinc_project_t)
-+
 +corenet_tcp_connect_boinc_port(boinc_project_t)
 +
-+dev_read_rand(boinc_project_t)
-+dev_read_urand(boinc_project_t)
-+dev_read_sysfs(boinc_project_t)
 +dev_rw_xserver_misc(boinc_project_t)
 +
-+files_read_etc_files(boinc_project_t)
-+files_read_etc_runtime_files(boinc_project_t)
-+files_read_usr_files(boinc_project_t)
-+
-+miscfiles_read_fonts(boinc_project_t)
-+miscfiles_read_localization(boinc_project_t)
++files_dontaudit_search_home(boinc_project_t)
 +
 +optional_policy(`
 +	java_exec(boinc_project_t)
@@ -35667,7 +35667,7 @@ index e9c0982..f11e4f2 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..91de41a 100644
+index 0a0d63c..b4b7ff4 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -35726,7 +35726,7 @@ index 0a0d63c..91de41a 100644
  ')
  
  tunable_policy(`mysql_connect_any',`
-@@ -155,6 +159,7 @@ optional_policy(`
+@@ -155,9 +159,11 @@ optional_policy(`
  
  allow mysqld_safe_t self:capability { chown dac_override fowner kill };
  dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -35734,7 +35734,11 @@ index 0a0d63c..91de41a 100644
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
  read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t)
++delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+ 
+ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+ 
+@@ -175,21 +181,27 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -44177,7 +44181,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..66c73a2 100644
+index e30bb63..7fb700c 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -44341,16 +44345,18 @@ index e30bb63..66c73a2 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +679,9 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
 -allow swat_t smbd_var_run_t:file { lock unlink };
 +allow swat_t nmbd_var_run_t:file read_file_perms;
++read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
++stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +696,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -44365,7 +44371,7 @@ index e30bb63..66c73a2 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +716,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -44373,7 +44379,7 @@ index e30bb63..66c73a2 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +759,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +761,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -44382,7 +44388,7 @@ index e30bb63..66c73a2 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +815,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -44404,7 +44410,7 @@ index e30bb63..66c73a2 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +843,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -44412,7 +44418,7 @@ index e30bb63..66c73a2 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -850,10 +859,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +861,14 @@ domain_use_interactive_fds(winbind_t)
  
  files_read_etc_files(winbind_t)
  files_read_usr_symlinks(winbind_t)
@@ -44427,7 +44433,7 @@ index e30bb63..66c73a2 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -922,6 +935,18 @@ optional_policy(`
+@@ -922,6 +937,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -44446,7 +44452,7 @@ index e30bb63..66c73a2 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +957,12 @@ optional_policy(`
+@@ -932,9 +959,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6e5e851..1ef2bb4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 49%{?dist}
+Release: 50%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
 %endif
 
 %changelog
+* Wed Dec 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-50
+- BOinc fixes
+- Allow mysqld_safe to delete the mysql_db_t sock_file
+- Dovecot has a new fifo_file /var/run/stats-mail
+
 * Fri Dec 2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-49
 - Allow gnomeclock to send system log msgs
 - Users that use X and spice need to use the virtio device

More information about the scm-commits mailing list