[selinux-policy/f15] +- BOinc fixes +- Allow mysqld_safe to delete the mysql_db_t sock_file +- Dovecot has a new fifo_fil
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Dec 14 13:08:04 UTC 2011
commit 4c9ac4f8965a0127eace6f491076a45c0368eb21
Author: Miroslav <mgrepl at redhat.com>
Date: Wed Dec 14 14:07:56 2011 +0100
+- BOinc fixes
+- Allow mysqld_safe to delete the mysql_db_t sock_file
+- Dovecot has a new fifo_file /var/run/stats-mail
policy-F15.patch | 108 +++++++++++++++++++++++++++------------------------
selinux-policy.spec | 7 +++-
2 files changed, 63 insertions(+), 52 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 6c38aff..3ed039a 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -21987,7 +21987,7 @@ index 0000000..fa9b95a
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..11ad49a
+index 0000000..2685b9c
--- /dev/null
+++ b/policy/modules/services/boinc.te
@@ -0,0 +1,171 @@
@@ -21998,6 +21998,8 @@ index 0000000..11ad49a
+# Declarations
+#
+
++attribute boinc_domain;
++
+type boinc_t;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
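Review bot: `attribute boinc_domain;` is declared here, but no line in this commit assigns a type to it — there is no `typeattribute boinc_t boinc_domain;` and the `type boinc_t;` declaration below is left unchanged — while the hunks at 22032, 22053, 22077, 22096 and 22137 remove the per-type rules (fifo_file/sem, kernel_read_system_state, corecmd_exec_bin/shell, dev_read_rand/urand/sysfs, files_read_etc_files, miscfiles_read_localization, sysnet_dns_name_resolve) in favour of the attribute. The unchanged stretches of boinc.te between these hunks predate the attribute, so unless I am missing a hunk, boinc_t and boinc_project_t end up with neither set and will be denied binary execution and DNS at runtime. Adding `typeattribute boinc_t boinc_domain;` after `type boinc_t;` and `typeattribute boinc_project_t boinc_domain;` at the boinc_project_t declaration would close the gap. The declarations section of boinc.te continues outside this hunk.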
@@ -22024,6 +22026,37 @@ index 0000000..11ad49a
+type boinc_project_var_lib_t;
+files_type(boinc_project_var_lib_t)
+
++#######################################
++#
++# boinc domain local policy
++#
++
++allow boinc_domain self:fifo_file rw_fifo_file_perms;
++allow boinc_domain self:sem create_sem_perms;
++
++# needs read /proc/interrupts
++kernel_read_system_state(boinc_domain)
++
++corecmd_exec_bin(boinc_domain)
++corecmd_exec_shell(boinc_domain)
++
++dev_read_rand(boinc_domain)
++dev_read_urand(boinc_domain)
++dev_read_sysfs(boinc_domain)
++
++domain_read_all_domains_state(boinc_domain)
++
++files_read_etc_files(boinc_domain)
++files_read_etc_runtime_files(boinc_domain)
++files_read_usr_files(boinc_domain)
++
++miscfiles_read_fonts(boinc_domain)
++miscfiles_read_localization(boinc_domain)
++
++optional_policy(`
++ sysnet_dns_name_resolve(boinc_domain)
++')
++
+########################################
+#
+# boinc local policy
@@ -22032,10 +22065,8 @@ index 0000000..11ad49a
+allow boinc_t self:capability { kill };
+allow boinc_t self:process { setsched sigkill };
+
-+allow boinc_t self:fifo_file rw_fifo_file_perms;
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
+allow boinc_t self:tcp_socket create_stream_socket_perms;
-+allow boinc_t self:sem create_sem_perms;
+allow boinc_t self:shm create_shm_perms;
+
+manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
@@ -22053,15 +22084,9 @@ index 0000000..11ad49a
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
-+# needs read /proc/interrupts
-+kernel_read_system_state(boinc_t)
-+
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
-+corecmd_exec_bin(boinc_t)
-+corecmd_exec_shell(boinc_t)
-+
+corenet_all_recvfrom_unlabeled(boinc_t)
+corenet_all_recvfrom_netlabel(boinc_t)
+corenet_tcp_sendrecv_generic_if(boinc_t)
@@ -22077,18 +22102,8 @@ index 0000000..11ad49a
+corenet_tcp_connect_http_port(boinc_t)
+corenet_tcp_connect_http_cache_port(boinc_t)
+
-+dev_list_sysfs(boinc_t)
-+dev_read_rand(boinc_t)
-+dev_read_urand(boinc_t)
-+dev_read_sysfs(boinc_t)
-+
-+domain_read_all_domains_state(boinc_t)
-+
+files_dontaudit_getattr_boot_dirs(boinc_t)
+
-+files_read_etc_files(boinc_t)
-+files_read_usr_files(boinc_t)
-+
+fs_getattr_all_fs(boinc_t)
+
+term_getattr_all_ptys(boinc_t)
@@ -22096,14 +22111,11 @@ index 0000000..11ad49a
+
+init_read_utmp(boinc_t)
+
-+miscfiles_read_localization(boinc_t)
-+miscfiles_read_generic_certs(boinc_t)
-+
+logging_send_syslog_msg(boinc_t)
+
-+sysnet_dns_name_resolve(boinc_t)
-+
-+mta_send_mail(boinc_t)
++optional_policy(`
++ mta_send_mail(boinc_t)
++')
+
+########################################
+#
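Review bot: `miscfiles_read_generic_certs(boinc_t)` is removed here without a boinc_domain replacement, unlike the neighbouring miscfiles_read_localization and sysnet_dns_name_resolve lines that moved to the attribute block. boinc_t keeps corenet_tcp_connect_http_port and http_cache_port (hunk at 22077), so if the client verifies TLS against project servers it will now be denied reading the system CA store, which only shows up as a denial at runtime. Either keep the line or add `miscfiles_read_generic_certs(boinc_domain)` to the boinc domain local policy block. Wrapping `mta_send_mail` in `optional_policy` is the right fix for the missing-mta build case. The boinc_t local policy section continues outside this hunk.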
@@ -22137,27 +22149,15 @@ index 0000000..11ad49a
+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
+
-+kernel_read_system_state(boinc_project_t)
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
+
-+corecmd_exec_bin(boinc_project_t)
-+corecmd_exec_shell(boinc_project_t)
-+
+corenet_tcp_connect_boinc_port(boinc_project_t)
+
-+dev_read_rand(boinc_project_t)
-+dev_read_urand(boinc_project_t)
-+dev_read_sysfs(boinc_project_t)
+dev_rw_xserver_misc(boinc_project_t)
+
-+files_read_etc_files(boinc_project_t)
-+files_read_etc_runtime_files(boinc_project_t)
-+files_read_usr_files(boinc_project_t)
-+
-+miscfiles_read_fonts(boinc_project_t)
-+miscfiles_read_localization(boinc_project_t)
++files_dontaudit_search_home(boinc_project_t)
+
+optional_policy(`
+ java_exec(boinc_project_t)
@@ -35667,7 +35667,7 @@ index e9c0982..f11e4f2 100644
+ mysql_stream_connect($1)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..91de41a 100644
+index 0a0d63c..b4b7ff4 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -35726,7 +35726,7 @@ index 0a0d63c..91de41a 100644
')
tunable_policy(`mysql_connect_any',`
-@@ -155,6 +159,7 @@ optional_policy(`
+@@ -155,9 +159,11 @@ optional_policy(`
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -35734,7 +35734,11 @@ index 0a0d63c..91de41a 100644
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t)
++delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
+
+ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+
+@@ -175,21 +181,27 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
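Review bot: the added `delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)` grants unlink on every sock_file labelled mysqld_db_t plus search on those dirs, and nothing in the file says why, so a later cleanup is likely to question it. A one-line comment above it, e.g. `# mysqld_safe removes a stale socket from the db directory before starting mysqld` (my reading of the commit message — confirm it is the stale-socket case), would make the intent checkable against the audit log. The renumbered inner hunk headers (`+159,11` and `+181,27`) are consistent with the one-line net addition. The mysqld_safe_t section continues outside this hunk.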
@@ -44177,7 +44181,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..66c73a2 100644
+index e30bb63..7fb700c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -44341,16 +44345,18 @@ index e30bb63..66c73a2 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +679,9 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
-allow swat_t smbd_var_run_t:file { lock unlink };
+allow swat_t nmbd_var_run_t:file read_file_perms;
++read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
++stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +696,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
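Review bot: the new `read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)` expands to `allow swat_t nmbd_var_run_t:file read_file_perms;` plus dir search, so the explicit `allow swat_t nmbd_var_run_t:file read_file_perms;` that still stands two lines above it is now redundant and should be dropped to keep one rule per access. `stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)` additionally permits connectto on nmbd_t; that is the expected shape for a local unix socket, so no objection there. Separately, the changelog's "Dovecot has a new fifo_file /var/run/stats-mail" entry has no matching hunk in this diff — the 63/52 diffstat is fully accounted for by the boinc, mysql, samba and spec hunks — so that change appears to be missing from the commit. The swat_t section continues outside this hunk.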
@@ -44365,7 +44371,7 @@ index e30bb63..66c73a2 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +716,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -44373,7 +44379,7 @@ index e30bb63..66c73a2 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +759,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +761,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -44382,7 +44388,7 @@ index e30bb63..66c73a2 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +815,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -44404,7 +44410,7 @@ index e30bb63..66c73a2 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +843,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -44412,7 +44418,7 @@ index e30bb63..66c73a2 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -850,10 +859,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +861,14 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
@@ -44427,7 +44433,7 @@ index e30bb63..66c73a2 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -922,6 +935,18 @@ optional_policy(`
+@@ -922,6 +937,18 @@ optional_policy(`
#
optional_policy(`
@@ -44446,7 +44452,7 @@ index e30bb63..66c73a2 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +957,12 @@ optional_policy(`
+@@ -932,9 +959,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6e5e851..1ef2bb4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 49%{?dist}
+Release: 50%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
%endif
%changelog
+* Wed Dec 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-50
+- BOinc fixes
+- Allow mysqld_safe to delete the mysql_db_t sock_file
+- Dovecot has a new fifo_file /var/run/stats-mail
+
* Fri Dec 2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-49
- Allow gnomeclock to send system log msgs
- Users that use X and spice need to use the virtio device