[selinux-policy/f17] - Add labeling for /var/www/openshift/{broker, console} - Allow openshift_initrc domain to dbus chat

Miroslav Grepl mgrepl at fedoraproject.org
Fri Dec 14 20:38:17 UTC 2012


commit fb59efbacc154f35e6cc2674a8275823032b86f0
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Dec 14 21:36:56 2012 +0100

    - Add labeling for /var/www/openshift/{broker,console}
    - Allow openshift_initrc domain to dbus chat with systemd_logind
    - Allow httpd to getattr passenger log file if run_stickshift
    - Add passenger_getattr_log_files interface
    - Backport svirt_tcg policy
    - munin wants to send sigkill to ping
    - Allow munin plugins to send a signal to itself
    - Allow munin to send signal to ping

 policy-F16.patch    |  169 ++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |   12 +++-
 2 files changed, 119 insertions(+), 62 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index a5e29a7..5657db6 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -65144,10 +65144,10 @@ index 545518d..4d2c97f 100644
  
  /var/run/passenger(/.*)?		gen_context(system_u:object_r:passenger_var_run_t,s0)
 diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
-index f68b573..8fb9cd3 100644
+index f68b573..c050b37 100644
 --- a/policy/modules/admin/passenger.if
 +++ b/policy/modules/admin/passenger.if
-@@ -18,6 +18,24 @@ interface(`passenger_domtrans',`
+@@ -18,6 +18,42 @@ interface(`passenger_domtrans',`
  	domtrans_pattern($1, passenger_exec_t, passenger_t)
  ')
  
@@ -65169,10 +65169,28 @@ index f68b573..8fb9cd3 100644
 +	can_exec($1, passenger_exec_t)
 +')
 +
++#######################################
++## <summary>
++##  Getattr passenger log files
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`passenger_getattr_log_files',`
++    gen_require(`
++        type passenger_log_t;
++    ')
++
++    getattr_files_pattern($1, passenger_log_t, passenger_log_t)
++')
++
  ########################################
  ## <summary>
  ##	Read passenger lib files
-@@ -37,3 +55,84 @@ interface(`passenger_read_lib_files',`
+@@ -37,3 +73,84 @@ interface(`passenger_read_lib_files',`
  	read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
  	files_search_var_lib($1)
  ')
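Review bot: The new passenger_getattr_log_files interface is indented with four spaces while the neighbouring interfaces in passenger.if, including the `can_exec($1, passenger_exec_t)` line just above it, use a tab; refpolicy style is tabs, so the gen_require and getattr_files_pattern lines should be re-indented to match. Functionally the interface only grants getattr and search on passenger_log_t itself; if passenger_log_t is placed under /var/log (the .fc entry is not in view) a caller also needs `logging_search_logs($1)` to traverse to the file, and sibling *_log_files interfaces in refpolicy normally put that call inside the interface rather than leaving it to each caller. The summary could also state the intent more precisely, e.g. `## Allow the specified domain to stat (getattr) passenger log files.`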
@@ -91746,7 +91764,7 @@ index deca9d3..1aa76b0 100644
  	spamassassin_exec_client(amavis_t)
  	spamassassin_read_lib_files(amavis_t)
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..d691f42 100644
+index 9e39aa5..6def224 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,39 +1,55 @@
@@ -91838,7 +91856,7 @@ index 9e39aa5..d691f42 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,39 +93,80 @@ ifdef(`distro_suse', `
+@@ -73,39 +93,86 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -91915,6 +91933,12 @@ index 9e39aa5..d691f42 100644
 +
 +/var/www/openshift/console/tmp(/.*)?    gen_context(system_u:object_r:httpd_tmp_t,s0)
 +/var/www/openshift/console/log(/.*)?   gen_context(system_u:object_r:httpd_log_t,s0)
++
++/var/www/openshift/broker/httpd/logs(/.*)?      gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/console/httpd/logs(/.*)?     gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/openshift/broker/httpd/run(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/www/openshift/console/httpd/run(/.*)?      gen_context(system_u:object_r:httpd_var_run_t,s0)
++
 +/var/www/stickshift/[^/]*/log(/.*)?            gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
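Review bot: The four new broker/console entries duplicate each other line for line and can be collapsed to `/var/www/openshift/(broker|console)/httpd/logs(/.*)?  gen_context(system_u:object_r:httpd_log_t,s0)` plus the matching `/var/www/openshift/(broker|console)/httpd/run(/.*)?` line for httpd_var_run_t, which keeps the .fc easier to audit and closer to the `[^/]*` form the stickshift entry below already uses. Note also that file-context entries only take effect when the tree is relabeled (restorecon/setfiles or a package %post); log and pid files httpd creates under these directories at runtime receive whatever type the existing filetrans rules or the parent directory give them, so a relabel of /var/www/openshift in the packaging is presumably still required — worth confirming.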
@@ -92744,7 +92768,7 @@ index 6480167..ba0521d 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..7152947 100644
+index 3136c6a..84f1297 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,136 +18,275 @@ policy_module(apache, 2.2.1)
@@ -93566,7 +93590,7 @@ index 3136c6a..7152947 100644
  ')
  
  optional_policy(`
-@@ -577,6 +927,60 @@ optional_policy(`
+@@ -577,6 +927,61 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93594,6 +93618,7 @@ index 3136c6a..7152947 100644
 +        passenger_exec(httpd_t)
 +        passenger_manage_pid_content(httpd_t)
 +        passenger_manage_lib_files(httpd_t)
++		passenger_getattr_log_files(httpd_t)
 +        openshift_read_lib_files(httpd_t)
 +    ',`
 +        passenger_domtrans(httpd_t)
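Review bot: The added `passenger_getattr_log_files(httpd_t)` line is indented with two tabs while the surrounding lines of this block use eight spaces, so it stands out in the file; match the neighbouring indentation here (or re-tab the whole block the next time it is touched, since refpolicy style is tabs). The rule sits in the same branch as passenger_exec and passenger_manage_lib_files, which the commit message ties to the run_stickshift tunable, but the tunable_policy line itself and the end of the block lie outside this hunk.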
@@ -93627,7 +93652,7 @@ index 3136c6a..7152947 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +995,11 @@ optional_policy(`
+@@ -591,6 +996,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -93639,7 +93664,7 @@ index 3136c6a..7152947 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +1012,12 @@ optional_policy(`
+@@ -603,6 +1013,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -93652,7 +93677,7 @@ index 3136c6a..7152947 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +1031,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +1032,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -93665,7 +93690,7 @@ index 3136c6a..7152947 100644
  
  ########################################
  #
-@@ -654,28 +1073,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1074,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -93709,7 +93734,7 @@ index 3136c6a..7152947 100644
  ')
  
  ########################################
-@@ -685,6 +1106,8 @@ optional_policy(`
+@@ -685,6 +1107,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -93718,7 +93743,7 @@ index 3136c6a..7152947 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1122,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1123,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -93744,7 +93769,7 @@ index 3136c6a..7152947 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1168,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1169,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -93777,7 +93802,7 @@ index 3136c6a..7152947 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1215,25 @@ optional_policy(`
+@@ -769,6 +1216,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -93803,7 +93828,7 @@ index 3136c6a..7152947 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1254,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1255,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -93821,7 +93846,7 @@ index 3136c6a..7152947 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1273,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1274,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -93878,7 +93903,7 @@ index 3136c6a..7152947 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1324,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1325,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -93919,7 +93944,7 @@ index 3136c6a..7152947 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1369,20 @@ optional_policy(`
+@@ -842,10 +1370,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -93940,7 +93965,7 @@ index 3136c6a..7152947 100644
  ')
  
  ########################################
-@@ -891,11 +1428,146 @@ optional_policy(`
+@@ -891,11 +1429,146 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -115679,7 +115704,7 @@ index 0000000..bd1d48e
 +')
 diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te
 new file mode 100644
-index 0000000..5b84980
+index 0000000..82e5f09
 --- /dev/null
 +++ b/policy/modules/services/mailscanner.te
 @@ -0,0 +1,87 @@
@@ -115722,7 +115747,7 @@ index 0000000..5b84980
 +
 +manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
 +manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
-+files_tmp_filetrans(mscan_t, mscan_tmp_t, dir)
++files_tmp_filetrans(mscan_t, mscan_tmp_t, { dir file })
 +
 +can_exec(mscan_t, mscan_exec_t)
 +
@@ -118684,7 +118709,7 @@ index c358d8f..7c097ec 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..4dd4fa5 100644
+index f17583b..5918ac4 100644
 --- a/policy/modules/services/munin.te
 +++ b/policy/modules/services/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -118755,7 +118780,13 @@ index f17583b..4dd4fa5 100644
  	mta_read_queue(munin_t)
  ')
  
-@@ -159,6 +167,7 @@ optional_policy(`
+@@ -155,10 +163,13 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	netutils_domtrans_ping(munin_t)
++	netutils_signal_ping(munin_t)
++	netutils_kill_ping(munin_t)
+ ')
  
  optional_policy(`
  	postfix_list_spool(munin_t)
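Review bot: The two new calls netutils_signal_ping and netutils_kill_ping are only valid if netutils.if in this patch already defines them; nothing in this commit adds them and netutils.if is not in view, so confirm they exist before the build rather than hitting an undefined-interface error at module compile time. Granting SIGKILL is reasonable here because munin_t is the parent that spawns ping through netutils_domtrans_ping on the line above. A short why-comment such as `# munin may terminate the ping children it spawns (signal and SIGKILL)` would record why both interfaces are needed.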
@@ -118763,7 +118794,7 @@ index f17583b..4dd4fa5 100644
  ')
  
  optional_policy(`
-@@ -182,6 +191,7 @@ optional_policy(`
+@@ -182,6 +193,7 @@ optional_policy(`
  # local policy for disk plugins
  #
  
@@ -118771,7 +118802,7 @@ index f17583b..4dd4fa5 100644
  allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -192,13 +202,13 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+@@ -192,13 +204,13 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
  
  files_read_etc_files(disk_munin_plugin_t)
  files_read_etc_runtime_files(disk_munin_plugin_t)
@@ -118788,7 +118819,7 @@ index f17583b..4dd4fa5 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -221,30 +231,48 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,30 +233,48 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
  dev_read_urand(mail_munin_plugin_t)
  
@@ -118843,7 +118874,7 @@ index f17583b..4dd4fa5 100644
  allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +283,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +285,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
  dev_read_urand(services_munin_plugin_t)
  dev_read_rand(services_munin_plugin_t)
  
@@ -118858,7 +118889,7 @@ index f17583b..4dd4fa5 100644
  	cups_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -279,6 +304,10 @@ optional_policy(`
+@@ -279,6 +306,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -118869,7 +118900,7 @@ index f17583b..4dd4fa5 100644
  	postgresql_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +315,10 @@ optional_policy(`
+@@ -286,6 +317,10 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -118880,7 +118911,7 @@ index f17583b..4dd4fa5 100644
  ##################################
  #
  # local policy for system plugins
-@@ -295,13 +328,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,13 +330,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -118897,7 +118928,7 @@ index f17583b..4dd4fa5 100644
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
  
-@@ -313,3 +345,41 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +347,43 @@ init_read_utmp(system_munin_plugin_t)
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -118913,6 +118944,8 @@ index f17583b..4dd4fa5 100644
 +# local policy for munin plugin domains
 +#
 +
++allow munin_plugin_domain self:process signal;
++
 +allow munin_plugin_domain munin_exec_t:file read_file_perms;
 +allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
 +
@@ -123379,10 +123412,10 @@ index 0000000..e66e073
 +')
 diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
 new file mode 100644
-index 0000000..6d6105a
+index 0000000..6dd881d
 --- /dev/null
 +++ b/policy/modules/services/openshift.te
-@@ -0,0 +1,375 @@
+@@ -0,0 +1,377 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -123459,6 +123492,8 @@ index 0000000..6d6105a
 +unconfined_domain_noaudit(openshift_initrc_t)
 +mcs_process_set_categories(openshift_initrc_t)
 +
++systemd_dbus_chat_logind(openshift_initrc_t
++
 +manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
 +manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
 +manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
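Review bot: The new call `systemd_dbus_chat_logind(openshift_initrc_t` is missing its closing parenthesis, so m4 keeps collecting the argument through the blank line and into the following `manage_dirs_pattern(...)` call, producing a malformed rule set (most likely a checkpolicy syntax error, or at best the intended dbus rule silently not being generated); it should read `systemd_dbus_chat_logind(openshift_initrc_t)`. Since openshift_initrc_t is already given unconfined_domain_noaudit two lines above, it is also worth confirming the extra dbus rule is needed at all — in Fedora policy the unconfined template generally already grants dbus access, and if so the line can simply be dropped instead of fixed.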
@@ -143494,7 +143529,7 @@ index 7c5d8d8..6917f32 100644
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..6d2aef0 100644
+index 3eca020..f431ff2 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -1,60 +1,91 @@
@@ -143598,7 +143633,7 @@ index 3eca020..6d2aef0 100644
  
  type virt_etc_t;
  files_config_file(virt_etc_t)
-@@ -62,23 +93,37 @@ files_config_file(virt_etc_t)
+@@ -62,33 +93,49 @@ files_config_file(virt_etc_t)
  type virt_etc_rw_t;
  files_type(virt_etc_rw_t)
  
@@ -143635,9 +143670,14 @@ index 3eca020..6d2aef0 100644
 -files_type(virt_var_lib_t)
 +files_mountpoint(virt_var_lib_t)
  
- type virtd_t;
- type virtd_exec_t;
-@@ -89,6 +134,11 @@ domain_subj_id_change_exemption(virtd_t)
+-type virtd_t;
+-type virtd_exec_t;
+-init_daemon_domain(virtd_t, virtd_exec_t)
+-domain_obj_id_change_exemption(virtd_t)
+-domain_subj_id_change_exemption(virtd_t)
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
+ 
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
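Review bot: This hunk makes the patch delete `type virtd_t;`, `type virtd_exec_t;`, `init_daemon_domain(virtd_t, virtd_exec_t)` and the two id-change exemptions from virt.te without re-adding them here, so virtd_t remains declared only if the earlier hunk `@@ -1,60 +1,91 @@` (whose body is not part of this commit) already carries those declarations; if it does not, every later virtd_t rule, including the init_ranged_daemon_domain calls a few lines below, fails on an undeclared type. Please verify against the full policy-F16.patch, since the outer diff shows that earlier hunk as unchanged. The `virt_domain_template(svirt_tcg)` and `role system_r types svirt_tcg_t;` lines look fine, though a comment such as `# software-emulated (TCG) guests get their own domain because they need execmem/execstack` next to them would explain why a separate domain exists.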
@@ -143649,7 +143689,7 @@ index 3eca020..6d2aef0 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -97,6 +147,35 @@ ifdef(`enable_mls',`
+@@ -97,6 +144,35 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -143685,7 +143725,7 @@ index 3eca020..6d2aef0 100644
  ########################################
  #
  # svirt local policy
-@@ -104,15 +183,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +180,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -143702,7 +143742,7 @@ index 3eca020..6d2aef0 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +206,17 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +203,17 @@ corenet_tcp_connect_all_ports(svirt_t)
  
  dev_list_sysfs(svirt_t)
  
@@ -143720,7 +143760,7 @@ index 3eca020..6d2aef0 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -140,18 +224,26 @@ tunable_policy(`virt_use_comm',`
+@@ -140,18 +221,26 @@ tunable_policy(`virt_use_comm',`
  ')
  
  tunable_policy(`virt_use_fusefs',`
@@ -143748,7 +143788,7 @@ index 3eca020..6d2aef0 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +252,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +249,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -143777,7 +143817,7 @@ index 3eca020..6d2aef0 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -173,22 +282,41 @@ optional_policy(`
+@@ -173,22 +279,41 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -143826,7 +143866,7 @@ index 3eca020..6d2aef0 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,14 +327,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,14 +324,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -143857,7 +143897,7 @@ index 3eca020..6d2aef0 100644
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -217,9 +359,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +356,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -143873,7 +143913,7 @@ index 3eca020..6d2aef0 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +387,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +384,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -143907,7 +143947,7 @@ index 3eca020..6d2aef0 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +420,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +417,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -143926,7 +143966,7 @@ index 3eca020..6d2aef0 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -276,6 +446,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +443,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -143935,7 +143975,7 @@ index 3eca020..6d2aef0 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +457,32 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +454,32 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -143968,7 +144008,7 @@ index 3eca020..6d2aef0 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +501,10 @@ optional_policy(`
+@@ -313,6 +498,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -143979,7 +144019,7 @@ index 3eca020..6d2aef0 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -326,19 +518,34 @@ optional_policy(`
+@@ -326,19 +515,34 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -144015,7 +144055,7 @@ index 3eca020..6d2aef0 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -353,6 +560,12 @@ optional_policy(`
+@@ -353,6 +557,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -144028,7 +144068,7 @@ index 3eca020..6d2aef0 100644
  	policykit_dbus_chat(virtd_t)
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
-@@ -360,11 +573,11 @@ optional_policy(`
+@@ -360,11 +570,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -144045,7 +144085,7 @@ index 3eca020..6d2aef0 100644
  ')
  
  optional_policy(`
-@@ -375,6 +588,7 @@ optional_policy(`
+@@ -375,6 +585,7 @@ optional_policy(`
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
@@ -144053,7 +144093,7 @@ index 3eca020..6d2aef0 100644
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
  	xen_read_image_files(virtd_t)
-@@ -394,20 +608,36 @@ optional_policy(`
+@@ -394,20 +605,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -144093,7 +144133,7 @@ index 3eca020..6d2aef0 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +648,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +645,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -144107,7 +144147,7 @@ index 3eca020..6d2aef0 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +661,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +658,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -144120,7 +144160,7 @@ index 3eca020..6d2aef0 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +674,445 @@ files_search_all(virt_domain)
+@@ -440,25 +671,452 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -144510,7 +144550,14 @@ index 3eca020..6d2aef0 100644
 +# svirt_prot_exec local policy
 +#
 +
-+allow svirt_prot_exec_t self:process { execmem execstack };
++allow svirt_tcg_t self:process { execmem execstack };
++corenet_udp_sendrecv_generic_if(svirt_tcg_t)
++corenet_udp_sendrecv_generic_node(svirt_tcg_t)
++corenet_udp_sendrecv_all_ports(svirt_tcg_t)
++corenet_udp_bind_generic_node(svirt_tcg_t)
++corenet_udp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_connect_all_ports(svirt_tcg_t)
 +
 +########################################
 +#
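Review bot: The section header a few lines above the changed rule still reads `# svirt_prot_exec local policy` while the rules now target svirt_tcg_t; update it to `# svirt_tcg local policy` so the file does not describe a domain it no longer configures here, and confirm svirt_prot_exec_t is not still declared elsewhere in the patch, since this was its only visible rule. The seven corenet_* additions are broad: binding all TCP and UDP ports plus connecting to all TCP ports lets an emulated guest process claim any host port, including those reserved for services, which is much wider than the execmem/execstack the TCG JIT actually requires. If that breadth is deliberate (e.g. for user-mode networking), a why-comment above the block, or putting the bind rules behind a tunable like the virt_use_* toggles visible elsewhere in this file, would make the trade-off explicit.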
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 71cd14d..2e1ab1f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 163%{?dist}
+Release: 164%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Dec 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-164
+- Add labeling for /var/www/openshift/{broker,console}
+- Allow openshift_initrc domain to dbus chat with systemd_logind
+- Allow httpd to getattr passenger log file if run_stickshift
+- Add passenger_getattr_log_files interface
+- Backport svirt_tcg policy
+- munint wants to send sigkill to ping
+- Allow munin plugins to send a signal to itself
+- Allow munin to send signal to ping
+
 * Thu Dec 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-163
 - Allow openshift domain to read /dev/urand
 - Add labeling for /var/www/openshift/console/{tmp,log} dirs

