[selinux-policy/f15] - Fix BOINC bug

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jan 19 09:49:43 UTC 2012


commit 33ea471be4a79d1b5317d6c3fc3c86169a77174d
Author: Miroslav <mgrepl at redhat.com>
Date:   Thu Jan 19 10:49:23 2012 +0100

    - Fix BOINC bug

 policy-F15.patch    |   64 +++++++++++++++++++++++++++++++++++++++-----------
 selinux-policy.spec |    5 +++-
 2 files changed, 54 insertions(+), 15 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 3ed039a..373a2a2 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -8626,10 +8626,10 @@ index 0000000..6efdeca
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..74ce3e2
+index 0000000..1bc545e
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,482 @@
+@@ -0,0 +1,483 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8839,6 +8839,7 @@ index 0000000..74ce3e2
 +dev_read_urand(sandbox_x_domain)
 +dev_dontaudit_read_rand(sandbox_x_domain)
 +dev_read_sysfs(sandbox_x_domain)
++dev_dontaudit_rw_dri(sandbox_x_domain)
 +
 +files_search_home(sandbox_x_domain)
 +files_dontaudit_list_all_mountpoints(sandbox_x_domain)
@@ -21987,7 +21988,7 @@ index 0000000..fa9b95a
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..2685b9c
+index 0000000..16bec60
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
 @@ -0,0 +1,171 @@
@@ -22000,7 +22001,7 @@ index 0000000..2685b9c
 +
 +attribute boinc_domain;
 +
-+type boinc_t;
++type boinc_t, boinc_domain;
 +type boinc_exec_t;
 +init_daemon_domain(boinc_t, boinc_exec_t)
 +
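Review bot: Both `type boinc_t, boinc_domain;` here and `type boinc_project_t, boinc_domain;` in the next hunk now attach the attribute declared as `attribute boinc_domain;` a few lines above, which is presumably the bug the title refers to (the attribute had no member types, so any rule written against it applied to nothing). A one-line comment on the declaration, `# boinc_domain: all BOINC domains (boinc_t, boinc_project_t)`, would make the intended membership explicit so a future type is not missed the same way. The rest of boinc.te is outside these hunks.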
@@ -22016,7 +22017,7 @@ index 0000000..2685b9c
 +type boinc_var_lib_t;
 +files_type(boinc_var_lib_t)
 +
-+type boinc_project_t;
++type boinc_project_t, boinc_domain;
 +domain_type(boinc_project_t)
 +role system_r types boinc_project_t;
 +
@@ -29714,7 +29715,7 @@ index bc27421..a65582e 100644
  ## <summary>
  ##	Allow domain dyntransition to sftpd_anon domain.
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..9348f18 100644
+index 8a74a83..ef6ab29 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
 @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -29905,6 +29906,19 @@ index 8a74a83..9348f18 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -391,12 +446,6 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ 	fs_manage_cifs_symlinks(sftpd_t)
+ ')
+ 
+-tunable_policy(`sftpd_full_access',`
+-	allow sftpd_t self:capability { dac_override dac_read_search };
+-	fs_read_noxattr_fs_files(sftpd_t)
+-	auth_manage_all_files_except_shadow(sftpd_t)
+-')
+-
+ tunable_policy(`use_samba_home_dirs',`
+ 	# allow read access to /home by default
+ 	fs_list_cifs(sftpd_t)
 diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
 index 99a94de..6dbc203 100644
 --- a/policy/modules/services/gatekeeper.te
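Review bot: Deleting the `tunable_policy(`sftpd_full_access',` block leaves no consumer of that boolean visible in this hunk; if its `gen_tunable` declaration stays in ftp.te (outside the hunk) and nothing else references it, the boolean still appears to administrators but toggling it does nothing, while the grant of `dac_override dac_read_search` plus `auth_manage_all_files_except_shadow(sftpd_t)` moves nowhere visible. If the block was relocated by the earlier additions in this file (the inner `@@ -40,6 +40,13 @@` header suggests insertions near the tunable declarations), a comment at the new location, `# sftpd_full_access rules: moved from the samba-home-dirs section`, or the commit message should say so; otherwise the declaration should go together with the block. The surrounding ftp.te content is outside the hunk.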
@@ -35872,7 +35886,7 @@ index 8581040..2367841 100644
  
  	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..eecaf7c 100644
+index bf64a4c..edba027 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -27,6 +27,9 @@ files_pid_file(nagios_var_run_t)
@@ -36017,14 +36031,24 @@ index bf64a4c..eecaf7c 100644
  ')
  
  optional_policy(`
-@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
--kernel_read_system_state(nagios_system_plugin_t)
++read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
++
+ kernel_read_system_state(nagios_system_plugin_t)
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
- corecmd_exec_bin(nagios_system_plugin_t)
+@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
+ 
+ files_read_etc_files(nagios_system_plugin_t)
+ 
++fs_getattr_all_fs(nagios_system_plugin_t)
++
+ # needed by check_users plugin
+ optional_policy(`
+ 	init_read_utmp(nagios_system_plugin_t)
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
 index 386543b..984eefc 100644
 --- a/policy/modules/services/networkmanager.fc
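Review bot: The new rules `read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)` and `fs_getattr_all_fs(nagios_system_plugin_t)` are added without the `# needed by … plugin` comment this part of nagios.te uses for the `init_read_utmp` rule, so a reader cannot tell which plugin triggered them. Suggest `# needed by <plugin name — TODO confirm> plugin` above each. `fs_getattr_all_fs` grants getattr on every filesystem type, which is plausibly what a disk-usage check needs, but that is an inference; the comment would settle it. Both inner hunks are complete here, but the rest of nagios.te lies outside.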
@@ -40362,7 +40386,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..6451f82 100644
+index 29b9295..d45c661 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -40416,7 +40440,19 @@ index 29b9295..6451f82 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -125,6 +138,11 @@ optional_policy(`
+@@ -107,6 +120,11 @@ tunable_policy(`use_samba_home_dirs',`
+ 	fs_manage_cifs_dirs(procmail_t)
+ 	fs_manage_cifs_files(procmail_t)
+ 	fs_manage_cifs_symlinks(procmail_t)
++
++optional_policy(`
++	clamav_domtrans_clamscan(procmail_t)
++	clamav_search_lib(procmail_t)
++	cyrus_stream_connect(procmail_t)
+ ')
+ 
+ optional_policy(`
+@@ -125,6 +143,11 @@ optional_policy(`
  	postfix_read_spool_files(procmail_t)
  	postfix_read_local_state(procmail_t)
  	postfix_read_master_state(procmail_t)
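Review bot: The added `optional_policy(`` is opened inside the `tunable_policy(`use_samba_home_dirs',` block and takes over that block's closing `')` — after the patch the tunable is never closed, so the m4 quoting is unbalanced for the remainder of procmail.te and, even if it happened to build, the clamav/cyrus rules would be conditional on the samba boolean rather than unconditional. The tunable needs its own `')` (and a blank line) before the new block. Keeping clamav and cyrus interfaces in one optional_policy also means both sets of rules are dropped when either module is absent; splitting them, as below, avoids that. The tunable_policy block starts inside the hunk, but the later optional_policy blocks of the file continue outside it.
```m4
	fs_manage_cifs_symlinks(procmail_t)
')

optional_policy(`
	clamav_domtrans_clamscan(procmail_t)
	clamav_search_lib(procmail_t)
')

optional_policy(`
	cyrus_stream_connect(procmail_t)
')
# … unchanged: following optional_policy blocks …
```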
@@ -46854,7 +46890,7 @@ index 941380a..ce8c972 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..22b6731 100644
+index 8ffa257..00897e9 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
 @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -46863,7 +46899,7 @@ index 8ffa257..22b6731 100644
  #
 -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
 +
-+allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin };
  allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
 -allow sssd_t self:fifo_file rw_file_perms;
 +allow sssd_t self:fifo_file rw_fifo_file_perms;
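Review bot: The rewritten `allow sssd_t self:capability { … net_admin … sys_admin }` adds two broad capabilities with no comment saying which sssd operation needs them; `sys_admin` in particular is close to unrestricted root, so the `#` commentary above the rule should name the trigger, e.g. `# net_admin/sys_admin: needed for <operation — TODO confirm>`. If the denials being silenced are harmless, a `dontaudit sssd_t self:capability { net_admin sys_admin };` line is the usual alternative to granting them. The list is also no longer sorted (`sys_admin` trails `setuid`), a minor style point. The self-capability rule is fully inside the hunk, but the rest of sssd.te is not.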
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1ef2bb4..f304304 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 50%{?dist}
+Release: 51%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Jan 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-51
+- Fix BOINC bug
+
 * Wed Dec 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-50
 - BOinc fixes
 - Allow mysqld_safe to delete the mysql_db_t sock_file

