[selinux-policy/f15] - Fix BOINC bug
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jan 19 09:49:43 UTC 2012
commit 33ea471be4a79d1b5317d6c3fc3c86169a77174d
Author: Miroslav <mgrepl at redhat.com>
Date: Thu Jan 19 10:49:23 2012 +0100
- Fix BOINC bug
policy-F15.patch | 64 +++++++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 5 +++-
2 files changed, 54 insertions(+), 15 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 3ed039a..373a2a2 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -8626,10 +8626,10 @@ index 0000000..6efdeca
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..74ce3e2
+index 0000000..1bc545e
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,482 @@
+@@ -0,0 +1,483 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8839,6 +8839,7 @@ index 0000000..74ce3e2
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_read_sysfs(sandbox_x_domain)
++dev_dontaudit_rw_dri(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
@@ -21987,7 +21988,7 @@ index 0000000..fa9b95a
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..2685b9c
+index 0000000..16bec60
--- /dev/null
+++ b/policy/modules/services/boinc.te
@@ -0,0 +1,171 @@
@@ -22000,7 +22001,7 @@ index 0000000..2685b9c
+
+attribute boinc_domain;
+
-+type boinc_t;
++type boinc_t, boinc_domain;
+type boinc_exec_t;
+init_daemon_domain(boinc_t, boinc_exec_t)
+
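Review bot: Nothing next to `attribute boinc_domain;` says that every boinc type has to be declared as a member of it, which is exactly what the previous version missed: `type boinc_t, boinc_domain;` here and `type boinc_project_t, boinc_domain;` in the next hunk (`@@ -22016,7 +22017,7 @@`) add that membership, and presumably the rules written against boinc_domain matched no type before. A comment above the declaration, for example `# boinc_domain: every boinc_* domain type; rules common to all of them are written against this attribute`, would make the contract visible to whoever adds the next boinc type. The remaining boinc.te declarations lie outside these two hunks.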
@@ -22016,7 +22017,7 @@ index 0000000..2685b9c
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
-+type boinc_project_t;
++type boinc_project_t, boinc_domain;
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
+
@@ -29714,7 +29715,7 @@ index bc27421..a65582e 100644
## <summary>
## Allow domain dyntransition to sftpd_anon domain.
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..9348f18 100644
+index 8a74a83..ef6ab29 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -29905,6 +29906,19 @@ index 8a74a83..9348f18 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -391,12 +446,6 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ fs_manage_cifs_symlinks(sftpd_t)
+ ')
+
+-tunable_policy(`sftpd_full_access',`
+- allow sftpd_t self:capability { dac_override dac_read_search };
+- fs_read_noxattr_fs_files(sftpd_t)
+- auth_manage_all_files_except_shadow(sftpd_t)
+-')
+-
+ tunable_policy(`use_samba_home_dirs',`
+ # allow read access to /home by default
+ fs_list_cifs(sftpd_t)
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index 99a94de..6dbc203 100644
--- a/policy/modules/services/gatekeeper.te
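Review bot: The inner `@@ -391,12 +446,6 @@` hunk drops the whole tunable_policy(`sftpd_full_access') block for sftpd_t, but the gen_tunable declaration of that boolean is not in view and nothing in this patch shows a replacement consumer. If the declaration stays, the boolean becomes a silent no-op: toggling it succeeds and changes nothing, which is harder to diagnose than a missing boolean. Either the block was relocated (the +55 shift of the inner hunk suggests additions earlier in ftp.te, but that is inferred) and the relocating hunk belongs in the same commit, or the declaration and its interface description should be removed with it. Removing `dac_override` and `auth_manage_all_files_except_shadow` from sftpd_t is itself a privilege reduction, so the point is only about leaving the boolean consistent. The surrounding tunable_policy blocks continue outside the hunk.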
@@ -35872,7 +35886,7 @@ index 8581040..2367841 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..eecaf7c 100644
+index bf64a4c..edba027 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -27,6 +27,9 @@ files_pid_file(nagios_var_run_t)
@@ -36017,14 +36031,24 @@ index bf64a4c..eecaf7c 100644
')
optional_policy(`
-@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
--kernel_read_system_state(nagios_system_plugin_t)
++read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
++
+ kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
- corecmd_exec_bin(nagios_system_plugin_t)
+@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
+
+ files_read_etc_files(nagios_system_plugin_t)
+
++fs_getattr_all_fs(nagios_system_plugin_t)
++
+ # needed by check_users plugin
+ optional_policy(`
+ init_read_utmp(nagios_system_plugin_t)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
index 386543b..984eefc 100644
--- a/policy/modules/services/networkmanager.fc
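Review bot: The new `read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)` and `fs_getattr_all_fs(nagios_system_plugin_t)` lines carry no comment, while the file annotates comparable grants with the plugin that needs them (`# needed by check_users plugin` two lines below the second addition). Both grants are broader than any single plugin obviously requires — read on all nagios logs, getattr on every filesystem — so a `# needed by <plugin name> plugin` line above each (placeholder to fill in; presumably a disk or log check plugin, but that is a guess) would let the next reviewer judge whether the grant can be narrowed. The rest of the nagios_system_plugin_t block is outside the hunk.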
@@ -40362,7 +40386,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..6451f82 100644
+index 29b9295..d45c661 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -40416,7 +40440,19 @@ index 29b9295..6451f82 100644
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -125,6 +138,11 @@ optional_policy(`
+@@ -107,6 +120,11 @@ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(procmail_t)
+ fs_manage_cifs_files(procmail_t)
+ fs_manage_cifs_symlinks(procmail_t)
++
++optional_policy(`
++ clamav_domtrans_clamscan(procmail_t)
++ clamav_search_lib(procmail_t)
++ cyrus_stream_connect(procmail_t)
+ ')
+
+ optional_policy(`
+@@ -125,6 +143,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
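Review bot: The new optional_policy block in the inner `@@ -107,6 +120,11 @@` hunk is opened inside the tunable_policy(`use_samba_home_dirs') block, and the only `')` after it is the existing one: the five added lines contain no closing quote, and the following inner hunk moves from +138 to +143, exactly those five lines, so no closing line is added anywhere else. The tunable block therefore loses its terminator, and the clamav and cyrus rules either become conditional on the samba boolean or unbalance the m4 quoting, depending on what follows in the file. A `')` and a blank line belong before the new block, and `cyrus_stream_connect(procmail_t)` should sit in its own optional_policy so that a missing cyrus module does not also drop the clamav rules. The enclosing tunable_policy starts outside the hunk.
```m4
tunable_policy(`use_samba_home_dirs',`
	# … unchanged: fs_manage_cifs_* rules …
')

optional_policy(`
	clamav_domtrans_clamscan(procmail_t)
	clamav_search_lib(procmail_t)
')

optional_policy(`
	cyrus_stream_connect(procmail_t)
')
```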
@@ -46854,7 +46890,7 @@ index 941380a..ce8c972 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..22b6731 100644
+index 8ffa257..00897e9 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -46863,7 +46899,7 @@ index 8ffa257..22b6731 100644
#
-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
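Review bot: The rewritten line `allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin };` adds net_admin and sys_admin to sssd_t, a large widening that neither the commit message nor the new changelog entry (both say only "Fix BOINC bug") mention. sys_admin is the catch-all capability; if it was added to silence an AVC rather than for a confirmed operation, the usual policy idiom is `dontaudit sssd_t self:capability sys_admin;`, and the same question applies to net_admin. At minimum the line needs a comment naming what sssd does with each, e.g. `# net_admin/sys_admin: needed for <operation> (bug <ID>)` with the placeholders filled in, so the grant can be revisited rather than inherited forever.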
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1ef2bb4..f304304 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 50%{?dist}
+Release: 51%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ exit 0
%endif
%changelog
+* Thu Jan 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-51
+- Fix BOINC bug
+
* Wed Dec 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-50
- BOinc fixes
- Allow mysqld_safe to delete the mysql_db_t sock_file