[selinux-policy/f17] * Wed Jul 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-140 - Add support for rhnsd daemon - All
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jul 18 11:42:06 UTC 2012
commit 1e9cc1a7e6bd7a5df6dc1c189a07a69d97af19af
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Jul 18 13:41:21 2012 +0200
* Wed Jul 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-140
- Add support for rhnsd daemon
- Allow cgclear to read cgconfig
- Allow sys_ptrace capability for snmp
- Allow freshclam to read /proc
- Fix rhsmcertd pid filetrans
- Allow NM to execute wpa_cli
- Allow procmail to manage /home/user/Maildir content
- Allow amavis to read clamd system state
- Allow postdrop to use unix_stream_sockets leaked into it
- Allow uucpd_t to uucpd port
policy-F16.patch | 161 +++++++++++++++++++++++++++++++++------------------
selinux-policy.spec | 14 ++++-
2 files changed, 117 insertions(+), 58 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 6d0b438..5648130 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -86118,7 +86118,7 @@ index e31d92a..1aa0718 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..e25ae7a 100644
+index deca9d3..f20cfea 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -86175,7 +86175,7 @@ index deca9d3..e25ae7a 100644
# uses uptime which reads utmp - redhat bug 561383
init_read_utmp(amavis_t)
init_stream_connect_script(amavis_t)
-@@ -153,29 +159,34 @@ sysnet_use_ldap(amavis_t)
+@@ -153,16 +159,17 @@ sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
@@ -86189,18 +86189,18 @@ index deca9d3..e25ae7a 100644
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
- ')
-
- optional_policy(`
++ clamav_read_state_clamd(amavis_t)
++')
++
++optional_policy(`
+ #Cron handling
+ cron_use_fds(amavis_t)
+ cron_use_system_job_fds(amavis_t)
+ cron_rw_pipes(amavis_t)
-+')
-+
-+optional_policy(`
- dcc_domtrans_client(amavis_t)
- dcc_stream_connect_dccifd(amavis_t)
+ ')
+
+ optional_policy(`
+@@ -171,11 +178,16 @@ optional_policy(`
')
optional_policy(`
@@ -86217,7 +86217,7 @@ index deca9d3..e25ae7a 100644
')
optional_policy(`
-@@ -188,6 +199,10 @@ optional_policy(`
+@@ -188,6 +200,10 @@ optional_policy(`
')
optional_policy(`
@@ -92434,7 +92434,7 @@ index 33facaf..225e70c 100644
admin_pattern($1, cgrules_etc_t)
files_list_etc($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index dad226c..59c2a27 100644
+index dad226c..8a093ca 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -92448,15 +92448,19 @@ index dad226c..59c2a27 100644
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
-@@ -39,7 +39,6 @@ files_config_file(cgconfig_etc_t)
+@@ -39,9 +39,10 @@ files_config_file(cgconfig_etc_t)
#
# cgclear personal policy.
#
-
allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
++allow cgclear_t cgconfig_etc_t:file read_file_perms;
++
kernel_read_system_state(cgclear_t)
-@@ -72,12 +71,15 @@ fs_mount_cgroup(cgconfig_t)
+
+ domain_setpriority_all_domains(cgclear_t)
+@@ -72,12 +73,15 @@ fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
fs_unmount_cgroup(cgconfig_t)
@@ -92473,7 +92477,7 @@ index dad226c..59c2a27 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-@@ -86,6 +88,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+@@ -86,6 +90,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
allow cgred_t cgrules_etc_t:file read_file_perms;
@@ -92483,7 +92487,7 @@ index dad226c..59c2a27 100644
# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-@@ -104,6 +109,8 @@ files_read_etc_files(cgred_t)
+@@ -104,6 +111,8 @@ files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
@@ -92795,7 +92799,7 @@ index e8e9a21..22986ef 100644
/var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0)
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
-index 1f11572..87840b4 100644
+index 1f11572..99c5cca 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
@@ -92822,7 +92826,7 @@ index 1f11572..87840b4 100644
')
########################################
-@@ -133,6 +134,49 @@ interface(`clamav_exec_clamscan',`
+@@ -133,6 +134,68 @@ interface(`clamav_exec_clamscan',`
########################################
## <summary>
@@ -92845,6 +92849,25 @@ index 1f11572..87840b4 100644
+
+#######################################
+## <summary>
++## Read clamd state files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`clamav_read_state_clamd',`
++ gen_require(`
++ type clamd_t;
++ ')
++
++ kernel_search_proc($1)
++ ps_process_pattern($1, clamd_t)
++')
++
++#######################################
++## <summary>
+## Execute clamd server in the clamd domain.
+## </summary>
+## <param name="domain">
@@ -92872,7 +92895,7 @@ index 1f11572..87840b4 100644
## All of the rules required to administrate
## an clamav environment
## </summary>
-@@ -151,19 +195,25 @@ interface(`clamav_exec_clamscan',`
+@@ -151,19 +214,25 @@ interface(`clamav_exec_clamscan',`
interface(`clamav_admin',`
gen_require(`
type clamd_t, clamd_etc_t, clamd_tmp_t;
@@ -92904,7 +92927,7 @@ index 1f11572..87840b4 100644
ps_process_pattern($1, freshclam_t)
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
-@@ -171,6 +221,10 @@ interface(`clamav_admin',`
+@@ -171,6 +240,10 @@ interface(`clamav_admin',`
role_transition $2 clamd_initrc_exec_t system_r;
allow $2 system_r;
@@ -92915,7 +92938,7 @@ index 1f11572..87840b4 100644
files_list_etc($1)
admin_pattern($1, clamd_etc_t)
-@@ -189,4 +243,10 @@ interface(`clamav_admin',`
+@@ -189,4 +262,10 @@ interface(`clamav_admin',`
admin_pattern($1, clamscan_tmp_t)
admin_pattern($1, freshclam_var_log_t)
@@ -92927,7 +92950,7 @@ index 1f11572..87840b4 100644
+
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..5207f78 100644
+index f758323..f931f27 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,23 @@
@@ -93051,7 +93074,7 @@ index f758323..5207f78 100644
')
########################################
-@@ -178,10 +211,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +211,17 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -93062,6 +93085,7 @@ index f758323..5207f78 100644
logging_log_filetrans(freshclam_t, freshclam_var_log_t, file)
+kernel_read_kernel_sysctls(freshclam_t)
++kernel_read_network_state(freshclam_t)
+kernel_read_system_state(freshclam_t)
+
+corecmd_exec_shell(freshclam_t)
@@ -93070,7 +93094,7 @@ index f758323..5207f78 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +228,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +229,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -93079,7 +93103,7 @@ index f758323..5207f78 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +248,22 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +249,22 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -93106,7 +93130,7 @@ index f758323..5207f78 100644
########################################
#
# clamscam local policy
-@@ -242,15 +289,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +290,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -93142,7 +93166,7 @@ index f758323..5207f78 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +331,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +332,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -111269,7 +111293,7 @@ index 3368699..7a7fc02 100644
#
interface(`modemmanager_domtrans',`
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
-index b3ace16..83392b6 100644
+index b3ace16..46f4b11 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -8,6 +8,7 @@ policy_module(modemmanager, 1.1.0)
@@ -111290,7 +111314,7 @@ index b3ace16..83392b6 100644
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,13 +30,25 @@ dev_rw_modem(modemmanager_t)
+@@ -28,13 +30,27 @@ dev_rw_modem(modemmanager_t)
files_read_etc_files(modemmanager_t)
@@ -111298,6 +111322,8 @@ index b3ace16..83392b6 100644
+term_use_generic_ptys(modemmanager_t)
+term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t
+term_use_usb_ttys(modemmanager_t)
++
++xserver_read_state_xdm(modemmanager_t)
miscfiles_read_localization(modemmanager_t)
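Review bot: `xserver_read_state_xdm(modemmanager_t)` is added outside any optional_policy block, between the term_* and miscfiles_* calls, yet it comes from the xserver module rather than a base layer module; unless xserver is built into base here, the modemmanager module will fail to link on a system without it. Wrap the call in its own block: `optional_policy(` on one line, `xserver_read_state_xdm(modemmanager_t)` on the next, `')` to close. A modem daemon reading the display manager's /proc state is also surprising; if this only silences a denial caused by a descriptor inherited from xdm, a dontaudit (or fixing the leak with CLOEXEC in the caller) is preferable to an allow, and a short comment naming the triggering case would help the next reviewer.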
@@ -114014,7 +114040,7 @@ index 2324d9e..da61d01 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..ff617f1 100644
+index 0619395..7c2d938 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -114033,7 +114059,7 @@ index 0619395..ff617f1 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -35,16 +44,26 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -114064,10 +114090,12 @@ index 0619395..ff617f1 100644
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -52,9 +71,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
can_exec(NetworkManager_t, NetworkManager_exec_t)
-
++#wicd
++can_exec(NetworkManager_t, wpa_cli_exec_t)
++
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
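Review bot: `can_exec(NetworkManager_t, wpa_cli_exec_t)` runs wpa_cli inside NetworkManager_t, so it inherits every permission NM holds, even though the hunk's context shows a dedicated confined domain (`init_system_domain(wpa_cli_t, wpa_cli_exec_t)` in the inner header and the existing `wpa_cli_t:unix_dgram_socket sendto` rule). If the goal is just to let wicd, which the `#wicd` comment appears to refer to, launch wpa_cli, `domtrans_pattern(NetworkManager_t, wpa_cli_exec_t, wpa_cli_t)` keeps wpa_cli confined; if it must stay in the caller's domain (for example to read its output through inherited pipes), that reason belongs in the comment. Either way the one-word comment should say which program executes wpa_cli and why no transition is wanted, e.g. `# wicd (labelled NetworkManager_exec_t) runs wpa_cli directly; no transition to wpa_cli_t because ...`, with the wicd labelling confirmed before committing that text.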
@@ -114077,7 +114105,7 @@ index 0619395..ff617f1 100644
+filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
+
+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-+
+
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -114085,7 +114113,7 @@ index 0619395..ff617f1 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -95,11 +125,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
+@@ -95,11 +127,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_rw_tun_tap_dev(NetworkManager_t)
corenet_getattr_ppp_dev(NetworkManager_t)
@@ -114099,7 +114127,7 @@ index 0619395..ff617f1 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,10 +144,11 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +146,11 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
@@ -114112,7 +114140,7 @@ index 0619395..ff617f1 100644
files_read_usr_files(NetworkManager_t)
files_read_usr_src_files(NetworkManager_t)
-@@ -128,35 +160,44 @@ init_domtrans_script(NetworkManager_t)
+@@ -128,35 +162,44 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -114159,7 +114187,7 @@ index 0619395..ff617f1 100644
')
optional_policy(`
-@@ -176,10 +217,17 @@ optional_policy(`
+@@ -176,10 +219,17 @@ optional_policy(`
')
optional_policy(`
@@ -114177,7 +114205,7 @@ index 0619395..ff617f1 100644
')
')
-@@ -191,6 +239,7 @@ optional_policy(`
+@@ -191,6 +241,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -114185,7 +114213,7 @@ index 0619395..ff617f1 100644
')
optional_policy(`
-@@ -202,23 +251,45 @@ optional_policy(`
+@@ -202,23 +253,45 @@ optional_policy(`
')
optional_policy(`
@@ -114231,7 +114259,7 @@ index 0619395..ff617f1 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -234,6 +305,10 @@ optional_policy(`
+@@ -234,6 +307,10 @@ optional_policy(`
')
optional_policy(`
@@ -114242,7 +114270,7 @@ index 0619395..ff617f1 100644
ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +316,7 @@ optional_policy(`
+@@ -241,6 +318,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -114250,7 +114278,7 @@ index 0619395..ff617f1 100644
')
optional_policy(`
-@@ -254,6 +330,10 @@ optional_policy(`
+@@ -254,6 +332,10 @@ optional_policy(`
')
optional_policy(`
@@ -114261,7 +114289,7 @@ index 0619395..ff617f1 100644
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +343,7 @@ optional_policy(`
+@@ -263,6 +345,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -119300,7 +119328,7 @@ index a3e85c9..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..99499ef 100644
+index 46bee12..eccdc20 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -28,75 +28,19 @@ interface(`postfix_stub',`
@@ -119599,7 +119627,7 @@ index 46bee12..99499ef 100644
')
########################################
-@@ -621,3 +643,154 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +643,155 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -119715,6 +119743,7 @@ index 46bee12..99499ef 100644
+
+ postfix_domtrans_postdrop($1)
+ role $2 types postfix_postdrop_t;
++ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
+')
+
+########################################
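Review bot: `allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };` grants the setgid postdrop helper full read/write on whatever unix stream sockets the calling domain leaves open across the exec, for every caller of this interface (the interface's header with the `$1`/`$2` parameters starts above the hunk). The changelog itself calls these descriptors leaked, and the usual refpolicy convention for leaks is to silence the noise without widening access: `dontaudit postfix_postdrop_t $1:unix_stream_socket { read write getattr };`, or an allow of `getattr` alone if postdrop actually fails on the fstat rather than just logging. The real fix is in the caller (mark the socket CLOEXEC), so a comment naming the leaking caller would help track that.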
@@ -121249,7 +121278,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..624afe6 100644
+index 29b9295..fcbe654 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -121353,6 +121382,14 @@ index 29b9295..624afe6 100644
')
optional_policy(`
+@@ -134,6 +149,7 @@ optional_policy(`
+
+ optional_policy(`
+ mta_read_config(procmail_t)
++ mta_manage_home_rw(procmail_t)
+ sendmail_domtrans(procmail_t)
+ sendmail_signal(procmail_t)
+ sendmail_dontaudit_rw_tcp_sockets(procmail_t)
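Review bot: `mta_manage_home_rw(procmail_t)` is added inside the optional_policy block that also calls the sendmail_* interfaces, so procmail's Maildir access disappears whenever the sendmail module is not loaded, although delivering into the user's Maildir does not depend on sendmail. Give it its own block, `optional_policy(` / `mta_manage_home_rw(procmail_t)` / `')`, so the grant survives without sendmail. This is a manage (create, delete, rename) grant on user home mail content, which is what a local delivery agent needs, but the changelog's "/home/user/Maildir" is only one path carrying whatever type the interface covers; a comment stating the intended use, e.g. `# local delivery into ~/Maildir (mbox/Maildir content type)`, reads better than the path.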
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
index bc329d1..20bb463 100644
--- a/policy/modules/services/psad.if
@@ -124951,14 +124988,15 @@ index 0f262a7..4d10897 100644
manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc
new file mode 100644
-index 0000000..b2a8835
+index 0000000..17e561f
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,14 @@
+
+/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
+
+/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
++/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
+
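Review bot: `/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)` puts rhnsd into the rhsmcertd_t domain, so every permission later added for either daemon applies to both. As far as I understand rhnsd, it periodically runs rhn_check, which carries out actions pushed from the server (package operations, scripts), a far broader job than certificate refresh; that activity will either be denied in rhsmcertd_t or push that domain's policy to grow. A dedicated rhnsd_t (or, at minimum, a comment on this line explaining the shared domain and its limits) would be cleaner. Note also that rhnsd's init script is not labelled here, only `/etc/rc.d/init.d/rhsmcertd`, so an admin interface built on init_labeled_script_domtrans for rhsmcertd_initrc_exec_t will not cover `service rhnsd`.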
@@ -124967,6 +125005,7 @@ index 0000000..b2a8835
+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
+
+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
++/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
new file mode 100644
index 0000000..6572600
@@ -125275,7 +125314,7 @@ index 0000000..6572600
+')
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
-index 0000000..fd0cbc3
+index 0000000..f82fdec
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.te
@@ -0,0 +1,71 @@
@@ -125327,7 +125366,7 @@ index 0000000..fd0cbc3
+
+manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
-+files_pid_filetrans(rhsmcertd_var_run_t, rhsmcertd_var_run_t, { file dir })
++files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+
+kernel_read_network_state(rhsmcertd_t)
+kernel_read_system_state(rhsmcertd_t)
@@ -129180,7 +129219,7 @@ index 275f9fb..f1343b7 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..f4d9c37 100644
+index 3d8d1b3..1ef6c7f 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -129197,7 +129236,7 @@ index 3d8d1b3..f4d9c37 100644
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config };
+
-+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config };
++allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
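Review bot: Restoring `sys_ptrace` to `allow snmpd_t self:capability { ... }` re-grants CAP_SYS_PTRACE to a network-facing daemon, and nothing in the hunk records which snmpd operation needs it. A common trigger is snmpd walking /proc/<pid> for the process table, where the kernel runs a ptrace-access check for other users' processes; in that case `dontaudit snmpd_t self:capability sys_ptrace;` usually keeps snmpd working without granting the capability, the same treatment the following line already gives `sys_module`. If it genuinely must be allowed, add a comment beside the rule naming the confirmed trigger, e.g. `# sys_ptrace: reading /proc/<pid>/ of other users' processes for the host resources MIB`. The previous Fedora line dropped it while upstream kept it, so recording the reason for the revert is worthwhile.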
@@ -133489,7 +133528,7 @@ index ebc5414..8f8ac45 100644
logging_list_logs($1)
admin_pattern($1, uucpd_log_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index d4349e9..2f0887d 100644
+index d4349e9..24ac39b 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -24,7 +24,7 @@ type uucpd_ro_t;
@@ -133501,7 +133540,15 @@ index d4349e9..2f0887d 100644
type uucpd_log_t;
logging_log_file(uucpd_log_t)
-@@ -125,6 +125,8 @@ optional_policy(`
+@@ -83,6 +83,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t)
+ corenet_tcp_sendrecv_all_ports(uucpd_t)
+ corenet_udp_sendrecv_all_ports(uucpd_t)
+ corenet_tcp_connect_ssh_port(uucpd_t)
++corenet_tcp_connect_uucpd_port(uucpd_t)
+
+ dev_read_urand(uucpd_t)
+
+@@ -125,6 +126,8 @@ optional_policy(`
allow uux_t self:capability { setuid setgid };
allow uux_t self:fifo_file write_fifo_file_perms;
@@ -133510,7 +133557,7 @@ index d4349e9..2f0887d 100644
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
-@@ -134,6 +136,8 @@ files_read_etc_files(uux_t)
+@@ -134,6 +137,8 @@ files_read_etc_files(uux_t)
fs_rw_anon_inodefs_files(uux_t)
@@ -133519,7 +133566,7 @@ index d4349e9..2f0887d 100644
logging_send_syslog_msg(uux_t)
miscfiles_read_localization(uux_t)
-@@ -145,5 +149,5 @@ optional_policy(`
+@@ -145,5 +150,5 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d732ae3..50543d0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 139%{?dist}
+Release: 140%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jul 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-140
+- Add support for rhnsd daemon
+- Allow cgclear to read cgconfig
+- Allow sys_ptrace capability for snmp
+- Allow freshclam to read /proc
+- Fix rhsmcertd pid filetrans
+- Allow NM to execute wpa_cli
+- Allow procmail to manage /home/user/Maildir content
+- Allow amavis to read clamd system state
+- Allow postdrop to use unix_stream_sockets leaked into it
+- Allow uucpd_t to uucpd port
+
* Sun Jul 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-139
- Add support for ecryptfs
* ecryptfs does not support xattr