[selinux-policy/f17] * Mon Jun 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-132 - apcupsd needs to read /etc/passwd

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jun 18 21:55:53 UTC 2012


commit b1e217a9dc39ff715052ca08c8ec86793dca623d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jun 18 23:55:31 2012 +0200

    * Mon Jun 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-132
    - apcupsd needs to read /etc/passwd
    - Sanlock also sends sigkill
    - Allow glance_registry to connect to the mysqld port
    - Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
    - Allow firefox plugins/flash to connect to port 1234
    - Allow mozilla plugins to delete user_tmp_t files
    - Add transition name rule for printers.conf.O
    - Allow virt_lxc_t to read urand
    - Allow systemd_logind to list gstreamer_home_dirs
    - Fix labeling for /usr/bin
    - Fixes for cloudform services
      * support FIPS
    - Allow polipo to work as web caching
    - Allow chfn to execute tmux

 policy-F16.patch    |  200 ++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |   18 +++++-
 2 files changed, 145 insertions(+), 73 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index c8a3b71..f566d39 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -62685,7 +62685,7 @@ index 81fb26f..66cf96c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..b599f68 100644
+index 441cf22..f1654c5 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -62737,7 +62737,7 @@ index 441cf22..b599f68 100644
  
  miscfiles_read_localization(chfn_t)
  
-@@ -113,11 +116,18 @@ logging_send_syslog_msg(chfn_t)
+@@ -113,11 +116,23 @@ logging_send_syslog_msg(chfn_t)
  # uses unix_chkpwd for checking passwords
  seutil_dontaudit_search_config(chfn_t)
  
@@ -62753,10 +62753,15 @@ index 441cf22..b599f68 100644
 +	rssh_exec(chfn_t)
 +')
 +
++optional_policy(`
++	# allow to exec tmux
++	screen_exec(chfn_t)
++')
++
  ########################################
  #
  # Crack local policy
-@@ -194,8 +204,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +209,8 @@ selinux_compute_create_context(groupadd_t)
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
  
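Review bot: The new `screen_exec(chfn_t)` block grants chfn_t execution of screen_exec_t with no domain transition, so tmux would run holding everything chfn_t itself holds, and the comment `# allow to exec tmux` records only the what. A reader cannot tell from it why a setuid account-editing utility ends up executing a terminal multiplexer, nor that tmux is expected to carry screen's executable label (screen.fc is not in this hunk). Suggest widening the comment to `# tmux is labelled screen_exec_t; chfn/chsh run it in chfn_t (no transition)` plus the denial or bug that motivated the rule, so a later reviewer can judge whether a narrower rule would do. The chfn_t policy block starts and ends outside this hunk.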
@@ -62767,7 +62772,7 @@ index 441cf22..b599f68 100644
  
  init_use_fds(groupadd_t)
  init_read_utmp(groupadd_t)
-@@ -203,8 +213,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -203,8 +218,8 @@ init_dontaudit_write_utmp(groupadd_t)
  
  domain_use_interactive_fds(groupadd_t)
  
@@ -62777,7 +62782,7 @@ index 441cf22..b599f68 100644
  files_read_etc_runtime_files(groupadd_t)
  files_read_usr_symlinks(groupadd_t)
  
-@@ -219,9 +229,10 @@ miscfiles_read_localization(groupadd_t)
+@@ -219,9 +234,10 @@ miscfiles_read_localization(groupadd_t)
  auth_domtrans_chk_passwd(groupadd_t)
  auth_rw_lastlog(groupadd_t)
  auth_use_nsswitch(groupadd_t)
@@ -62789,7 +62794,7 @@ index 441cf22..b599f68 100644
  auth_relabel_shadow(groupadd_t)
  auth_etc_filetrans_shadow(groupadd_t)
  
-@@ -269,6 +280,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -269,6 +285,7 @@ allow passwd_t self:shm create_shm_perms;
  allow passwd_t self:sem create_sem_perms;
  allow passwd_t self:msgq create_msgq_perms;
  allow passwd_t self:msg { send receive };
@@ -62797,7 +62802,7 @@ index 441cf22..b599f68 100644
  
  allow passwd_t crack_db_t:dir list_dir_perms;
  read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -277,6 +289,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +294,7 @@ kernel_read_kernel_sysctls(passwd_t)
  
  # for SSP
  dev_read_urand(passwd_t)
@@ -62805,7 +62810,7 @@ index 441cf22..b599f68 100644
  
  fs_getattr_xattr_fs(passwd_t)
  fs_search_auto_mountpoints(passwd_t)
-@@ -291,26 +304,30 @@ selinux_compute_create_context(passwd_t)
+@@ -291,26 +309,30 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -62841,7 +62846,7 @@ index 441cf22..b599f68 100644
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +340,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +345,7 @@ miscfiles_read_localization(passwd_t)
  
  seutil_dontaudit_search_config(passwd_t)
  
@@ -62850,7 +62855,7 @@ index 441cf22..b599f68 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -332,6 +349,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +354,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -62858,7 +62863,7 @@ index 441cf22..b599f68 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -381,9 +399,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,9 +404,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -62871,7 +62876,7 @@ index 441cf22..b599f68 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -396,7 +415,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -396,7 +420,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -62879,7 +62884,7 @@ index 441cf22..b599f68 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -426,7 +444,8 @@ optional_policy(`
+@@ -426,7 +449,8 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -62889,7 +62894,7 @@ index 441cf22..b599f68 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -448,10 +467,13 @@ corecmd_exec_shell(useradd_t)
+@@ -448,10 +472,13 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -62904,7 +62909,7 @@ index 441cf22..b599f68 100644
  files_search_var_lib(useradd_t)
  files_relabel_etc_files(useradd_t)
  files_read_etc_runtime_files(useradd_t)
-@@ -460,17 +482,15 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,17 +487,15 @@ fs_search_auto_mountpoints(useradd_t)
  fs_getattr_xattr_fs(useradd_t)
  
  mls_file_upgrade(useradd_t)
@@ -62929,7 +62934,7 @@ index 441cf22..b599f68 100644
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -478,6 +498,7 @@ auth_rw_faillog(useradd_t)
+@@ -478,6 +503,7 @@ auth_rw_faillog(useradd_t)
  auth_use_nsswitch(useradd_t)
  # these may be unnecessary due to the above
  # domtrans_chk_passwd() call.
@@ -62937,7 +62942,7 @@ index 441cf22..b599f68 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -495,24 +516,19 @@ seutil_read_file_contexts(useradd_t)
+@@ -495,24 +521,19 @@ seutil_read_file_contexts(useradd_t)
  seutil_read_default_contexts(useradd_t)
  seutil_domtrans_semanage(useradd_t)
  seutil_domtrans_setfiles(useradd_t)
@@ -62950,10 +62955,10 @@ index 441cf22..b599f68 100644
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
 -userdom_manage_user_home_dirs(useradd_t)
--userdom_home_filetrans_user_home_dir(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_manage_user_home_content_dirs(useradd_t)
 -userdom_manage_user_home_content_files(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 +userdom_manage_home_role(system_r, useradd_t)
  
@@ -67173,7 +67178,7 @@ index fbb5c5a..ce9aee0 100644
  ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..094441e 100644
+index 2e9318b..ceef6bd 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67355,7 +67360,7 @@ index 2e9318b..094441e 100644
  can_exec(mozilla_plugin_t, mozilla_exec_t)
  
  kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -331,22 +359,31 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -331,22 +359,32 @@ kernel_request_load_module(mozilla_plugin_t)
  
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
@@ -67382,6 +67387,7 @@ index 2e9318b..094441e 100644
 +corenet_tcp_connect_soundd_port(mozilla_plugin_t)
 +corenet_tcp_connect_vnc_port(mozilla_plugin_t)
 +corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
++corenet_tcp_connect_monopd_port(mozilla_plugin_t)
 +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
 +corenet_tcp_bind_generic_node(mozilla_plugin_t)
 +corenet_udp_bind_generic_node(mozilla_plugin_t)
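Review bot: `corenet_tcp_connect_monopd_port(mozilla_plugin_t)` grants connect by port label, and the changelog's "port 1234" only maps onto it for as long as corenetwork keeps that port under monopd_port_t; without a comment the next reader will assume the plugin domain genuinely talks to monopd. Suggest `# port 1234 (flash) is labelled monopd_port_t on this branch` above the call. The neighbouring `corenet_tcp_connect_all_ephemeral_ports` line may already cover the port if it falls in the ephemeral range on this branch, in which case the new rule is redundant — worth checking before it lands. The mozilla_plugin_t network block continues outside this hunk.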
@@ -67393,7 +67399,7 @@ index 2e9318b..094441e 100644
  dev_read_video_dev(mozilla_plugin_t)
  dev_write_video_dev(mozilla_plugin_t)
  dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +392,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +393,7 @@ dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -67401,7 +67407,7 @@ index 2e9318b..094441e 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,11 +400,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,11 +401,14 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -67416,7 +67422,7 @@ index 2e9318b..094441e 100644
  application_dontaudit_signull(mozilla_plugin_t)
  
  auth_use_nsswitch(mozilla_plugin_t)
-@@ -383,35 +424,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +425,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -67429,6 +67435,7 @@ index 2e9318b..094441e 100644
  userdom_manage_user_tmp_dirs(mozilla_plugin_t)
 -userdom_read_user_tmp_files(mozilla_plugin_t)
 +userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
++userdom_delete_user_tmp_files(mozilla_plugin_t)
 +userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
 +userdom_manage_home_certs(mozilla_plugin_t)
  userdom_read_user_tmp_symlinks(mozilla_plugin_t)
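Review bot: `userdom_delete_user_tmp_files(mozilla_plugin_t)` lets the plugin domain unlink any user_tmp_t file, not only files it created, which widens the plugin sandbox beyond the read and rw-inherited access the surrounding lines grant. If the denial came from a file the plugin wrote itself, a plugin-specific tmp type with a filetrans would scope the rule to those files; if arbitrary user tmp files really must be removed, a comment naming the triggering case (for example `# flash removes the files it drops in /tmp`) tells the next reviewer why the broader grant was chosen. The userdom section for this domain continues outside the hunk.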
@@ -67463,7 +67470,7 @@ index 2e9318b..094441e 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,11 +453,19 @@ optional_policy(`
+@@ -421,24 +455,32 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -67483,30 +67490,39 @@ index 2e9318b..094441e 100644
  ')
  
  optional_policy(`
-@@ -438,18 +478,106 @@ optional_policy(`
+-	java_exec(mozilla_plugin_t)
++	gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
+ ')
+ 
+ optional_policy(`
+-	mplayer_exec(mozilla_plugin_t)
+-	mplayer_read_user_home_files(mozilla_plugin_t)
++	java_exec(mozilla_plugin_t)
  ')
  
  optional_policy(`
 -	pcscd_stream_connect(mozilla_plugin_t)
--')
--
--optional_policy(`
- 	pulseaudio_exec(mozilla_plugin_t)
++	mplayer_exec(mozilla_plugin_t)
++	mplayer_read_user_home_files(mozilla_plugin_t)
+ ')
+ 
+ optional_policy(`
+@@ -446,10 +488,102 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
 +	pulseaudio_manage_home_symlinks(mozilla_plugin_t)
+ ')
+ 
+ optional_policy(`
++	pcscd_stream_connect(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
-+	pcscd_stream_connect(mozilla_plugin_t)
++	rtkit_scheduled(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
-+	rtkit_scheduled(mozilla_plugin_t)
- ')
- 
- optional_policy(`
 +	udev_read_db(mozilla_plugin_t)
 +')
 +
@@ -70343,7 +70359,7 @@ index c8254dd..340a2d7 100644
  /var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 +/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index a57e81e..b0b3ce6 100644
+index a57e81e..534470f 100644
 --- a/policy/modules/apps/screen.if
 +++ b/policy/modules/apps/screen.if
 @@ -25,6 +25,7 @@ template(`screen_role_template',`
@@ -70410,7 +70426,7 @@ index a57e81e..b0b3ce6 100644
  
  	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
  	manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -87,77 +57,22 @@ template(`screen_role_template',`
+@@ -87,77 +57,41 @@ template(`screen_role_template',`
  	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
  
  	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -70465,11 +70481,11 @@ index a57e81e..b0b3ce6 100644
 -	init_rw_utmp($1_screen_t)
 -
 -	logging_send_syslog_msg($1_screen_t)
--
+ 
 -	miscfiles_read_localization($1_screen_t)
 -
 -	seutil_read_config($1_screen_t)
- 
+-
 -	userdom_use_user_terminals($1_screen_t)
 -	userdom_create_user_pty($1_screen_t)
  	userdom_user_home_domtrans($1_screen_t, $3)
@@ -70488,6 +70504,25 @@ index a57e81e..b0b3ce6 100644
 -		fs_read_nfs_symlinks($1_screen_t)
  	')
  ')
++
++######################################
++## <summary>
++##      Execute the rssh program
++##      in the caller domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`screen_exec',`
++        gen_require(`
++                type screen_exec_t;
++        ')
++
++        can_exec($1, screen_exec_t)
++')
 diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
 index 553bc73..0bd13e3 100644
 --- a/policy/modules/apps/screen.te
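Review bot: The new `screen_exec` interface's summary reads "Execute the rssh program in the caller domain", which is a copy-paste from another interface and documents the wrong program; suggest `## Execute screen (and tmux, which shares screen_exec_t) in the caller domain.`, hedged to just screen if tmux is not labelled screen_exec_t on this branch. The body is also indented with spaces while the rest of screen.if, as the context lines above show, uses tabs; reindenting `gen_require` and `can_exec` with tabs keeps the file consistent. Since this is `can_exec` rather than a domtrans, the doc could also state that no transition occurs, which is the security-relevant property callers need to know.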
@@ -72172,7 +72207,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..4172347 100644
+index 3fae11a..0ebbc4f 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -72261,7 +72296,7 @@ index 3fae11a..4172347 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,67 +184,94 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +184,93 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -72274,7 +72309,6 @@ index 3fae11a..4172347 100644
  /usr/(.*/)?Bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 -/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
-+/usr/bin/.*					gen_context(system_u:object_r:bin_t,s0)
 +/usr/bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/esh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 +/usr/bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -72401,7 +72435,7 @@ index 3fae11a..4172347 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +279,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +278,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -72421,7 +72455,7 @@ index 3fae11a..4172347 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +306,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +305,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -72432,7 +72466,7 @@ index 3fae11a..4172347 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +329,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +328,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -72453,7 +72487,7 @@ index 3fae11a..4172347 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +353,12 @@ ifdef(`distro_redhat', `
+@@ -306,10 +352,12 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -72468,7 +72502,7 @@ index 3fae11a..4172347 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +368,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +367,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -72480,7 +72514,7 @@ index 3fae11a..4172347 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,20 +414,21 @@ ifdef(`distro_redhat', `
+@@ -363,20 +413,21 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -72506,7 +72540,7 @@ index 3fae11a..4172347 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +437,13 @@ ifdef(`distro_suse', `
+@@ -385,3 +436,13 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -87988,7 +88022,7 @@ index e342775..1fedbe5 100644
 +	allow $1 apcupsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
-index d052bf0..77e6e19 100644
+index d052bf0..6c7828b 100644
 --- a/policy/modules/services/apcupsd.te
 +++ b/policy/modules/services/apcupsd.te
 @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -88001,7 +88035,7 @@ index d052bf0..77e6e19 100644
  ########################################
  #
  # apcupsd local policy
-@@ -76,6 +79,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
+@@ -76,24 +79,31 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
  
  # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
  term_use_unallocated_ttys(apcupsd_t)
@@ -88009,7 +88043,13 @@ index d052bf0..77e6e19 100644
  
  #apcupsd runs shutdown, probably need a shutdown domain
  init_rw_utmp(apcupsd_t)
-@@ -87,13 +91,17 @@ miscfiles_read_localization(apcupsd_t)
+ init_telinit(apcupsd_t)
+ 
++auth_read_passwd(apcupsd_t)
++
+ logging_send_syslog_msg(apcupsd_t)
+ 
+ miscfiles_read_localization(apcupsd_t)
  
  sysnet_dns_name_resolve(apcupsd_t)
  
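Review bot: `auth_read_passwd(apcupsd_t)` is added without a why-comment, whereas the neighbouring `term_use_unallocated_ttys` line cites its bugzilla; the commit message only says apcupsd "needs to read /etc/passwd", which does not tell a later maintainer which apcupsd code path does the lookup. Suggest `# apcupsd looks up accounts in /etc/passwd (bz <BUG-ID placeholder>)` directly above the call, with the real bug id filled in. The apcupsd_t policy block continues outside this hunk.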
@@ -92596,10 +92636,10 @@ index 6077339..d10acd2 100644
  dev_manage_generic_blk_files(clogd_t)
 diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
 new file mode 100644
-index 0000000..f2968f8
+index 0000000..9a9d120
 --- /dev/null
 +++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,22 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
@@ -92616,8 +92656,7 @@ index 0000000..f2968f8
 +/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
 +/var/log/iwhd\.log		--		gen_context(system_u:object_r:iwhd_log_t,s0)
 +/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
-+
-+
++/var/log/iwhd\.log              --	gen_context(system_u:object_r:thin_log_t,s0)
 +
 +/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
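Review bot: The added `/var/log/iwhd\.log -- ... thin_log_t` entry duplicates the `/var/log/iwhd\.log -- ... iwhd_log_t` line three lines above with a different type; libselinux's file-context compiler treats two identical regexes with different contexts as an error ("Multiple same specifications"), so this will likely fail at policy load, and even if it loaded only one label could win. The thin_log_t type and its `logging_log_filetrans(thin_t, thin_log_t, ...)` rules introduced in the cloudform.te hunks further down would then never be reached by a correct path. The entry should name thin's actual log location, e.g. `<thin log path placeholder> gen_context(system_u:object_r:thin_log_t,s0)`, rather than iwhd's.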
@@ -92671,10 +92710,10 @@ index 0000000..7f55959
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..2709243
+index 0000000..787b40a
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,236 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -92688,6 +92727,9 @@ index 0000000..2709243
 +cloudform_domain_template(mongod)
 +cloudform_domain_template(thin)
 +
++type thin_log_t;
++logging_log_file(thin_log_t)
++
 +type deltacloudd_log_t;
 +logging_log_file(deltacloudd_log_t)
 +
@@ -92735,10 +92777,15 @@ index 0000000..2709243
 +allow cloudform_domain self:fifo_file rw_fifo_file_perms;
 +allow cloudform_domain self:tcp_socket create_stream_socket_perms;
 +
++kernel_read_system_state(cloudform_domain)
++
++dev_read_rand(cloudform_domain)
 +dev_read_urand(cloudform_domain)
 +
 +files_read_etc_files(cloudform_domain)
 +
++auth_read_passwd(cloudform_domain)
++
 +miscfiles_read_certs(cloudform_domain)
 +miscfiles_read_localization(cloudform_domain)
 +
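Review bot: The three new grants on the cloudform_domain attribute (`kernel_read_system_state`, `dev_read_rand`, `auth_read_passwd`) carry no comments, and since the attribute covers every cloudform daemon declared above (deltacloudd, iwhd, mongod, thin per the template calls) each one widens all four domains at once. The changelog's "support FIPS" is the only hint that `dev_read_rand` is there for FIPS-mode crypto; suggest `# FIPS mode: crypto libraries read /dev/random as well as /dev/urandom` above it, and similar one-liners for the other two. The cloudform_domain section continues outside this hunk.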
@@ -92877,6 +92924,10 @@ index 0000000..2709243
 +allow thin_t self:udp_socket create_socket_perms;
 +allow thin_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_files_pattern(thin_t, thin_log_t, thin_log_t)
++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
++logging_log_filetrans(thin_t, thin_log_t, { file dir })
++
 +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
 +files_pid_filetrans(thin_t, thin_var_run_t, { file })
 +
@@ -97096,7 +97147,7 @@ index 1b492ed..d3e9822 100644
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
-index 305ddf4..4d70951 100644
+index 305ddf4..d1b97fb 100644
 --- a/policy/modules/services/cups.if
 +++ b/policy/modules/services/cups.if
 @@ -9,6 +9,11 @@
@@ -97199,7 +97250,7 @@ index 305ddf4..4d70951 100644
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -341,18 +375,47 @@ interface(`cups_admin',`
+@@ -341,18 +375,48 @@ interface(`cups_admin',`
  
  	admin_pattern($1, cupsd_lpd_var_run_t)
  
@@ -97243,6 +97294,7 @@ index 305ddf4..4d70951 100644
 +
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "classes.conf")
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf")
++	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf.O")
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf")
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf.default")
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "lpoptions")
@@ -104329,10 +104381,10 @@ index 0000000..ebe1dde
 +')
 diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
 new file mode 100644
-index 0000000..842165a
+index 0000000..40df3ea
 --- /dev/null
 +++ b/policy/modules/services/glance.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,118 @@
 +policy_module(glance, 1.0.0)
 +
 +########################################
@@ -104420,6 +104472,7 @@ index 0000000..842165a
 +
 +corenet_tcp_bind_generic_node(glance_registry_t)
 +corenet_tcp_bind_glance_registry_port(glance_registry_t)
++corenet_tcp_connect_mysqld_port(glance_registry_t)
 +corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
 +
 +logging_send_syslog_msg(glance_registry_t)
@@ -118306,10 +118359,10 @@ index 0000000..d00f6ba
 +')
 diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
 new file mode 100644
-index 0000000..c08cddc
+index 0000000..781625a
 --- /dev/null
 +++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,172 @@
 +policy_module(polipo, 1.0.0)
 +
 +########################################
@@ -118415,6 +118468,7 @@ index 0000000..c08cddc
 +corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
 +corenet_tcp_bind_http_cache_port(polipo_daemon)
 +corenet_sendrecv_http_cache_server_packets(polipo_daemon)
++corenet_tcp_connect_http_port(polipo_daemon)
 +
 +files_read_usr_files(polipo_daemon)
 +
@@ -127202,7 +127256,7 @@ index 0000000..3eb745d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..f1314b0
+index 0000000..c4130e0
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
 @@ -0,0 +1,103 @@
@@ -127253,7 +127307,7 @@ index 0000000..f1314b0
 +# sanlock local policy
 +#
 +allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };
-+allow sanlock_t self:process { setsched signull signal };
++allow sanlock_t self:process { setsched signull signal sigkill };
 +
 +allow sanlock_t self:fifo_file rw_fifo_file_perms;
 +allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
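Review bot: Adding `sigkill` to `allow sanlock_t self:process` only permits sanlock to kill processes already in sanlock_t; the changelog says sanlock "sends sigkill", and if the observed denial was against a client or helper in another domain this self rule will not satisfy it. Worth confirming against the audit record which target domain was involved and, if it was not sanlock_t, expressing it as a rule toward that domain (or an interface in sanlock.if) rather than on self. A comment such as `# sanlock kills its own worker processes on lease loss` would pin the intent either way. The sanlock_t block continues outside this hunk.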
@@ -133579,7 +133633,7 @@ index 7c5d8d8..85b7d8b 100644
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..55dd15c 100644
+index 3eca020..caef8cf 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -1,60 +1,91 @@
@@ -134176,7 +134230,7 @@ index 3eca020..55dd15c 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +658,429 @@ files_search_all(virt_domain)
+@@ -440,25 +658,430 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -134376,6 +134430,7 @@ index 3eca020..55dd15c 100644
 +dev_relabel_all_dev_nodes(virtd_lxc_t)
 +dev_rw_sysfs(virtd_lxc_t)
 +dev_read_sysfs(virtd_lxc_t)
++dev_read_urand(virtd_lxc_t)
 +
 +domain_use_interactive_fds(virtd_lxc_t)
 +
@@ -136362,7 +136417,7 @@ index 130ced9..d1576ab 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..3b5b571 100644
+index 143c893..d73a19c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -137081,7 +137136,7 @@ index 143c893..3b5b571 100644
 +	gnome_read_usr_config(xdm_t)
 +	gnome_read_gconf_config(xdm_t)
 +	gnome_transition_gkeyringd(xdm_t)
-+	#gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
++	gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
 +')
 +
 +optional_policy(`
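Review bot: Uncommenting `gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")` is a behavioural change not listed in the changelog of this commit, so it will be hard to trace later; if the line was previously disabled because the interface did not exist on this branch, the build will fail inside this optional_policy block unless gnome.if now provides it. Suggest adding a changelog bullet and a one-line comment above the call stating the filetrans target, e.g. `# gdm's cache dir under the user's .cache is labelled xdm_home_t`. The xdm_t optional_policy section continues outside this hunk.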
@@ -148593,10 +148648,10 @@ index 0000000..0898030
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..d4c1b0f
+index 0000000..b7b7a83
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,418 @@
+@@ -0,0 +1,419 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -148756,6 +148811,7 @@ index 0000000..d4c1b0f
 +	gnome_manage_home_config_dirs(systemd_logind_t)
 +	gnome_manage_home_config(systemd_logind_t)
 +	gnome_list_gkeyringd_tmp_dirs(systemd_logind_t)
++	gnome_manage_gstreamer_home_dirs(systemd_logind_t)
 +')
 +
 +optional_policy(`
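Review bot: The changelog says systemd_logind should "list" gstreamer home dirs, but the rule added is `gnome_manage_gstreamer_home_dirs(systemd_logind_t)`, which grants create, write and delete on those directories to a privileged system daemon rather than the search/read the wording implies. If the denial was only a directory listing, a list-level interface from gnome.if is the minimal grant; if manage really is needed, the changelog entry and a comment such as `# logind cleans up gstreamer dirs on session close` should say so. The systemd_logind_t optional_policy block continues outside this hunk.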
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 161d616..301c28b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 131%{?dist}
+Release: 132%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,22 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jun 18 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-132
+- apcupsd needs to read /etc/passwd
+- Sanlock allso sends sigkill
+- Allow glance_registry to connect to the mysqld port
+- Dontaudit mozilla_plugin trying to getattr on /dev/gpmctl
+- Allow firefox plugins/flash to connect to port 1234
+- Allow mozilla plugins to delete user_tmp_t files
+- Add transition name rule for printers.conf.O
+- Allow virt_lxc_t to read urand
+- Allow systemd_loigind to list gstreamer_home_dirs
+- Fix labeling for /usr/bin
+- Fixes for cloudform services
+  * support FIPS
+- Allow polipo to work as web caching
+- Allow chfn to execute tmux
+
 * Fri Jun 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-131
 - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage
 - Allow dovecot to manage Maildir content, fix transitions to Maildir

