[selinux-policy/f17] * Thu Jun 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-135 - abrt_watch_log should be abrt_doma
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jun 28 14:52:40 UTC 2012
commit bfa6ef23b6ddd21eaa7c4e429d6528f6b7c82a31
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Jun 28 16:52:11 2012 +0200
* Thu Jun 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-135
- abrt_watch_log should be abrt_domain
- add ptrace_child access to process
- Allow mozilla_plugin to connect to gatekeeper port
- Allow dbomatic to execute ruby
- Allow boinc domains to manage boinc_lib_t lnk_files
- Add support for boinc-client.service unit file
- add support for boinc.log
- Allow httpd_smokeping_cgi_script_t to read /etc/passwd
policy-F16.patch | 129 +++++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 12 ++++-
2 files changed, 110 insertions(+), 31 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 6d0be41..e988fad 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58126,10 +58126,18 @@ index 1308871..c994c93 100644
# fork
# setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index bf24160..4d0bdca 100644
+index bf24160..8bbcc13 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
-@@ -393,6 +393,10 @@ class system
+@@ -329,6 +329,7 @@ class process
+ execheap
+ setkeycreate
+ setsockcreate
++ ptrace_child
+ }
+
+
+@@ -393,6 +394,10 @@ class system
syslog_mod
syslog_console
module_request
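Review bot: `ptrace_child` is only declared in `class process` here; nothing else in this diff grants it, so any domain the kernel checks it against is denied until a follow-up rule lands, and the changelog's "add ptrace_child access to process" overstates what ships. Appending it after `setsockcreate` rather than inserting it mid-list is right, since the permission bit positions in a class follow declaration order and must match what the kernel expects. If the kernel applies this check when a parent attaches to its own child (as the name suggests — confirm against the kernel's ptrace hook), domains that debug their children today via `ptrace` will start failing in enforcing mode, so a rule granting `ptrace_child` wherever `ptrace` is already allowed is worth lining up before this is pushed to a kernel that enforces it.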
@@ -58140,7 +58148,7 @@ index bf24160..4d0bdca 100644
}
#
-@@ -862,3 +866,20 @@ inherits database
+@@ -862,3 +867,20 @@ inherits database
implement
execute
}
@@ -67293,7 +67301,7 @@ index fbb5c5a..ce9aee0 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..71b15ca 100644
+index 2e9318b..ab6f730 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67476,7 +67484,7 @@ index 2e9318b..71b15ca 100644
can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -331,22 +360,32 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -331,22 +360,33 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -67491,6 +67499,7 @@ index 2e9318b..71b15ca 100644
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
+corenet_tcp_connect_ftp_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
++corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
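Review bot: The new `corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)` line is placed between `http_port` and `http_cache_port`, breaking the alphabetical order the surrounding corenet calls keep; it belongs after `corenet_tcp_connect_ftp_port` and before `corenet_tcp_connect_http_port`. Beyond ordering, mozilla_plugin_t is the domain plugin code runs in for every user's browser, and an unconditional connect grant widens what a compromised plugin can reach; if a single plugin motivated this, gating it behind a tunable would keep the default tighter. I can't tell from the hunk which plugin needed the port, so take this as a question rather than a blocker.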
@@ -67515,7 +67524,7 @@ index 2e9318b..71b15ca 100644
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +394,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +395,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -67523,7 +67532,7 @@ index 2e9318b..71b15ca 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +402,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +403,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -67545,7 +67554,7 @@ index 2e9318b..71b15ca 100644
logging_send_syslog_msg(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,35 +429,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +430,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -67593,7 +67602,7 @@ index 2e9318b..71b15ca 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,24 +459,33 @@ optional_policy(`
+@@ -421,24 +460,33 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -67631,7 +67640,7 @@ index 2e9318b..71b15ca 100644
')
optional_policy(`
-@@ -446,10 +493,105 @@ optional_policy(`
+@@ -446,10 +494,105 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -84791,7 +84800,7 @@ index 0b827c5..ac79ca6 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..9ea7f1f 100644
+index 30861ec..bb97cc2 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -84878,7 +84887,7 @@ index 30861ec..9ea7f1f 100644
+
+# Support abrt-watch log
+
-+type abrt_watch_log_t;
++type abrt_watch_log_t, abrt_domain;
+type abrt_watch_log_exec_t;
+init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
+
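Review bot: Making `abrt_watch_log_t` a member of `abrt_domain` hands it every rule written against that attribute, and those rules live outside this hunk; a log watcher needs little beyond reading the logs it follows and reaching abrtd, so check that the attribute-level rules (whatever access to abrt's dump and config types they carry) are not broader than that. If the attribute is mostly shared plumbing this is fine; if it grants writes to dump directories, the watcher becomes a bigger foothold than it needs to be. A one-line comment above the type, e.g. `# abrt_domain: shares the common abrt client rules; only needs log read + abrt socket`, would record the intent for the next reviewer.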
@@ -86758,7 +86767,7 @@ index 6480167..c453e35 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..8ce80e7 100644
+index 3136c6a..dff387e 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
@@ -87039,7 +87048,7 @@ index 3136c6a..8ce80e7 100644
-## Allow httpd to run gpg
-## </p>
+## <p>
-+## Allow httpd to access cifs file systems
++## Allow httpd to access FUSE file systems
+## </p>
+## </desc>
+gen_tunable(httpd_use_fusefs, false)
@@ -90107,24 +90116,28 @@ index 215b86b..d7c4d98 100644
')
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
new file mode 100644
-index 0000000..c095160
+index 0000000..e59e51b
--- /dev/null
+++ b/policy/modules/services/boinc.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,12 @@
+
-+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
-+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
-+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
++
++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++
++/var/log/boinc\.log -- gen_context(system_u:object_r:boinc_log_t,s0)
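Review bot: `/var/log/boinc\.log -- ...boinc_log_t` matches only the live file, so rotated copies (`boinc.log.1`, date-suffixed names) would be relabeled to the generic /var/log type on a restorecon; `/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)` is the usual refpolicy form that covers them. Whether BOINC or logrotate actually rotates this file I can't tell from the diff, so confirm against the package's logrotate config before widening the pattern.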
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
-index 0000000..9fe3f9e
+index 0000000..6d7e034
--- /dev/null
+++ b/policy/modules/services/boinc.if
-@@ -0,0 +1,154 @@
+@@ -0,0 +1,189 @@
+## <summary>policy for boinc</summary>
+
+########################################
@@ -90242,6 +90255,30 @@ index 0000000..9fe3f9e
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
++#######################################
++## <summary>
++## Execute boinc server in the boinc domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`boinc_systemctl',`
++ gen_require(`
++ type boinc_t;
++ type boinc_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 boinc_unit_file_t:file read_file_perms;
++ allow $1 boinc_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, boinc_t)
++')
++
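Review bot: The summary on `boinc_systemctl` reads `Execute boinc server in the boinc domain.` and its parameter is described as `Domain allowed to transition.`, but the body contains no domain transition — it lets `$1` run systemctl, read the unit file, manage the `boinc_unit_file_t` service and see boinc_t's process state. Replace the summary with `Allow the caller to manage the boinc-client service via systemctl.` and the parameter text with `Domain allowed access.` so the interface documentation describes what is actually granted. Separately, this interface calls `systemd_read_fifo_file_password_run` while `boinc_admin` below calls `systemd_read_fifo_file_passwd_run`; if those are two names for the same access, use one of them consistently.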
+########################################
+## <summary>
+## All of the rules required to administrate
@@ -90262,6 +90299,7 @@ index 0000000..9fe3f9e
+interface(`boinc_admin',`
+ gen_require(`
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
++ type boinc_unit_file_t;
+ ')
+
+ allow $1 boinc_t:process signal_perms;
@@ -90278,13 +90316,23 @@ index 0000000..9fe3f9e
+
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
++
++ boinc_systemctl($1)
++ admin_pattern($1, boinc_unit_file_t)
++
++ allow $1 boinc_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..b1c752c
+index 0000000..20156f6
--- /dev/null
+++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,190 @@
+@@ -0,0 +1,200 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -90310,6 +90358,12 @@ index 0000000..b1c752c
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
++type boinc_log_t;
++logging_log_file(boinc_log_t)
++
++type boinc_unit_file_t;
++systemd_unit_file(boinc_unit_file_t)
++
+type boinc_project_t;
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
@@ -90330,6 +90384,7 @@ index 0000000..b1c752c
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+# needs read /proc/interrupts
+kernel_read_system_state(boinc_domain)
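Review bot: `manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)` is granted on the attribute, so `boinc_project_t` — presumably the domain for downloaded project applications, given it owns the projects/ and slots/ trees — can now create and rename symlinks directly under /var/lib/boinc, not only inside its own project subtree. Since `boinc_t` already manages files and dirs of that type, a project app that plants a symlink there can steer the client's file operations to another boinc_var_lib_t object; if only the client needs symlink handling, grant this to `boinc_t` alone and keep the project domain on `boinc_project_var_lib_t`. The changelog says "boinc domains", so if the project side genuinely needs it, a comment stating why would spare the next reader this question.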
@@ -90385,6 +90440,9 @@ index 0000000..b1c752c
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
++manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
++logging_log_filetrans(boinc_t, boinc_log_t, { file })
++
+kernel_search_vm_sysctl(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
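Review bot: `manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)` lets the client truncate, rename and unlink its own log; if boinc only appends to boinc.log, `append_files_pattern` plus `create_files_pattern` (with the `logging_log_filetrans` already present) keeps the log intact against a compromised client, which is the usual reason to give it a separate type. I can't tell from the hunk whether BOINC rewrites or rotates the file itself, so check that before tightening. Only `boinc_t` receives the log type, so project applications remain unable to touch it, which is the right split.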
@@ -92842,10 +92900,10 @@ index 0000000..7f55959
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..579dff8
+index 0000000..da2404c
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,195 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -93018,6 +93076,9 @@ index 0000000..579dff8
+#needed by dbomatic
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
+
++corecmd_exec_bin(mongod_t)
++corecmd_exec_shell(mongod_t)
++
+corenet_tcp_bind_generic_node(mongod_t)
+corenet_tcp_bind_mongod_port(mongod_t)
+
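Review bot: `corecmd_exec_bin(mongod_t)` and `corecmd_exec_shell(mongod_t)` are added for dbomatic, but they apply to the whole `mongod_t` domain, so the mongod server itself also gains execution of every `bin_t` binary and a shell — a much larger post-exploitation surface for a network-facing database than a ruby helper needs. If dbomatic really runs as mongod_t here (the `#needed by dbomatic` comment above implies it), a dedicated dbomatic domain would keep that reach away from the daemon; failing that, a comment such as `# dbomatic (ruby) shares mongod_t; bin/shell exec is for it, not mongod` makes the grant reviewable. Either way the changelog entry "Allow dbomatic to execute ruby" understates what the rule grants.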
@@ -127385,7 +127446,7 @@ index 0000000..3eb745d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..c4130e0
+index 0000000..e9c2efe
--- /dev/null
+++ b/policy/modules/services/sanlock.te
@@ -0,0 +1,103 @@
@@ -127398,14 +127459,14 @@ index 0000000..c4130e0
+
+## <desc>
+## <p>
-+## Allow confined virtual guests to manage nfs files
++## Allow sanlock to manage nfs files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_nfs, false)
+
+## <desc>
+## <p>
-+## Allow confined virtual guests to manage cifs files
++## Allow sanlock to manage cifs files
+## </p>
+## </desc>
+gen_tunable(sanlock_use_samba, false)
@@ -128549,7 +128610,7 @@ index 8265278..017b923 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
-index 740994a..a92ba26 100644
+index 740994a..a13519e 100644
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
@@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t)
@@ -128561,6 +128622,14 @@ index 740994a..a92ba26 100644
allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:udp_socket create_socket_perms;
allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
+@@ -73,5 +73,7 @@ optional_policy(`
+ files_search_tmp(httpd_smokeping_cgi_script_t)
+ files_search_var_lib(httpd_smokeping_cgi_script_t)
+
++ auth_read_passwd(httpd_smokeping_cgi_script_t)
++
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+ ')
diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
index 623c8fa..0a802f7 100644
--- a/policy/modules/services/snmp.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f771c71..e623b71 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 134%{?dist}
+Release: 135%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jun 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-135
+- abrt_watch_log should be abrt_domain
+- add ptrace_child access to process
+- Allow mozilla_plugin to connect to gatekeeper port
+- Allow dbomatic to execute ruby
+- Allow boinc domains to manage boinc_lib_t lnk_files
+- Add support for boinc-client.service unit file
+- add support for boinc.log
+- Allow httpd_smokeping_cgi_script_t to read /etc/passwd
+
* Tue Jun 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-134
- Allow mozilla_plugin execmod on mozilla home files if allow_execmod
- Allow dovecot_deliver_t to read dovecot_var_run_t