[selinux-policy/f17] * Thu Jun 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-135 - abrt_watch_log should be abrt_doma

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jun 28 14:52:40 UTC 2012


commit bfa6ef23b6ddd21eaa7c4e429d6528f6b7c82a31
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Jun 28 16:52:11 2012 +0200

    * Thu Jun 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-135
    - abrt_watch_log should be abrt_domain
    - add ptrace_child access to process
    - Allow mozilla_plugin to connect to gatekeeper port
    - Allow dbomatic to execute ruby
    - Allow boinc domains to manage boinc_lib_t lnk_files
    - Add support for boinc-client.service unit file
    - add support for boinc.log
    - Allow httpd_smokeping_cgi_script_t to read /etc/passwd

 policy-F16.patch    |  129 +++++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec |   12 ++++-
 2 files changed, 110 insertions(+), 31 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 6d0be41..e988fad 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58126,10 +58126,18 @@ index 1308871..c994c93 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index bf24160..4d0bdca 100644
+index bf24160..8bbcc13 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
-@@ -393,6 +393,10 @@ class system
+@@ -329,6 +329,7 @@ class process
+ 	execheap
+ 	setkeycreate
+ 	setsockcreate
++	ptrace_child
+ }
+ 
+ 
+@@ -393,6 +394,10 @@ class system
  	syslog_mod
  	syslog_console
  	module_request
@@ -58140,7 +58148,7 @@ index bf24160..4d0bdca 100644
  }
  
  #
-@@ -862,3 +866,20 @@ inherits database
+@@ -862,3 +867,20 @@ inherits database
  	implement
  	execute
  }
@@ -67293,7 +67301,7 @@ index fbb5c5a..ce9aee0 100644
  ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..71b15ca 100644
+index 2e9318b..ab6f730 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -12,6 +12,13 @@ policy_module(mozilla, 2.3.3)
@@ -67476,7 +67484,7 @@ index 2e9318b..71b15ca 100644
  can_exec(mozilla_plugin_t, mozilla_exec_t)
  
  kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -331,22 +360,32 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -331,22 +360,33 @@ kernel_request_load_module(mozilla_plugin_t)
  
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
@@ -67491,6 +67499,7 @@ index 2e9318b..71b15ca 100644
 +corenet_tcp_connect_flash_port(mozilla_plugin_t)
 +corenet_tcp_connect_ftp_port(mozilla_plugin_t)
  corenet_tcp_connect_http_port(mozilla_plugin_t)
++corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
  corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
 -corenet_tcp_connect_squid_port(mozilla_plugin_t)
  corenet_tcp_connect_ipp_port(mozilla_plugin_t)
@@ -67515,7 +67524,7 @@ index 2e9318b..71b15ca 100644
  dev_read_video_dev(mozilla_plugin_t)
  dev_write_video_dev(mozilla_plugin_t)
  dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +394,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +395,7 @@ dev_write_sound(mozilla_plugin_t)
  # for nvidia driver
  dev_rw_xserver_misc(mozilla_plugin_t)
  dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -67523,7 +67532,7 @@ index 2e9318b..71b15ca 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +402,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +403,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -67545,7 +67554,7 @@ index 2e9318b..71b15ca 100644
  logging_send_syslog_msg(mozilla_plugin_t)
  
  miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,35 +429,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,35 +430,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -67593,7 +67602,7 @@ index 2e9318b..71b15ca 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -421,24 +459,33 @@ optional_policy(`
+@@ -421,24 +460,33 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -67631,7 +67640,7 @@ index 2e9318b..71b15ca 100644
  ')
  
  optional_policy(`
-@@ -446,10 +493,105 @@ optional_policy(`
+@@ -446,10 +494,105 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -84791,7 +84800,7 @@ index 0b827c5..ac79ca6 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..9ea7f1f 100644
+index 30861ec..bb97cc2 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -84878,7 +84887,7 @@ index 30861ec..9ea7f1f 100644
 +
 +# Support abrt-watch log
 +
-+type abrt_watch_log_t;
++type abrt_watch_log_t, abrt_domain;
 +type abrt_watch_log_exec_t;
 +init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
 +
@@ -86758,7 +86767,7 @@ index 6480167..c453e35 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..8ce80e7 100644
+index 3136c6a..dff387e 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
@@ -87039,7 +87048,7 @@ index 3136c6a..8ce80e7 100644
 -## Allow httpd to run gpg
 -## </p>
 +##	<p>
-+##	Allow httpd to access cifs file systems
++##	Allow httpd to access FUSE file systems
 +##	</p>
 +## </desc>
 +gen_tunable(httpd_use_fusefs, false)
@@ -90107,24 +90116,28 @@ index 215b86b..d7c4d98 100644
  ')
 diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
 new file mode 100644
-index 0000000..c095160
+index 0000000..e59e51b
 --- /dev/null
 +++ b/policy/modules/services/boinc.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,12 @@
 +
-+/etc/rc\.d/init\.d/boinc-client		-- 	gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/boinc-client	-- 		gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
 +
-+/usr/bin/boinc_client			--	gen_context(system_u:object_r:boinc_exec_t,s0)
++/usr/bin/boinc_client			--		gen_context(system_u:object_r:boinc_exec_t,s0)
 +
-+/var/lib/boinc(/.*)?				gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/usr/lib/systemd/system/boinc-client\.service        --  gen_context(system_u:object_r:boinc_unit_file_t,s0)
++
++/var/lib/boinc(/.*)?					gen_context(system_u:object_r:boinc_var_lib_t,s0)
 +/var/lib/boinc/projects(/.*)?			gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+/var/lib/boinc/slots(/.*)?          	 	gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)?				gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++
++/var/log/boinc\.log				--		gen_context(system_u:object_r:boinc_log_t,s0)
 diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
 new file mode 100644
-index 0000000..9fe3f9e
+index 0000000..6d7e034
 --- /dev/null
 +++ b/policy/modules/services/boinc.if
-@@ -0,0 +1,154 @@
+@@ -0,0 +1,189 @@
 +## <summary>policy for boinc</summary>
 +
 +########################################
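Review bot: The new `/usr/lib/systemd/system/boinc-client\.service` entry in boinc.fc aligns its `--` and `gen_context(...)` with runs of spaces, while every other entry in the file — including the ones this hunk re-aligns — uses tabs; use tabs there too so the file stays uniform. The new `/var/log/boinc\.log` entry labels a single regular file (`--`), which matches the `{ file }` class used in the boinc.te log rules added later in this commit.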
@@ -90242,6 +90255,30 @@ index 0000000..9fe3f9e
 +	manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
 +')
 +
++#######################################
++## <summary>
++##  Execute boinc server in the boinc domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`boinc_systemctl',`
++    gen_require(`
++        type boinc_t;
++        type boinc_unit_file_t;
++    ')
++
++    systemd_exec_systemctl($1)
++    systemd_read_fifo_file_password_run($1)
++    allow $1 boinc_unit_file_t:file read_file_perms;
++    allow $1 boinc_unit_file_t:service manage_service_perms;
++
++    ps_process_pattern($1, boinc_t)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@@ -90262,6 +90299,7 @@ index 0000000..9fe3f9e
 +interface(`boinc_admin',`
 +	gen_require(`
 +		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
++		type boinc_unit_file_t;
 +	')
 +
 +	allow $1 boinc_t:process signal_perms;
@@ -90278,13 +90316,23 @@ index 0000000..9fe3f9e
 +
 +	files_list_var_lib($1)
 +	admin_pattern($1, boinc_var_lib_t)
++
++	boinc_systemctl($1)
++	admin_pattern($1, boinc_unit_file_t)
++
++	allow $1 boinc_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..b1c752c
+index 0000000..20156f6
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,190 @@
+@@ -0,0 +1,200 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
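Review bot: The `optional_policy(` wrapper around `systemd_passwd_agent_exec($1)` and `systemd_read_fifo_file_passwd_run($1)` is inconsistent with the rest of the change: `boinc_systemctl($1)`, called four lines above, invokes `systemd_exec_systemctl` unconditionally, and boinc.te declares `boinc_unit_file_t` with `systemd_unit_file` outside any optional block, so the module already hard-requires systemd and the wrapper provides no real optionality. Either drop the wrapper or put all systemd-dependent calls under one `optional_policy(` block so the requirement is stated once. `admin_pattern($1, boinc_unit_file_t)` together with `all_service_perms` subsumes the `read_file_perms`/`manage_service_perms` already granted via `boinc_systemctl($1)`; that is harmless for an admin interface but a one-line comment such as `# boinc_systemctl() is kept for the ps_process_pattern; the unit-file perms below supersede it` would make the overlap clearly intentional. The `boinc_admin` body begins before this hunk.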
@@ -90310,6 +90358,12 @@ index 0000000..b1c752c
 +type boinc_var_lib_t;
 +files_type(boinc_var_lib_t)
 +
++type boinc_log_t;
++logging_log_file(boinc_log_t)
++
++type boinc_unit_file_t;
++systemd_unit_file(boinc_unit_file_t)
++
 +type boinc_project_t;
 +domain_type(boinc_project_t)
 +role system_r types boinc_project_t;
@@ -90330,6 +90384,7 @@ index 0000000..b1c752c
 +
 +manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
 +manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
 +
 +# needs read /proc/interrupts
 +kernel_read_system_state(boinc_domain)
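Review bot: The type in the added `manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)` is `boinc_var_lib_t`, but the commit message and the spec %changelog entry for it say "boinc_lib_t", which is not a type declared in this file; the changelog line should name the actual type so the entry can be matched against the policy later.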
@@ -90385,6 +90440,9 @@ index 0000000..b1c752c
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +
++manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
++logging_log_filetrans(boinc_t, boinc_log_t, { file })
++
 +kernel_search_vm_sysctl(boinc_t)
 +
 +files_getattr_all_dirs(boinc_t)
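Review bot: `logging_log_filetrans(boinc_t, boinc_log_t, { file })` transitions every regular file boinc_t creates directly under the log directory to boinc_log_t, while the boinc.fc entry added in this commit only labels `/var/log/boinc\.log`. If this tree's `logging_log_filetrans` takes the optional name argument (the tree already uses named transitions, e.g. the `".htaccess"` filetrans_pattern visible in the apache.if context above), `logging_log_filetrans(boinc_t, boinc_log_t, file, "boinc.log")` keeps the transition and the file context in agreement and avoids mislabelling any other file the daemon might create there. A why-comment in the file's existing style (`# needs read /proc/interrupts`) would also help, e.g. `# /var/log/boinc.log, see boinc.fc`.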
@@ -92842,10 +92900,10 @@ index 0000000..7f55959
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..579dff8
+index 0000000..da2404c
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,195 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -93018,6 +93076,9 @@ index 0000000..579dff8
 +#needed by dbomatic
 +files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
 +
++corecmd_exec_bin(mongod_t)
++corecmd_exec_shell(mongod_t)
++
 +corenet_tcp_bind_generic_node(mongod_t)
 +corenet_tcp_bind_mongod_port(mongod_t)
 +
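Review bot: `corecmd_exec_bin(mongod_t)` and `corecmd_exec_shell(mongod_t)` let the mongod domain execute any bin_t binary and any shell, a broad widening for a database daemon, and the only nearby comment (`#needed by dbomatic`) is attached to the `files_pid_filetrans` two lines above rather than to these rules. The changelog says the intent is letting dbomatic run ruby; record that on the rules themselves, e.g. `# dbomatic (presumably running in mongod_t) executes ruby — confirm`, so a later reviewer can judge whether a narrower grant (for instance a separate dbomatic domain) is feasible. The mongod_t rule block starts before this hunk.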
@@ -127385,7 +127446,7 @@ index 0000000..3eb745d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..c4130e0
+index 0000000..e9c2efe
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
 @@ -0,0 +1,103 @@
@@ -127398,14 +127459,14 @@ index 0000000..c4130e0
 +
 +## <desc>
 +##  <p>
-+##  Allow confined virtual guests to manage nfs files
++##  Allow sanlock to manage nfs files
 +##  </p>
 +## </desc>
 +gen_tunable(sanlock_use_nfs, false)
 +
 +## <desc>
 +##  <p>
-+##  Allow confined virtual guests to manage cifs files
++##  Allow sanlock to manage cifs files
 +##  </p>
 +## </desc>
 +gen_tunable(sanlock_use_samba, false)
@@ -128549,7 +128610,7 @@ index 8265278..017b923 100644
  	smokeping_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
-index 740994a..a92ba26 100644
+index 740994a..a13519e 100644
 --- a/policy/modules/services/smokeping.te
 +++ b/policy/modules/services/smokeping.te
 @@ -23,7 +23,7 @@ files_type(smokeping_var_lib_t)
@@ -128561,6 +128622,14 @@ index 740994a..a92ba26 100644
  allow smokeping_t self:fifo_file rw_fifo_file_perms;
  allow smokeping_t self:udp_socket create_socket_perms;
  allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
+@@ -73,5 +73,7 @@ optional_policy(`
+ 	files_search_tmp(httpd_smokeping_cgi_script_t)
+ 	files_search_var_lib(httpd_smokeping_cgi_script_t)
+ 
++	auth_read_passwd(httpd_smokeping_cgi_script_t)
++
+ 	sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+ ')
 diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
 index 623c8fa..0a802f7 100644
 --- a/policy/modules/services/snmp.fc
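Review bot: `auth_read_passwd(httpd_smokeping_cgi_script_t)` is added without a comment recording why the CGI script needs /etc/passwd; elsewhere in this patch the convention is to note the reason next to the rule (`# needs read /proc/interrupts` in boinc.te), so something like `# presumably user name lookup via getpwnam — confirm against the AVC denial` would help. The call sits inside an `optional_policy(` block that opens before this hunk and closes at the `')` on the hunk's last line, which appears deliberate since the other httpd_smokeping_cgi_script_t rules are in the same block.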
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f771c71..e623b71 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 134%{?dist}
+Release: 135%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jun 27 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-135
+- abrt_watch_log should be abrt_domain
+- add ptrace_child access to process
+- Allow mozilla_plugin to connect to gatekeeper port
+- Allow dbomatic to execute ruby
+- Allow boinc domains to manage boinc_lib_t lnk_files
+- Add support for boinc-client.service unit file
+- add support for boinc.log
+- Allow httpd_smokeping_cgi_script_t to read /etc/passwd
+
 * Tue Jun 26 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-134
 - Allow mozilla_plugin execmod on mozilla home files if allow_execmod
 - Allow dovecot_deliver_t to read dovecot_var_run_t

