[selinux-policy/f17] * Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3 - Add new policy and man page for bcfg2 - cgc
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Mar 28 19:31:33 UTC 2012
commit f36c2e209b90feeffd4a3195cde2c8b1f721e761
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Mar 28 21:31:19 2012 +0200
* Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3
- Add new policy and man page for bcfg2
- cgconfig needs to use getpw calls
- Allow domains that communicate with the keyring to u
- gnome-keyring wants to create a directory in cache_h
- sanlock calls getpw
policy-F16.patch | 470 ++++++++++++++++++++++++++++++++++++++++++++++++---
selinux-policy.spec | 9 +-
2 files changed, 454 insertions(+), 25 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index b48f2e1..f2b98da 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3599,6 +3599,113 @@ index 0000000..b76d620
+
+.SH "SEE ALSO"
+selinux(8), awstats(8), semanage(8), restorecon(8), chcon(1)
+diff --git a/man/man8/bcfg2_selinux.8 b/man/man8/bcfg2_selinux.8
+new file mode 100644
+index 0000000..fcb6393
+--- /dev/null
++++ b/man/man8/bcfg2_selinux.8
+@@ -0,0 +1,101 @@
++.TH "bcfg2_selinux" "8" "bcfg2" "dwalsh at redhat.com" "bcfg2 SELinux Policy documentation"
++.SH "NAME"
++bcfg2_selinux \- Security Enhanced Linux Policy for the bcfg2 processes
++.SH "DESCRIPTION"
++
++
++SELinux Linux secures
++.B bcfg2
++(policy for bcfg2)
++processes via flexible mandatory access
++control.
++
++
++
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type.
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files.
++SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
++.PP
++The following file types are defined for bcfg2:
++
++
++.EX
++.PP
++.B bcfg2_exec_t
++.EE
++
++- Set files with the bcfg2_exec_t type, if you want to transition an executable to the bcfg2_t domain.
++
++
++.EX
++.PP
++.B bcfg2_initrc_exec_t
++.EE
++
++- Set files with the bcfg2_initrc_exec_t type, if you want to transition an executable to the bcfg2_initrc_t domain.
++
++
++.EX
++.PP
++.B bcfg2_unit_file_t
++.EE
++
++- Set files with the bcfg2_unit_file_t type, if you want to treat the files as bcfg2 unit content.
++
++
++.EX
++.PP
++.B bcfg2_var_lib_t
++.EE
++
++- Set files with the bcfg2_var_lib_t type, if you want to store the bcfg2 files under the /var/lib directory.
++
++
++.PP
++Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
++.B semanage fcontext
++command. This will modify the SELinux labeling database. You will need to use
++.B restorecon
++to apply the labels.
++
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files.
++SELinux bcfg2 policy is very flexible allowing users to setup their bcfg2 processes in as secure a method as possible.
++.PP
++The following process types are defined for bcfg2:
++
++.EX
++.B bcfg2_t
++.EE
++.PP
++Note:
++.B semanage permissive -a PROCESS_TYPE
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.PP
++.B system-config-selinux
++is a GUI tool available to customize SELinux policy settings.
++
++.SH AUTHOR
++This manual page was autogenerated by genman.py.
++
++.SH "SEE ALSO"
++selinux(8), bcfg2(8), semanage(8), restorecon(8), chcon(1)
diff --git a/man/man8/bitlbee_selinux.8 b/man/man8/bitlbee_selinux.8
new file mode 100644
index 0000000..7c1b8b9
@@ -63645,10 +63752,10 @@ index 00a19e3..3681873 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..3850fd9 100644
+index f5afe78..c33e026 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,899 @@
+@@ -1,44 +1,920 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -63800,10 +63907,12 @@ index f5afe78..3850fd9 100644
+ attribute gkeyringd_domain;
+ type gkeyringd_tmp_t;
+ type gconf_tmp_t;
++ type cache_home_t;
+ ')
+
+ allow $1 gconf_tmp_t:dir search_dir_perms;
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
++ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
+')
+
+########################################
@@ -64040,6 +64149,25 @@ index f5afe78..3850fd9 100644
+
+########################################
+## <summary>
++## Manage cache home dir (.cache)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_manage_cache_home_dir',`
++ gen_require(`
++ type cache_home_t;
++ ')
++
++ manage_dirs_pattern($1, cache_home_t, cache_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
+## append to generic cache home files (.cache)
+## </summary>
+## <param name="domain">
@@ -64566,7 +64694,7 @@ index f5afe78..3850fd9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +901,92 @@ interface(`gnome_role',`
+@@ -46,37 +922,92 @@ interface(`gnome_role',`
## </summary>
## </param>
#
@@ -64670,7 +64798,7 @@ index f5afe78..3850fd9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +994,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1015,53 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -64735,7 +64863,7 @@ index f5afe78..3850fd9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +1048,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1069,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -64757,7 +64885,7 @@ index f5afe78..3850fd9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1066,301 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1087,301 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -65076,7 +65204,7 @@ index f5afe78..3850fd9 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..0bc94b0 100644
+index 2505654..7fc1975 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -65147,7 +65275,7 @@ index 2505654..0bc94b0 100644
##############################
#
# Local Policy
-@@ -75,3 +116,153 @@ optional_policy(`
+@@ -75,3 +116,154 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -65291,6 +65419,7 @@ index 2505654..0bc94b0 100644
+ gnome_read_home_config(gkeyringd_domain)
+ gnome_read_generic_cache_files(gkeyringd_domain)
+ gnome_write_generic_cache_files(gkeyringd_domain)
++ gnome_manage_cache_home_dir(gkeyringd_domain)
+ gnome_manage_generic_cache_sockets(gkeyringd_domain)
+')
+
@@ -83939,10 +84068,20 @@ index c0f858d..10a0cd6 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..2a0a8e7 100644
+index 1632f10..3d2ca4c 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
-@@ -8,16 +8,22 @@ policy_module(accountsd, 1.0.0)
+@@ -1,5 +1,9 @@
+ policy_module(accountsd, 1.0.0)
+
++gen_require(`
++ class passwd { passwd chfn chsh rootok crontab };
++')
++
+ ########################################
+ #
+ # Declarations
+@@ -8,17 +12,24 @@ policy_module(accountsd, 1.0.0)
type accountsd_t;
type accountsd_exec_t;
dbus_system_domain(accountsd_t, accountsd_exec_t)
@@ -83964,9 +84103,11 @@ index 1632f10..2a0a8e7 100644
+allow accountsd_t self:capability { dac_override setuid setgid };
+allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
++allow accountsd_t self:passwd { rootok passwd chfn chsh };
manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-@@ -28,14 +34,18 @@ kernel_read_kernel_sysctls(accountsd_t)
+ manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+@@ -28,14 +39,18 @@ kernel_read_kernel_sysctls(accountsd_t)
corecmd_exec_bin(accountsd_t)
@@ -83985,7 +84126,7 @@ index 1632f10..2a0a8e7 100644
miscfiles_read_localization(accountsd_t)
-@@ -55,3 +65,8 @@ optional_policy(`
+@@ -55,3 +70,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
@@ -87471,6 +87612,263 @@ index a7a0e71..3b01eed 100644
seutil_sigchld_newrole(avahi_t)
')
+diff --git a/policy/modules/services/bcfg2.fc b/policy/modules/services/bcfg2.fc
+new file mode 100644
+index 0000000..97fa279
+--- /dev/null
++++ b/policy/modules/services/bcfg2.fc
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
++
++/usr/lib/systemd/system/bcfg2-server.service -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
++
++/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
++
++/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
+diff --git a/policy/modules/services/bcfg2.if b/policy/modules/services/bcfg2.if
+new file mode 100644
+index 0000000..e71ebe1
+--- /dev/null
++++ b/policy/modules/services/bcfg2.if
+@@ -0,0 +1,185 @@
++
++## <summary>policy for bcfg2</summary>
++
++########################################
++## <summary>
++## Transition to bcfg2.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`bcfg2_domtrans',`
++ gen_require(`
++ type bcfg2_t, bcfg2_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
++')
++
++########################################
++## <summary>
++## Execute bcfg2 server in the bcfg2 domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bcfg2_initrc_domtrans',`
++ gen_require(`
++ type bcfg2_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## Search bcfg2 lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bcfg2_search_lib',`
++ gen_require(`
++ type bcfg2_var_lib_t;
++ ')
++
++ allow $1 bcfg2_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read bcfg2 lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bcfg2_read_lib_files',`
++ gen_require(`
++ type bcfg2_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage bcfg2 lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bcfg2_manage_lib_files',`
++ gen_require(`
++ type bcfg2_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage bcfg2 lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bcfg2_manage_lib_dirs',`
++ gen_require(`
++ type bcfg2_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
++')
++
++########################################
++## <summary>
++## Execute bcfg2 server in the bcfg2 domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`bcfg2_systemctl',`
++ gen_require(`
++ type bcfg2_t;
++ type bcfg2_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 bcfg2_unit_file_t:file read_file_perms;
++ allow $1 bcfg2_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, bcfg2_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an bcfg2 environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`bcfg2_admin',`
++ gen_require(`
++ type bcfg2_t;
++ type bcfg2_initrc_exec_t;
++ type bcfg2_var_lib_t;
++ type bcfg2_unit_file_t;
++ ')
++
++ allow $1 bcfg2_t:process { ptrace signal_perms };
++ ps_process_pattern($1, bcfg2_t)
++
++ bcfg2_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 bcfg2_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_var_lib($1)
++ admin_pattern($1, bcfg2_var_lib_t)
++
++ bcfg2_systemctl($1)
++ admin_pattern($1, bcfg2_unit_file_t)
++ allow $1 bcfg2_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/services/bcfg2.te b/policy/modules/services/bcfg2.te
+new file mode 100644
+index 0000000..5fbce5c
+--- /dev/null
++++ b/policy/modules/services/bcfg2.te
+@@ -0,0 +1,47 @@
++policy_module(bcfg2, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type bcfg2_t;
++type bcfg2_exec_t;
++init_daemon_domain(bcfg2_t, bcfg2_exec_t)
++
++type bcfg2_initrc_exec_t;
++init_script_file(bcfg2_initrc_exec_t)
++
++type bcfg2_var_lib_t;
++files_type(bcfg2_var_lib_t)
++
++type bcfg2_unit_file_t;
++systemd_unit_file(bcfg2_unit_file_t)
++
++########################################
++#
++# bcfg2 local policy
++#
++allow bcfg2_t self:fifo_file rw_fifo_file_perms;
++allow bcfg2_t self:unix_stream_socket { connectto create_stream_socket_perms };
++
++manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
++manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
++files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, { dir file })
++
++kernel_read_system_state(bcfg2_t)
++
++corecmd_exec_bin(bcfg2_t)
++
++dev_read_urand(bcfg2_t)
++
++domain_use_interactive_fds(bcfg2_t)
++
++files_read_etc_files(bcfg2_t)
++files_read_usr_files(bcfg2_t)
++
++auth_use_nsswitch(bcfg2_t)
++
++logging_send_syslog_msg(bcfg2_t)
++
++miscfiles_read_localization(bcfg2_t)
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index 59aa54f..d5d9ca1 100644
--- a/policy/modules/services/bind.fc
@@ -90086,7 +90484,7 @@ index 33facaf..225e70c 100644
admin_pattern($1, cgrules_etc_t)
files_list_etc($1)
diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index dad226c..944cc0f 100644
+index dad226c..59c2a27 100644
--- a/policy/modules/services/cgroup.te
+++ b/policy/modules/services/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -90108,7 +90506,14 @@ index dad226c..944cc0f 100644
allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
kernel_read_system_state(cgclear_t)
-@@ -77,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t)
+@@ -72,12 +71,15 @@ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
+ fs_unmount_cgroup(cgconfig_t)
+
++auth_use_nsswitch(cgconfig_t)
++
+ ########################################
+ #
# cgred personal policy.
#
@@ -90118,7 +90523,7 @@ index dad226c..944cc0f 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-@@ -86,6 +86,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+@@ -86,6 +88,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
allow cgred_t cgrules_etc_t:file read_file_perms;
@@ -90128,7 +90533,7 @@ index dad226c..944cc0f 100644
# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-@@ -104,6 +107,8 @@ files_read_etc_files(cgred_t)
+@@ -104,6 +109,8 @@ files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
@@ -123346,10 +123751,10 @@ index 0000000..3eb745d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..64d3e6a
+index 0000000..d5d96e7
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,102 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -123420,6 +123825,8 @@ index 0000000..64d3e6a
+
+dev_read_urand(sanlock_t)
+
++auth_use_nsswitch(sanlock_t)
++
+init_read_utmp(sanlock_t)
+init_dontaudit_write_utmp(sanlock_t)
+
@@ -126759,6 +127166,19 @@ index 2dad3c8..9a5c6a6 100644
+optional_policy(`
+ ssh_rw_dgram_sockets(chroot_user_t)
+')
+diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
+index 4271815..4bc00ea 100644
+--- a/policy/modules/services/sssd.fc
++++ b/policy/modules/services/sssd.fc
+@@ -4,6 +4,8 @@
+
+ /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
++/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
++
+ /var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+ /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 941380a..e1095f0 100644
--- a/policy/modules/services/sssd.if
@@ -129142,7 +129562,7 @@ index 7c5d8d8..c542fe7 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..114fbeb 100644
+index 3eca020..38fb812 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -129688,7 +130108,7 @@ index 3eca020..114fbeb 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +617,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +617,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -129697,11 +130117,12 @@ index 3eca020..114fbeb 100644
corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
++dev_getattr_fs(virt_domain)
+dev_read_generic_symlinks(virt_domain)
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +629,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +630,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -129714,7 +130135,7 @@ index 3eca020..114fbeb 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +642,393 @@ files_search_all(virt_domain)
+@@ -440,25 +643,393 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -143756,10 +144177,10 @@ index 0000000..a7e3666
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..4bddff8
+index 0000000..de488ad
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,399 @@
+@@ -0,0 +1,400 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -143998,6 +144419,7 @@ index 0000000..4bddff8
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_manage_all_locks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
++files_delete_boot_flag(systemd_tmpfiles_t)
+files_delete_all_non_security_files(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
+files_manage_generic_tmp_files(systemd_tmpfiles_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d1f9902..9fe6871 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 107%{?dist}
+Release: 108%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -484,6 +484,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-108
+- Add new policy and man page for bcfg2
+- cgconfig needs to use getpw calls
+- Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt
+- gnome-keyring wants to create a directory in cache_home_t
+- sanlock calls getpw
+
* Wed Mar 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-107
- Add numad policy and numad man page
- Add fixes for interface bugs discovered by SEWatch
More information about the scm-commits
mailing list