[selinux-policy/f18] - Add port defintion for tcp/9000 - Fix labeling for /usr/share/cluster/checkquorum to label also ch
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Nov 7 14:02:26 UTC 2012
commit fc49fba5da54bbc6bc836d7fc892703d27dd62de
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Nov 7 15:01:15 2012 +0100
- Add port definition for tcp/9000
- Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd
- Add rules and labeling for $HOME/cache/\.gstreamer-.* directory
- Add support for CIM provider openlmi-networking which uses NetworkManager dbus API
- Allow shorewall_t to create netlink_socket
- Allow krb5admind to block suspend
- Fix labels on /var/run/dlm_controld /var/log/dlm_controld
- Allow krb5kdc to block suspend
- gnomesystemmm_t needs to read /etc/passwd
- Allow cgred to read all sysctls
policy-rawhide.patch | 8 +-
policy_contrib-rawhide.patch | 214 ++++++++++++++++++++++++++++--------------
selinux-policy.spec | 14 +++-
3 files changed, 161 insertions(+), 75 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 50a27ea..20183a8 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -112377,7 +112377,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index db981df..a98772f 100644
+index db981df..1d3222c 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -112600,7 +112600,7 @@ index db981df..a98772f 100644
+/usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/checkquorum -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/cluster/checkquorum.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
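Review bot: The new pattern `/usr/share/cluster/checkquorum.* --` uses an unescaped `.`, so it matches any regular file whose name begins with `checkquorum`, not only `checkquorum` and `checkquorum.wdmd`; every neighbouring entry in this block escapes its literal dots (`fence_scsi_check\.pl`). If those two files are the intent, `/usr/share/cluster/checkquorum(\.wdmd)? -- gen_context(system_u:object_r:bin_t,s0)` states exactly that. The `--` qualifier keeps the widening small, but labeling arbitrary `checkquorum*` files bin_t is looser than the changelog entry describes.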
@@ -114333,7 +114333,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..b40ab61 100644
+index fe2ee5e..cf2222f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114472,7 +114472,7 @@ index fe2ee5e..b40ab61 100644
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
+network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
-+network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
++network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port
+network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
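Review bot: Adding `tcp,9000,s0` to the `http` port definition makes 9000 http_port_t, so every domain allowed to bind or connect to http ports (httpd_t and the many callers of corenet_*_http_port) now gets tcp/9000 as well, and neither the line nor the changelog names the service that needed it. Port 9000 is shared by several unrelated services in practice (php-fpm's default listen port among others), so a comment naming the consumer would let the next reviewer judge whether a dedicated port type would have been the safer choice. The spacing `s0,tcp,9000, s0)` also departs from the rest of the line; `tcp,8443,s0, tcp,9000,s0) #8443 is mod_nss default port, 9000 for <service>` matches the surrounding style.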
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 446d3bd..6fe1a6b 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -6111,7 +6111,7 @@ index 6355318..98ba16a 100644
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.te b/blueman.te
-index 70969fa..ccc64a8 100644
+index 70969fa..fcbd031 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,6 @@ policy_module(blueman, 1.0.0)
@@ -6128,7 +6128,7 @@ index 70969fa..ccc64a8 100644
#
+
+allow blueman_t self:capability sys_nice;
-+allow blueman_t self:process setsched;
++allow blueman_t self:process { signal_perms setsched };
+
allow blueman_t self:fifo_file rw_fifo_file_perms;
@@ -8390,7 +8390,7 @@ index 33facaf..11700ae 100644
admin_pattern($1, cgrules_etc_t)
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index 806191a..9be883e 100644
+index 806191a..d962a82 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -8442,7 +8442,7 @@ index 806191a..9be883e 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-@@ -86,6 +92,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+@@ -86,12 +92,16 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
allow cgred_t cgrules_etc_t:file read_file_perms;
@@ -8452,7 +8452,14 @@ index 806191a..9be883e 100644
# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-@@ -100,10 +109,9 @@ files_getattr_all_files(cgred_t)
+ files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
+
+ kernel_read_system_state(cgred_t)
++kernel_read_all_sysctls(cgred_t)
+
+ domain_read_all_domains_state(cgred_t)
+ domain_setpriority_all_domains(cgred_t)
+@@ -100,10 +110,9 @@ files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
# /etc/group
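Review bot: `kernel_read_all_sysctls(cgred_t)` grants read access to every sysctl type (kernel, net, vm, fs and the rest) when cgred presumably needs one or two values; if the denial that prompted it was under /proc/sys/kernel, `kernel_read_kernel_sysctls(cgred_t)` is the narrower interface. cgred_t already carries domain_read_all_domains_state and domain_setpriority_all_domains, so keeping the remainder of its rule set tight is worthwhile. A one-line comment naming the sysctl it reads would make the choice reviewable later.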
@@ -11976,7 +11983,7 @@ index 5220c9d..885b25d 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index 04969e5..7ba4458 100644
+index 04969e5..de92da0 100644
--- a/corosync.te
+++ b/corosync.te
@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -12032,7 +12039,7 @@ index 04969e5..7ba4458 100644
manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
-@@ -60,44 +71,84 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+@@ -60,44 +71,93 @@ logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
@@ -12086,13 +12093,18 @@ index 04969e5..7ba4458 100644
- rhcs_rw_dlm_controld_semaphores(corosync_t)
+ cmirrord_rw_shm(corosync_t)
+')
-+
+
+- rhcs_rw_fenced_semaphores(corosync_t)
+optional_policy(`
-+ dbus_system_bus_client(corosync_t)
++ consoletype_exec(corosync_t)
+')
-- rhcs_rw_fenced_semaphores(corosync_t)
+- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
++ dbus_system_bus_client(corosync_t)
+ ')
+
+ optional_policy(`
+ drbd_domtrans(corosync_t)
+')
+
@@ -12100,13 +12112,12 @@ index 04969e5..7ba4458 100644
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
-
-- rhcs_rw_gfs_controld_semaphores(corosync_t)
++
+optional_policy(`
+ qpidd_rw_shm(corosync_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ rhcs_getattr_fenced(corosync_t)
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
@@ -12124,6 +12135,11 @@ index 04969e5..7ba4458 100644
+
rgmanager_manage_tmpfs_files(corosync_t)
')
++
++optional_policy(`
++ rpc_search_nfs_state_data(corosync_t)
++')
++
diff --git a/couchdb.fc b/couchdb.fc
new file mode 100644
index 0000000..196461b
@@ -23083,10 +23099,10 @@ index 0000000..d35f2b0
+
+userdom_manage_user_home_dirs(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
-index 00a19e3..17006fc 100644
+index 00a19e3..20d0474 100644
--- a/gnome.fc
+++ b/gnome.fc
-@@ -1,9 +1,54 @@
+@@ -1,9 +1,56 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -23101,6 +23117,7 @@ index 00a19e3..17006fc 100644
+HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++HOME_DIR/cache/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
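Review bot: The new entry `HOME_DIR/cache/\.gstreamer-.*` labels `~/cache/.gstreamer-*`, a path with no leading dot on `cache`, whereas the user cache directory this file already labels is `HOME_DIR/\.cache(/.*)?` (cache_home_t) a few lines above. If the goal is the directory that the new gnome_cache_filetrans rules in gnome.if create under the cache dir, the pattern should probably read `HOME_DIR/\.cache/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)`, and the `/root/cache/` twin in the next hunk has the same problem; confirm against the path GStreamer actually writes, because as written restorecon would never touch the cache-dir instance. Since the changelog repeats the `$HOME/cache/` spelling, this may be a deliberate path rather than a typo, in which case a comment saying which component writes there would remove the doubt.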
@@ -23121,6 +23138,7 @@ index 00a19e3..17006fc 100644
+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++/root/cache/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
@@ -23144,7 +23162,7 @@ index 00a19e3..17006fc 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index f5afe78..d7b3c70 100644
+index f5afe78..8973bed 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,44 +1,1003 @@
@@ -24272,7 +24290,7 @@ index f5afe78..d7b3c70 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +1097,101 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1097,107 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -24358,6 +24376,12 @@ index f5afe78..d7b3c70 100644
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
++ gnome_cache_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
+')
+
+#######################################
@@ -24385,7 +24409,7 @@ index f5afe78..d7b3c70 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +1199,36 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1205,36 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -24426,7 +24450,7 @@ index f5afe78..d7b3c70 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1236,274 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1242,274 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -24718,7 +24742,7 @@ index f5afe78..d7b3c70 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/gnome.te b/gnome.te
-index 783c5fb..5b4f2e5 100644
+index 783c5fb..57588e6 100644
--- a/gnome.te
+++ b/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
@@ -24797,7 +24821,7 @@ index 783c5fb..5b4f2e5 100644
logging_send_syslog_msg(gconfd_t)
-@@ -73,3 +113,157 @@ optional_policy(`
+@@ -73,3 +113,159 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -24871,6 +24895,8 @@ index 783c5fb..5b4f2e5 100644
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
++auth_read_passwd(gnomesystemmm_t)
++
+logging_send_syslog_msg(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
@@ -28117,10 +28143,10 @@ index 0000000..868c7d0
+')
diff --git a/jockey.te b/jockey.te
new file mode 100644
-index 0000000..c847302
+index 0000000..03a01b4
--- /dev/null
+++ b/jockey.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,62 @@
+policy_module(jockey, 1.0.0)
+
+########################################
@@ -28153,6 +28179,8 @@ index 0000000..c847302
+manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
+logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
+
++kernel_read_system_state(jockey_t)
++
+corecmd_exec_bin(jockey_t)
+corecmd_exec_shell(jockey_t)
+
@@ -28948,7 +28976,7 @@ index 604f67b..7e5f97e 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
+')
diff --git a/kerberos.te b/kerberos.te
-index 6a95faf..dfa98ca 100644
+index 6a95faf..69502c9 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0)
@@ -28989,16 +29017,18 @@ index 6a95faf..dfa98ca 100644
# types for KDC principal file(s)
type krb5kdc_principal_t;
-@@ -80,7 +81,7 @@ files_pid_file(krb5kdc_var_run_t)
+@@ -79,8 +80,9 @@ files_pid_file(krb5kdc_var_run_t)
+
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
++allow kadmind_t self:capability2 block_suspend;
dontaudit kadmind_t self:capability sys_tty_config;
-allow kadmind_t self:process { setfscreate signal_perms };
+allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
allow kadmind_t self:unix_dgram_socket { connect create write };
allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-@@ -92,10 +93,9 @@ logging_log_filetrans(kadmind_t, kadmind_log_t, file)
+@@ -92,10 +94,9 @@ logging_log_filetrans(kadmind_t, kadmind_log_t, file)
allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
@@ -29011,7 +29041,7 @@ index 6a95faf..dfa98ca 100644
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
-@@ -115,7 +115,9 @@ kernel_read_network_state(kadmind_t)
+@@ -115,7 +116,9 @@ kernel_read_network_state(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
kernel_read_system_state(kadmind_t)
@@ -29022,7 +29052,7 @@ index 6a95faf..dfa98ca 100644
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -126,10 +128,14 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
+@@ -126,10 +129,14 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
@@ -29037,7 +29067,7 @@ index 6a95faf..dfa98ca 100644
dev_read_sysfs(kadmind_t)
dev_read_rand(kadmind_t)
-@@ -137,6 +143,7 @@ dev_read_urand(kadmind_t)
+@@ -137,6 +144,7 @@ dev_read_urand(kadmind_t)
fs_getattr_all_fs(kadmind_t)
fs_search_auto_mountpoints(kadmind_t)
@@ -29045,7 +29075,7 @@ index 6a95faf..dfa98ca 100644
domain_use_interactive_fds(kadmind_t)
-@@ -149,8 +156,9 @@ selinux_validate_context(kadmind_t)
+@@ -149,8 +157,9 @@ selinux_validate_context(kadmind_t)
logging_send_syslog_msg(kadmind_t)
@@ -29056,7 +29086,7 @@ index 6a95faf..dfa98ca 100644
seutil_read_file_contexts(kadmind_t)
sysnet_read_config(kadmind_t)
-@@ -164,6 +172,10 @@ optional_policy(`
+@@ -164,6 +173,10 @@ optional_policy(`
')
optional_policy(`
@@ -29067,7 +29097,15 @@ index 6a95faf..dfa98ca 100644
nis_use_ypbind(kadmind_t)
')
-@@ -197,13 +209,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+@@ -182,6 +195,7 @@ optional_policy(`
+
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
++allow krb5kdc_t self:capability2 block_suspend;
+ dontaudit krb5kdc_t self:capability sys_tty_config;
+ allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -197,13 +211,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
@@ -29083,7 +29121,7 @@ index 6a95faf..dfa98ca 100644
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -221,7 +232,6 @@ kernel_search_network_sysctl(krb5kdc_t)
+@@ -221,7 +234,6 @@ kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
@@ -29091,7 +29129,7 @@ index 6a95faf..dfa98ca 100644
corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
corenet_udp_sendrecv_generic_if(krb5kdc_t)
-@@ -242,6 +252,7 @@ dev_read_urand(krb5kdc_t)
+@@ -242,6 +254,7 @@ dev_read_urand(krb5kdc_t)
fs_getattr_all_fs(krb5kdc_t)
fs_search_auto_mountpoints(krb5kdc_t)
@@ -29099,7 +29137,7 @@ index 6a95faf..dfa98ca 100644
domain_use_interactive_fds(krb5kdc_t)
-@@ -253,7 +264,7 @@ selinux_validate_context(krb5kdc_t)
+@@ -253,7 +266,7 @@ selinux_validate_context(krb5kdc_t)
logging_send_syslog_msg(krb5kdc_t)
@@ -29108,7 +29146,7 @@ index 6a95faf..dfa98ca 100644
seutil_read_file_contexts(krb5kdc_t)
-@@ -268,6 +279,10 @@ optional_policy(`
+@@ -268,6 +281,10 @@ optional_policy(`
')
optional_policy(`
@@ -29119,7 +29157,7 @@ index 6a95faf..dfa98ca 100644
nis_use_ypbind(krb5kdc_t)
')
-@@ -308,7 +323,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -308,7 +325,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -29127,7 +29165,7 @@ index 6a95faf..dfa98ca 100644
corenet_tcp_sendrecv_generic_if(kpropd_t)
corenet_tcp_sendrecv_generic_node(kpropd_t)
corenet_tcp_sendrecv_all_ports(kpropd_t)
-@@ -324,8 +338,6 @@ selinux_validate_context(kpropd_t)
+@@ -324,8 +340,6 @@ selinux_validate_context(kpropd_t)
logging_send_syslog_msg(kpropd_t)
@@ -36025,7 +36063,7 @@ index 84a7d66..15738c9 100644
+ clamav_stream_connect(mta_user_agent)
+')
diff --git a/munin.fc b/munin.fc
-index fd71d69..26597b2 100644
+index fd71d69..5987e1c 100644
--- a/munin.fc
+++ b/munin.fc
@@ -41,6 +41,9 @@
@@ -36046,7 +36084,13 @@ index fd71d69..26597b2 100644
/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -63,6 +67,7 @@
+@@ -58,11 +62,13 @@
+ /usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
++/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
@@ -36151,7 +36195,7 @@ index c358d8f..3cd66f7 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index f17583b..ab34522 100644
+index f17583b..022bd91 100644
--- a/munin.te
+++ b/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -36384,13 +36428,17 @@ index f17583b..ab34522 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +345,41 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +345,45 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
+term_getattr_all_ttys(system_munin_plugin_t)
+term_getattr_all_ptys(system_munin_plugin_t)
+
++optional_policy(`
++ bind_read_config(system_munin_plugin_t)
++')
++
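Review bot: `bind_read_config(system_munin_plugin_t)` is granted to every system munin plugin, not only the unbound plugin this commit labels, and it lands in munin.te with no comment saying which plugin reads the BIND configuration. If a single plugin needs it, at least annotate the block, `# unbound/bind plugins read named configuration`, so the grant stays attributable. On some deployments named.conf carries key material inline, so widening read access to named_conf_t across all system plugins deserves an explicit justification.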
+#######################################
+#
+# Unconfined plugin policy
@@ -43558,7 +43606,7 @@ index ceafba6..47b690d 100644
+ udev_read_db(pcscd_t)
+')
diff --git a/pegasus.te b/pegasus.te
-index 3185114..2a4e326 100644
+index 3185114..5a51349 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -9,6 +9,9 @@ type pegasus_t;
@@ -43651,10 +43699,15 @@ index 3185114..2a4e326 100644
sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
-@@ -121,12 +130,39 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+@@ -121,12 +130,44 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
++ dbus_system_bus_client(pegasus_t)
++ dbus_connect_system_bus(pegasus_t)
++')
++
++optional_policy(`
+ corosync_stream_connect(pegasus_t)
+')
+
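Review bot: `dbus_connect_system_bus(pegasus_t)` grants more than a bus client needs: in refpolicy that interface allows `system_dbusd_t:dbus acquire_svc`, i.e. owning a well-known name on the system bus, while calling NetworkManager's API only requires `dbus_system_bus_client(pegasus_t)` together with `networkmanager_dbus_chat(pegasus_t)` in its own optional_policy block. Neither this hunk nor the visible changelog shows a networkmanager_dbus_chat rule, so unless it is added elsewhere in the commit the NetworkManager method calls will still be denied at the dbus send_msg check. If the openlmi-networking provider genuinely registers its own bus name, keep acquire_svc but say so in a comment on the line.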
@@ -43692,7 +43745,7 @@ index 3185114..2a4e326 100644
')
optional_policy(`
-@@ -136,3 +172,14 @@ optional_policy(`
+@@ -136,3 +177,14 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
@@ -53645,10 +53698,10 @@ index 3786c45..1ad9c12 100644
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
diff --git a/rhcs.fc b/rhcs.fc
-index c2ba53b..bd4e3c0 100644
+index c2ba53b..977f2eb 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,22 +1,28 @@
+@@ -1,22 +1,30 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
@@ -53669,17 +53722,19 @@ index c2ba53b..bd4e3c0 100644
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
++/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index de37806..3578975 100644
+index de37806..aee7ba7 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -13,7 +13,7 @@
@@ -53707,7 +53762,17 @@ index de37806..3578975 100644
files_pid_file($1_var_run_t)
##############################
-@@ -50,8 +50,11 @@ template(`rhcs_domain_template',`
+@@ -43,15 +43,20 @@ template(`rhcs_domain_template',`
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
++ manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+- logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
++ logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
+
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
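Review bot: The template now lets each rhcs domain create directories directly in /var/log through an unnamed `dir` transition, so any directory such a domain creates there becomes $1_var_log_t whatever its name, while the new file contexts only cover `/var/log/dlm_controld(/.*)?` and `/var/run/dlm_controld(/.*)?`. A named transition keeps runtime labeling and the fc file in agreement, e.g. `logging_log_filetrans($1_t, $1_var_log_t, dir, "$1")`, which works where the directory name equals the template argument (true for dlm_controld; confirm for the other users of the template). The matching files_pid_filetrans line for $1_var_run_t lies outside this hunk, so I cannot see whether it also gained `dir`; without it a runtime-created /var/run/dlm_controld stays var_run_t until restorecon runs.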
@@ -53720,7 +53785,7 @@ index de37806..3578975 100644
')
######################################
-@@ -59,9 +62,9 @@ template(`rhcs_domain_template',`
+@@ -59,9 +64,9 @@ template(`rhcs_domain_template',`
## Execute a domain transition to run dlm_controld.
## </summary>
## <param name="domain">
@@ -53732,7 +53797,7 @@ index de37806..3578975 100644
## </param>
#
interface(`rhcs_domtrans_dlm_controld',`
-@@ -133,6 +136,24 @@ interface(`rhcs_domtrans_fenced',`
+@@ -133,6 +138,24 @@ interface(`rhcs_domtrans_fenced',`
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
@@ -53757,7 +53822,7 @@ index de37806..3578975 100644
######################################
## <summary>
## Allow read and write access to fenced semaphores.
-@@ -156,7 +177,26 @@ interface(`rhcs_rw_fenced_semaphores',`
+@@ -156,7 +179,26 @@ interface(`rhcs_rw_fenced_semaphores',`
######################################
## <summary>
@@ -53785,7 +53850,7 @@ index de37806..3578975 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -169,9 +209,8 @@ interface(`rhcs_stream_connect_fenced',`
+@@ -169,9 +211,8 @@ interface(`rhcs_stream_connect_fenced',`
type fenced_var_run_t, fenced_t;
')
@@ -53796,7 +53861,7 @@ index de37806..3578975 100644
')
#####################################
-@@ -237,7 +276,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
+@@ -237,7 +278,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
#####################################
## <summary>
@@ -53805,7 +53870,7 @@ index de37806..3578975 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -335,6 +374,65 @@ interface(`rhcs_rw_groupd_shm',`
+@@ -335,6 +376,65 @@ interface(`rhcs_rw_groupd_shm',`
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
@@ -53871,7 +53936,7 @@ index de37806..3578975 100644
######################################
## <summary>
## Execute a domain transition to run qdiskd.
-@@ -353,3 +451,80 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -353,3 +453,80 @@ interface(`rhcs_domtrans_qdiskd',`
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
@@ -61177,10 +61242,10 @@ index 781ad7e..d5ce40a 100644
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/shorewall.te b/shorewall.te
-index 4723c6b..91229bd 100644
+index 4723c6b..3ae4ead 100644
--- a/shorewall.te
+++ b/shorewall.te
-@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
+@@ -37,9 +37,10 @@ logging_log_file(shorewall_log_t)
# shorewall local policy
#
@@ -61188,8 +61253,11 @@ index 4723c6b..91229bd 100644
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
dontaudit shorewall_t self:capability sys_tty_config;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
++allow shorewall_t self:netlink_socket create_socket_perms;
-@@ -59,6 +59,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+ list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+@@ -59,6 +60,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
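Review bot: `allow shorewall_t self:netlink_socket create_socket_perms;` opens the generic netlink class, the catch-all for netlink families without a dedicated SELinux class, with the full create/bind/connect/setopt set, and nothing in the hunk or the changelog records which tool (ipset, conntrack or similar) produced the denial. A comment on the line, `# needed by <tool> -- confirm from the AVC`, would let a later policy move the rule to a specific class once the kernel provides one. shorewall_t already holds net_admin and net_raw, so the grant is consistent with its role, but it should still be attributable.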
@@ -61199,7 +61267,7 @@ index 4723c6b..91229bd 100644
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-@@ -75,7 +78,6 @@ dev_read_urand(shorewall_t)
+@@ -75,7 +79,6 @@ dev_read_urand(shorewall_t)
domain_read_all_domains_state(shorewall_t)
files_getattr_kernel_modules(shorewall_t)
@@ -61207,7 +61275,7 @@ index 4723c6b..91229bd 100644
files_read_usr_files(shorewall_t)
files_search_kernel_modules(shorewall_t)
-@@ -83,13 +85,20 @@ fs_getattr_all_fs(shorewall_t)
+@@ -83,13 +86,20 @@ fs_getattr_all_fs(shorewall_t)
init_rw_utmp(shorewall_t)
@@ -69415,7 +69483,7 @@ index 6f0736b..cebdb3e 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..3bbd7cf 100644
+index 947bbc6..ea2746e 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,94 @@ policy_module(virt, 1.5.0)
@@ -70083,7 +70151,7 @@ index 947bbc6..3bbd7cf 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -449,23 +694,513 @@ files_search_all(virt_domain)
+@@ -449,23 +694,519 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -70091,12 +70159,12 @@ index 947bbc6..3bbd7cf 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -70592,6 +70660,9 @@ index 947bbc6..3bbd7cf 100644
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file )
+
++corecmd_exec_shell(virt_qemu_ga_t)
++corecmd_exec_bin(virt_qemu_ga_t)
++
+files_read_etc_files(virt_qemu_ga_t)
+
+term_use_virtio_console(virt_qemu_ga_t)
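Review bot: `corecmd_exec_shell(virt_qemu_ga_t)` and `corecmd_exec_bin(virt_qemu_ga_t)` let the guest agent run arbitrary shell and bin_t programs in its own domain, and the agent acts on requests arriving from the host over the virtio channel, so whatever it spawns inherits every permission of virt_qemu_ga_t, including the devicekit pid-file access granted in the following hunk. If the only callers are guest-shutdown and the fsfreeze hooks, say so on the line, `# guest-shutdown runs /sbin/shutdown; fsfreeze-hook scripts`, and consider a domain transition for the hook scripts if their directory is writable by anyone other than root. The virt_qemu_ga_t rules continue outside this hunk.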
@@ -70600,6 +70671,9 @@ index 947bbc6..3bbd7cf 100644
+
+sysnet_dns_name_resolve(virt_qemu_ga_t)
+
++optional_policy(`
++ devicekit_manage_pid_files(virt_qemu_ga_t)
++')
diff --git a/vlock.te b/vlock.te
index 2511093..669dc13 100644
--- a/vlock.te
@@ -72297,7 +72371,7 @@ index c9981d1..38ce620 100644
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/zabbix.te b/zabbix.te
-index 8c0bd70..40b1c56 100644
+index 8c0bd70..24dd920 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -5,6 +5,13 @@ policy_module(zabbix, 1.5.0)
@@ -72333,7 +72407,7 @@ index 8c0bd70..40b1c56 100644
-allow zabbix_t self:fifo_file rw_file_perms;
-allow zabbix_t self:process { setsched getsched signal };
+allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
-+allow zabbix_t self:process setsched;
++allow zabbix_t self:process { setsched signal_perms };
+allow zabbix_t self:sem create_sem_perms;
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b1e249d..d28d998 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 50%{?dist}
+Release: 51%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -523,6 +523,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Nov 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-51
+- Add port defintion for tcp/9000
+- Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd
+- Add rules and labeling for $HOME/cache/\.gstreamer-.* directory
+- Add support for CIM provider openlmi-networking which uses NetworkManager dbus API
+- Allow shorewall_t to create netlink_socket
+- Allow krb5admind to block suspend
+- Fix labels on /var/run/dlm_controld /var/log/dlm_controld
+- Allow krb5kdc to block suspend
+- gnomessytemmm_t needs to read /etc/passwd
+- Allow cgred to read all sysctls
+
* Tue Nov 5 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-50
- Allow all domains to read /proc/sys/vm/overcommit_memory
- Make proc_numa_t an MLS Trusted Object