[selinux-policy/f17] - Backport tomcat fixes from F18 - Add filename transition for mongod.log - Dontaudit jockey to sear
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Sep 24 18:26:46 UTC 2012
commit db9cbd73eefa64e542b849bc49e211b293fa4183
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Sep 24 20:26:26 2012 +0200
- Backport tomcat fixes from F18
- Add filename transition for mongod.log
- Dontaudit jockey to search /root/.local
- Fix passenger labeling
- fix corenetwork interfaces which needs to require ephemeral_port_t
- Allow user domains to use tmpfs_t when it is created by the kernel and inherited by the app, i.e. no open
policy-F16.patch | 218 ++++++++++++++++++++++++++++-----------------------
selinux-policy.spec | 10 ++-
2 files changed, 129 insertions(+), 99 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index a87e93b..4f509ef 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -65095,18 +65095,20 @@ index e0791b9..98d188e 100644
+ term_dontaudit_use_all_ptys(traceroute_t)
+')
diff --git a/policy/modules/admin/passenger.fc b/policy/modules/admin/passenger.fc
-index 545518d..1f3251d 100644
+index 545518d..9a77810 100644
--- a/policy/modules/admin/passenger.fc
+++ b/policy/modules/admin/passenger.fc
-@@ -1,7 +1,7 @@
+@@ -1,7 +1,9 @@
-/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
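Review bot: The new contexts `/usr/share/gems/.*/Passenger.*` and `/usr/lib/gems/.*/Passenger.*` drop both the `passenger-.*` gem-directory anchor and the `agents/` path that the four replaced lines carried, so every regular file under the gems tree whose path contains a component beginning with `Passenger` is now labelled with the entrypoint type passenger_exec_t (the `.*` after `Passenger` also spans directory separators). If the gem ships non-executable files with that prefix (sources, docs, test fixtures), they become valid entry points into the passenger domain. Re-anchoring on the gem directory while still covering the relocated agent binaries, e.g. `/usr/share/gems/.*/passenger-[^/]*/.*/Passenger[^/]* -- gen_context(system_u:object_r:passenger_exec_t,s0)` and the same for `/usr/lib/gems`, keeps the previous scoping.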
@@ -71305,10 +71307,10 @@ index 0000000..fb58f33
+')
diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
new file mode 100644
-index 0000000..daf38ab
+index 0000000..6479dae
--- /dev/null
+++ b/policy/modules/apps/jockey.te
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,57 @@
+policy_module(jockey, 1.0.0)
+
+########################################
@@ -71358,6 +71360,10 @@ index 0000000..daf38ab
+miscfiles_read_localization(jockey_t)
+
+optional_policy(`
++ gnome_dontaudit_search_config(jockey_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(jockey_t)
+ modutils_read_module_config(jockey_t)
+ modutils_list_module_config(jockey_t)
@@ -72189,7 +72195,7 @@ index fbb5c5a..67c1168 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..25de928 100644
+index 2e9318b..4476c7f 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
@@ -72265,7 +72271,12 @@ index 2e9318b..25de928 100644
corenet_tcp_connect_ipp_port(mozilla_t)
corenet_tcp_connect_generic_port(mozilla_t)
corenet_tcp_connect_soundd_port(mozilla_t)
-@@ -156,6 +183,10 @@ fs_rw_tmpfs_files(mozilla_t)
+@@ -152,10 +179,14 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
+
+ fs_search_auto_mountpoints(mozilla_t)
+ fs_list_inotifyfs(mozilla_t)
+-fs_rw_tmpfs_files(mozilla_t)
++fs_rw_inherited_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -72443,7 +72454,7 @@ index 2e9318b..25de928 100644
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
-+fs_dontaudit_read_tmpfs_files(mozilla_plugin_t)
++fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
fs_getattr_all_fs(mozilla_plugin_t)
fs_list_dos(mozilla_plugin_t)
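Review bot: Swapping `fs_dontaudit_read_tmpfs_files(mozilla_plugin_t)` for `fs_rw_inherited_tmpfs_files(mozilla_plugin_t)` removes the dontaudit as well as adding the allow, so reads of tmpfs files the plugin opens itself rather than inherits will now raise AVC denials that were silenced before. If that silencing was intentional, keep both: `fs_dontaudit_read_tmpfs_files(mozilla_plugin_t)` followed by `fs_rw_inherited_tmpfs_files(mozilla_plugin_t)`. Note also that the new interface grants write on inherited descriptors, which the old dontaudit never permitted; it matches the changelog intent but deserves a one-line comment at the call site, and it presumes `fs_rw_inherited_tmpfs_files` is defined in this branch's filesystem.if, which this page does not show.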
@@ -76065,7 +76076,7 @@ index 3cfb128..d49274d 100644
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..92f0ecb 100644
+index 2533ea0..8c499f3 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -26,12 +26,18 @@ attribute telepathy_executable;
@@ -76254,7 +76265,7 @@ index 2533ea0..92f0ecb 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -361,14 +405,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,13 +405,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
allow telepathy_domain self:tcp_socket create_socket_perms;
allow telepathy_domain self:udp_socket create_socket_perms;
@@ -76267,13 +76278,13 @@ index 2533ea0..92f0ecb 100644
+fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
-
--auth_use_nsswitch(telepathy_domain)
-
+-auth_use_nsswitch(telepathy_domain)
++fs_rw_inherited_tmpfs_files(telepathy_domain)
+
miscfiles_read_localization(telepathy_domain)
- optional_policy(`
-@@ -376,5 +422,23 @@ optional_policy(`
+@@ -376,5 +423,23 @@ optional_policy(`
')
optional_policy(`
@@ -76451,10 +76462,10 @@ index 0000000..9127cec
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..d776250
+index 0000000..c7af0d8
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,121 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -76536,6 +76547,7 @@ index 0000000..d776250
+
+fs_getattr_all_fs(thumb_t)
+fs_read_dos_files(thumb_t)
++fs_rw_inherited_tmpfs_files(thumb_t)
+
+auth_use_nsswitch(thumb_t)
+
@@ -77801,7 +77813,7 @@ index f9b25c1..9af1f7a 100644
+/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..0ebac89 100644
+index 4f3b542..ba64277 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@@ -77934,10 +77946,10 @@ index 4f3b542..0ebac89 100644
+#
+interface(`corenet_dccp_sendrecv_generic_port',`
+ gen_require(`
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
-+ allow $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg };
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
+')
+
+########################################
@@ -77950,10 +77962,10 @@ index 4f3b542..0ebac89 100644
interface(`corenet_tcp_sendrecv_generic_port',`
gen_require(`
- type port_t;
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
-+ allow $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg };
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
+')
+
+########################################
@@ -77970,11 +77982,11 @@ index 4f3b542..0ebac89 100644
+#
+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
+ gen_require(`
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
')
- allow $1 port_t:tcp_socket { send_msg recv_msg };
-+ dontaudit $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
')
########################################
@@ -77983,11 +77995,11 @@ index 4f3b542..0ebac89 100644
interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
gen_require(`
- type port_t;
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
')
- dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
-+ dontaudit $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
')
########################################
@@ -77996,11 +78008,11 @@ index 4f3b542..0ebac89 100644
interface(`corenet_udp_send_generic_port',`
gen_require(`
- type port_t;
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
')
- allow $1 port_t:udp_socket send_msg;
-+ allow $1 { port_t unreserved_port_t }:udp_socket send_msg;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg;
')
########################################
@@ -78009,11 +78021,11 @@ index 4f3b542..0ebac89 100644
interface(`corenet_udp_receive_generic_port',`
gen_require(`
- type port_t;
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
')
- allow $1 port_t:udp_socket recv_msg;
-+ allow $1 { port_t unreserved_port_t }:udp_socket recv_msg;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg;
')
########################################
@@ -78031,11 +78043,11 @@ index 4f3b542..0ebac89 100644
+#
+interface(`corenet_dccp_bind_generic_port',`
+ gen_require(`
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
+ ')
+
-+ allow $1 { port_t unreserved_port_t }:dccp_socket name_bind;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
+ dontaudit $1 defined_port_type:dccp_socket name_bind;
+')
+
@@ -78050,11 +78062,11 @@ index 4f3b542..0ebac89 100644
gen_require(`
- type port_t;
- attribute port_type;
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
+ ')
+
-+ allow $1 { port_t unreserved_port_t }:tcp_socket name_bind;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
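Review bot: Adding ephemeral_port_t to `allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;` lets every caller of corenet_tcp_bind_generic_port explicitly bind into the range the kernel hands out for outbound connections, which goes beyond the changelog's "needs to require ephemeral_port_t". If only the missing gen_require was the bug, the allow rule should stay `allow $1 { port_t unreserved_port_t }:tcp_socket name_bind;`; if the wider grant is intended, the interface summary (above the hunk, not shown) should say that "generic" now covers ephemeral ports too. The same question applies to the dccp and udp bind interfaces changed alongside this one.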
@@ -78071,12 +78083,12 @@ index 4f3b542..0ebac89 100644
+#
+interface(`corenet_dontaudit_dccp_bind_generic_port',`
+ gen_require(`
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
')
- allow $1 port_t:tcp_socket name_bind;
- dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
-+ dontaudit $1 { port_t unreserved_port_t }:dccp_socket name_bind;
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
')
########################################
@@ -78085,11 +78097,11 @@ index 4f3b542..0ebac89 100644
interface(`corenet_dontaudit_tcp_bind_generic_port',`
gen_require(`
- type port_t;
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
')
- dontaudit $1 port_t:tcp_socket name_bind;
-+ dontaudit $1 { port_t unreserved_port_t }:tcp_socket name_bind;
++ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
')
########################################
@@ -78099,13 +78111,13 @@ index 4f3b542..0ebac89 100644
gen_require(`
- type port_t;
- attribute port_type;
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
')
- allow $1 port_t:udp_socket name_bind;
- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
-+ allow $1 { port_t unreserved_port_t }:udp_socket name_bind;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+')
+
@@ -78121,10 +78133,10 @@ index 4f3b542..0ebac89 100644
+#
+interface(`corenet_dccp_connect_generic_port',`
+ gen_require(`
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t,ephemeral_port_t;
+ ')
+
-+ allow $1 { port_t unreserved_port_t }:dccp_socket name_connect;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect;
')
########################################
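Review bot: The gen_require in corenet_dccp_connect_generic_port lost the space after the comma, `type port_t, unreserved_port_t,ephemeral_port_t;`, whereas every sibling interface in this commit writes `type port_t, unreserved_port_t, ephemeral_port_t;`. The policy compiler accepts both, but the inconsistency will trip refpolicy's style checks and makes grepping for the require harder; use the spaced form.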
@@ -78133,11 +78145,11 @@ index 4f3b542..0ebac89 100644
interface(`corenet_tcp_connect_generic_port',`
gen_require(`
- type port_t;
-+ type port_t, unreserved_port_t;
++ type port_t, unreserved_port_t, ephemeral_port_t;
')
- allow $1 port_t:tcp_socket name_connect;
-+ allow $1 { port_t unreserved_port_t }:tcp_socket name_connect;
++ allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
+')
+
+########################################
@@ -98337,10 +98349,10 @@ index 6077339..d10acd2 100644
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
new file mode 100644
-index 0000000..e59cc85
+index 0000000..1f7fa13
--- /dev/null
+++ b/policy/modules/services/cloudform.fc
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,22 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
@@ -98356,6 +98368,8 @@ index 0000000..e59cc85
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/mongo(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
+/var/log/aeolus-conductor/dbomatic\.log -- gen_context(system_u:object_r:mongod_log_t,s0)
+
+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
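Review bot: The added `/var/log/mongo/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)` is redundant: `/var/log/mongo(/.*)?` on the line above already matches every path under /var/log/mongo with the same type, so the explicit file entry changes nothing for setfiles or restorecon. Drop it, or if a file directly under /var/log was meant (the matching .te hunk adds a named transition for "mongod.log" into a var_log_t directory), the entry needed is `/var/log/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)`, unless such a line already exists outside this hunk.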
@@ -98409,10 +98423,10 @@ index 0000000..7f55959
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..7e1d71e
+index 0000000..a6fb987
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,199 @@
+@@ -0,0 +1,200 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -98574,6 +98588,7 @@ index 0000000..7e1d71e
+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
++logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
+
+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
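Review bot: `logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")` only fires when mongod creates mongod.log directly in a var_log_t directory, i.e. /var/log/mongod.log, while the .fc changes in this commit label /var/log/mongo and /var/log/mongodb, where the parent is already mongod_log_t and no transition is needed. If the daemon really writes /var/log/mongod.log, the .fc needs a matching `/var/log/mongod\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)` or a relabel will flip the file back to var_log_t and the next open is denied; if it does not, the transition is inert and can be removed. A short comment naming which layout this rule targets would make the intent reviewable.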
@@ -122884,10 +122899,10 @@ index 0000000..548d0a2
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
-index 0000000..44c7098
+index 0000000..3c8fe44
--- /dev/null
+++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,302 @@
+@@ -0,0 +1,306 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -123115,6 +123130,10 @@ index 0000000..44c7098
+')
+
+optional_policy(`
++ iptables_domtrans(piranha_pulse_t)
++')
++
++optional_policy(`
+ ldap_systemctl(piranha_pulse_t)
+ ldap_initrc_domtrans(piranha_pulse_t)
+ ldap_domtrans(piranha_pulse_t)
@@ -138329,10 +138348,10 @@ index 0000000..a8385bc
+/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
diff --git a/policy/modules/services/tomcat.if b/policy/modules/services/tomcat.if
new file mode 100644
-index 0000000..23251b7
+index 0000000..226293f
--- /dev/null
+++ b/policy/modules/services/tomcat.if
-@@ -0,0 +1,353 @@
+@@ -0,0 +1,395 @@
+
+## <summary>policy for tomcat</summary>
+
@@ -138353,11 +138372,54 @@ index 0000000..23251b7
+ ')
+
+ type $1_t, tomcat_domain;
-+ type $1_exec_t;
-+ init_daemon_domain($1_t, $1_exec_t)
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ type $1_cache_t;
++ files_type($1_cache_t)
++
++ type $1_log_t;
++ logging_log_file($1_log_t)
++
++ type $1_var_lib_t;
++ files_type($1_var_lib_t)
++
++ type $1_var_run_t;
++ files_pid_file($1_var_run_t)
++
++ type $1_tmp_t;
++ files_tmp_file($1_tmp_t)
++
++ ##################################
++ #
++ # Local policy
++ #
++
++ manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t)
++ manage_files_pattern($1_t, $1_cache_t, $1_cache_t)
++ manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t)
++ files_var_filetrans($1_t, $1_cache_t, { dir file })
++
++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
++ manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ logging_log_filetrans($1_t, $1_log_t, { dir file })
++
++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file })
++
++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t, $1_var_run_t, { dir file })
++
++ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
++ files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir })
+
+ can_exec($1_t, $1_exec_t)
+
++ kernel_read_system_state($1_t)
+')
+
+########################################
@@ -138628,7 +138690,6 @@ index 0000000..23251b7
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
+ allow $1 tomcat_unit_file_t:file read_file_perms;
+ allow $1 tomcat_unit_file_t:service manage_service_perms;
+
@@ -138688,10 +138749,10 @@ index 0000000..23251b7
+')
diff --git a/policy/modules/services/tomcat.te b/policy/modules/services/tomcat.te
new file mode 100644
-index 0000000..a986de8
+index 0000000..0ed60d6
--- /dev/null
+++ b/policy/modules/services/tomcat.te
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,69 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -138703,21 +138764,6 @@ index 0000000..a986de8
+
+tomcat_domain_template(tomcat)
+
-+type tomcat_cache_t;
-+files_type(tomcat_cache_t)
-+
-+type tomcat_log_t;
-+logging_log_file(tomcat_log_t)
-+
-+type tomcat_var_lib_t;
-+files_type(tomcat_var_lib_t)
-+
-+type tomcat_var_run_t;
-+files_pid_file(tomcat_var_run_t)
-+
-+type tomcat_tmp_t;
-+files_tmp_file(tomcat_tmp_t)
-+
+type tomcat_unit_file_t;
+systemd_unit_file(tomcat_unit_file_t)
+
@@ -138742,33 +138788,10 @@ index 0000000..a986de8
+allow tomcat_domain self:fifo_file rw_fifo_file_perms;
+allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
+
-+manage_dirs_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
-+manage_files_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
-+manage_lnk_files_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t)
-+files_var_filetrans(tomcat_domain, tomcat_cache_t, { dir file })
-+
-+manage_dirs_pattern(tomcat_domain, tomcat_log_t, tomcat_log_t)
-+manage_files_pattern(tomcat_domain, tomcat_log_t, tomcat_log_t)
-+logging_log_filetrans(tomcat_domain, tomcat_log_t, { dir file })
-+
-+manage_dirs_pattern(tomcat_domain, tomcat_var_lib_t, tomcat_var_lib_t)
-+manage_files_pattern(tomcat_domain, tomcat_var_lib_t, tomcat_var_lib_t)
-+files_var_lib_filetrans(tomcat_domain, tomcat_var_lib_t, { dir file })
-+
-+manage_dirs_pattern(tomcat_domain, tomcat_var_run_t, tomcat_var_run_t)
-+manage_files_pattern(tomcat_domain, tomcat_var_run_t, tomcat_var_run_t)
-+files_pid_filetrans(tomcat_domain, tomcat_var_run_t, { dir file })
-+
-+manage_dirs_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
-+manage_files_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
-+manage_fifo_files_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t)
-+files_tmp_filetrans(tomcat_t, tomcat_tmp_t, { file fifo_file dir })
-+
+# we want to stay in a new tomcat domain if we call tomcat binary from a script
+# initrc_t at tomcat_test_exec_t->tomcat_test_t at tomcat_exec_t->tomcat_test_t
+can_exec(tomcat_domain, tomcat_exec_t)
+
-+kernel_read_system_state(tomcat_domain)
+kernel_read_network_state(tomcat_domain)
+
+corecmd_exec_bin(tomcat_domain)
@@ -138796,7 +138819,6 @@ index 0000000..a986de8
+
+auth_read_passwd(tomcat_domain)
+
-+miscfiles_read_localization(tomcat_domain)
+
+sysnet_dns_name_resolve(tomcat_domain)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index da2b817..f4183fc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 149%{?dist}
+Release: 150%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Sep 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-150
+- Backport tomcat fixes from F18
+- Add filename transition for mongod.log
+- Dontaudit jockey to search /root/.local
+- Fix passenger labeling
+- fix corenetwork interfaces which needs to require ephemeral_port_t
+- Allow user domains to use tmpfs_t when it is created by the kernel and inherited by the app, IE No Open
+
* Mon Sep 17 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-149
- Add sanlock_use_fusefs boolean
- Add stapserver policy from F18