[selinux-policy/f18] - More access required for openshift_cron_t - Fix init_status calling
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Feb 5 07:34:49 UTC 2013
commit 5e1fe71ffed109af16fe35d0e544f80376f4682e
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Feb 5 08:33:42 2013 +0100
- More access required for openshift_cron_t
- Fix init_status calling
policy-f18-base.patch | 5 ++-
policy-f18-contrib.patch | 84 ++++++++++++++++++++++++++++++++++++++++++++-
selinux-policy.spec | 6 +++-
3 files changed, 90 insertions(+), 5 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 0e3f339..d1cefd3 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -133055,7 +133055,7 @@ index d2e40b8..3ba2e4c 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..95c1bd8 100644
+index d26fe81..cd5ad89 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -106,6 +106,8 @@ interface(`init_domain',`
@@ -133862,7 +133862,7 @@ index d26fe81..95c1bd8 100644
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
## </summary>
-@@ -1792,3 +2207,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2207,284 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -134089,6 +134089,7 @@ index d26fe81..95c1bd8 100644
+ ')
+
+ allow $1 init_t:system status;
++ allow $1 init_t:service status;
+')
+
+########################################
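Review bot: The added `allow $1 init_t:service status;` rule depends on the `service` object class being declared in the base policy's flask definitions, and nothing in this commit shows that declaration; if policy-f18-base.patch does not already carry it, the interface will fail to compile. A one-line comment such as `# systemd reports unit state through the service class, not system status` above the new rule would tell the next reader why two different `status` permissions sit side by side. The enclosing interface, presumably `init_status` given the commit summary, starts and ends outside this hunk.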
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index a58192a..5959f6a 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -18584,6 +18584,36 @@ index bf4321a..1820764 100644
/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
+diff --git a/dmidecode.if b/dmidecode.if
+index 4bf435c..c8c7347 100644
+--- a/dmidecode.if
++++ b/dmidecode.if
+@@ -23,6 +23,25 @@ interface(`dmidecode_domtrans',`
+ allow dmidecode_t $1:process sigchld;
+ ')
+
++######################################
++## <summary>
++## Execute dmidecode in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dmidecode_exec',`
++ gen_require(`
++ type dmidecode_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, dmidecode_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute dmidecode in the dmidecode domain, and
diff --git a/dmidecode.te b/dmidecode.te
index d6356b5..5db989e 100644
--- a/dmidecode.te
@@ -43512,10 +43542,10 @@ index 0000000..6e20e72
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..5b43299
+index 0000000..8d6a35b
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,418 @@
+@@ -0,0 +1,468 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -43917,6 +43947,11 @@ index 0000000..5b43299
+#
+# openshift_cron local policy
+#
++allow openshift_cron_t self:capability net_admin;
++allow openshift_cron_t self:process signal_perms;
++allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
++allow openshift_cron_t self:udp_socket create_socket_perms;
++allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
+allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
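Review bot: `allow openshift_cron_t self:capability net_admin;` grants the cron domain a capability that covers interface, routing and firewall configuration, and nothing in the hunk records which operation required it; the rule should carry a comment naming the denied operation, e.g. `# net_admin: needed for <operation from the AVC> -- confirm`. The signal_perms, tcp_socket, udp_socket and unix_dgram_socket rules on the following lines are routine and need no comment. The openshift_cron local-policy section continues past the end of this hunk.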
@@ -43926,7 +43961,11 @@ index 0000000..5b43299
+manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file })
+
++openshift_manage_lib_dirs(openshift_cron_t)
++openshift_manage_lib_files(openshift_cron_t)
++
+kernel_search_network_sysctl(openshift_cron_t)
++kernel_read_network_state(openshift_cron_t)
+kernel_read_system_state(openshift_cron_t)
+
+corecmd_exec_bin(openshift_cron_t)
@@ -43934,6 +43973,47 @@ index 0000000..5b43299
+
+dev_read_raw_memory(openshift_cron_t)
+dev_read_urand(openshift_cron_t)
++
++corenet_udp_bind_generic_node(openshift_cron_t)
++corenet_udp_bind_generic_port(openshift_cron_t)
++
++dev_getattr_fs(openshift_cron_t)
++dev_list_sysfs(openshift_cron_t)
++dev_read_sysfs(openshift_cron_t)
++
++files_getattr_home_dir(openshift_cron_t)
++files_manage_etc_files(openshift_cron_t)
++
++fs_getattr_tmpfs_dirs(openshift_cron_t)
++fs_getattr_all_fs(openshift_cron_t)
++fs_list_hugetlbfs(openshift_cron_t)
++fs_search_cgroup_dirs(openshift_cron_t)
++
++seutil_domtrans_setfiles(openshift_cron_t)
++
++term_getattr_pty_fs(openshift_cron_t)
++term_search_ptys(openshift_cron_t)
++
++auth_use_nsswitch(openshift_cron_t)
++
++miscfiles_read_generic_certs(openshift_cron_t)
++miscfiles_read_hwdata(openshift_cron_t)
++
++sysnet_exec_ifconfig(openshift_cron_t)
++sysnet_read_config(openshift_cron_t)
++
++optional_policy(`
++ dmidecode_exec(openshift_cron_t)
++')
++
++optional_policy(`
++ hostname_exec(openshift_cron_t)
++')
++
++optional_policy(`
++ ssh_exec_keygen(openshift_cron_t)
++ ssh_dontaudit_read_server_keys(openshift_cron_t)
++')
diff --git a/openvpn.if b/openvpn.if
index d883214..d6afa87 100644
--- a/openvpn.if
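Review bot: `files_manage_etc_files(openshift_cron_t)` gives the cron domain write access to every generic etc_t file, which is far wider than any single configuration file a cron job would update; if only specific files under /etc are rewritten, a private type with a filetrans (or the openshift lib types already managed two hunks earlier) keeps the rest of /etc read-only for this domain. The same least-privilege question applies to `dmidecode_exec(openshift_cron_t)`: running dmidecode in the caller's domain is why the context line `dev_read_raw_memory(openshift_cron_t)` must stay, whereas `dmidecode_domtrans` would confine raw-memory reads to dmidecode_t. Neither rule has a comment explaining the denial it answers; a line such as `# manage_etc_files: <file from the AVC> -- confirm` would document the reason.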
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bcfbe5e..6f25e5a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 75%{?dist}
+Release: 76%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Feb 5 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-76
+- More access required for openshift_cron_t
+- Fix init_status calling
+
* Mon Feb 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-75
- Fix smartmontools
- Fix userdom_restricted_xwindows_user_template() interface