[selinux-policy/f18] - Fix iptables labels - Allow munin CGI scripts to append munin log file - Allow munin plugin domain
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Mar 4 11:49:57 UTC 2013
commit fb4ae98090af590a39f135a4f917ae2f1635ef61
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Mar 4 12:48:53 2013 +0100
- Fix iptables labels
- Allow munin CGI scripts to append munin log file
- Allow munin plugin domains to read passwd
- Allow collectd CGI script to create /tmp content
- Add missing gluster boolean
- Allow collectd to create netlink_tcpdiag_socket
- Allow procmail to check the state of the network
policy-f18-base.patch | 30 ++++++---
policy-f18-contrib.patch | 154 ++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 11 +++-
3 files changed, 130 insertions(+), 65 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 7c2db27..21a4bcc 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -135971,10 +135971,10 @@ index a30840c..77206a0 100644
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 14cffd2..5effebe 100644
+index 14cffd2..b2532aa 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,7 +1,8 @@
+@@ -1,20 +1,27 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -135986,7 +135986,15 @@ index 14cffd2..5effebe 100644
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -14,7 +15,13 @@
+ /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
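Review bot: The new `/sbin/ip6?tables.*` entry already matches everything the two entries added after it (`/sbin/ip6?tables-restore.*`, `/sbin/ip6?tables-multi.*`) can match, so those two lines are redundant. The unanchored `.*` also labels any regular file whose path merely begins with `/sbin/iptables` or `/sbin/ip6tables` as `iptables_exec_t`. If only dash-suffixed tools or versioned binaries are meant, a tighter pattern such as `/sbin/ip6?tables(-.*)?` states that intent and keeps the executable type off unrelated names. The same three lines are added for `/usr/sbin` in the next hunk; the file-context list itself continues outside this hunk.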
@@ -135996,9 +136004,9 @@ index 14cffd2..5effebe 100644
-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -144961,7 +144969,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..ef5c047 100644
+index e720dcd..1714a93 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -147679,10 +147687,12 @@ index e720dcd..ef5c047 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3296,3 +4171,1365 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3295,4 +4170,1367 @@ interface(`userdom_dbus_send_all_users',`
+ ')
allow $1 userdomain:dbus send_msg;
- ')
++ ps_process_pattern($1, userdomain)
++')
+
+########################################
+## <summary>
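Review bot: The added `ps_process_pattern($1, userdomain)` in `userdom_dbus_send_all_users` lets every caller of a D-Bus send interface also inspect the process state of all user domains, which neither the interface name nor the commit description mentions. A caller that only needs `dbus send_msg` now receives more than it asked for. I would move the rule into its own interface, or at least extend the interface summary to say `Send a dbus message to all user domains and read their process state.` The interface header and its opening lines are outside this hunk.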
@@ -149044,7 +149054,7 @@ index e720dcd..ef5c047 100644
+ ')
+
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
-+')
+ ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 6a4bd85..0d03483 100644
--- a/policy/modules/system/userdomain.te
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 57e3993..e05c39b 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -11038,10 +11038,10 @@ index 0000000..40415f8
+
diff --git a/collectd.te b/collectd.te
new file mode 100644
-index 0000000..e3f985b
+index 0000000..62f1fd5
--- /dev/null
+++ b/collectd.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,103 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -11073,6 +11073,9 @@ index 0000000..e3f985b
+type collectd_unit_file_t;
+systemd_unit_file(collectd_unit_file_t)
+
++type httpd_collectd_script_tmp_t;
++files_tmp_file(httpd_collectd_script_tmp_t)
++
+########################################
+#
+# collectd local policy
@@ -11084,6 +11087,7 @@ index 0000000..e3f985b
+allow collectd_t self:fifo_file rw_fifo_file_perms;
+allow collectd_t self:packet_socket create_socket_perms;
+allow collectd_t self:unix_stream_socket create_stream_socket_perms;
++allow collectd_t self:netlink_tcpdiag_socket create_socket_perms;
+
+manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
+manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
@@ -11095,9 +11099,8 @@ index 0000000..e3f985b
+
+domain_use_interactive_fds(collectd_t)
+
-+kernel_read_network_state(collectd_t)
-+kernel_read_net_sysctls(collectd_t)
-+kernel_read_system_state(collectd_t)
++kernel_read_all_sysctls(collectd_t)
++kernel_read_all_proc(collectd_t)
+
+dev_read_sysfs(collectd_t)
+dev_read_urand(collectd_t)
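Review bot: Replacing the three narrow interfaces with `kernel_read_all_sysctls(collectd_t)` and `kernel_read_all_proc(collectd_t)` widens collectd_t, judging by the interface names, from network and system state to every sysctl and every /proc entry, and the commit description does not list this change. If a particular collectd plugin needs the extra access, a comment above the two lines naming it (for example `# required by the PLUGIN_NAME plugin`) would let a later reviewer narrow the rule again. Otherwise keeping `kernel_read_network_state`, `kernel_read_net_sysctls` and `kernel_read_system_state` and adding only the missing interface keeps the domain closer to least privilege.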
@@ -11122,19 +11125,26 @@ index 0000000..e3f985b
+')
+
+optional_policy(`
-+ apache_content_template(collectd)
-+
-+ files_search_var_lib(httpd_collectd_script_t)
-+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
-+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
-+
-+ auth_read_passwd(httpd_collectd_script_t)
-+')
-+
-+optional_policy(`
+ virt_read_config(collectd_t)
+')
++
++########################################
++#
++# collectd local policy
++#
++
++apache_content_template(collectd)
++
++files_search_var_lib(httpd_collectd_script_t)
++read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
++miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
++
++manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
++manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
++files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })
++
++auth_read_passwd(httpd_collectd_script_t)
diff --git a/colord.fc b/colord.fc
index 78b2fea..ef975ac 100644
--- a/colord.fc
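Review bot: Moving `apache_content_template(collectd)` and the `httpd_collectd_script_t` rules out of `optional_policy` presumably makes collectd.te depend on the apache module unconditionally. That looks like a side effect of declaring `httpd_collectd_script_tmp_t` at top level rather than a change the commit intends, and it is worth confirming that the module still builds where apache is not installed. The new section banner also repeats `# collectd local policy`; `# collectd CGI script local policy` would tell the two sections apart.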
@@ -23912,7 +23922,7 @@ index 7ff9d6d..b1c97f2 100644
allow $1 glance_api_t:process signal_perms;
ps_process_pattern($1, glance_api_t)
diff --git a/glance.te b/glance.te
-index 4afb81f..8dca97a 100644
+index 4afb81f..dfddf79 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.0)
@@ -23946,12 +23956,17 @@ index 4afb81f..8dca97a 100644
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket create_stream_socket_perms;
-@@ -54,16 +56,25 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -54,16 +56,31 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
-kernel_read_system_state(glance_domain)
--
++corenet_tcp_sendrecv_generic_if(glance_domain)
++corenet_tcp_sendrecv_generic_node(glance_domain)
++corenet_tcp_sendrecv_all_ports(glance_domain)
++corenet_tcp_bind_generic_node(glance_domain)
++corenet_tcp_connect_mysqld_port(glance_domain)
+
corecmd_exec_bin(glance_domain)
+corecmd_exec_shell(glance_domain)
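Review bot: `corenet_tcp_connect_mysqld_port` is now granted to the `glance_domain` attribute instead of `glance_registry_t` alone (the per-type line is removed in a later hunk), so every glance domain may connect to the MySQL port, and the commit description does not mention it. If only some of the services talk to the database, the rule is better kept on those types. The nova.te hunk further down adds the same interface to `nova_domain`, where it sits directly under the `corecmd_*` lines without the blank line this policy uses between interface groups.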
@@ -23975,7 +23990,7 @@ index 4afb81f..8dca97a 100644
optional_policy(`
sysnet_dns_name_resolve(glance_domain)
-@@ -78,8 +89,17 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -78,8 +95,16 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
@@ -23985,7 +24000,6 @@ index 4afb81f..8dca97a 100644
+
corenet_tcp_bind_generic_node(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)
-+corenet_tcp_connect_mysqld_port(glance_registry_t)
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
+
+logging_send_syslog_msg(glance_registry_t)
@@ -23993,7 +24007,7 @@ index 4afb81f..8dca97a 100644
########################################
#
-@@ -94,11 +114,11 @@ can_exec(glance_api_t, glance_tmp_t)
+@@ -94,11 +119,11 @@ can_exec(glance_api_t, glance_tmp_t)
corecmd_exec_shell(glance_api_t)
corenet_tcp_bind_generic_node(glance_api_t)
@@ -24184,10 +24198,10 @@ index 0000000..e15bbb0
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..3685c24
+index 0000000..b25e643
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,141 @@
+policy_module(glusterd, 1.0.0)
+
+## <desc>
@@ -24315,6 +24329,20 @@ index 0000000..3685c24
+sysnet_read_config(glusterd_t)
+
+userdom_manage_user_home_dirs(glusterd_t)
++
++tunable_policy(`gluster_anon_write',`
++ miscfiles_manage_public_files(glusterd_t)
++')
++
++tunable_policy(`gluster_export_all_ro',`
++ fs_read_noxattr_fs_files(glusterd_t)
++ files_read_non_security_files(glusterd_t)
++')
++
++tunable_policy(`gluster_export_all_rw',`
++ fs_manage_noxattr_fs_files(glusterd_t)
++ files_manage_non_security_files(glusterd_t)
++')
diff --git a/gnome.fc b/gnome.fc
index 00a19e3..52e5a3a 100644
--- a/gnome.fc
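Review bot: The `gluster_export_all_rw` block grants `fs_manage_noxattr_fs_files(glusterd_t)` and `files_manage_non_security_files(glusterd_t)`, which by the interface names is close to write access across the whole filesystem, and none of the three new `tunable_policy` blocks carries a comment. The `gen_tunable` declarations are outside this hunk, so their defaults cannot be checked here; they should default to `false`. A one-line comment above each block, such as `# gluster_export_all_rw: glusterd may manage all non-security files`, would make the reach of each boolean obvious to an administrator reading the policy.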
@@ -30997,10 +31025,10 @@ index 0000000..f20248c
+')
diff --git a/keystone.te b/keystone.te
new file mode 100644
-index 0000000..ff9f684
+index 0000000..28af309
--- /dev/null
+++ b/keystone.te
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,83 @@
+policy_module(keystone, 1.0.0)
+
+########################################
@@ -31056,7 +31084,15 @@ index 0000000..ff9f684
+corenet_tcp_bind_keystone_port(keystone_t)
+corenet_tcp_bind_generic_node(keystone_t)
+
-+dev_read_urand(keystone_t)
++corenet_tcp_connect_mysqld_port(keystone_t)
++
++#corenet_sendrecv_commplex_main_server_packets(keystone_t)
++#corenet_tcp_bind_commplex_main_port(keystone_t)
++#corenet_tcp_sendrecv_commplex_main_port(keystone_t)
++
++corenet_sendrecv_keystone_server_packets(keystone_t)
++corenet_tcp_bind_keystone_port(keystone_t)
++corenet_tcp_sendrecv_keystone_port(keystone_t)
+
+domain_use_interactive_fds(keystone_t)
+
@@ -31065,6 +31101,8 @@ index 0000000..ff9f684
+
+auth_use_pam(keystone_t)
+
++dev_read_urand(keystone_t)
++
+libs_exec_ldconfig(keystone_t)
+
+optional_policy(`
@@ -38180,7 +38218,7 @@ index c358d8f..1cc176c 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index f17583b..f076c38 100644
+index f17583b..27d3100 100644
--- a/munin.te
+++ b/munin.te
@@ -1,10 +1,13 @@
@@ -38198,7 +38236,7 @@ index f17583b..f076c38 100644
type munin_t alias lrrd_t;
type munin_exec_t alias lrrd_exec_t;
init_daemon_domain(munin_t, munin_exec_t)
-@@ -24,40 +27,77 @@ files_tmp_file(munin_tmp_t)
+@@ -24,40 +27,79 @@ files_tmp_file(munin_tmp_t)
type munin_var_lib_t alias lrrd_var_lib_t;
files_type(munin_var_lib_t)
@@ -38249,6 +38287,8 @@ index f17583b..f076c38 100644
+
+fs_getattr_all_fs(munin_plugin_domain)
+
++auth_read_passwd(munin_plugin_domain)
++
+optional_policy(`
+ nscd_use(munin_plugin_domain)
+')
@@ -38290,7 +38330,7 @@ index f17583b..f076c38 100644
logging_log_filetrans(munin_t, munin_log_t, { file dir })
manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
-@@ -65,15 +105,18 @@ manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
+@@ -65,15 +107,18 @@ manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
manage_sock_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
@@ -38312,7 +38352,7 @@ index f17583b..f076c38 100644
kernel_read_system_state(munin_t)
kernel_read_network_state(munin_t)
-@@ -82,18 +125,20 @@ kernel_read_all_sysctls(munin_t)
+@@ -82,18 +127,20 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
@@ -38338,7 +38378,7 @@ index f17583b..f076c38 100644
dev_read_sysfs(munin_t)
dev_read_urand(munin_t)
-@@ -101,9 +146,7 @@ dev_read_urand(munin_t)
+@@ -101,9 +148,7 @@ dev_read_urand(munin_t)
domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
@@ -38348,7 +38388,7 @@ index f17583b..f076c38 100644
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
-@@ -115,20 +158,13 @@ logging_send_syslog_msg(munin_t)
+@@ -115,20 +160,13 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
@@ -38370,7 +38410,7 @@ index f17583b..f076c38 100644
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
-@@ -143,9 +179,10 @@ optional_policy(`
+@@ -143,9 +181,10 @@ optional_policy(`
')
optional_policy(`
@@ -38382,7 +38422,7 @@ index f17583b..f076c38 100644
')
optional_policy(`
-@@ -155,6 +192,8 @@ optional_policy(`
+@@ -155,6 +194,8 @@ optional_policy(`
optional_policy(`
netutils_domtrans_ping(munin_t)
@@ -38391,7 +38431,7 @@ index f17583b..f076c38 100644
')
optional_policy(`
-@@ -179,26 +218,29 @@ optional_policy(`
+@@ -179,26 +220,29 @@ optional_policy(`
###################################
#
@@ -38419,16 +38459,16 @@ index f17583b..f076c38 100644
dev_read_sysfs(disk_munin_plugin_t)
dev_read_urand(disk_munin_plugin_t)
+dev_read_all_blk_files(munin_disk_plugin_t)
-
--storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
++
+fs_getattr_all_fs(disk_munin_plugin_t)
+fs_getattr_all_dirs(disk_munin_plugin_t)
-+
+
+-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
sysnet_read_config(disk_munin_plugin_t)
-@@ -212,56 +254,81 @@ optional_policy(`
+@@ -212,56 +256,81 @@ optional_policy(`
####################################
#
@@ -38522,7 +38562,7 @@ index f17583b..f076c38 100644
cups_stream_connect(services_munin_plugin_t)
')
-@@ -279,6 +346,14 @@ optional_policy(`
+@@ -279,6 +348,14 @@ optional_policy(`
')
optional_policy(`
@@ -38537,7 +38577,7 @@ index f17583b..f076c38 100644
postgresql_stream_connect(services_munin_plugin_t)
')
-@@ -286,30 +361,79 @@ optional_policy(`
+@@ -286,30 +363,81 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -38563,11 +38603,12 @@ index f17583b..f076c38 100644
+
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
-
+-
-corecmd_exec_shell(system_munin_plugin_t)
-
-fs_getattr_all_fs(system_munin_plugin_t)
--
++kernel_read_fs_sysctls(system_munin_plugin_t)
+
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
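Review bot: The added `kernel_read_fs_sysctls(system_munin_plugin_t)` sits directly below `kernel_read_all_sysctls(system_munin_plugin_t)`, which by its name should already cover the fs sysctls, so the new line looks redundant. If an AVC denial prompted it, a comment naming the denied access would explain why both are needed; otherwise the line can be dropped.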
@@ -38614,7 +38655,8 @@ index f17583b..f076c38 100644
+read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
+read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
+
-+allow httpd_munin_script_t munin_log_t:file read_file_perms;
++read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
++append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
+
+files_search_var_lib(httpd_munin_script_t)
+
@@ -40824,7 +40866,7 @@ index 0000000..7d11148
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..34762bb
+index 0000000..c961e48
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,328 @@
@@ -40886,6 +40928,7 @@ index 0000000..34762bb
+
+corecmd_exec_bin(nova_domain)
+corecmd_exec_shell(nova_domain)
++corenet_tcp_connect_mysqld_port(nova_domain)
+
+dev_read_urand(nova_domain)
+
@@ -40897,7 +40940,6 @@ index 0000000..34762bb
+
+files_read_etc_files(nova_domain)
+
-+
+optional_policy(`
+ sysnet_read_config(nova_domain)
+')
@@ -51963,7 +52005,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/procmail.te b/procmail.te
-index 29b9295..23625fc 100644
+index 29b9295..d75017c 100644
--- a/procmail.te
+++ b/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -51985,7 +52027,11 @@ index 29b9295..23625fc 100644
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -44,7 +47,6 @@ files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+@@ -41,10 +44,10 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+ allow procmail_t procmail_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
+
++kernel_read_network_state(procmail_t)
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
@@ -51993,7 +52039,7 @@ index 29b9295..23625fc 100644
corenet_all_recvfrom_netlabel(procmail_t)
corenet_tcp_sendrecv_generic_if(procmail_t)
corenet_udp_sendrecv_generic_if(procmail_t)
-@@ -67,17 +69,23 @@ auth_use_nsswitch(procmail_t)
+@@ -67,17 +70,23 @@ auth_use_nsswitch(procmail_t)
corecmd_exec_bin(procmail_t)
corecmd_exec_shell(procmail_t)
@@ -52020,7 +52066,7 @@ index 29b9295..23625fc 100644
# only works until we define a different type for maildir
userdom_manage_user_home_content_dirs(procmail_t)
-@@ -87,8 +95,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +96,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
userdom_manage_user_home_content_sockets(procmail_t)
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
@@ -52031,7 +52077,7 @@ index 29b9295..23625fc 100644
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -97,21 +105,19 @@ ifdef(`hide_broken_symptoms',`
+@@ -97,21 +106,19 @@ ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
')
@@ -52061,7 +52107,7 @@ index 29b9295..23625fc 100644
')
optional_policy(`
-@@ -125,6 +131,11 @@ optional_policy(`
+@@ -125,6 +132,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
@@ -52073,7 +52119,7 @@ index 29b9295..23625fc 100644
')
optional_policy(`
-@@ -134,6 +145,7 @@ optional_policy(`
+@@ -134,6 +146,7 @@ optional_policy(`
optional_policy(`
mta_read_config(procmail_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e8f551b..362e687 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 82%{?dist}
+Release: 83%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-83
+- Fix iptables labels
+- Allow munin CGI scripts to append munin log file
+- Allow munin plugin domains to read passwd
+- Allow collectd CGI script to create /tmp content
+- Add mising gluster boolean
+- Allow collectd to create netlink_tcpdiag_socket
+- Allow proceman to check the state of the network
+
* Thu Feb 28 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-82
- Allow logrotate to read /sys
- Allow mandb to setattr on man dirs