[selinux-policy/f19] - Allow lvm to create its own unit files - Label /var/lib/sepolgen as selinux_config_t - Add filetra

Miroslav Grepl mgrepl at fedoraproject.org
Fri Apr 26 11:50:02 UTC 2013


commit ae0bb74aac1bd6047466393beb3c59299b61b5af
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Apr 26 13:49:47 2013 +0200

    - Allow lvm to create its own unit files
    - Label /var/lib/sepolgen as selinux_config_t
    - Add filetrans rules for tw devices
    - Add transition from cupsd_config_t to cupsd_t

 policy-rawhide-base.patch    |  110 ++++++++++++++++++++++++++++++++---------
 policy-rawhide-contrib.patch |   94 +++++++++++++++++-------------------
 selinux-policy.spec          |    8 +++-
 3 files changed, 137 insertions(+), 75 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 926bff0..11b68a1 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -31853,7 +31853,7 @@ index 39ea221..4dd92d4 100644
 +
 +logging_stream_connect_syslog(syslog_client_type)
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..e2a9f15 100644
+index 879bb1e..7daaff3 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
 @@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
@@ -31892,12 +31892,14 @@ index 879bb1e..e2a9f15 100644
  /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +94,69 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',`
  #
  # /usr
  #
 -/usr/sbin/clvmd		--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 -/usr/sbin/lvm		--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/systemd/generator/lvm.*   gen_context(system_u:object_r:lvm_unit_file_t,s0)
++
 +/usr/sbin/clvmd			--	gen_context(system_u:object_r:clvmd_exec_t,s0)
 +/usr/sbin/cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/dmeventd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
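Review bot: The new file-context line labels `/usr/lib/systemd/generator/lvm.*`, while the `systemd_unit_file_filetrans` interface this commit adds elsewhere in the patch documents its target as `/run/systemd/generator`; if the lvm generator actually writes under /run, this `/usr/lib` entry will never match at restorecon time and the runtime files get their label only through the type transition, so the two paths should be reconciled (or the reason for the /usr/lib location stated in a comment). The entry also omits the object-class specifier that every neighbouring line carries, so it would apply to directories and symlinks as well as regular unit files; `/usr/lib/systemd/generator/lvm.*	--	gen_context(system_u:object_r:lvm_unit_file_t,s0)` limits it to files. This is a file-context listing, so there is no enclosing definition to cut.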
@@ -31964,7 +31966,7 @@ index 879bb1e..e2a9f15 100644
  
  #
  # /var
-@@ -97,5 +164,8 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -32073,7 +32075,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..df70cac 100644
+index e8c59a5..5c935e3 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -32095,7 +32097,17 @@ index e8c59a5..df70cac 100644
  
  type lvm_lock_t;
  files_lock_file(lvm_lock_t)
-@@ -49,15 +52,19 @@ files_tmp_file(lvm_tmp_t)
+@@ -41,6 +44,9 @@ files_pid_file(lvm_var_run_t)
+ type lvm_tmp_t;
+ files_tmp_file(lvm_tmp_t)
+ 
++type lvm_unit_file_t;
++systemd_unit_file(lvm_unit_file_t)
++
+ ########################################
+ #
+ # Cluster LVM daemon local policy
+@@ -49,15 +55,19 @@ files_tmp_file(lvm_tmp_t)
  allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
  dontaudit clvmd_t self:capability sys_tty_config;
  allow clvmd_t self:process { signal_perms setsched };
@@ -32117,7 +32129,7 @@ index e8c59a5..df70cac 100644
  
  read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
  
-@@ -71,7 +78,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
+@@ -71,7 +81,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
  corecmd_exec_shell(clvmd_t)
  corecmd_getattr_bin_files(clvmd_t)
  
@@ -32125,7 +32137,7 @@ index e8c59a5..df70cac 100644
  corenet_all_recvfrom_netlabel(clvmd_t)
  corenet_tcp_sendrecv_generic_if(clvmd_t)
  corenet_udp_sendrecv_generic_if(clvmd_t)
-@@ -120,9 +126,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
+@@ -120,9 +129,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
  
  logging_send_syslog_msg(clvmd_t)
  
@@ -32135,7 +32147,7 @@ index e8c59a5..df70cac 100644
  seutil_sigchld_newrole(clvmd_t)
  seutil_read_config(clvmd_t)
  seutil_read_file_contexts(clvmd_t)
-@@ -141,6 +145,11 @@ ifdef(`distro_redhat',`
+@@ -141,6 +148,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -32147,7 +32159,7 @@ index e8c59a5..df70cac 100644
  	ccs_stream_connect(clvmd_t)
  ')
  
-@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
  # LVM will complain a lot if it cannot set its priority.
  allow lvm_t self:process setsched;
@@ -32155,7 +32167,17 @@ index e8c59a5..df70cac 100644
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -191,10 +201,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -179,6 +192,9 @@ allow lvm_t self:sem create_sem_perms;
+ allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
+ 
++allow lvm_t lvm_unit_file_t:file manage_file_perms;
++systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)
++
+ manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
+ manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
+ files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
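Review bot: The new `systemd_unit_file_filetrans(lvm_t, lvm_unit_file_t, file)` passes no name component, so every file lvm_t creates in any directory of type systemd_unit_file_t (not only the generator directory) becomes lvm_unit_file_t, and the preceding `allow lvm_t lvm_unit_file_t:file manage_file_perms` lets it create, overwrite and unlink those files freely; because `systemd_unit_file()` marks the type as unit content that init loads, a compromised lvm_t gains a path to plant unit definitions. If the lvm generator emits a fixed set of unit names, pass them as the fourth argument (one call per name) so the transition and write access are confined to those files, and add a why-comment above the pair, e.g. `# lvm2 systemd generator writes its activation units`. Whether persistent unit directories such as /etc/systemd/system also carry systemd_unit_file_t is not visible here; if they do, the unconstrained rule reaches them too. The lvm_t section continues outside this hunk.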
+@@ -191,10 +207,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
  can_exec(lvm_t, lvm_exec_t)
  
  # Creating lock files
@@ -32168,7 +32190,7 @@ index e8c59a5..df70cac 100644
  
  manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
  manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,8 +214,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -202,8 +220,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
  
  manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
  manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@@ -32180,7 +32202,7 @@ index e8c59a5..df70cac 100644
  
  read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
  read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +234,7 @@ kernel_read_kernel_sysctls(lvm_t)
+@@ -220,6 +240,7 @@ kernel_read_kernel_sysctls(lvm_t)
  # it has no reason to need this
  kernel_dontaudit_getattr_core_if(lvm_t)
  kernel_use_fds(lvm_t)
@@ -32188,7 +32210,7 @@ index e8c59a5..df70cac 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -230,11 +245,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +251,13 @@ dev_delete_generic_dirs(lvm_t)
  dev_read_rand(lvm_t)
  dev_read_urand(lvm_t)
  dev_rw_lvm_control(lvm_t)
@@ -32203,7 +32225,7 @@ index e8c59a5..df70cac 100644
  # cjp: this has no effect since LVM does not
  # have lnk_file relabelto for anything else.
  # perhaps this should be blk_files?
-@@ -246,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +269,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -32211,7 +32233,7 @@ index e8c59a5..df70cac 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -255,17 +273,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +279,21 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -32234,7 +32256,7 @@ index e8c59a5..df70cac 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -285,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +313,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
  
@@ -32243,7 +32265,7 @@ index e8c59a5..df70cac 100644
  
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +315,22 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +321,22 @@ init_use_script_ptys(lvm_t)
  init_read_script_state(lvm_t)
  
  logging_send_syslog_msg(lvm_t)
@@ -32267,7 +32289,7 @@ index e8c59a5..df70cac 100644
  
  ifdef(`distro_redhat',`
  	# this is from the initrd:
-@@ -313,6 +342,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +348,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -32279,7 +32301,7 @@ index e8c59a5..df70cac 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -333,14 +367,26 @@ optional_policy(`
+@@ -333,14 +373,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33768,7 +33790,7 @@ index cbbda4a..8dcc346 100644
 +userdom_use_inherited_user_terminals(netlabel_mgmt_t)
 +
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b1..c4182e8 100644
+index d43f3b1..f958391 100644
 --- a/policy/modules/system/selinuxutil.fc
 +++ b/policy/modules/system/selinuxutil.fc
 @@ -6,13 +6,14 @@
@@ -33789,7 +33811,7 @@ index d43f3b1..c4182e8 100644
  
  #
  # /root
-@@ -35,12 +36,14 @@
+@@ -35,19 +36,26 @@
  /usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
  
  /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
@@ -33805,7 +33827,11 @@ index d43f3b1..c4182e8 100644
  
  #
  # /var/lib
-@@ -51,3 +54,7 @@
+ #
+ /var/lib/selinux(/.*)?			gen_context(system_u:object_r:semanage_var_lib_t,s0)
++/var/lib/sepolgen(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
+ 
+ #
  # /var/run
  #
  /var/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
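Review bot: Labeling `/var/lib/sepolgen(/.*)?` with selinux_config_t reuses the type of /etc/selinux for a generated data directory, which merges two trust boundaries: any domain permitted to write selinux_config_t can now tamper with sepolgen's interface data (used when generating policy from audit logs), and any domain later given write to that data directory silently gains write on the real SELinux configuration. The sibling entry `/var/lib/selinux(/.*)?` uses semanage_var_lib_t, and the setroubleshoot hunk of this same commit drops `files_read_var_lib_files(setroubleshootd_t)`, so the motivation is presumably to let setroubleshootd read it via its existing seutil config access; a dedicated type (or semanage_var_lib_t with a read interface) would achieve that without widening write access. At minimum a comment such as `# sepolgen interface data; readable by anything with seutil_read_config` should record the choice. This is a file-context listing with no enclosing definition.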
@@ -35957,10 +35983,10 @@ index 0000000..4e12420
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..5894afb
+index 0000000..2e5b822
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1159 @@
+@@ -0,0 +1,1195 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +######################################
@@ -36806,6 +36832,42 @@ index 0000000..5894afb
 +	allow $1 hostname_etc_t:file read_file_perms;
 +')
 +
++#######################################
++## <summary>
++##  Create objects in /run/systemd/generator directory
++##  with an automatic type transition to
++##  a specified private type.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <param name="private_type">
++##  <summary>
++##  The type of the object to create.
++##  </summary>
++## </param>
++## <param name="object_class">
++##  <summary>
++##  The class of the object to be created.
++##  </summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`systemd_unit_file_filetrans',`
++    gen_require(`
++        type systemd_unit_file_t;
++    ')
++
++	files_search_pids($1)
++	filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
++')
++
 +########################################
 +## <summary>
 +##	Transition to systemd named content
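Review bot: The summary of `systemd_unit_file_filetrans` says "Create objects in /run/systemd/generator directory", but the rule is keyed on the parent type systemd_unit_file_t and therefore applies in every directory of that type, so the documentation should describe the type, not one path: `## Create objects in directories labeled systemd_unit_file_t with an automatic type transition to a specified private type.` The only path access it grants is `files_search_pids($1)`; if /run/systemd carries a private init/systemd type rather than the generic pid type, callers still cannot traverse to the generator directory and need an additional search rule — not verifiable from this hunk. The body also mixes four-space indentation in `gen_require` with tabs on the two rule lines, unlike the neighbouring interfaces; pick one. The interface itself is complete within the hunk.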
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 8043880..efe35c0 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4426,7 +4426,7 @@ index 83e899c..c0ece1b 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..c2a14a5 100644
+index 1a82e29..cb872c5 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,360 @@
@@ -5476,7 +5476,7 @@ index 1a82e29..c2a14a5 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +799,42 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +799,38 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5495,11 +5495,10 @@ index 1a82e29..c2a14a5 100644
 +# are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
 -	userdom_use_user_terminals(httpd_t)
+-',`
+-	userdom_dontaudit_use_user_terminals(httpd_t)
 +	userdom_use_inherited_user_terminals(httpd_t)
 +	userdom_use_inherited_user_terminals(httpd_suexec_t)
- ',`
- 	userdom_dontaudit_use_user_terminals(httpd_t)
-+	userdom_dontaudit_use_user_terminals(httpd_suexec_t)
  ')
  
 -tunable_policy(`httpd_use_cifs',`
@@ -5519,7 +5518,7 @@ index 1a82e29..c2a14a5 100644
 -	fs_manage_fusefs_files(httpd_t)
 -	fs_read_fusefs_symlinks(httpd_t)
 -')
- 
+-
 -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
 -	fs_exec_fusefs_files(httpd_t)
 -')
@@ -5551,7 +5550,7 @@ index 1a82e29..c2a14a5 100644
  ')
  
  optional_policy(`
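Review bot: The rewritten `tunable_policy(\`httpd_tty_comm',...)` block no longer has an else branch, so the previous `userdom_dontaudit_use_user_terminals(httpd_t)` is gone and terminal accesses by httpd_t and httpd_suexec_t with the boolean off will now produce AVC denials; yet the context comment just above still ends "are dontaudited here.", which is now false. Either restore the dontaudit branch (`',\`` / `userdom_dontaudit_use_user_terminals(httpd_t)` / `userdom_dontaudit_use_user_terminals(httpd_suexec_t)`) or reword the comment to say the accesses are denied and audited when the boolean is off. The comment's opening lines lie outside this hunk, so its full wording cannot be checked here.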
-@@ -743,14 +845,6 @@ optional_policy(`
+@@ -743,14 +841,6 @@ optional_policy(`
  	ccs_read_config(httpd_t)
  ')
  
@@ -5566,7 +5565,7 @@ index 1a82e29..c2a14a5 100644
  
  optional_policy(`
  	cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +859,23 @@ optional_policy(`
+@@ -765,6 +855,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5590,7 +5589,7 @@ index 1a82e29..c2a14a5 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +892,42 @@ optional_policy(`
+@@ -781,34 +888,42 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5644,7 +5643,7 @@ index 1a82e29..c2a14a5 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +935,18 @@ optional_policy(`
+@@ -816,8 +931,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5663,7 +5662,7 @@ index 1a82e29..c2a14a5 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +955,7 @@ optional_policy(`
+@@ -826,6 +951,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -5671,7 +5670,7 @@ index 1a82e29..c2a14a5 100644
  ')
  
  optional_policy(`
-@@ -836,20 +966,38 @@ optional_policy(`
+@@ -836,20 +962,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5716,7 +5715,7 @@ index 1a82e29..c2a14a5 100644
  ')
  
  optional_policy(`
-@@ -857,6 +1005,16 @@ optional_policy(`
+@@ -857,6 +1001,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5733,7 +5732,7 @@ index 1a82e29..c2a14a5 100644
  	seutil_sigchld_newrole(httpd_t)
  ')
  
-@@ -865,6 +1023,7 @@ optional_policy(`
+@@ -865,6 +1019,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -5741,7 +5740,7 @@ index 1a82e29..c2a14a5 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -877,65 +1036,166 @@ optional_policy(`
+@@ -877,65 +1032,166 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -5930,7 +5929,7 @@ index 1a82e29..c2a14a5 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1204,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1200,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6085,7 +6084,7 @@ index 1a82e29..c2a14a5 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1288,104 @@ optional_policy(`
+@@ -1077,172 +1284,104 @@ optional_policy(`
  	')
  ')
  
@@ -6321,7 +6320,7 @@ index 1a82e29..c2a14a5 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1393,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1389,70 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6415,7 +6414,7 @@ index 1a82e29..c2a14a5 100644
  
  ########################################
  #
-@@ -1315,8 +1464,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1460,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6432,7 +6431,7 @@ index 1a82e29..c2a14a5 100644
  ')
  
  ########################################
-@@ -1324,49 +1480,36 @@ optional_policy(`
+@@ -1324,49 +1476,36 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6496,7 +6495,7 @@ index 1a82e29..c2a14a5 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1519,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1515,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -10168,7 +10167,7 @@ index 0000000..88107d7
 +/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
 diff --git a/chrome.if b/chrome.if
 new file mode 100644
-index 0000000..efebae7
+index 0000000..36bd6be
 --- /dev/null
 +++ b/chrome.if
 @@ -0,0 +1,134 @@
@@ -10258,7 +10257,7 @@ index 0000000..efebae7
 +
 +	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 +	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
-+	allow chrome_sandbox_t $2:unix_stream_socket { getattr read write };
++	allow chrome_sandbox_t $2:unix_stream_socket { append getattr read write };
 +	dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
 +	allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write };
 +	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
@@ -16253,7 +16252,7 @@ index 06da9a0..ca832e1 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..6264572 100644
+index 9f34c2e..c861b5b 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16577,7 +16576,7 @@ index 9f34c2e..6264572 100644
  ')
  
  ########################################
-@@ -345,11 +381,9 @@ optional_policy(`
+@@ -345,12 +381,11 @@ optional_policy(`
  # Configuration daemon local policy
  #
  
@@ -16589,9 +16588,11 @@ index 9f34c2e..6264572 100644
 -allow cupsd_config_t self:tcp_socket { accept listen };
 +allow cupsd_config_t self:process { getsched };
  
++domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+ 
+@@ -375,18 +410,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
  manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
  files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
  
@@ -16611,7 +16612,7 @@ index 9f34c2e..6264572 100644
  corenet_all_recvfrom_netlabel(cupsd_config_t)
  corenet_tcp_sendrecv_generic_if(cupsd_config_t)
  corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +427,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
  corenet_sendrecv_all_client_packets(cupsd_config_t)
  corenet_tcp_connect_all_ports(cupsd_config_t)
  
@@ -16632,7 +16633,7 @@ index 9f34c2e..6264572 100644
  fs_search_auto_mountpoints(cupsd_config_t)
  
  domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +444,6 @@ auth_use_nsswitch(cupsd_config_t)
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -16644,7 +16645,7 @@ index 9f34c2e..6264572 100644
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
  userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +470,12 @@ optional_policy(`
+@@ -452,9 +471,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16658,7 +16659,7 @@ index 9f34c2e..6264572 100644
  ')
  
  optional_policy(`
-@@ -490,10 +511,6 @@ optional_policy(`
+@@ -490,10 +512,6 @@ optional_policy(`
  # Lpd local policy
  #
  
@@ -16669,7 +16670,7 @@ index 9f34c2e..6264572 100644
  allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  
  allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +529,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
  
  kernel_read_kernel_sysctls(cupsd_lpd_t)
  kernel_read_system_state(cupsd_lpd_t)
@@ -16702,7 +16703,7 @@ index 9f34c2e..6264572 100644
  optional_policy(`
  	inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
  ')
-@@ -546,7 +554,6 @@ optional_policy(`
+@@ -546,7 +555,6 @@ optional_policy(`
  #
  
  allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16710,7 +16711,7 @@ index 9f34c2e..6264572 100644
  allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
  
  append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +569,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +570,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
  
  kernel_read_system_state(cups_pdf_t)
  
@@ -16862,7 +16863,7 @@ index 9f34c2e..6264572 100644
  
  ########################################
  #
-@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +614,6 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -16870,7 +16871,7 @@ index 9f34c2e..6264572 100644
  corenet_all_recvfrom_netlabel(ptal_t)
  corenet_tcp_sendrecv_generic_if(ptal_t)
  corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +623,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
  corenet_tcp_bind_ptal_port(ptal_t)
  corenet_tcp_sendrecv_ptal_port(ptal_t)
  
@@ -16884,7 +16885,7 @@ index 9f34c2e..6264572 100644
  files_read_etc_runtime_files(ptal_t)
  
  fs_getattr_all_fs(ptal_t)
-@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +635,6 @@ fs_search_auto_mountpoints(ptal_t)
  
  logging_send_syslog_msg(ptal_t)
  
@@ -75308,7 +75309,7 @@ index 3a9a70b..039b0c8 100644
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..a7c3d7c 100644
+index 49b12ae..a89828e 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -1,4 +1,4 @@
@@ -75397,7 +75398,7 @@ index 49b12ae..a7c3d7c 100644
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
-@@ -79,13 +85,13 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
+@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
  domain_dontaudit_search_all_domains_state(setroubleshootd_t)
  domain_signull_all_domains(setroubleshootd_t)
  
@@ -75405,14 +75406,7 @@ index 49b12ae..a7c3d7c 100644
  files_list_all(setroubleshootd_t)
  files_getattr_all_files(setroubleshootd_t)
  files_getattr_all_pipes(setroubleshootd_t)
- files_getattr_all_sockets(setroubleshootd_t)
- files_read_all_symlinks(setroubleshootd_t)
- files_read_mnt_files(setroubleshootd_t)
-+files_read_var_lib_files(setroubleshootd_t)
- 
- fs_getattr_all_dirs(setroubleshootd_t)
- fs_getattr_all_files(setroubleshootd_t)
-@@ -107,27 +113,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
  libs_exec_ld_so(setroubleshootd_t)
@@ -75445,7 +75439,7 @@ index 49b12ae..a7c3d7c 100644
  ')
  
  optional_policy(`
-@@ -135,10 +138,18 @@ optional_policy(`
+@@ -135,10 +137,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75464,7 +75458,7 @@ index 49b12ae..a7c3d7c 100644
  	rpm_exec(setroubleshootd_t)
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
-@@ -148,15 +159,17 @@ optional_policy(`
+@@ -148,15 +158,17 @@ optional_policy(`
  
  ########################################
  #
@@ -75483,7 +75477,7 @@ index 49b12ae..a7c3d7c 100644
  setroubleshoot_stream_connect(setroubleshoot_fixit_t)
  
  kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +178,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  corecmd_getattr_all_executables(setroubleshoot_fixit_t)
  
@@ -75498,7 +75492,7 @@ index 49b12ae..a7c3d7c 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ef221a2..a51744a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 36%{?dist}
+Release: 37%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-37
+- Allow lvm to create its own unit files
+- Label /var/lib/sepolgen as selinux_config_t
+- Add filetrans rules for tw devices
+- Add transition from cupsd_config_t to cupsd_t
+
 * Wed Apr 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-36
 - Add filetrans rules for tw devices
 - Cleanup bad transition lines

