[selinux-policy/f19] - accountservice watches when accounts come and go in wtmp - /usr/java/jre1.7.0_21/bin/java needs to
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jun 13 13:14:27 UTC 2013
commit 573f5879dbe4c5aaa9e93cda712f6fbcdb7d5d7e
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Jun 13 15:14:06 2013 +0200
- accountservice watches when accounts come and go in wtmp
- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket
- Add httpd_use_sasl boolean
- Allow net_admin for tuned_t
- iscsid needs sys_module to auto-load kernel modules
- Allow blueman to read bluetooth conf
- Add nova_manage_lib_files() interface
- Fix mplayer_filetrans_home_content()
- Add mplayer_filetrans_home_content()
- mozilla_plugin_config_roles need to be able to access mozilla_plugi
- Revert "Allow thumb_t to append inherited xdm stream socket"
- Add iscsi_filetrans_named_content() interface
- Allow unconfined domains to create .mplayer with the correct labeling
- Allow iscsiadmin to create lock file with the correct labeling
policy-rawhide-base.patch | 176 ++++++++++++--------------
policy-rawhide-contrib.patch | 294 ++++++++++++++++++++++++++++--------------
selinux-policy.spec | 18 +++-
3 files changed, 297 insertions(+), 191 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a1ab260..b8c55f3 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -8389,7 +8389,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..29e6ec0 100644
+index cf04cb5..19c3e01 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8517,7 +8517,7 @@ index cf04cb5..29e6ec0 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +229,279 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +229,287 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8611,6 +8611,10 @@ index cf04cb5..29e6ec0 100644
+')
+
+optional_policy(`
++ iscsi_filetrans_named_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ kerberos_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -8619,6 +8623,10 @@ index cf04cb5..29e6ec0 100644
+')
+
+optional_policy(`
++ mplayer_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
+ modules_filetrans_named_content(unconfined_domain_type)
+')
+
@@ -20785,7 +20793,7 @@ index d1f64a0..97140ee 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..f0080ba 100644
+index 6bf0ecc..18223e7 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -21257,7 +21265,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -21273,6 +21281,26 @@ index 6bf0ecc..f0080ba 100644
+
+########################################
+## <summary>
++## Allow domain to append XDM unix domain
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++
++interface(`xserver_append_xdm_stream_socket',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:unix_stream_socket append;
++')
++
++########################################
++## <summary>
+## Read XDM files in user home directories.
+## </summary>
+## <param name="domain">
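Review bot: The new `xserver_append_xdm_stream_socket` interface separates its `#` header terminator from `interface(` with a blank line, which the sibling interfaces in this file do not do (the `xserver_relabel_xdm_tmp_dirs` block further down has `#` immediately followed by `interface(`); drop the blank line. No caller of the interface is visible in this commit and the description says the thumb_t use of it is reverted, so if nothing else consumes it the interface is unused policy surface worth confirming before it ships.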
@@ -21331,7 +21359,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
## <summary>
@@ -21357,7 +21385,7 @@ index 6bf0ecc..f0080ba 100644
## Set the attributes of XDM temporary directories.
## </summary>
## <param name="domain">
-@@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -21384,7 +21412,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -21412,7 +21440,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
## <summary>
@@ -21437,7 +21465,7 @@ index 6bf0ecc..f0080ba 100644
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -21465,7 +21493,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -21474,7 +21502,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
@@ -21520,7 +21548,7 @@ index 6bf0ecc..f0080ba 100644
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -21529,113 +21557,73 @@ index 6bf0ecc..f0080ba 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
-## Do not audit attempts to get the attributes of
--## xdm temporary named sockets.
+## Create, read, write, and delete xdm temporary dirs.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
++## </summary>
++## </param>
++#
+interface(`xserver_relabel_xdm_tmp_dirs',`
- gen_require(`
- type xdm_tmp_t;
- ')
-
-- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
- ')
-
- ########################################
- ## <summary>
--## Execute the X server in the X server domain.
-+## Create, read, write, and delete xdm temporary dirs.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed to transition.
-+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`xserver_domtrans',`
-+interface(`xserver_manage_xdm_tmp_dirs',`
- gen_require(`
-- type xserver_t, xserver_exec_t;
-+ type xdm_tmp_t;
- ')
-
-- allow $1 xserver_t:process siginh;
-- domtrans_pattern($1, xserver_exec_t, xserver_t)
-+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
- ')
-
- ########################################
- ## <summary>
--## Signal X servers
-+## Do not audit attempts to get the attributes of
-+## xdm temporary named sockets.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain allowed access.
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
--interface(`xserver_signal',`
-+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
-+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
++ allow $1 xdm_tmp_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
-+## Execute the X server in the X server domain.
++## Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed to transition.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`xserver_domtrans',`
++interface(`xserver_manage_xdm_tmp_dirs',`
+ gen_require(`
-+ type xserver_t, xserver_exec_t;
++ type xdm_tmp_t;
+ ')
+
-+ allow $1 xserver_t:process siginh;
-+ domtrans_pattern($1, xserver_exec_t, xserver_t)
-+
-+ allow xserver_t $1:process getpgid;
++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
-+## Signal X servers
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`xserver_signal',`
- gen_require(`
- type xserver_t;
++## Do not audit attempts to get the attributes of
+ ## xdm temporary named sockets.
+ ## </summary>
+ ## <param name="domain">
+@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+ type xdm_tmp_t;
+ ')
+
+- dontaudit $1 xdm_tmp_t:sock_file getattr;
++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
+ ')
+
+ ########################################
+@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',`
+ type xserver_t, xserver_exec_t;
')
-@@ -1210,6 +1579,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+
+- allow $1 xserver_t:process siginh;
++ allow $1 xserver_t:process siginh;
+ domtrans_pattern($1, xserver_exec_t, xserver_t)
++
++ allow xserver_t $1:process getpgid;
+ ')
+
+ ########################################
+@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
########################################
## <summary>
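Review bot: `xserver_domtrans` now also carries `allow xserver_t $1:process getpgid;`, a permission granted to the X server over the calling domain rather than to the caller, which is easy to miss inside an interface named as a transition helper. A comment on that line, `# let xserver_t read the process group id (getpgid) of the domain that started it`, would record the intent; the interface's summary and its `gen_require(` open before the inner hunk and are not in view here. The other change in this hunk, `getattr` to `getattr_sock_file_perms` in `xserver_dontaudit_getattr_xdm_tmp_sockets`, reads as a straight macro substitution.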
@@ -21661,7 +21649,7 @@ index 6bf0ecc..f0080ba 100644
## Connect to the X server over a unix domain
## stream socket.
## </summary>
-@@ -1226,6 +1614,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -21688,7 +21676,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1251,7 +1659,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -21697,7 +21685,7 @@ index 6bf0ecc..f0080ba 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1261,13 +1669,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -21722,7 +21710,7 @@ index 6bf0ecc..f0080ba 100644
')
########################################
-@@ -1284,10 +1702,604 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 0763094..68c500f 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1098,7 +1098,7 @@ index bd5ec9a..a5ed692 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 313b33f..f9d3343 100644
+index 313b33f..6e0a894 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -1137,16 +1137,18 @@ index 313b33f..f9d3343 100644
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
-@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
+@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
++logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
-@@ -65,9 +72,16 @@ optional_policy(`
+
+@@ -65,9 +73,16 @@ optional_policy(`
')
optional_policy(`
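Review bot: `logging_list_logs(accountsd_t)` grants listing of the log directory, which is wider than the wtmp read the description mentions, and `auth_read_login_records(accountsd_t)` is already present two lines above it. If the listing is presumably needed so an inotify watch can be placed on the directory (the domain already has `fs_list_inotifyfs`), a comment next to the call, `# list the log directory so the wtmp watch can be set up`, would record why the extra access is there.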
@@ -4509,10 +4511,10 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..73b1638 100644
+index 1a82e29..a434dfd 100644
--- a/apache.te
+++ b/apache.te
-@@ -1,297 +1,360 @@
+@@ -1,297 +1,367 @@
-policy_module(apache, 2.6.10)
+policy_module(apache, 2.4.0)
+
@@ -4929,6 +4931,13 @@ index 1a82e29..73b1638 100644
-## nfs file systems.
-## </p>
+## <p>
++## Allow httpd to connect to sasl
++## </p>
++## </desc>
++gen_tunable(httpd_use_sasl, false)
++
++## <desc>
++## <p>
+## Allow httpd to access nfs file systems
+## </p>
## </desc>
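Review bot: The description of the new `httpd_use_sasl` tunable, `Allow httpd to connect to sasl`, does not say what is being connected to; `Allow httpd to connect to the SASL authentication daemon (sasl_connect)` names the interface the boolean gates, which is visible further down in this commit as `sasl_connect(httpd_t)`. Defaulting to `false` is the right direction for a new IPC grant.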
@@ -5022,7 +5031,7 @@ index 1a82e29..73b1638 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +362,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -5035,7 +5044,7 @@ index 1a82e29..73b1638 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +372,19 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -5057,7 +5066,7 @@ index 1a82e29..73b1638 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -323,12 +394,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -5077,7 +5086,7 @@ index 1a82e29..73b1638 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +421,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5128,7 +5137,7 @@ index 1a82e29..73b1638 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +463,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -5170,7 +5179,7 @@ index 1a82e29..73b1638 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +500,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5179,7 +5188,7 @@ index 1a82e29..73b1638 100644
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +510,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -5190,7 +5199,7 @@ index 1a82e29..73b1638 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +544,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5418,7 +5427,7 @@ index 1a82e29..73b1638 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +710,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5478,7 +5487,7 @@ index 1a82e29..73b1638 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +762,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5524,18 +5533,18 @@ index 1a82e29..73b1638 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
--')
--
--optional_policy(`
-- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-- spamassassin_domtrans_client(httpd_t)
-- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
+-optional_policy(`
+- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+- spamassassin_domtrans_client(httpd_t)
+- ')
+-')
+-
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
@@ -5563,7 +5572,7 @@ index 1a82e29..73b1638 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +803,42 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +810,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5591,26 +5600,22 @@ index 1a82e29..73b1638 100644
- fs_manage_cifs_dirs(httpd_t)
- fs_manage_cifs_files(httpd_t)
- fs_manage_cifs_symlinks(httpd_t)
--')
--
--tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
-- fs_exec_cifs_files(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_t)
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
')
--tunable_policy(`httpd_use_fusefs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_fusefs_dirs(httpd_t)
-- fs_manage_fusefs_files(httpd_t)
-- fs_read_fusefs_symlinks(httpd_t)
+-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
+- fs_exec_cifs_files(httpd_t)
-')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_t)
+-tunable_policy(`httpd_use_fusefs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_fusefs_dirs(httpd_t)
+- fs_manage_fusefs_files(httpd_t)
+- fs_read_fusefs_symlinks(httpd_t)
-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
@@ -5619,13 +5624,21 @@ index 1a82e29..73b1638 100644
+ cobbler_search_lib(httpd_t)
+ ')
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
++ tunable_policy(`httpd_can_network_connect_cobbler',`
++ corenet_tcp_connect_cobbler_port(httpd_t)
++ ')
+ ')
+
-tunable_policy(`httpd_use_nfs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_nfs_dirs(httpd_t)
- fs_manage_nfs_files(httpd_t)
- fs_manage_nfs_symlinks(httpd_t)
-+ tunable_policy(`httpd_can_network_connect_cobbler',`
-+ corenet_tcp_connect_cobbler_port(httpd_t)
++optional_policy(`
++ tunable_policy(`httpd_use_sasl',`
++ sasl_connect(httpd_t)
+ ')
')
@@ -5640,7 +5653,7 @@ index 1a82e29..73b1638 100644
')
optional_policy(`
-@@ -743,14 +849,6 @@ optional_policy(`
+@@ -743,14 +862,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5655,7 +5668,7 @@ index 1a82e29..73b1638 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +863,23 @@ optional_policy(`
+@@ -765,6 +876,23 @@ optional_policy(`
')
optional_policy(`
@@ -5679,7 +5692,7 @@ index 1a82e29..73b1638 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +896,42 @@ optional_policy(`
+@@ -781,34 +909,42 @@ optional_policy(`
')
optional_policy(`
@@ -5733,7 +5746,7 @@ index 1a82e29..73b1638 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +939,18 @@ optional_policy(`
+@@ -816,8 +952,18 @@ optional_policy(`
')
optional_policy(`
@@ -5752,7 +5765,7 @@ index 1a82e29..73b1638 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +959,7 @@ optional_policy(`
+@@ -826,6 +972,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5760,7 +5773,7 @@ index 1a82e29..73b1638 100644
')
optional_policy(`
-@@ -836,20 +970,38 @@ optional_policy(`
+@@ -836,20 +983,38 @@ optional_policy(`
')
optional_policy(`
@@ -5805,7 +5818,7 @@ index 1a82e29..73b1638 100644
')
optional_policy(`
-@@ -857,6 +1009,16 @@ optional_policy(`
+@@ -857,6 +1022,16 @@ optional_policy(`
')
optional_policy(`
@@ -5822,7 +5835,7 @@ index 1a82e29..73b1638 100644
seutil_sigchld_newrole(httpd_t)
')
-@@ -865,11 +1027,16 @@ optional_policy(`
+@@ -865,11 +1040,16 @@ optional_policy(`
')
optional_policy(`
@@ -5839,7 +5852,7 @@ index 1a82e29..73b1638 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1044,166 @@ optional_policy(`
+@@ -877,65 +1057,166 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5905,11 +5918,10 @@ index 1a82e29..73b1638 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache PHP script local policy
+#
+
@@ -5968,10 +5980,11 @@ index 1a82e29..73b1638 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache suexec local policy
#
@@ -6028,7 +6041,7 @@ index 1a82e29..73b1638 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1212,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1225,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6183,7 +6196,7 @@ index 1a82e29..73b1638 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1296,104 @@ optional_policy(`
+@@ -1077,172 +1309,104 @@ optional_policy(`
')
')
@@ -6203,13 +6216,13 @@ index 1a82e29..73b1638 100644
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
-+allow httpd_sys_script_t self:process getsched;
-
+-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
++allow httpd_sys_script_t self:process getsched;
+
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6362,7 +6375,8 @@ index 1a82e29..73b1638 100644
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
-
-kernel_read_kernel_sysctls(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-fs_search_auto_mountpoints(httpd_sys_script_t)
-
-files_read_var_symlinks(httpd_sys_script_t)
@@ -6372,8 +6386,7 @@ index 1a82e29..73b1638 100644
-apache_domtrans_rotatelogs(httpd_sys_script_t)
-
-auth_use_nsswitch(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
@@ -6419,7 +6432,7 @@ index 1a82e29..73b1638 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1401,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1414,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6516,7 +6529,7 @@ index 1a82e29..73b1638 100644
########################################
#
-@@ -1315,8 +1476,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1489,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6533,7 +6546,7 @@ index 1a82e29..73b1638 100644
')
########################################
-@@ -1324,49 +1492,36 @@ optional_policy(`
+@@ -1324,49 +1505,36 @@ optional_policy(`
# User content local policy
#
@@ -6597,7 +6610,7 @@ index 1a82e29..73b1638 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1531,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1544,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -8383,7 +8396,7 @@ index 16ec525..1dd4059 100644
########################################
diff --git a/blueman.te b/blueman.te
-index bc5c984..216e900 100644
+index bc5c984..63a4b1d 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
@@ -8414,7 +8427,7 @@ index bc5c984..216e900 100644
kernel_read_system_state(blueman_t)
kernel_request_load_module(blueman_t)
-@@ -41,29 +42,40 @@ corecmd_exec_bin(blueman_t)
+@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t)
dev_read_rand(blueman_t)
dev_read_urand(blueman_t)
dev_rw_wireless(blueman_t)
@@ -8439,6 +8452,10 @@ index bc5c984..216e900 100644
')
optional_policy(`
++ bluetooth_read_config(blueman_t)
++')
++
++optional_policy(`
+ dbus_system_domain(blueman_t, blueman_exec_t)
+')
+
@@ -29536,21 +29553,47 @@ index 08b7560..417e630 100644
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
diff --git a/iscsi.if b/iscsi.if
-index 1a35420..1d27695 100644
+index 1a35420..4b9b978 100644
--- a/iscsi.if
+++ b/iscsi.if
-@@ -88,27 +88,21 @@ interface(`iscsi_read_lib_files',`
- ## Domain allowed access.
+@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',`
+
+ ########################################
+ ## <summary>
+-## All of the rules required to
+-## administrate an iscsi environment.
++## Transition to iscsi named content
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
--## <summary>
++#
++interface(`iscsi_filetrans_named_content',`
++ gen_require(`
++ type iscsi_lock_t;
++ ')
++
++ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
++')
++
++
++########################################
++## <summary>
++## All of the rules required to
++## administrate an iscsi environment.
++## </summary>
++## <param name="domain">
+ ## <summary>
-## Role allowed access.
--## </summary>
--## </param>
++## Domain allowed access.
+ ## </summary>
+ ## </param>
## <rolecap/>
- #
- interface(`iscsi_admin',`
+@@ -99,16 +113,15 @@ interface(`iscsi_admin',`
gen_require(`
type iscsid_t, iscsi_lock_t, iscsi_log_t;
type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
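Review bot: The summary of the new `iscsi_filetrans_named_content` interface, `Transition to iscsi named content`, does not describe what its single rule does; `files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")` creates the `iscsi` directory under the lock directory labeled iscsi_lock_t, so `Create the iscsi lock directory with the correct label (iscsi_lock_t)` would be accurate. Two consecutive blank lines follow the interface's closing `')`, where the rest of the file uses one. The `iscsi_admin` interface whose header is restored at the end of this hunk continues past it.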
@@ -29572,7 +29615,7 @@ index 1a35420..1d27695 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index 57304e4..4fbe254 100644
+index 57304e4..46e5e3d 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -9,8 +9,8 @@ type iscsid_t;
@@ -29586,11 +29629,13 @@ index 57304e4..4fbe254 100644
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
-@@ -33,7 +33,6 @@ files_pid_file(iscsi_var_run_t)
+@@ -32,8 +32,7 @@ files_pid_file(iscsi_var_run_t)
+ # Local policy
#
- allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
+-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
-dontaudit iscsid_t self:capability sys_ptrace;
++allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
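Review bot: `sys_module` added to the iscsid_t capability set permits loading and unloading arbitrary kernel modules, which is far broader than the auto-loading the commit description cites. If the denial being fixed is the kernel's module_request issued on the daemon's behalf, `kernel_request_load_module(iscsid_t)` (used for blueman_t elsewhere in this commit) grants only that and keeps the capability out of the domain; `sys_module` should stay only if iscsid itself calls init_module/delete_module. Either way a comment on the line naming the triggering operation would keep the grant reviewable.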
@@ -38192,7 +38237,7 @@ index 6194b80..af1201e 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..7337554 100644
+index 6a306ee..550e8d7 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -38258,7 +38303,7 @@ index 6a306ee..7337554 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,29 +58,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -38287,13 +38332,12 @@ index 6a306ee..7337554 100644
type mozilla_plugin_config_t;
type mozilla_plugin_config_exec_t;
-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
--role mozilla_plugin_config_roles types mozilla_plugin_config_t;
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
+role mozilla_roles types mozilla_plugin_config_t;
+ role mozilla_plugin_config_roles types mozilla_plugin_config_t;
type mozilla_tmp_t;
- userdom_user_tmp_file(mozilla_tmp_t)
-@@ -63,10 +85,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -38304,7 +38348,7 @@ index 6a306ee..7337554 100644
########################################
#
# Local policy
-@@ -75,27 +93,30 @@ optional_policy(`
+@@ -75,27 +94,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -38348,7 +38392,7 @@ index 6a306ee..7337554 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +124,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -38456,7 +38500,7 @@ index 6a306ee..7337554 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +195,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -38567,7 +38611,7 @@ index 6a306ee..7337554 100644
')
optional_policy(`
-@@ -244,19 +275,12 @@ optional_policy(`
+@@ -244,19 +276,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -38589,7 +38633,7 @@ index 6a306ee..7337554 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +289,32 @@ optional_policy(`
+@@ -265,33 +290,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -38637,7 +38681,7 @@ index 6a306ee..7337554 100644
')
optional_policy(`
-@@ -300,221 +323,178 @@ optional_policy(`
+@@ -300,221 +324,179 @@ optional_policy(`
########################################
#
@@ -38653,6 +38697,7 @@ index 6a306ee..7337554 100644
+
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++allow mozilla_plugin_t self:netlink_socket create_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
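Review bot: The added `allow mozilla_plugin_t self:netlink_socket create_socket_perms;` grants the generic netlink_socket class, which covers every netlink protocol family that has no dedicated class in this policy, rather than only the family the Java plugin needs, and the rule carries no comment recording why it is there. A why-comment directly above it, `# jre1.7.0_21 java plugin creates a generic netlink socket (see 3.12.1-51 changelog)`, would keep the rationale next to the rule so it can be narrowed if a dedicated class is split out later. The enclosing mozilla_plugin_t local policy block starts outside this hunk.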
@@ -38956,7 +39001,7 @@ index 6a306ee..7337554 100644
')
optional_policy(`
-@@ -523,36 +503,48 @@ optional_policy(`
+@@ -523,36 +505,48 @@ optional_policy(`
')
optional_policy(`
@@ -39018,7 +39063,7 @@ index 6a306ee..7337554 100644
')
optional_policy(`
-@@ -560,7 +552,7 @@ optional_policy(`
+@@ -560,7 +554,7 @@ optional_policy(`
')
optional_policy(`
@@ -39027,7 +39072,7 @@ index 6a306ee..7337554 100644
')
optional_policy(`
-@@ -568,108 +560,118 @@ optional_policy(`
+@@ -568,108 +562,118 @@ optional_policy(`
')
optional_policy(`
@@ -39340,6 +39385,44 @@ index 7c8afcc..97f2b6f 100644
udev_read_db(mpd_t)
')
+diff --git a/mplayer.if b/mplayer.if
+index 861d5e9..87fd115 100644
+--- a/mplayer.if
++++ b/mplayer.if
+@@ -161,3 +161,33 @@ interface(`mplayer_home_filetrans_mplayer_home',`
+
+ userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
+ ')
++
++########################################
++## <summary>
++## Create specified objects in user home
++## directories with the generic mplayer
++## home type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## Class of the object being created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`mplayer_filetrans_home_content',`
++ gen_require(`
++ type mplayer_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
++')
diff --git a/mplayer.te b/mplayer.te
index 9aca704..f92829c 100644
--- a/mplayer.te
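Review bot: The new `mplayer_filetrans_home_content` interface in the mplayer.if hunk documents an `object_class` parameter and an optional `name` parameter, but its body never uses `$2` or `$3` and always calls `userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")`. Given the changelog entry about creating `.mplayer` with the correct label, the hard-coded call looks intended, so the two extra `<param>` blocks should be removed and the summary reworded to say that a `.mplayer` directory created by the domain in a user home directory is labelled `mplayer_home_t`. As written, a caller following the documentation and passing a class and name would have those arguments silently ignored by m4 and would not get the transition it asked for.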
@@ -45109,12 +45192,31 @@ index 0000000..02dc6dc
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
-index 0000000..7d11148
+index 0000000..cf8f660
--- /dev/null
+++ b/nova.if
-@@ -0,0 +1,36 @@
+@@ -0,0 +1,55 @@
+## <summary>openstack-nova</summary>
+
++######################################
++## <summary>
++## Manage nova lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nova_manage_lib_files',`
++ gen_require(`
++ type nova_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t)
++')
++
+#######################################
+## <summary>
+## Creates types and rules for a basic
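Review bot: The summary of the new `nova_manage_lib_files` interface in nova.if reads only `Manage nova lib files.`, which is terser than the refpolicy convention of spelling out the granted operations; `## Create, read, write, and delete nova lib files.` would follow that convention. The body also grants `rw_dir_perms` on `nova_var_lib_t` directories via `manage_files_pattern`, so the summary could note that directory entries become writable too, not just file contents.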
@@ -84787,7 +84889,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..8beef17 100644
+index 7116181..971952e 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -84805,7 +84907,7 @@ index 7116181..8beef17 100644
#
-allow tuned_t self:capability { sys_admin sys_nice };
-+allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
++allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio };
dontaudit tuned_t self:capability { dac_override sys_tty_config };
-allow tuned_t self:process { setsched signal };
+allow tuned_t self:process { setsched signal };
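Review bot: `net_admin` is added to tuned_t's capability set in tuned.te without a comment on which tuned operation requires it; the changelog says only "Allow net_admin for tuned_t". CAP_NET_ADMIN permits reconfiguring interfaces, routes and netfilter, so a why-comment on the rule, e.g. `# net_admin: presumably for tuned's network tuning (see 3.12.1-51 changelog) - confirm`, would let the next reviewer judge whether it still belongs. The rule sits in tuned_t's local policy block, which begins outside this hunk.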
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c58f618..36979ff 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 50%{?dist}
+Release: 51%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -530,6 +530,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jun 13 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-51
+- accountservice watches when accounts come and go in wtmp
+- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket
+- Add httpd_use_sasl boolean
+- Allow net_admin for tuned_t
+- iscsid needs sys_module to auto-load kernel modules
+- Allow blueman to read bluetooth conf
+- Add nova_manage_lib_files() interface
+- Fix mplayer_filetrans_home_content()
+- Add mplayer_filetrans_home_content()
+- mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t
+- Revert "Allow thumb_t to append inherited xdm stream socket"
+- Add iscsi_filetrans_named_content() interface
+- Allow to create .mplayer with the correct labeling for unconfined
+- Allow iscsiadmin to create lock file with the correct labeling
+
* Tue Jun 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-50
- Allow wine to manage wine home content
- Make amanda working with socket actiovation