[selinux-policy/f19] - Make DSPAM to act as a LDA working - Allow ntop to create netlink socket - Allow policykit to send

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jun 26 19:55:55 UTC 2013


commit 16759ea7a6084d6ad78cd2ac541dbf64bf385b5d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jun 26 21:55:27 2013 +0200

    - Make DSPAM work as an LDA (local delivery agent)
    - Allow ntop to create netlink socket
    - Allow policykit to send a signal to policykit-auth
    - Allow stapserver to dbus chat with avahi/systemd-logind
    - Fix labeling on haproxy unit file
    - Clean up haproxy policy
    - A new policy for haproxy and placed it to rhcs.te
    - Add support for ldirectord and treat it with cluster_t
    - Make sure anaconda log dir is created with var_log_t

 policy-rawhide-base.patch    |   44 ++++++-----
 policy-rawhide-contrib.patch |  173 ++++++++++++++++++++++++++++++------------
 selinux-policy.spec          |   13 +++-
 3 files changed, 160 insertions(+), 70 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 5de1404..26827c4 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -29915,7 +29915,7 @@ index b50c5fe..2faaaf2 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..5481f47 100644
+index 4e94884..55d2481 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -30011,11 +30011,18 @@ index 4e94884..5481f47 100644
  	gen_require(`
 -		type syslogd_t, devlog_t;
 +		attribute syslog_client_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
+-	allow $1 devlog_t:sock_file write_sock_file_perms;
 +	typeattribute $1 syslog_client_type;
 +')
-+
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -30030,7 +30037,11 @@ index 4e94884..5481f47 100644
 +	gen_require(`
 +		type devlog_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	allow $1 devlog_t:sock_file manage_sock_file_perms;
 +	dev_filetrans($1, devlog_t, sock_file)
 +	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
@@ -30067,18 +30078,11 @@ index 4e94884..5481f47 100644
 +interface(`logging_relabel_syslog_pid_socket',`
 +	gen_require(`
 +		type devlog_t;
- 	')
- 
--	allow $1 devlog_t:lnk_file read_lnk_file_perms;
--	allow $1 devlog_t:sock_file write_sock_file_perms;
++	')
++
 +	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -30093,11 +30097,7 @@ index 4e94884..5481f47 100644
 +	gen_require(`
 +		type syslogd_t, syslogd_var_run_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
  ')
@@ -30288,7 +30288,7 @@ index 4e94884..5481f47 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1323,33 @@ interface(`logging_admin',`
+@@ -1085,3 +1323,35 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
@@ -30321,6 +30321,8 @@ index 4e94884..5481f47 100644
 +    files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
 +
 +	init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
++
++    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
 index 39ea221..7094526 100644
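Review bot: The added `logging_log_filetrans($1, var_log_t, dir, "anaconda")` carries no comment saying why a named transition onto the generic var_log_t is needed, so the next maintainer cannot tell whether a dedicated anaconda log type was considered and rejected; add `# anaconda creates /var/log/anaconda itself; pin the dir to var_log_t instead of the creating domain's default log type` above it (the creating domain is not visible here, so confirm that wording against the denial). The line is also indented with four spaces where the adjacent `init_named_pid_filetrans` line uses a tab; match the tab. The enclosing interface begins before this hunk.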
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 25a1ae2..74e826a 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -22423,7 +22423,7 @@ index 18f2452..a446210 100644
 +
  ')
 diff --git a/dspam.te b/dspam.te
-index 266cb8f..d606e12 100644
+index 266cb8f..63643a8 100644
 --- a/dspam.te
 +++ b/dspam.te
 @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@@ -22473,6 +22473,18 @@ index 266cb8f..d606e12 100644
  ')
  
  optional_policy(`
+@@ -87,3 +109,11 @@ optional_policy(`
+ 
+ 	postgresql_tcp_connect(dspam_t)
+ ')
++
++optional_policy(`
++    postfix_rw_inherited_master_pipes(dspam_t)
++')
++
++optional_policy(`
++    procmail_domtrans(dspam_t)
++')
 diff --git a/entropyd.te b/entropyd.te
 index a0da189..d8bc9d5 100644
 --- a/entropyd.te
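Review bot: `procmail_domtrans(dspam_t)` gives dspam an unconditional transition into procmail_t, a domain that presumably executes per-user delivery recipes, so dspam_t gains an execution path into user-controlled code that only LDA deployments need; consider gating both new rules behind a tunable in the style of `fenced_can_network_connect` (L364, L444) so installations that run dspam purely as a filter keep the tighter policy. At minimum add a why-comment above the two blocks, e.g. `# dspam acting as an LDA: reads the pipe inherited from the postfix master and re-delivers through procmail`. The two new blocks are indented with four spaces while the neighbouring optional_policy block (L146) uses a tab.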
@@ -47704,10 +47716,18 @@ index 0000000..7d839fe
 +	pulseaudio_setattr_home_dir(nsplugin_t)
 +')
 diff --git a/ntop.te b/ntop.te
-index 52757d8..6ce5c69 100644
+index 52757d8..0f7f5e4 100644
 --- a/ntop.te
 +++ b/ntop.te
-@@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t)
+@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
+ dontaudit ntop_t self:capability sys_tty_config;
+ allow ntop_t self:process signal_perms;
+ allow ntop_t self:fifo_file rw_fifo_file_perms;
++allow ntop_t self:netlink_socket create_socket_perms;
+ allow ntop_t self:tcp_socket { accept listen };
+ allow ntop_t self:unix_stream_socket { accept listen };
+ allow ntop_t self:packet_socket create_socket_perms;
+@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t)
  kernel_read_network_state(ntop_t)
  kernel_read_kernel_sysctls(ntop_t)
  
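Review bot: The new `allow ntop_t self:netlink_socket create_socket_perms;` grants the generic netlink class, which stands in for every netlink family that lacks a dedicated class (route, audit and kobject_uevent, among others, have their own), so the rule should record which family ntop actually opens; if the AVC denial named a specific class such as netlink_route_socket, use that class instead, and if it really was the generic one add `# ntop opens a netlink family that has no dedicated object class` above the rule so the breadth is visibly deliberate. ntop_t already holds net_admin (L168), and a generic netlink socket next to net_admin is a combination worth keeping as narrow as the denial allows.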
@@ -47715,7 +47735,7 @@ index 52757d8..6ce5c69 100644
  corenet_all_recvfrom_netlabel(ntop_t)
  corenet_tcp_sendrecv_generic_if(ntop_t)
  corenet_raw_sendrecv_generic_if(ntop_t)
-@@ -78,10 +77,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
+@@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
  
  dev_read_sysfs(ntop_t)
  dev_rw_generic_usb_dev(ntop_t)
@@ -54846,7 +54866,7 @@ index 032a84d..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policykit.te b/policykit.te
-index 49694e8..12483ae 100644
+index 49694e8..d14cc7d 100644
 --- a/policykit.te
 +++ b/policykit.te
 @@ -1,4 +1,4 @@
@@ -54878,7 +54898,7 @@ index 49694e8..12483ae 100644
  
  type policykit_resolve_t, policykit_domain;
  type policykit_resolve_exec_t;
-@@ -42,63 +37,65 @@ files_pid_file(policykit_var_run_t)
+@@ -42,63 +37,66 @@ files_pid_file(policykit_var_run_t)
  
  #######################################
  #
@@ -54914,6 +54934,7 @@ index 49694e8..12483ae 100644
 +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
 +policykit_domtrans_auth(policykit_t)
++allow policykit_t policykit_auth_t:process signal;
 +
 +can_exec(policykit_t, policykit_exec_t)
 +corecmd_exec_bin(policykit_t)
@@ -54963,7 +54984,7 @@ index 49694e8..12483ae 100644
  	optional_policy(`
  		consolekit_dbus_chat(policykit_t)
  	')
-@@ -109,29 +106,43 @@ optional_policy(`
+@@ -109,29 +107,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55015,7 +55036,7 @@ index 49694e8..12483ae 100644
  
  rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
  
-@@ -145,9 +156,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,9 +157,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
  
@@ -55025,7 +55046,7 @@ index 49694e8..12483ae 100644
  kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
  
  dev_read_video_dev(policykit_auth_t)
-@@ -157,53 +165,64 @@ files_search_home(policykit_auth_t)
+@@ -157,53 +166,64 @@ files_search_home(policykit_auth_t)
  
  fs_getattr_all_fs(policykit_auth_t)
  fs_search_tmpfs(policykit_auth_t)
@@ -55100,7 +55121,7 @@ index 49694e8..12483ae 100644
  
  rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
  
-@@ -211,23 +230,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +231,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
  
  manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
  
@@ -55127,7 +55148,7 @@ index 49694e8..12483ae 100644
  	optional_policy(`
  		consolekit_dbus_chat(policykit_grant_t)
  	')
-@@ -235,26 +251,28 @@ optional_policy(`
+@@ -235,26 +252,28 @@ optional_policy(`
  
  ########################################
  #
@@ -55162,7 +55183,7 @@ index 49694e8..12483ae 100644
  userdom_read_all_users_state(policykit_resolve_t)
  
  optional_policy(`
-@@ -266,6 +284,7 @@ optional_policy(`
+@@ -266,6 +285,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66629,22 +66650,23 @@ index b418d1c..1ad9c12 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..1f5dbf8 100644
+index 47de2d6..347ddf7 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,74 @@
+@@ -1,31 +1,80 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
-+/usr/sbin/fenced			--	gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/fenced			    --	gen_context(system_u:object_r:fenced_exec_t,s0)
 +/usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
 +/usr/sbin/fence_sanlockd		--	gen_context(system_u:object_r:fenced_exec_t,s0)
-+/usr/sbin/fence_tool                    --      gen_context(system_u:object_r:fenced_exec_t,s0) 
-+/usr/sbin/fence_virtd 			--      gen_context(system_u:object_r:fenced_exec_t,s0) 
++/usr/sbin/fence_tool            --  gen_context(system_u:object_r:fenced_exec_t,s0) 
++/usr/sbin/fence_virtd 			--  gen_context(system_u:object_r:fenced_exec_t,s0) 
 +/usr/sbin/gfs_controld			--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
-+/usr/sbin/foghorn               --      gen_context(system_u:object_r:foghorn_exec_t,s0)
-+/usr/sbin/groupd			--	gen_context(system_u:object_r:groupd_exec_t,s0)
-+/usr/sbin/qdiskd			--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
++/usr/sbin/foghorn               --  gen_context(system_u:object_r:foghorn_exec_t,s0)
++/usr/sbin/groupd			    --	gen_context(system_u:object_r:groupd_exec_t,s0)
++/usr/sbin/haproxy               --  gen_context(system_u:object_r:haproxy_exec_t,s0)
++/usr/sbin/qdiskd			    --	gen_context(system_u:object_r:qdiskd_exec_t,s0)
  
 -/usr/sbin/dlm_controld	--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
 -/usr/sbin/fenced	--	gen_context(system_u:object_r:fenced_exec_t,s0)
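Review bot: The new `/usr/sbin/haproxy` entry and the re-aligned entries around it (L283, L288-L289, L295, L297) mix tabs with runs of spaces, so the file ends up inconsistently indented and the diff rewrites lines whose labels did not change; use a single tab between path, `--` and `gen_context` as the untouched entries (L281, L284-L285, L290) do. Keeping the alignment churn out of the hunk would also leave the one real change here, labeling haproxy `haproxy_exec_t`, reviewable on its own.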
@@ -66654,23 +66676,26 @@ index 47de2d6..1f5dbf8 100644
 -/usr/sbin/gfs_controld	--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
 -/usr/sbin/groupd	--	gen_context(system_u:object_r:groupd_exec_t,s0)
 -/usr/sbin/qdiskd	--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
-+/var/lock/fence_manual\.lock		--	gen_context(system_u:object_r:fenced_lock_t,s0)
++/usr/lib/systemd/system/haproxy.*     --  gen_context(system_u:object_r:haproxy_unit_file_t,s0)
  
 -/var/lock/fence_manual\.lock	--	gen_context(system_u:object_r:fenced_lock_t,s0)
++/var/lock/fence_manual\.lock		--	gen_context(system_u:object_r:fenced_lock_t,s0)
+ 
+-/var/lib/qdiskd(/.*)?	gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
 +/var/lib/cluster(/.*)?				gen_context(system_u:object_r:cluster_var_lib_t,s0)
++/var/lib/haproxy(/.*)?              gen_context(system_u:object_r:haproxy_var_lib_t,s0)
 +/var/lib/qdiskd(/.*)?				gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
  
--/var/lib/qdiskd(/.*)?	gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
--
 -/var/log/cluster/.*\.*log	<<none>>
 +/var/log/cluster/.*\.*log			<<none>>
  /var/log/cluster/dlm_controld\.log.*	--	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
 -/var/log/cluster/fenced\.log.*	--	gen_context(system_u:object_r:fenced_var_log_t,s0)
-+/var/log/cluster/fenced\.log.*		--	gen_context(system_u:object_r:fenced_var_log_t,s0)
++/var/log/cluster/fenced\.log.*		    --	gen_context(system_u:object_r:fenced_var_log_t,s0)
  /var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
 -/var/log/cluster/qdiskd\.log.*	--	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
-+/var/log/cluster/qdiskd\.log.*		--	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
- /var/log/dlm_controld(/.*)?	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+-/var/log/dlm_controld(/.*)?	gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
++/var/log/cluster/qdiskd\.log.*		    --	gen_context(system_u:object_r:qdiskd_var_log_t,s0)
++/var/log/dlm_controld(/.*)?	                gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
  
  /var/run/cluster/fenced_override	--	gen_context(system_u:object_r:fenced_var_run_t,s0)
 -/var/run/cluster/fence_scsi.*	--	gen_context(system_u:object_r:fenced_var_run_t,s0)
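Review bot: `/usr/lib/systemd/system/haproxy.*` is labeled `haproxy_unit_file_t`, but nothing in this commit adds that type to the rhcs admin interface, whereas the existing unit type is handled there (`allow $1 cluster_unit_file_t:service all_service_perms;`, L357); unless rhcs.if is updated outside this diff, an admin role will see the unit file but be unable to start or stop haproxy through it. Add the matching `allow $1 haproxy_unit_file_t:service all_service_perms;` beside the cluster one, or, if haproxy is meant to be driven only as a cluster resource, say so in a comment next to the label. The `/var/lib/haproxy(/.*)?` entry also uses spaces where its siblings use tabs.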
@@ -66682,10 +66707,11 @@ index 47de2d6..1f5dbf8 100644
 -/var/run/qdiskd\.pid	--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 +/var/run/cluster/fence_scsi.*           --       gen_context(system_u:object_r:fenced_var_run_t,s0)
 +/var/run/dlm_controld\.pid		--	gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-+/var/run/dlm_controld(/.*)?		gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
-+/var/run/fence.*				gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/dlm_controld(/.*)?		    gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
++/var/run/fence.*				    gen_context(system_u:object_r:fenced_var_run_t,s0)
 +/var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
 +/var/run/groupd\.pid			--	gen_context(system_u:object_r:groupd_var_run_t,s0)
++/var/run/haproxy\.pid           --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
 +/var/run/qdiskd\.pid			--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 +
 +# cluster administrative domains file spec
@@ -66705,6 +66731,7 @@ index 47de2d6..1f5dbf8 100644
 +/usr/sbin/cpglockd			--	gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/ccs_tool      	--  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/cman_tool     	--  gen_context(system_u:object_r:cluster_exec_t,s0)
++/usr/sbin/ldirectord        --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/rgmanager         --  gen_context(system_u:object_r:cluster_exec_t,s0)
 +/usr/sbin/pacemakerd    	--  gen_context(system_u:object_r:cluster_exec_t,s0)
 +
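Review bot: Mapping `/usr/sbin/ldirectord` to `cluster_exec_t` runs it in the shared cluster_t domain next to pacemakerd, rgmanager and cman_tool (L349-L354), so a daemon whose job is health-checking backend services over the network (and, presumably, driving the IPVS tables) inherits every right that domain already has and adds its own needs to it; a dedicated domain via `rhcs_domain_template`, as this commit does for haproxy (L374), would keep the two workloads separable. If the shared domain is the intended trade-off, record it above the entry: `# ldirectord runs in cluster_t: started as a cluster resource, needs the same rights` (the resource-agent relationship is not visible here, so confirm before committing to that wording).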
@@ -67437,7 +67464,7 @@ index 56bc01f..895e16e 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..2bf6984 100644
+index 2c2de9a..1eaca34 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -67468,7 +67495,21 @@ index 2c2de9a..2bf6984 100644
  attribute cluster_domain;
  attribute cluster_log;
  attribute cluster_pid;
-@@ -50,28 +71,267 @@ rhcs_domain_template(qdiskd)
+@@ -44,34 +65,281 @@ type foghorn_initrc_exec_t;
+ init_script_file(foghorn_initrc_exec_t)
+ 
+ rhcs_domain_template(gfs_controld)
++rhcs_domain_template(haproxy)
++
++type haproxy_var_lib_t;
++files_type(haproxy_var_lib_t)
++
++type haproxy_unit_file_t;
++systemd_unit_file(haproxy_unit_file_t)
++
+ rhcs_domain_template(groupd)
+ rhcs_domain_template(qdiskd)
+ 
  type qdiskd_var_lib_t;
  files_type(qdiskd_var_lib_t)
  
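Review bot: `rhcs_domain_template(haproxy)` is inserted between gfs_controld and groupd, breaking the alphabetical order of the template calls (gfs_controld, groupd, qdiskd); move it after `rhcs_domain_template(groupd)`, with its two type declarations following. More importantly, if the template attaches the `cluster_domain` attribute declared at L366, as it appears to do for the other daemons, haproxy_t silently inherits every rule written against that attribute, and a general-purpose TCP proxy is a larger exposure than the cluster daemons those rules were written for; a comment such as `# haproxy is confined in rhcs because it is deployed as a cluster resource` would settle that question for the next reviewer.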
@@ -67740,7 +67781,7 @@ index 2c2de9a..2bf6984 100644
  ')
  
  #####################################
-@@ -79,7 +339,7 @@ optional_policy(`
+@@ -79,7 +347,7 @@ optional_policy(`
  # dlm_controld local policy
  #
  
@@ -67749,7 +67790,7 @@ index 2c2de9a..2bf6984 100644
  allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
  stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-@@ -98,6 +358,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,6 +366,16 @@ fs_manage_configfs_dirs(dlm_controld_t)
  
  init_rw_script_tmp_files(dlm_controld_t)
  
@@ -67766,7 +67807,7 @@ index 2c2de9a..2bf6984 100644
  #######################################
  #
  # fenced local policy
-@@ -105,9 +375,13 @@ init_rw_script_tmp_files(dlm_controld_t)
+@@ -105,9 +383,13 @@ init_rw_script_tmp_files(dlm_controld_t)
  
  allow fenced_t self:capability { sys_rawio sys_resource };
  allow fenced_t self:process { getsched signal_perms };
@@ -67781,7 +67822,7 @@ index 2c2de9a..2bf6984 100644
  manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
  files_lock_filetrans(fenced_t, fenced_lock_t, file)
  
-@@ -118,9 +392,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +400,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
  
  stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
  
@@ -67792,7 +67833,7 @@ index 2c2de9a..2bf6984 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -148,9 +421,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +429,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
@@ -67803,7 +67844,7 @@ index 2c2de9a..2bf6984 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +431,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +439,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -67812,7 +67853,7 @@ index 2c2de9a..2bf6984 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -190,10 +461,6 @@ optional_policy(`
+@@ -190,10 +469,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67823,7 +67864,7 @@ index 2c2de9a..2bf6984 100644
  	lvm_domtrans(fenced_t)
  	lvm_read_config(fenced_t)
  ')
-@@ -203,6 +470,13 @@ optional_policy(`
+@@ -203,6 +478,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -67837,7 +67878,7 @@ index 2c2de9a..2bf6984 100644
  #######################################
  #
  # foghorn local policy
-@@ -223,14 +497,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
+@@ -223,14 +505,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
  dev_read_urand(foghorn_t)
  
@@ -67856,7 +67897,7 @@ index 2c2de9a..2bf6984 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -257,6 +533,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +541,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -67865,7 +67906,7 @@ index 2c2de9a..2bf6984 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +553,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +561,36 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -67875,10 +67916,36 @@ index 2c2de9a..2bf6984 100644
  
 +logging_send_syslog_msg(groupd_t)
 +
++########################################
++#
++# haproxy local policy
++#
++
++# bug in haproxy and process vs pid owner
++allow haproxy_t self:capability dac_override;
++
++allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
++allow haproxy_t self:process { fork setrlimit signal_perms };
++allow haproxy_t self:fifo_file rw_fifo_file_perms;
++allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
++allow haproxy_t self:tcp_socket { accept listen };
++
++manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
++manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
++manage_lnk_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
++manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
++files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
++
++corenet_tcp_connect_commplex_link_port(haproxy_t)
++corenet_tcp_connect_commplex_main_port(haproxy_t)
++corenet_tcp_bind_commplex_main_port(haproxy_t)
++
++sysnet_dns_name_resolve(haproxy_t)
++
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +599,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +633,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
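Review bot: `allow haproxy_t self:capability dac_override;` is justified only by "bug in haproxy and process vs pid owner", which gives nobody a way to know when the workaround can go; dac_override lets the domain ignore file mode bits on every file its type rules already reach, so the comment should name the bug and the rule should be removed once it is fixed, e.g. `# workaround for haproxy <bug reference>: pidfile owner differs from the process uid; drop when fixed`. Separately, the block grants no `logging_send_syslog_msg(haproxy_t)`, although this same commit adds exactly that for groupd (L489), which suggests the template does not supply it; haproxy's logging is normally syslog-based, so expect denials on /dev/log unless the right arrives from elsewhere. The listening side is limited to `corenet_tcp_bind_commplex_main_port` (L513); if this haproxy is expected to front http/https it needs its own port rule or a tunable, and if not, a comment saying so.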
@@ -71013,7 +71080,7 @@ index 0628d50..84f2fd7 100644
 +	allow rpm_script_t $1:process sigchld;
  ')
 diff --git a/rpm.te b/rpm.te
-index 5cbe81c..ff2b58e 100644
+index 5cbe81c..94b945c 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,15 +1,13 @@
@@ -71412,7 +71479,7 @@ index 5cbe81c..ff2b58e 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -363,40 +379,54 @@ ifdef(`distro_redhat',`
+@@ -363,40 +379,58 @@ ifdef(`distro_redhat',`
  	')
  ')
  
@@ -71436,11 +71503,15 @@ index 5cbe81c..ff2b58e 100644
  
  optional_policy(`
  	dbus_system_bus_client(rpm_script_t)
-+')
  
 -	optional_policy(`
 -		unconfined_dbus_chat(rpm_script_t)
 -	')
++    optional_policy(`
++        systemd_dbus_chat_logind(rpm_script_t)
++    ')
++')
++
 +optional_policy(`
 +	lvm_domtrans(rpm_script_t, rpm_script_roles)
 +')
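Review bot: The nested `systemd_dbus_chat_logind(rpm_script_t)` has no comment saying which scriptlet behaviour talks to logind, and rpm_script_t is transitioned to unconfined further down (L561), so the reader cannot tell whether this fixes a real denial or is a stop-gap; add `# scriptlets that call loginctl/systemctl reach logind over the system bus` (the triggering scriptlet is not visible here, so adjust the wording to the denial). The new block uses four-space indentation while the sibling block at L557-L558 uses a tab.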
@@ -71477,7 +71548,7 @@ index 5cbe81c..ff2b58e 100644
  	unconfined_domtrans(rpm_script_t)
  
  	optional_policy(`
-@@ -409,6 +439,6 @@ optional_policy(`
+@@ -409,6 +443,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81602,10 +81673,10 @@ index 0000000..80c6480
 +')
 diff --git a/stapserver.te b/stapserver.te
 new file mode 100644
-index 0000000..3ac6ad7
+index 0000000..e472397
 --- /dev/null
 +++ b/stapserver.te
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,113 @@
 +policy_module(stapserver, 1.0.0)
 +
 +########################################
@@ -81691,9 +81762,15 @@ index 0000000..3ac6ad7
 +#lspci
 +miscfiles_read_hwdata(stapserver_t)
 +
++systemd_dbus_chat_logind(stapserver_t)
++
 +userdom_use_user_terminals(stapserver_t)
 +
 +optional_policy(`
++    avahi_dbus_chat(stapserver_t)
++')
++
++optional_policy(`
 +	consoletype_exec(stapserver_t)
 +')
 +
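Review bot: `systemd_dbus_chat_logind(stapserver_t)` is called bare, while the same interface is wrapped in `optional_policy` in rpm.te in this very commit (L552-L554) and while the adjacent `avahi_dbus_chat` is wrapped here; the two styles should agree, and the nested rpm.te form is likely the safer one since it keeps the module loadable when the dbus pieces are absent. Both calls also lack a why-comment: a compile server advertising itself through avahi is a plausible reason for the avahi chat, but what stap-server needs from logind is not visible, so add e.g. `# stap-server talks to logind over D-Bus (reason: TODO)` until the triggering denial is recorded. The new lines are indented with four spaces where the file uses tabs (L595).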
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 85e2df0..a76120a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 56%{?dist}
+Release: 57%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jun 26 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-57
+- Make DSPAM to act as a LDA working
+- Allow ntop to create netlink socket
+- Allow policykit to send a signal to policykit-auth
+- Allow stapserver to dbus chat with avahi/systemd-logind
+- Fix labeling on haproxy unit file
+- Clean up haproxy policy
+- A new policy for haproxy and placed it to rhcs.te
+- Add support for ldirectord and treat it with cluster_t
+- Make sure anaconda log dir is created with var_log_t
+
 * Mon Jun 24 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-56
 - Allow lvm_t to create default targets for filesystem handling
 - Fix labeling for razor-lightdm binaries

