[selinux-policy/f19] - Allow mdamd to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jul 9 14:16:52 UTC 2013
commit 5dba96234217fa9ac022adb1c93af0b7a24d3c87
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Jul 9 16:16:24 2013 +0200
- Allow mdadm to execute systemctl
- Allow mdadm to read /dev/kvm
- Allow ipsec_mgmt_t to read l2tpd pid content
policy-rawhide-base.patch | 19 +++++++++++++++----
policy-rawhide-contrib.patch | 15 +++++++++------
selinux-policy.spec | 7 ++++++-
3 files changed, 30 insertions(+), 11 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e4654a0..b2f2392 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -28623,7 +28623,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..468dc31 100644
+index 9e54bf9..9a068f6 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28791,7 +28791,18 @@ index 9e54bf9..468dc31 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t)
+@@ -322,6 +349,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ l2tpd_read_pid_files(ipsec_mgmt_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(ipsec_mgmt_t)
+ ')
+
+@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -28811,7 +28822,7 @@ index 9e54bf9..468dc31 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -28824,7 +28835,7 @@ index 9e54bf9..468dc31 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d522f2d..69b3776 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -65573,7 +65573,7 @@ index 951db7f..6d6ec1d 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
-index 2c1730b..36f43a3 100644
+index 2c1730b..e9c20b8 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@@ -65586,7 +65586,7 @@ index 2c1730b..36f43a3 100644
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
-@@ -25,23 +28,29 @@ dev_associate(mdadm_var_run_t)
+@@ -25,23 +28,31 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -65610,6 +65610,8 @@ index 2c1730b..36f43a3 100644
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
++
++can_exec(mdadm_t, mdadm_exec_t)
kernel_getattr_core_if(mdadm_t)
kernel_read_system_state(mdadm_t)
@@ -65620,7 +65622,7 @@ index 2c1730b..36f43a3 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -49,19 +58,24 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +60,25 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -65628,6 +65630,7 @@ index 2c1730b..36f43a3 100644
+dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
++dev_read_kvm(mdadm_t)
+dev_read_nvram(mdadm_t)
+dev_read_generic_files(mdadm_t)
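Review bot: `dev_read_kvm(mdadm_t)` hands a RAID management tool read access to the KVM hypervisor device, which has no obvious relation to array assembly, and the hunk carries no comment or bug reference explaining the denial that motivated it. If the access arose from mdadm enumerating everything under /dev (an inference, not visible here), a dontaudit rule would be the least-privilege fix rather than an allow; raid.te already takes that approach a few lines above with `dev_dontaudit_getattr_all_chr_files(mdadm_t)` (visible in the preceding hunk). If the read is genuinely needed, add a one-line rationale above the rule, e.g. `# mdadm opens /dev/kvm while probing devices; see <bug reference>` with the real reference filled in. The enclosing raid.te rule block runs past the hunk on both sides.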
@@ -65647,7 +65650,7 @@ index 2c1730b..36f43a3 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,16 +84,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +87,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -65664,10 +65667,10 @@ index 2c1730b..36f43a3 100644
logging_send_syslog_msg(mdadm_t)
-miscfiles_read_localization(mdadm_t)
--
++systemd_exec_systemctl(mdadm_t)
+
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
- userdom_dontaudit_use_user_terminals(mdadm_t)
diff --git a/razor.fc b/razor.fc
index 6723f4d..6e26673 100644
--- a/razor.fc
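Review bot: `systemd_exec_systemctl(mdadm_t)` lets a compromised or misbehaving mdadm invoke systemctl, and since no domain transition is granted here systemctl runs as mdadm_t with whatever init-socket and D-Bus reach that interface and the rest of raid.te provide — nothing in this policy constrains which units it may start or stop. The hunk gives no rationale; if the caller is a udev rule or mdadm hook that starts one specific unit (inferred, not shown), record that above the rule, e.g. `# mdadm hooks call systemctl to start per-array units; no transition, so it runs as mdadm_t`, so the next maintainer sees the scope being traded away. It is also worth confirming that this interface alone suffices, since a bare exec of systemctl tends to produce follow-up denials on the init socket if the interface does not already cover them, rather than landing an allow that gets widened again later. The enclosing raid.te rule block starts before this hunk, and the hunk ends in razor.fc's header lines.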
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e018030..03605ec 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 60%{?dist}
+Release: 61%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jul 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-61
+- Allow mdamd to execute systemctl
+- Allow mdadm to read /dev/kvm
+- Allow ipsec_mgmt_t to read l2tpd pid content
+
* Mon Jul 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-60
- Allow nsd_t to read /dev/urand
- Allow mdadm_t to read framebuffer