[selinux-policy/f19] - Allow mdamd to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jul 9 14:16:52 UTC 2013


commit 5dba96234217fa9ac022adb1c93af0b7a24d3c87
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jul 9 16:16:24 2013 +0200

    - Allow mdadm to execute systemctl
    - Allow mdadm to read /dev/kvm
    - Allow ipsec_mgmt_t to read l2tpd pid content

 policy-rawhide-base.patch    |   19 +++++++++++++++----
 policy-rawhide-contrib.patch |   15 +++++++++------
 selinux-policy.spec          |    7 ++++++-
 3 files changed, 30 insertions(+), 11 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e4654a0..b2f2392 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -28623,7 +28623,7 @@ index 0d4c8d3..a89c4a2 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..468dc31 100644
+index 9e54bf9..9a068f6 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28791,7 +28791,18 @@ index 9e54bf9..468dc31 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t)
+@@ -322,6 +349,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	l2tpd_read_pid_files(ipsec_mgmt_t)
++')
++
++optional_policy(`
+ 	modutils_domtrans_insmod(ipsec_mgmt_t)
+ ')
+ 
+@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
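Review bot: `l2tpd_read_pid_files(ipsec_mgmt_t)` calls into the l2tpd contrib module from the base ipsec module; wrapping it in its own `optional_policy` block is the right shape, but nothing in this commit's contrib patch adds or changes that interface, so the base build relies on l2tpd.if already providing it under exactly that name — worth confirming before this lands. Neither the rule nor the commit message says which ipsec_mgmt_t program reads the l2tpd pid content, so a one-line comment above the block naming the caller (the audit that motivated the rule) would let a future reader judge whether read access is still needed. The surrounding ipsec_mgmt_t rules continue outside this hunk on both ends.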
@@ -28811,7 +28822,7 @@ index 9e54bf9..468dc31 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -28824,7 +28835,7 @@ index 9e54bf9..468dc31 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d522f2d..69b3776 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -65573,7 +65573,7 @@ index 951db7f..6d6ec1d 100644
 +	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
  ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..36f43a3 100644
+index 2c1730b..e9c20b8 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@@ -65586,7 +65586,7 @@ index 2c1730b..36f43a3 100644
  type mdadm_var_run_t alias mdadm_map_t;
  files_pid_file(mdadm_var_run_t)
  dev_associate(mdadm_var_run_t)
-@@ -25,23 +28,29 @@ dev_associate(mdadm_var_run_t)
+@@ -25,23 +28,31 @@ dev_associate(mdadm_var_run_t)
  #
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -65610,6 +65610,8 @@ index 2c1730b..36f43a3 100644
 -files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
 +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
 +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
++
++can_exec(mdadm_t, mdadm_exec_t)
  
  kernel_getattr_core_if(mdadm_t)
  kernel_read_system_state(mdadm_t)
@@ -65620,7 +65622,7 @@ index 2c1730b..36f43a3 100644
  
  corecmd_exec_bin(mdadm_t)
  corecmd_exec_shell(mdadm_t)
-@@ -49,19 +58,24 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +60,25 @@ corecmd_exec_shell(mdadm_t)
  dev_rw_sysfs(mdadm_t)
  dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -65628,6 +65630,7 @@ index 2c1730b..36f43a3 100644
 +dev_read_framebuffer(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  dev_read_raw_memory(mdadm_t)
++dev_read_kvm(mdadm_t)
 +dev_read_nvram(mdadm_t)
 +dev_read_generic_files(mdadm_t)
  
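Review bot: `dev_read_kvm(mdadm_t)` grants the whole read_chr_file_perms set on kvm_device_t, which in refpolicy includes ioctl — the KVM control interface — while the neighbouring `dev_dontaudit_getattr_all_chr_files(mdadm_t)` suggests mdadm is only expected to stumble over /dev/kvm while scanning /dev. If the audited denial was just open/read from that scan rather than a genuine need to use KVM, a dontaudit rule for kvm_device_t would be the narrower fix; if the read really is needed, a comment next to the rule such as `# mdadm opens /dev/kvm while probing devices; it does not use KVM` would record why and bound the intent. The raid.te hunk continues outside this hunk on both ends.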
@@ -65647,7 +65650,7 @@ index 2c1730b..36f43a3 100644
  
  mls_file_read_all_levels(mdadm_t)
  mls_file_write_all_levels(mdadm_t)
-@@ -70,16 +84,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +87,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
  storage_write_scsi_generic(mdadm_t)
@@ -65664,10 +65667,10 @@ index 2c1730b..36f43a3 100644
  logging_send_syslog_msg(mdadm_t)
  
 -miscfiles_read_localization(mdadm_t)
--
++systemd_exec_systemctl(mdadm_t)
+ 
  userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
  userdom_dontaudit_search_user_home_content(mdadm_t)
- userdom_dontaudit_use_user_terminals(mdadm_t)
 diff --git a/razor.fc b/razor.fc
 index 6723f4d..6e26673 100644
 --- a/razor.fc
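Review bot: `systemd_exec_systemctl(mdadm_t)` lets mdadm_t run systemctl without a domain transition, which is a broad grant for a RAID management domain — the Fedora interface, if I recall it correctly, also opens the init/D-Bus channel systemctl needs, so mdadm_t can then start or stop any unit. Neither the rule nor the commit message says which unit mdadm needs to control; a comment next to the rule naming it would make the scope reviewable and let a future reader judge whether a narrower interface suffices. Separately, the context line `userdom_dontaudit_use_user_terminals(mdadm_t)` is dropped from the tail of the inner hunk; the counts in the rewritten `@@ -70,15 +87,19 @@` header are consistent so the patch still applies, but regenerating the hunk instead of hand-editing it would keep the standard three lines of trailing context. The raid.te hunk continues outside this hunk on both ends.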
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e018030..03605ec 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 60%{?dist}
+Release: 61%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jul 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-61
+- Allow mdamd to execute systemctl
+- Allow mdadm to read /dev/kvm
+- Allow ipsec_mgmt_t to read l2tpd pid content
+
 * Mon Jul 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-60
 - Allow nsd_t to read /dev/urand
 - Allow mdadm_t to read framebuffer

