[gogoc] Update SELinux policy to 1.0.3
Juan Orti
jorti at fedoraproject.org
Thu Aug 22 11:51:13 UTC 2013
commit 598ea98a9120816c7fcb2e9ec4d35ac2f541913f
Author: Juan Orti Alcaine <jorti at fedoraproject.org>
Date: Thu Aug 22 13:50:38 2013 +0200
Update SELinux policy to 1.0.3
gogoc.fc | 4 +---
gogoc.spec | 9 ++++++++-
gogoc.te | 44 +++++++++++++++++---------------------------
3 files changed, 26 insertions(+), 31 deletions(-)
---
diff --git a/gogoc.fc b/gogoc.fc
index 08e002d..3d9dcf5 100644
--- a/gogoc.fc
+++ b/gogoc.fc
@@ -8,6 +8,4 @@
/var/run/gogoc(/.*)? gen_context(system_u:object_r:gogoc_var_run_t,s0)
-/var/run/gogoc/gogoc-rtadvd.conf gen_context(system_u:object_r:radvd_etc_t,s0)
-
-/etc/gogoc(/.*)? gen_context(system_u:object_r:gogoc_etc_t,s0)
+/etc/gogoc(/.*)? gen_context(system_u:object_r:gogoc_conf_t,s0)
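Review bot: The gogoc_etc_t → gogoc_conf_t rename on the `/etc/gogoc(/.*)?` entry is mirrored in gogoc.te, but the diffstat lists no gogoc.if; if the module's interface file declares the old type in a gen_require (a read-config interface, for instance), the module will no longer build under the new name, so that file should be checked. Dropping the `radvd_etc_t` entry for gogoc-rtadvd.conf also means the generated file now carries the parent directory's gogoc_var_run_t label on a fresh relabel, so the radvd side must get access through gogoc_var_run_t rather than radvd_etc_t — which the .te hunk appears to do with `rw_files_pattern(radvd_t, gogoc_var_run_t, gogoc_var_run_t)`. Existing installs keep the old label on that file until something relabels `/var/run/gogoc`; that relabel is not visible in this diff.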
diff --git a/gogoc.spec b/gogoc.spec
index cd6ee06..b3b443c 100644
--- a/gogoc.spec
+++ b/gogoc.spec
@@ -6,7 +6,7 @@
Name: gogoc
Version: 1.2
-Release: 31%{?dist}
+Release: 32%{?dist}
Summary: IPv6 TSP client for gogo6
Group: System Environment/Daemons
@@ -43,6 +43,7 @@ Requires: selinux-policy >= %{selinux_policyver}
Requires(post): systemd
Requires(post): /usr/sbin/semodule
Requires(post): /sbin/fixfiles
+Requires(post): policycoreutils-python
Requires(preun): systemd
Requires(postun): systemd
Requires(postun): /usr/sbin/semodule
@@ -125,6 +126,9 @@ cd -
%post
%systemd_post %{name}.service
+# Remove old SELinux file context
+semanage fcontext -d -t radvd_etc_t '%{_localstatedir}/run/%{name}/%{name}-rtadvd.conf' 2>/dev/null || :
+
# Install SELinux policy
for selinuxvariant in %{selinux_variants}
do
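Review bot: The new `semanage fcontext -d -t radvd_etc_t ...` line is most likely a no-op whose failure is hidden by `2>/dev/null || :`: `semanage fcontext -d` removes only locally added customizations, and the gogoc-rtadvd.conf context being dropped came from the module's own .fc file (see the gogoc.fc hunk), which `semodule -i` of the updated module already retires. What the upgrade does need is a relabel of the file already on disk, e.g. `restorecon -R %{_localstatedir}/run/%{name} 2>/dev/null || :` after the module is installed, unless the fixfiles call later in %post (outside this hunk, which continues past the loop) already covers it. If the semanage line is dropped, the new `Requires(post): policycoreutils-python` in the earlier hunk becomes unnecessary as well.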
@@ -167,6 +171,9 @@ fi
%{_datadir}/selinux/*/%{name}.pp
%changelog
+* Thu Aug 22 2013 Juan Orti Alcaine <jorti at fedoraproject.org> - 1.2-32
+- Update SELinux policy to 1.0.3
+
* Thu Aug 22 2013 Juan Orti Alcaine <jorti at fedoraproject.org> - 1.2-31
- Fix selinux-policy dependency
- Fix patches to apply cleanly
diff --git a/gogoc.te b/gogoc.te
index a745f14..54db602 100644
--- a/gogoc.te
+++ b/gogoc.te
@@ -1,4 +1,4 @@
-policy_module(gogoc, 1.0.2)
+policy_module(gogoc, 1.0.3)
########################################
#
@@ -21,8 +21,8 @@ files_type(gogoc_var_lib_t)
type gogoc_var_run_t;
files_pid_file(gogoc_var_run_t)
-type gogoc_etc_t;
-files_config_file(gogoc_etc_t)
+type gogoc_conf_t;
+files_config_file(gogoc_conf_t)
type gogoc_unit_file_t;
systemd_unit_file(gogoc_unit_file_t)
@@ -31,29 +31,20 @@ systemd_unit_file(gogoc_unit_file_t)
#
# gogoc local policy
#
-allow gogoc_t gogoc_log_t:file manage_file_perms;
-allow gogoc_t gogoc_var_lib_t:file manage_file_perms;
-allow gogoc_t gogoc_var_lib_t:dir rw_dir_perms;
-allow gogoc_t gogoc_tmp_t:file manage_file_perms;
-allow gogoc_t gogoc_var_run_t:file manage_file_perms;
-allow gogoc_t gogoc_var_run_t:dir rw_dir_perms;
-allow gogoc_t gogoc_etc_t:file read_file_perms;
-allow gogoc_t gogoc_etc_t:dir list_dir_perms;
-allow gogoc_t self:udp_socket create_socket_perms;
-allow gogoc_t self:unix_dgram_socket create_socket_perms;
-allow gogoc_t self:capability { net_admin net_raw kill };
-allow gogoc_t self:tun_socket create;
-allow gogoc_t self:rawip_socket create;
-
-manage_dirs_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
+create_files_pattern(gogoc_t, gogoc_log_t, gogoc_log_t)
+allow gogoc_t gogoc_log_t:file { append_file_perms read_file_perms setattr_file_perms };
+manage_files_pattern(gogoc_t, gogoc_var_lib_t, gogoc_var_lib_t)
+manage_files_pattern(gogoc_t, gogoc_var_run_t, gogoc_var_run_t)
+read_files_pattern(gogoc_t, gogoc_conf_t, gogoc_conf_t)
manage_files_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
-files_tmp_filetrans(gogoc_t, gogoc_tmp_t, { file dir })
+files_tmp_filetrans(gogoc_t, gogoc_tmp_t, { dir file })
+
+allow gogoc_t self:capability { net_admin net_raw kill };
+allow gogoc_t self:tun_socket create_socket_perms;
+allow gogoc_t self:rawip_socket create_socket_perms;
-sysnet_read_config(gogoc_t)
-sysnet_exec_ifconfig(gogoc_t)
kernel_read_network_state(gogoc_t)
kernel_read_system_state(gogoc_t)
-kernel_read_unix_sysctls(gogoc_t)
kernel_request_load_module(gogoc_t)
kernel_rw_net_sysctls(gogoc_t)
corenet_rw_tun_tap_dev(gogoc_t)
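Review bot: The rewrite removes `allow gogoc_t self:udp_socket create_socket_perms;` and the unix_dgram_socket rule without re-adding them on the new side, yet the radvd hunk below grants `radvd_t` rw on a `gogoc_t:udp_socket`, which implies gogoc_t still creates UDP sockets; unless that permission now arrives through an interface outside this hunk, the TSP session setup is likely to be denied. `sysnet_read_config(gogoc_t)` is also dropped while `sysnet_exec_ifconfig` is merely moved; if gogoc resolves the broker by hostname it needs `sysnet_dns_name_resolve(gogoc_t)` (or the read_config call back), and the context here does not show either. The widening of `tun_socket` and `rawip_socket` from `create` to `create_socket_perms` reads as a deliberate fix and is fine for a tunnel daemon that already holds net_admin/net_raw.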
@@ -63,17 +54,16 @@ dev_read_urand(gogoc_t)
dev_read_rand(gogoc_t)
corecmd_exec_shell(gogoc_t)
corecmd_exec_bin(gogoc_t)
-fs_getattr_xattr_fs(gogoc_t)
+sysnet_exec_ifconfig(gogoc_t)
fs_getattr_tmpfs(gogoc_t)
optional_policy(`
gen_require(`
type radvd_exec_t, radvd_t, radvd_etc_t;
')
- domtrans_pattern(gogoc_t, radvd_exec_t, radvd_t)
+ domtrans_pattern(gogoc_t, radvd_exec_t, radvd_t) # Execute radvd in its own domain
+ rw_files_pattern(radvd_t, gogoc_var_run_t, gogoc_var_run_t) # For radvd to write temp file and read config
radvd_read_pid_files(gogoc_t) # For gogoc to read the pid file of radvd
- gogoc_read_pid_files(radvd_t) # For radvd to read the generated config file
- allow gogoc_t radvd_etc_t:file manage_file_perms; # Create config file for radvd
allow gogoc_t radvd_t:process signal; # Kill radvd
- allow radvd_t gogoc_var_run_t:file rw_file_perms;
+ allow radvd_t gogoc_t:udp_socket rw_socket_perms;
')
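Review bot: `allow radvd_t gogoc_t:udp_socket rw_socket_perms;` grants the radvd domain read/write on the tunnel client's UDP socket, which it only sees because the descriptor is inherited across the domtrans; the reference-policy convention for a leaked descriptor that the child does not actually use is `dontaudit radvd_t gogoc_t:udp_socket rw_socket_perms;` (or closing the fd before exec), which silences the denial without letting radvd write to the broker session. Keep the allow only if radvd genuinely needs that socket, which nothing in the hunk indicates. The comment on the rw_files_pattern line should also say which file radvd reads (gogoc-rtadvd.conf, per the .fc hunk) since the pattern now covers every gogoc_var_run_t file, including the pid file.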