[gogoc] Update SELinux policy to 1.0.3

Juan Orti jorti at fedoraproject.org
Thu Aug 22 11:51:13 UTC 2013


commit 598ea98a9120816c7fcb2e9ec4d35ac2f541913f
Author: Juan Orti Alcaine <jorti at fedoraproject.org>
Date:   Thu Aug 22 13:50:38 2013 +0200

    Update SELinux policy to 1.0.3

 gogoc.fc   |    4 +---
 gogoc.spec |    9 ++++++++-
 gogoc.te   |   44 +++++++++++++++++---------------------------
 3 files changed, 26 insertions(+), 31 deletions(-)
---
diff --git a/gogoc.fc b/gogoc.fc
index 08e002d..3d9dcf5 100644
--- a/gogoc.fc
+++ b/gogoc.fc
@@ -8,6 +8,4 @@
 
 /var/run/gogoc(/.*)?		gen_context(system_u:object_r:gogoc_var_run_t,s0)
 
-/var/run/gogoc/gogoc-rtadvd.conf		gen_context(system_u:object_r:radvd_etc_t,s0)
-
-/etc/gogoc(/.*)?            gen_context(system_u:object_r:gogoc_etc_t,s0)
+/etc/gogoc(/.*)?            gen_context(system_u:object_r:gogoc_conf_t,s0)
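Review bot: Renaming the label for `/etc/gogoc(/.*)?` from gogoc_etc_t to gogoc_conf_t (same rename in the gogoc.te hunk at `type gogoc_conf_t;`) leaves already-installed systems with files whose on-disk xattr names a type that no longer exists once the updated module is loaded, so they will not match `read_files_pattern(gogoc_t, gogoc_conf_t, gogoc_conf_t)` until they are relabeled. The spec's %post loop that loads the module is cut off in its hunk, so I cannot tell whether it relabels the config directory; if it does not, a `restorecon -R %{_sysconfdir}/%{name}` after the semodule call is what actually migrates existing installs. The dropped radvd_etc_t entry for gogoc-rtadvd.conf is consistent with the removed `allow gogoc_t radvd_etc_t:file manage_file_perms;` in the last gogoc.te hunk; the file now falls under the `/var/run/gogoc(/.*)?` pattern and gets gogoc_var_run_t, which is presumably why radvd_t is given access to that type there.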
diff --git a/gogoc.spec b/gogoc.spec
index cd6ee06..b3b443c 100644
--- a/gogoc.spec
+++ b/gogoc.spec
@@ -6,7 +6,7 @@
 
 Name:           gogoc
 Version:        1.2
-Release:        31%{?dist}
+Release:        32%{?dist}
 Summary:        IPv6 TSP client for gogo6
 
 Group:          System Environment/Daemons
@@ -43,6 +43,7 @@ Requires:       selinux-policy >= %{selinux_policyver}
 Requires(post): systemd
 Requires(post): /usr/sbin/semodule
 Requires(post): /sbin/fixfiles
+Requires(post): policycoreutils-python
 Requires(preun): systemd
 Requires(postun): systemd
 Requires(postun): /usr/sbin/semodule
@@ -125,6 +126,9 @@ cd -
 %post
 %systemd_post %{name}.service
 
+# Remove old SELinux file context
+semanage fcontext -d -t radvd_etc_t '%{_localstatedir}/run/%{name}/%{name}-rtadvd.conf' 2>/dev/null || :
+
 # Install SELinux policy
 for selinuxvariant in %{selinux_variants}
 do
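Review bot: `semanage fcontext -d` only removes entries from the local file-context customizations, whereas the mapping being retired here was shipped in the module's own gogoc.fc and disappears by itself when the updated module is loaded; unless an earlier release's %post added it with `semanage fcontext -a`, this call is a no-op whose "not defined" error is hidden by `2>/dev/null || :`. If that is the case, the new `Requires(post): policycoreutils-python` in the earlier hunk is being pulled in for nothing, and the line can be dropped in favor of relabeling the existing file after the module load, e.g. `restorecon -R %{_localstatedir}/run/%{name}` — I cannot see whether the for loop below already does that, as the %post body continues past the hunk. Either way a comment stating which release introduced the old label and when the line can be removed would help, since this runs on every future upgrade: `# Transitional: drop the radvd_etc_t mapping used up to 1.2-31 (policy 1.0.2); remove once no upgrade path from those releases matters`.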
@@ -167,6 +171,9 @@ fi
 %{_datadir}/selinux/*/%{name}.pp
 
 %changelog
+* Thu Aug 22 2013 Juan Orti Alcaine <jorti at fedoraproject.org> - 1.2-32
+- Update SELinux policy to 1.0.3
+
 * Thu Aug 22 2013 Juan Orti Alcaine <jorti at fedoraproject.org> - 1.2-31
 - Fix selinux-policy dependency
 - Fix patches to apply cleanly
diff --git a/gogoc.te b/gogoc.te
index a745f14..54db602 100644
--- a/gogoc.te
+++ b/gogoc.te
@@ -1,4 +1,4 @@
-policy_module(gogoc, 1.0.2)
+policy_module(gogoc, 1.0.3)
 
 ########################################
 #
@@ -21,8 +21,8 @@ files_type(gogoc_var_lib_t)
 type gogoc_var_run_t;
 files_pid_file(gogoc_var_run_t)
 
-type gogoc_etc_t;
-files_config_file(gogoc_etc_t)
+type gogoc_conf_t;
+files_config_file(gogoc_conf_t)
 
 type gogoc_unit_file_t;
 systemd_unit_file(gogoc_unit_file_t)
@@ -31,29 +31,20 @@ systemd_unit_file(gogoc_unit_file_t)
 #
 # gogoc local policy
 #
-allow gogoc_t gogoc_log_t:file manage_file_perms;
-allow gogoc_t gogoc_var_lib_t:file manage_file_perms;
-allow gogoc_t gogoc_var_lib_t:dir rw_dir_perms;
-allow gogoc_t gogoc_tmp_t:file manage_file_perms;
-allow gogoc_t gogoc_var_run_t:file manage_file_perms;
-allow gogoc_t gogoc_var_run_t:dir rw_dir_perms;
-allow gogoc_t gogoc_etc_t:file read_file_perms;
-allow gogoc_t gogoc_etc_t:dir list_dir_perms;
-allow gogoc_t self:udp_socket create_socket_perms;
-allow gogoc_t self:unix_dgram_socket create_socket_perms;
-allow gogoc_t self:capability { net_admin net_raw kill };
-allow gogoc_t self:tun_socket create;
-allow gogoc_t self:rawip_socket create;
-
-manage_dirs_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
+create_files_pattern(gogoc_t, gogoc_log_t, gogoc_log_t)
+allow gogoc_t gogoc_log_t:file { append_file_perms read_file_perms setattr_file_perms };
+manage_files_pattern(gogoc_t, gogoc_var_lib_t, gogoc_var_lib_t)
+manage_files_pattern(gogoc_t, gogoc_var_run_t, gogoc_var_run_t)
+read_files_pattern(gogoc_t, gogoc_conf_t, gogoc_conf_t)
 manage_files_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)
-files_tmp_filetrans(gogoc_t, gogoc_tmp_t, { file dir })
+files_tmp_filetrans(gogoc_t, gogoc_tmp_t, { dir file })
+
+allow gogoc_t self:capability { net_admin net_raw kill };
+allow gogoc_t self:tun_socket create_socket_perms;
+allow gogoc_t self:rawip_socket create_socket_perms;
 
-sysnet_read_config(gogoc_t)
-sysnet_exec_ifconfig(gogoc_t)
 kernel_read_network_state(gogoc_t)
 kernel_read_system_state(gogoc_t)
-kernel_read_unix_sysctls(gogoc_t)
 kernel_request_load_module(gogoc_t)
 kernel_rw_net_sysctls(gogoc_t)
 corenet_rw_tun_tap_dev(gogoc_t)
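Review bot: `files_tmp_filetrans(gogoc_t, gogoc_tmp_t, { dir file })` still transitions directories to gogoc_tmp_t, but the rule that let gogoc_t create such directories, `manage_dirs_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)`, is removed in this hunk and only `manage_files_pattern` on gogoc_tmp_t remains, so a directory created in /tmp would be denied unless dir permissions on gogoc_tmp_t are granted somewhere outside the hunk. Either restore `manage_dirs_pattern(gogoc_t, gogoc_tmp_t, gogoc_tmp_t)` or narrow the transition to `files_tmp_filetrans(gogoc_t, gogoc_tmp_t, file)`. The explicit `self:udp_socket` and `self:unix_dgram_socket` create rules are also dropped here while the last hunk still expects radvd_t to inherit a gogoc_t udp_socket; if a corenet or sysnet interface elsewhere in the file now supplies those permissions, a one-line comment naming it next to the remaining `self:` rules would save the next reader the search.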
@@ -63,17 +54,16 @@ dev_read_urand(gogoc_t)
 dev_read_rand(gogoc_t)
 corecmd_exec_shell(gogoc_t)
 corecmd_exec_bin(gogoc_t)
-fs_getattr_xattr_fs(gogoc_t)
+sysnet_exec_ifconfig(gogoc_t)
 fs_getattr_tmpfs(gogoc_t)
 
 optional_policy(`
    gen_require(`
       type radvd_exec_t, radvd_t, radvd_etc_t;
    ')
-   domtrans_pattern(gogoc_t, radvd_exec_t, radvd_t)
+   domtrans_pattern(gogoc_t, radvd_exec_t, radvd_t) # Execute radvd in its own domain
+   rw_files_pattern(radvd_t, gogoc_var_run_t, gogoc_var_run_t) # For radvd to write temp file and read config
    radvd_read_pid_files(gogoc_t) # For gogoc to read the pid file of radvd
-   gogoc_read_pid_files(radvd_t) # For radvd to read the generated config file
-   allow gogoc_t radvd_etc_t:file manage_file_perms; # Create config file for radvd
    allow gogoc_t radvd_t:process signal; # Kill radvd
-   allow radvd_t gogoc_var_run_t:file rw_file_perms;
+   allow radvd_t gogoc_t:udp_socket rw_socket_perms;
 ')
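Review bot: `allow radvd_t gogoc_t:udp_socket rw_socket_perms;` grants radvd read/write on a socket it inherits from gogoc across the domain transition; the reference-policy convention for a descriptor leaked over exec is `dontaudit radvd_t gogoc_t:udp_socket rw_socket_perms;` (and ideally closing the socket or marking it FD_CLOEXEC in gogoc before the exec), since nothing in the block shows radvd needing that socket. `rw_files_pattern(radvd_t, gogoc_var_run_t, gogoc_var_run_t)` likewise gives radvd write access to every file under /var/run/gogoc, which per the gogoc.fc pattern presumably includes gogoc's own pid file, not just the generated rtadvd config; a dedicated type for that one file, assigned with a filetrans rule, would keep radvd's write access to the file it actually needs. The `gen_require` still lists radvd_etc_t although no rule in the block references it after the removal of the manage_file_perms rule; it can be trimmed to `type radvd_exec_t, radvd_t;`.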

