[selinux-policy/f19] * Thu Sep 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1.74.8 - Get labeling right on ipsec.secret
Lukas Vrabec
lvrabec at fedoraproject.org
Thu Sep 26 08:01:32 UTC 2013
commit 308723179b10e7d77013ec93111330e9ac142d81
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Thu Sep 26 10:01:07 2013 +0200
* Thu Sep 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1.74.8
- Get labeling right on ipsec.secrets
- Allow systemd to read dhcpc_state
- Allow amanda to write to /etc/amanda/DailySet1 directory
- Fix english on gssd_read_tmp boolean descriptions
- Allow cloud-init to domtrans to rpm
- Allow abrt daemon to manage abrt-watch tmp files
- Allow abrt-upload-watcher to search /var/spool directory
- Fix typo in abrt.te
policy-f19-base.patch | 162 +++++++++++++++++++++++++---------------------
policy-f19-contrib.patch | 20 ++++--
selinux-policy.spec | 12 +++-
3 files changed, 112 insertions(+), 82 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index e8c0f81..ce5354b 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -27655,7 +27655,7 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..ee26201 100644
+index dd3be8d..5fc4cd6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27895,7 +27895,7 @@ index dd3be8d..ee26201 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +273,186 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +273,188 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -27921,6 +27921,8 @@ index dd3be8d..ee26201 100644
+
+storage_raw_rw_fixed_disk(init_t)
+
++sysnet_read_dhcpc_state(init_t)
++
+optional_policy(`
+ kdump_read_crash(init_t)
+')
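Review bot: The added `sysnet_read_dhcpc_state(init_t)` has no comment saying which systemd component needs dhclient state, and init_t's rule list is long enough that an unexplained grant is hard to audit or retire later. Refpolicy convention is a one-line why-comment above the call, e.g. `# systemd reads dhclient lease/state files (dhcpc_state_t) at boot` — naming the actual consumer if it is known from the denial that motivated this. The enclosing ifdef block starts and ends outside the hunk, so I cannot tell whether this lands in the distro_redhat section or the common one.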
@@ -28090,7 +28092,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -216,6 +460,27 @@ optional_policy(`
+@@ -216,6 +462,27 @@ optional_policy(`
')
optional_policy(`
@@ -28118,7 +28120,7 @@ index dd3be8d..ee26201 100644
unconfined_domain(init_t)
')
-@@ -225,8 +490,9 @@ optional_policy(`
+@@ -225,8 +492,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28130,7 +28132,7 @@ index dd3be8d..ee26201 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +523,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +525,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28147,7 +28149,7 @@ index dd3be8d..ee26201 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +548,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +550,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28190,7 +28192,7 @@ index dd3be8d..ee26201 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +585,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +587,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28202,7 +28204,7 @@ index dd3be8d..ee26201 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +597,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +599,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28213,7 +28215,7 @@ index dd3be8d..ee26201 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +608,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +610,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28223,7 +28225,7 @@ index dd3be8d..ee26201 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +617,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +619,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28231,7 +28233,7 @@ index dd3be8d..ee26201 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +624,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +626,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28239,7 +28241,7 @@ index dd3be8d..ee26201 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +632,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +634,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28257,7 +28259,7 @@ index dd3be8d..ee26201 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +650,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +652,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28271,7 +28273,7 @@ index dd3be8d..ee26201 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +665,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +667,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28285,7 +28287,7 @@ index dd3be8d..ee26201 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +678,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +680,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28293,7 +28295,7 @@ index dd3be8d..ee26201 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +690,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +692,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28301,7 +28303,7 @@ index dd3be8d..ee26201 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +709,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +711,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28325,7 +28327,7 @@ index dd3be8d..ee26201 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +742,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +744,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28333,7 +28335,7 @@ index dd3be8d..ee26201 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +776,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +778,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28344,7 +28346,7 @@ index dd3be8d..ee26201 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +800,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +802,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28353,7 +28355,7 @@ index dd3be8d..ee26201 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +815,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +817,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28361,7 +28363,7 @@ index dd3be8d..ee26201 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +836,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +838,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28369,7 +28371,7 @@ index dd3be8d..ee26201 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +846,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +848,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -28414,7 +28416,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -558,14 +891,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +893,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -28446,7 +28448,7 @@ index dd3be8d..ee26201 100644
')
')
-@@ -576,6 +926,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +928,39 @@ ifdef(`distro_suse',`
')
')
@@ -28486,7 +28488,7 @@ index dd3be8d..ee26201 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +971,8 @@ optional_policy(`
+@@ -588,6 +973,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28495,7 +28497,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -609,6 +994,7 @@ optional_policy(`
+@@ -609,6 +996,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -28503,7 +28505,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -625,6 +1011,17 @@ optional_policy(`
+@@ -625,6 +1013,17 @@ optional_policy(`
')
optional_policy(`
@@ -28521,7 +28523,7 @@ index dd3be8d..ee26201 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1038,13 @@ optional_policy(`
+@@ -641,9 +1040,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28535,7 +28537,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -656,15 +1057,11 @@ optional_policy(`
+@@ -656,15 +1059,11 @@ optional_policy(`
')
optional_policy(`
@@ -28553,7 +28555,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -685,6 +1082,15 @@ optional_policy(`
+@@ -685,6 +1084,15 @@ optional_policy(`
')
optional_policy(`
@@ -28569,7 +28571,7 @@ index dd3be8d..ee26201 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1131,7 @@ optional_policy(`
+@@ -725,6 +1133,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -28577,7 +28579,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -742,7 +1149,14 @@ optional_policy(`
+@@ -742,7 +1151,14 @@ optional_policy(`
')
optional_policy(`
@@ -28592,7 +28594,7 @@ index dd3be8d..ee26201 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1179,10 @@ optional_policy(`
+@@ -765,6 +1181,10 @@ optional_policy(`
')
optional_policy(`
@@ -28603,7 +28605,7 @@ index dd3be8d..ee26201 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1192,20 @@ optional_policy(`
+@@ -774,10 +1194,20 @@ optional_policy(`
')
optional_policy(`
@@ -28624,7 +28626,7 @@ index dd3be8d..ee26201 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1214,10 @@ optional_policy(`
+@@ -786,6 +1216,10 @@ optional_policy(`
')
optional_policy(`
@@ -28635,7 +28637,7 @@ index dd3be8d..ee26201 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1239,6 @@ optional_policy(`
+@@ -807,8 +1241,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28644,7 +28646,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -817,6 +1247,10 @@ optional_policy(`
+@@ -817,6 +1249,10 @@ optional_policy(`
')
optional_policy(`
@@ -28655,7 +28657,7 @@ index dd3be8d..ee26201 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1260,12 @@ optional_policy(`
+@@ -826,10 +1262,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28668,7 +28670,7 @@ index dd3be8d..ee26201 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1292,27 @@ optional_policy(`
+@@ -856,12 +1294,27 @@ optional_policy(`
')
optional_policy(`
@@ -28697,7 +28699,7 @@ index dd3be8d..ee26201 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1322,18 @@ optional_policy(`
+@@ -871,6 +1324,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -28716,7 +28718,7 @@ index dd3be8d..ee26201 100644
')
optional_policy(`
-@@ -886,6 +1349,10 @@ optional_policy(`
+@@ -886,6 +1351,10 @@ optional_policy(`
')
optional_policy(`
@@ -28727,7 +28729,7 @@ index dd3be8d..ee26201 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1363,196 @@ optional_policy(`
+@@ -896,3 +1365,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28925,20 +28927,21 @@ index dd3be8d..ee26201 100644
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..ef9370d 100644
+index 662e79b..3cbc35d 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,19 @@
+@@ -1,14 +1,21 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
--/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+
-+/etc/(strongswan)?/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
-+/etc/(strongswan)?/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
++/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
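Review bot: Both new secrets entries end in an unanchored `.*` under the `--` class, so any regular file whose path merely starts with `/etc/ipsec.secrets` — `ipsec.secrets.rpmsave`, `ipsec.secrets~`, or a file inside an `/etc/ipsec.secrets.d/` directory — gets ipsec_key_file_t, while such a directory itself would not. Keeping backup and rotated copies of key material under the key label is the safer choice, but nothing here says it is deliberate, so a comment above the entry such as `# .* is intentional: backup/rotated copies of the secrets keep the key-file label` would stop a later cleanup from narrowing it. If the installed ipsec.secrets includes secret files from another directory, those still need their own entry; whether one exists is not visible in this hunk.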
@@ -28951,7 +28954,7 @@ index 662e79b..ef9370d 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,12 +31,15 @@
+@@ -26,12 +33,15 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -28967,17 +28970,17 @@ index 662e79b..ef9370d 100644
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
-@@ -39,3 +47,5 @@
+@@ -39,3 +49,5 @@
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
+/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..f133407 100644
+index 0d4c8d3..e6ffda3 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
-@@ -55,6 +55,63 @@ interface(`ipsec_domtrans_mgmt',`
+@@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',`
domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
')
@@ -29015,6 +29018,7 @@ index 0d4c8d3..f133407 100644
+ ')
+
+ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
++ files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")
+')
+
+########################################
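Review bot: The added `files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")` is a name-based transition and only matches the exact name, so a tool that writes `ipsec.secrets.tmp` and renames it over the original creates the file as etc_t and the rename keeps that label — the mislabeling this commit fixes would come back silently until the next restorecon. A comment on that line would make the limit explicit: `# name-based transition: covers direct creation only; write-then-rename tools still need restorecon or a second filetrans for their temp name`. The enclosing interface's header and gen_require are outside the hunk.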
@@ -29041,7 +29045,7 @@ index 0d4c8d3..f133407 100644
########################################
## <summary>
## Connect to racoon using a unix domain stream socket.
-@@ -120,7 +177,6 @@ interface(`ipsec_exec_mgmt',`
+@@ -120,7 +178,6 @@ interface(`ipsec_exec_mgmt',`
## </summary>
## </param>
#
@@ -29049,7 +29053,7 @@ index 0d4c8d3..f133407 100644
interface(`ipsec_signal_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -139,7 +195,6 @@ interface(`ipsec_signal_mgmt',`
+@@ -139,7 +196,6 @@ interface(`ipsec_signal_mgmt',`
## </summary>
## </param>
#
@@ -29057,7 +29061,7 @@ index 0d4c8d3..f133407 100644
interface(`ipsec_signull_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -158,7 +213,6 @@ interface(`ipsec_signull_mgmt',`
+@@ -158,7 +214,6 @@ interface(`ipsec_signull_mgmt',`
## </summary>
## </param>
#
@@ -29065,7 +29069,7 @@ index 0d4c8d3..f133407 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -167,6 +221,60 @@ interface(`ipsec_kill_mgmt',`
+@@ -167,6 +222,60 @@ interface(`ipsec_kill_mgmt',`
allow $1 ipsec_mgmt_t:process sigkill;
')
@@ -29126,7 +29130,7 @@ index 0d4c8d3..f133407 100644
######################################
## <summary>
## Send and receive messages from
-@@ -225,6 +333,7 @@ interface(`ipsec_match_default_spd',`
+@@ -225,6 +334,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
@@ -29134,7 +29138,7 @@ index 0d4c8d3..f133407 100644
')
########################################
-@@ -369,3 +478,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -29162,7 +29166,7 @@ index 0d4c8d3..f133407 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..a19c295 100644
+index 9e54bf9..bb933df 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29419,7 +29423,7 @@ index 9e54bf9..a19c295 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +477,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +477,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -29428,9 +29432,9 @@ index 9e54bf9..a19c295 100644
seutil_read_config(setkey_t)
-userdom_use_user_terminals(setkey_t)
+-
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
-
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 1b93eb7..b2532aa 100644
--- a/policy/modules/system/iptables.fc
@@ -35009,7 +35013,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..ec17624 100644
+index 6944526..1f23aab 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35043,7 +35047,15 @@ index 6944526..ec17624 100644
')
########################################
-@@ -271,6 +290,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',`
+ type dhcpc_state_t;
+ ')
+
++ list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ ')
+
+@@ -271,6 +291,43 @@ interface(`sysnet_delete_dhcpc_state',`
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
@@ -35087,7 +35099,7 @@ index 6944526..ec17624 100644
#######################################
## <summary>
## Set the attributes of network config files.
-@@ -292,6 +348,44 @@ interface(`sysnet_setattr_config',`
+@@ -292,6 +349,44 @@ interface(`sysnet_setattr_config',`
#######################################
## <summary>
@@ -35132,7 +35144,7 @@ index 6944526..ec17624 100644
## Read network config files.
## </summary>
## <desc>
-@@ -331,6 +425,7 @@ interface(`sysnet_read_config',`
+@@ -331,6 +426,7 @@ interface(`sysnet_read_config',`
ifdef(`distro_redhat',`
allow $1 net_conf_t:dir list_dir_perms;
@@ -35140,7 +35152,7 @@ index 6944526..ec17624 100644
read_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -433,6 +528,7 @@ interface(`sysnet_manage_config',`
+@@ -433,6 +529,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
@@ -35148,7 +35160,7 @@ index 6944526..ec17624 100644
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -471,6 +567,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -471,6 +568,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -35156,7 +35168,7 @@ index 6944526..ec17624 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -580,6 +677,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -580,6 +678,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
## <summary>
@@ -35182,7 +35194,7 @@ index 6944526..ec17624 100644
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
-@@ -596,6 +712,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -596,6 +713,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -35190,7 +35202,7 @@ index 6944526..ec17624 100644
')
########################################
-@@ -681,8 +798,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -681,8 +799,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@@ -35199,7 +35211,7 @@ index 6944526..ec17624 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -692,6 +807,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -692,6 +808,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -35208,7 +35220,7 @@ index 6944526..ec17624 100644
sysnet_read_config($1)
optional_policy(`
-@@ -720,8 +837,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +838,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -35217,7 +35229,7 @@ index 6944526..ec17624 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +848,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +849,9 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
@@ -35227,7 +35239,7 @@ index 6944526..ec17624 100644
')
########################################
-@@ -754,7 +872,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +873,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -35235,7 +35247,7 @@ index 6944526..ec17624 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +883,74 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +884,74 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 735d1d7..9503f2d 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -2017,10 +2017,17 @@ index cda6d20..fbe259e 100644
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.fc b/amanda.fc
-index 7f4dfbc..4d750fa 100644
+index 7f4dfbc..e5c9f45 100644
--- a/amanda.fc
+++ b/amanda.fc
-@@ -13,6 +13,8 @@
+@@ -1,5 +1,6 @@
+ /etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
+ /etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
++/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
+ /etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
+ /etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
+ # empty m4 string so the index macro is not invoked
+@@ -13,6 +14,8 @@
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
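Review bot: `/etc/amanda/DailySet1(/.*)?` relabels the whole default configuration set — amanda.conf, disklist and everything else in it — from amanda_config_t to amanda_data_t, so the amanda domains gain write access to their own configuration rather than only to the state files they rotate; the existing `/etc/amanda/.*/tapelist(/.*)?` entry just above shows the narrower scope the module used before. It also hard-codes the default set name, so any other configuration directory under /etc/amanda/ keeps amanda_config_t and the same denial reappears there. The denial that motivated this is not visible in the commit; if it was on tapelist rotation files, `/etc/amanda/.*/tapelist.* gen_context(system_u:object_r:amanda_data_t,s0)` would cover every configuration without making the configuration writable, and a comment naming the file amanda actually writes would justify whichever pattern is kept.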
@@ -11854,10 +11861,10 @@ index 0000000..8ac848b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..a56e579
+index 0000000..1ef78b0
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,297 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -12018,6 +12025,7 @@ index 0000000..a56e579
+')
+
+optional_policy(`
++ rpm_domtrans(cloud_init_t)
+ unconfined_domain(cloud_init_t)
+')
+
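Review bot: `rpm_domtrans(cloud_init_t)` is added inside the optional_policy block that exists for `unconfined_domain(cloud_init_t)`; an optional_policy block is dropped as a whole when any type it requires is missing, so on a system without the rpm module this placement also silently loses the unconfined rule, and without the unconfined module it loses the rpm transition. Refpolicy convention is one block per optional module, so `rpm_domtrans(cloud_init_t)` belongs in its own `optional_policy(` ... `)` block. The rest of the file's optional blocks are outside this hunk, so I cannot see whether an rpm block already exists elsewhere to put it in.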
@@ -72503,7 +72511,7 @@ index 3bd6446..8bde316 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..97bb4a0 100644
+index e5212e6..022f7fc 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -72521,7 +72529,7 @@ index e5212e6..97bb4a0 100644
-## generic user temporary content.
-## </p>
+## <p>
-+## Allow gssd to read temp directory. For access to kerberos tgt.
++## Allow gssd to list tmp directories and read the kerberos credential cache.
+## </p>
## </desc>
-gen_tunable(allow_gssd_read_tmp, false)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1bdd0c2..e90f9c4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.7%{?dist}
+Release: 74.8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Sep 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.8
+- Get labeling right on ipsec.secrets
+- Allow systemd to read dhcpc_state
+- Allow amanda to write to /etc/amanda/DailySet1 directory
+- Fix english on gssd_read_tmp boolean descriptions
+- Allow cloud-init to domtrans to rpm
+- Allow abrt daemon to manage abrt-watch tmp files
+- Allow abrt-upload-watcher to search /var/spool directory
+- Fix typo in abrt.te
+
* Wed Sep 25 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.7
- Allow setroubleshoot to look at /proc
- Allow telepathy domains to dbus with systemd logind