[selinux-policy] * Fri Nov 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-99 - Add support for yubikey in homedir -
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Nov 8 20:39:23 UTC 2013
commit 90f92647e02d7cde6eab975f310b2c194e584031
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Nov 8 21:39:31 2013 +0100
* Fri Nov 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-99
- Add support for yubikey in homedir
- Add support for upd/3052 port
- Allow apcupsd to use PowerChute Network Shutdown
- Allow lsmd to execute various lsmplugins
- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
- Update gluster_export_all_rw boolean to allow relabel all base file types
- Allow x86_energy_perf tool to modify the MSR
- Fix /var/lib/dspam/data labeling
policy-rawhide-base.patch | 46 ++++++++++++++++++++++-------------------
policy-rawhide-contrib.patch | 44 +++++++++++++++++++++++++--------------
selinux-policy.spec | 12 ++++++++++-
3 files changed, 64 insertions(+), 38 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1f78c01..962d9cc 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5470,7 +5470,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..cc71e95 100644
+index 4edc40d..7070ee2 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5544,19 +5544,20 @@ index 4edc40d..cc71e95 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -84,10 +107,9 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
++network_port(apc, tcp,3052,s0, udp,3052,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
-network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
-@@ -96,19 +118,19 @@ network_port(boinc, tcp,31416,s0)
+@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
@@ -5579,7 +5580,7 @@ index 4edc40d..cc71e95 100644
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,19 +141,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,19 +142,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -5608,7 +5609,7 @@ index 4edc40d..cc71e95 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +168,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +169,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5675,7 +5676,7 @@ index 4edc40d..cc71e95 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +221,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +222,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5714,7 +5715,7 @@ index 4edc40d..cc71e95 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +258,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +259,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5767,7 +5768,7 @@ index 4edc40d..cc71e95 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +308,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +309,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5778,7 +5779,7 @@ index 4edc40d..cc71e95 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
-@@ -268,10 +320,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +321,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5791,7 +5792,7 @@ index 4edc40d..cc71e95 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +344,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +345,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -5810,7 +5811,7 @@ index 4edc40d..cc71e95 100644
########################################
#
-@@ -330,6 +386,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +387,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5819,7 +5820,7 @@ index 4edc40d..cc71e95 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +400,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +401,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -24741,12 +24742,14 @@ index c6fdab7..af71c62 100644
sudo_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..ebe81bf 100644
+index 28ad538..003b09a 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -1,14 +1,26 @@
+@@ -1,14 +1,28 @@
++HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
@@ -24775,7 +24778,7 @@ index 28ad538..ebe81bf 100644
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-@@ -16,13 +28,24 @@ ifdef(`distro_suse', `
+@@ -16,13 +30,24 @@ ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
@@ -24802,7 +24805,7 @@ index 28ad538..ebe81bf 100644
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,20 +53,24 @@ ifdef(`distro_gentoo', `
+@@ -30,20 +55,24 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -24832,7 +24835,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..f0151a8 100644
+index 3efd5b6..08c3e93 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -25418,7 +25421,7 @@ index 3efd5b6..f0151a8 100644
')
########################################
-@@ -1805,3 +2029,241 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -25597,6 +25600,7 @@ index 3efd5b6..f0151a8 100644
+
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
++ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+')
+
+
@@ -25640,6 +25644,7 @@ index 3efd5b6..f0151a8 100644
+
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
++ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+')
+
+########################################
@@ -25659,9 +25664,8 @@ index 3efd5b6..f0151a8 100644
+
+ allow $1 login_pgm:process sigchld;
+')
-+
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..742b073 100644
+index 104037e..348e8cf 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -25983,7 +25987,7 @@ index 104037e..742b073 100644
+corecmd_getattr_all_executables(login_pgm)
+domain_kill_all_domains(login_pgm)
+
-+# pam_keyring
++allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
+allow login_pgm self:capability ipc_lock;
+allow login_pgm self:process setkeycreate;
+allow login_pgm self:key manage_key_perms;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 7ccb10d..d8e67e1 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -7053,7 +7053,7 @@ index f3c0aba..b6afc90 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..3128e78 100644
+index b236327..7b2142b 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -7085,15 +7085,16 @@ index b236327..3128e78 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -67,6 +67,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
+@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
++corenet_udp_bind_apc_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t)
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +75,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@@ -7123,7 +7124,7 @@ index b236327..3128e78 100644
optional_policy(`
hostname_exec(apcupsd_t)
-@@ -112,7 +119,6 @@ optional_policy(`
+@@ -112,7 +120,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
@@ -37166,10 +37167,10 @@ index 0000000..da30c5d
+')
diff --git a/lsm.te b/lsm.te
new file mode 100644
-index 0000000..fc42149
+index 0000000..6611d9f
--- /dev/null
+++ b/lsm.te
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,34 @@
+policy_module(lsm, 1.0.0)
+
+########################################
@@ -37201,6 +37202,8 @@ index 0000000..fc42149
+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+
++corecmd_exec_bin(lsmd_t)
++
+logging_send_syslog_msg(lsmd_t)
diff --git a/mailman.fc b/mailman.fc
index 7fa381b..bbe6b01 100644
@@ -81071,7 +81074,7 @@ index 98c9e0a..df51942 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 4a23d84..fcd1610 100644
+index 4a23d84..62df1db 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
@@ -81092,7 +81095,7 @@ index 4a23d84..fcd1610 100644
type sblim_initrc_exec_t;
init_script_file(sblim_initrc_exec_t)
-@@ -21,6 +19,12 @@ init_script_file(sblim_initrc_exec_t)
+@@ -21,6 +19,15 @@ init_script_file(sblim_initrc_exec_t)
type sblim_var_run_t;
files_pid_file(sblim_var_run_t)
@@ -81102,10 +81105,13 @@ index 4a23d84..fcd1610 100644
+type sblim_tmp_t;
+files_tmp_file(sblim_tmp_t)
+
++type sblim_sfcb_tmpfs_t;
++files_tmpfs_file(sblim_sfcb_tmpfs_t)
++
######################################
#
# Common sblim domain local policy
-@@ -32,11 +36,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
@@ -81127,7 +81133,7 @@ index 4a23d84..fcd1610 100644
corenet_tcp_sendrecv_generic_if(sblim_domain)
corenet_tcp_sendrecv_generic_node(sblim_domain)
-@@ -44,19 +55,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
+@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
dev_read_sysfs(sblim_domain)
@@ -81150,7 +81156,7 @@ index 4a23d84..fcd1610 100644
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
-@@ -84,6 +91,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
init_read_utmp(sblim_gatherd_t)
@@ -81159,7 +81165,7 @@ index 4a23d84..fcd1610 100644
sysnet_dns_name_resolve(sblim_gatherd_t)
term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +112,9 @@ optional_policy(`
+@@ -103,8 +115,9 @@ optional_policy(`
')
optional_policy(`
@@ -81170,7 +81176,7 @@ index 4a23d84..fcd1610 100644
')
optional_policy(`
-@@ -117,6 +127,25 @@ optional_policy(`
+@@ -117,6 +130,29 @@ optional_policy(`
# Reposd local policy
#
@@ -81189,6 +81195,11 @@ index 4a23d84..fcd1610 100644
+
+allow sblim_sfcbd_t self:capability { sys_ptrace setgid };
+allow sblim_sfcbd_t self:process signal;
++allow sblim_sfcbd_t self:unix_stream_socket connectto;
++
++manage_dirs_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t)
++manage_files_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t)
++fs_tmpfs_filetrans(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, { dir file })
+
+auth_use_nsswitch(sblim_sfcbd_t)
+
@@ -81196,7 +81207,6 @@ index 4a23d84..fcd1610 100644
+
+domain_read_all_domains_state(sblim_sfcbd_t)
+domain_use_interactive_fds(sblim_sfcbd_t)
-+
diff --git a/screen.fc b/screen.fc
index ac04d27..b73334e 100644
--- a/screen.fc
@@ -96702,10 +96712,12 @@ index 9329eae..824e86f 100644
- seutil_use_newrole_fds(vpnc_t)
-')
diff --git a/watchdog.fc b/watchdog.fc
-index eecd0e0..8d9b2f6 100644
+index eecd0e0..8df2e8c 100644
--- a/watchdog.fc
+++ b/watchdog.fc
-@@ -2,6 +2,10 @@
+@@ -1,7 +1,12 @@
+ /etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
++/etc/watchdog\.d(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0)
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 195b577..3a43ece 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 98%{?dist}
+Release: 99%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -573,6 +573,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Nov 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-99
+- Add support for yubikey in homedir
+- Add support for upd/3052 port
+- Allow apcupsd to use PowerChute Network Shutdown
+- Allow lsmd to execute various lsmplugins
+- Add labeling also for /etc/watchdog\.d where are watchdog scripts located too
+- Update gluster_export_all_rw boolean to allow relabel all base file types
+- Allow x86_energy_perf tool to modify the MSR
+- Fix /var/lib/dspam/data labeling
+
* Wed Nov 6 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-98
- Add files_relabel_base_file_types() interface
- Allow netlabel-config to read passwd
More information about the scm-commits
mailing list