[selinux-policy/f19] * Tue Nov 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.14 - Allow apmd to request the kernel

Lukas Vrabec lvrabec at fedoraproject.org
Tue Nov 26 12:45:33 UTC 2013


commit 76b97483d606ec0b11b31505c83de5b75b1f9f1b
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Tue Nov 26 13:45:01 2013 +0100

    * Tue Nov 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.14
    - Allow apmd to request the kernel load module
    - Allow sssd to request the kernel loads modules
    - label mate-keyring-daemon with gkeyringd_exec_t
    - Allow procmail_t to connect to dovecot stream sockets
    - Allow smoltclient to execute ldconfig
    - Allow condor domains to read/write condor_master udp_socket
    - sendmail can attempt to block suspend, but will complete successfully
    - Add support for texlive2013
    - Allow passwd_t to connect to gnome keyring to change password
    - Should allow domains to lock the terminal device

 policy-f19-base.patch    |   31 +++++-----
 policy-f19-contrib.patch |  143 ++++++++++++++++++++++++++++------------------
 selinux-policy.spec      |   14 ++++-
 3 files changed, 116 insertions(+), 72 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 63c2e65..e6a2495 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -2575,7 +2575,7 @@ index 99e3903..7270808 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..68f6887 100644
+index d555767..3053e39 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
@@ -2857,7 +2857,7 @@ index d555767..68f6887 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -349,9 +389,16 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2866,7 +2866,8 @@ index d555767..68f6887 100644
  optional_policy(`
 -	nscd_run(passwd_t, passwd_roles)
 +	gnome_exec_keyringd(passwd_t)
-+    gnome_manage_cache_home_dir(passwd_t)
++	gnome_manage_cache_home_dir(passwd_t)
++	gnome_stream_connect_gkeyringd(passwd_t)
 +')
 +
 +optional_policy(`
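Review bot: The new `gnome_stream_connect_gkeyringd(passwd_t)` hands a privileged password-changing domain a connect to the user's keyring daemon socket with no comment saying why, in the same optional block that already lets it run gnome-keyring-daemon without a domain transition (`gnome_exec_keyringd`). A one-line why-comment above the new rule keeps the next reader from widening or dropping it blindly, e.g. `# keyring password is resynced over the gkeyringd socket when the login password changes` — the mechanism is inferred from the changelog entry ("connect to gnome keyring to change password"), not from the hunk, so confirm it before committing the wording. The tab fix on `gnome_manage_cache_home_dir` is purely cosmetic and fine.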
@@ -2875,7 +2876,7 @@ index d555767..68f6887 100644
  ')
  
  ########################################
-@@ -398,9 +445,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -2888,7 +2889,7 @@ index d555767..68f6887 100644
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -2896,7 +2897,7 @@ index d555767..68f6887 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
-@@ -423,19 +470,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(sysadm_passwd_t)
  
@@ -2918,7 +2919,7 @@ index d555767..68f6887 100644
  ')
  
  ########################################
-@@ -443,7 +488,8 @@ optional_policy(`
+@@ -443,7 +489,8 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -2928,7 +2929,7 @@ index d555767..68f6887 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -458,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
  
@@ -2939,7 +2940,7 @@ index d555767..68f6887 100644
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
  
-@@ -465,36 +515,36 @@ corecmd_exec_shell(useradd_t)
+@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -2988,7 +2989,7 @@ index d555767..68f6887 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +555,36 @@ init_rw_utmp(useradd_t)
+@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t)
  logging_send_audit_msgs(useradd_t)
  logging_send_syslog_msg(useradd_t)
  
@@ -3039,7 +3040,7 @@ index d555767..68f6887 100644
  optional_policy(`
  	apache_manage_all_user_content(useradd_t)
  ')
-@@ -542,7 +595,12 @@ optional_policy(`
+@@ -542,7 +596,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3053,7 +3054,7 @@ index d555767..68f6887 100644
  ')
  
  optional_policy(`
-@@ -550,6 +608,11 @@ optional_policy(`
+@@ -550,6 +609,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3065,7 +3066,7 @@ index d555767..68f6887 100644
  	tunable_policy(`samba_domain_controller',`
  		samba_append_log(useradd_t)
  	')
-@@ -559,3 +622,12 @@ optional_policy(`
+@@ -559,3 +623,12 @@ optional_policy(`
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
@@ -43876,7 +43877,7 @@ index e79d545..101086d 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..936a91d 100644
+index 6e91317..1dee6c7 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -43973,7 +43974,7 @@ index 6e91317..936a91d 100644
  # Use (read and write) terminals
  #
 -define(`rw_term_perms', `{ getattr open read write append ioctl }')
-+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
++define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }')
 +define(`rw_term_perms', `{ rw_inherited_term_perms open }')
  
  #
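Review bot: Adding `lock` to `rw_inherited_term_perms` widens every domain that uses either that set or `rw_term_perms` (defined on L165 as `rw_inherited_term_perms` plus `open`), not only the domain whose denial motivated the change, so any existing `allow ... :chr_file rw_term_perms` on a tty or pty type now silently includes advisory locking. That appears intended per the changelog ("Should allow domains to lock the terminal device"), but the comment above the definition still reads `# Use (read and write) terminals`; update it to state the scope, e.g. `# Use (read, write, lock) terminals; lock sits in the inherited set so rw_term_perms gets it too`. If only one domain actually needed it, a per-domain `allow <dom> <tty_type>:chr_file lock;` would be the narrower fix.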
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index dfef892..43a7584 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -7155,7 +7155,7 @@ index 1a7a97e..1d29dce 100644
  	domain_system_change_exemption($1)
  	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 3590e2f..e1494bd 100644
+index 3590e2f..1d8a844 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@@ -7186,7 +7186,15 @@ index 3590e2f..e1494bd 100644
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
  allow apmd_t self:netlink_socket create_socket_perms;
-@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
+@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t)
+ kernel_rw_all_sysctls(apmd_t)
+ kernel_read_system_state(apmd_t)
+ kernel_write_proc_files(apmd_t)
++kernel_request_load_module(apmd_t)
+ 
+ dev_read_input(apmd_t)
+ dev_read_mouse(apmd_t)
+@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
  fs_dontaudit_getattr_all_symlinks(apmd_t)
  fs_dontaudit_getattr_all_pipes(apmd_t)
  fs_dontaudit_getattr_all_sockets(apmd_t)
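Review bot: `kernel_request_load_module(apmd_t)` lets the domain make the kernel autoload modules by name, and nothing in the hunk records which request produced the denial. The marginal exposure is small because apmd_t already holds `kernel_rw_all_sysctls`, `kernel_write_proc_files` and `corecmd_exec_all_executables` (L187-L189, L200), but the rule should still carry a why-comment so it can be revisited, e.g. `# apmd triggers kernel module autoloading; see changelog 3.12.1-74.14`. If the trigger turns out to be a single known module, preloading it would let this rule go away — that is a guess about the root cause, not something the hunk shows.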
@@ -7196,7 +7204,7 @@ index 3590e2f..e1494bd 100644
  
  corecmd_exec_all_executables(apmd_t)
  
-@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
+@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
  auth_use_nsswitch(apmd_t)
  
  init_domtrans_script(apmd_t)
@@ -7205,7 +7213,7 @@ index 3590e2f..e1494bd 100644
  
  libs_exec_ld_so(apmd_t)
  libs_exec_lib_files(apmd_t)
-@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t)
+@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t)
  logging_send_audit_msgs(apmd_t)
  logging_send_syslog_msg(apmd_t)
  
@@ -7225,7 +7233,7 @@ index 3590e2f..e1494bd 100644
  
  optional_policy(`
  	automount_domtrans(apmd_t)
-@@ -206,11 +209,15 @@ optional_policy(`
+@@ -206,11 +210,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13378,7 +13386,7 @@ index 3fe3cb8..5fe84a6 100644
 +	')
  ')
 diff --git a/condor.te b/condor.te
-index 3f2b672..ff94f23 100644
+index 3f2b672..8fb887d 100644
 --- a/condor.te
 +++ b/condor.te
 @@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
@@ -13428,7 +13436,11 @@ index 3f2b672..ff94f23 100644
  logging_log_filetrans(condor_domain, condor_log_t, { dir file })
  
  manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file })
+ 
+ allow condor_domain condor_master_t:process signull;
+ allow condor_domain condor_master_t:tcp_socket getattr;
++allow condor_domain condor_master_t:udp_socket { read write };
  
  kernel_read_kernel_sysctls(condor_domain)
  kernel_read_network_state(condor_domain)
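Review bot: `allow condor_domain condor_master_t:udp_socket { read write };` on the shared attribute overlaps and partly overrides the per-domain rules visible elsewhere in this patch: condor_collector_t already has `rw_socket_perms` on that socket (L288), while condor_negotiator_t and condor_schedd_t were deliberately limited to `getattr` (L299, L315) and now gain read/write too, as do condor_procd_t and condor_startd_t, which had no rule at all. Either drop the now-subsumed `getattr` lines or, if the attribute-wide grant is the intent, say so above the new rule, e.g. `# every condor daemon inherits the master's UDP socket and must read/write on it`. The per-domain rules cited are outside this hunk, so their surroundings are not visible here.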
@@ -13442,7 +13454,7 @@ index 3f2b672..ff94f23 100644
  corenet_tcp_sendrecv_generic_if(condor_domain)
  corenet_tcp_sendrecv_generic_node(condor_domain)
  
-@@ -106,9 +115,9 @@ dev_read_rand(condor_domain)
+@@ -106,9 +116,9 @@ dev_read_rand(condor_domain)
  dev_read_sysfs(condor_domain)
  dev_read_urand(condor_domain)
  
@@ -13454,7 +13466,7 @@ index 3f2b672..ff94f23 100644
  
  tunable_policy(`condor_tcp_network_connect',`
  	corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +134,7 @@ optional_policy(`
+@@ -125,7 +135,7 @@ optional_policy(`
  # Master local policy
  #
  
@@ -13463,7 +13475,7 @@ index 3f2b672..ff94f23 100644
  
  allow condor_master_t condor_domain:process { sigkill signal };
  
-@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
  files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
  
@@ -13474,7 +13486,7 @@ index 3f2b672..ff94f23 100644
  corenet_udp_sendrecv_generic_if(condor_master_t)
  corenet_udp_sendrecv_generic_node(condor_master_t)
  corenet_tcp_bind_generic_node(condor_master_t)
-@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t)
  
  auth_use_nsswitch(condor_master_t)
  
@@ -13483,7 +13495,7 @@ index 3f2b672..ff94f23 100644
  optional_policy(`
  	mta_send_mail(condor_master_t)
  	mta_read_config(condor_master_t)
-@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
  
  kernel_read_network_state(condor_collector_t)
  
@@ -13492,7 +13504,7 @@ index 3f2b672..ff94f23 100644
  #####################################
  #
  # Negotiator local policy
-@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
  allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
  allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
@@ -13501,7 +13513,7 @@ index 3f2b672..ff94f23 100644
  ######################################
  #
  # Procd local policy
-@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
+@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
  
  allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
  
@@ -13511,7 +13523,7 @@ index 3f2b672..ff94f23 100644
  
  domain_read_all_domains_state(condor_procd_t)
  
-@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
  
  allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
  
@@ -13520,7 +13532,7 @@ index 3f2b672..ff94f23 100644
  domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
  domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
  
-@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
  files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
  
@@ -13529,7 +13541,7 @@ index 3f2b672..ff94f23 100644
  #####################################
  #
  # Startd local policy
-@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t)
  mcs_process_set_categories(condor_startd_t)
  
  init_domtrans_script(condor_startd_t)
@@ -13542,7 +13554,7 @@ index 3f2b672..ff94f23 100644
  optional_policy(`
  	ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
  	ssh_domtrans(condor_startd_t)
-@@ -249,3 +272,7 @@ optional_policy(`
+@@ -249,3 +273,7 @@ optional_policy(`
  		kerberos_use(condor_startd_ssh_t)
  	')
  ')
@@ -25990,10 +26002,10 @@ index fd02acc..0000000
 -
 -miscfiles_read_localization(glusterd_t)
 diff --git a/gnome.fc b/gnome.fc
-index e39de43..5818f74 100644
+index e39de43..4c8113b 100644
 --- a/gnome.fc
 +++ b/gnome.fc
-@@ -1,15 +1,58 @@
+@@ -1,15 +1,59 @@
 -HOME_DIR/\.gconf(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gconfd(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 -HOME_DIR/\.gnome(/.*)?	gen_context(system_u:object_r:gnome_home_t,s0)
@@ -26051,14 +26063,15 @@ index e39de43..5818f74 100644
 +/usr/share/config(/.*)? 	gen_context(system_u:object_r:config_usr_t,s0)
 +
  /usr/bin/gnome-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
- 
--/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
--/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
++/usr/bin/mate-keyring-daemon	--	gen_context(system_u:object_r:gkeyringd_exec_t,s0)
++
 +# Don't use because toolchain is broken
 +#/usr/libexec/gconfd-2 --	gen_context(system_u:object_r:gconfd_exec_t,s0)
 +
 +/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
-+
+ 
+-/usr/lib/[^/]*/gconf/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
+-/usr/libexec/gconfd-2	--	gen_context(system_u:object_r:gconfd_exec_t,s0)
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
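Review bot: Labeling `/usr/bin/mate-keyring-daemon` as `gkeyringd_exec_t` puts the MATE fork under the same domain transition as gnome-keyring-daemon, but the HOME_DIR patterns that label keyring storage are not in this hunk, so it cannot be seen here whether MATE's keyring files land on the labeled paths or in a generic user-home type where gkeyringd_t would be denied. Worth a check against a MATE session before shipping, and worth a comment beside the entry, e.g. `# MATE fork of gnome-keyring-daemon; shares gkeyringd_t and its home-dir labeling`. The gconfd-2 removal lines are only moved within the inner hunk, not changed.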
@@ -39365,10 +39378,10 @@ index 0000000..b694afc
 +')
 +
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..d1f0fda 100644
+index 6ffaba2..99a6cf4 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,67 @@
+@@ -1,38 +1,68 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -39410,6 +39423,7 @@ index 6ffaba2..d1f0fda 100644
 +HOME_DIR/\.quakelive(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.texlive2012(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.texlive2013(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.IBMERS(/.*)?          	gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/zimbrauserdata(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -39470,7 +39484,7 @@ index 6ffaba2..d1f0fda 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/mozilla.if b/mozilla.if
-index 6194b80..2ab36ff 100644
+index 6194b80..99effb5 100644
 --- a/mozilla.if
 +++ b/mozilla.if
 @@ -1,146 +1,75 @@
@@ -40160,7 +40174,7 @@ index 6194b80..2ab36ff 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -530,45 +498,54 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +498,55 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -40230,6 +40244,7 @@ index 6194b80..2ab36ff 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
@@ -62013,7 +62028,7 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index d447152..a911295 100644
+index d447152..73c437c 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -1,4 +1,4 @@
@@ -62048,7 +62063,7 @@ index d447152..a911295 100644
  allow procmail_t procmail_log_t:dir setattr_dir_perms;
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,59 +44,76 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
  
@@ -62152,7 +62167,8 @@ index d447152..a911295 100644
  ')
  
  optional_policy(`
-@@ -100,12 +121,7 @@ optional_policy(`
+-	cyrus_stream_connect(procmail_t)
++	dovecot_stream_connect(procmail_t)
  ')
  
  optional_policy(`
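Review bot: `dovecot_stream_connect(procmail_t)` is inserted ahead of the cyrus block (which the following hunk re-adds below it), leaving the optional_policy blocks out of the alphabetical order the rest of the file keeps (cyrus, gnome, munin, postfix); placing the dovecot block after cyrus avoids the churn and keeps the file greppable. Separately, dovecot_stream_connect very likely grants connectto on every dovecot unix stream socket rather than only the delivery socket — the interface body is not shown here, so that cannot be verified from the hunk — so if procmail only needs local delivery, check whether a narrower interface exists and add a why-comment above the call such as `# local delivery through dovecot's unix socket`. The optional_policy block opened on the last line of this hunk continues in the next one.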
@@ -62162,18 +62178,20 @@ index d447152..a911295 100644
 -	mta_manage_mail_home_rw_content(procmail_t)
 -	mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
 -	mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
-+	gnome_manage_data(procmail_t)
++	cyrus_stream_connect(procmail_t)
  ')
  
  optional_policy(`
-@@ -113,16 +129,17 @@ optional_policy(`
+-	munin_dontaudit_search_lib(procmail_t)
++	gnome_manage_data(procmail_t)
  ')
  
  optional_policy(`
 -	nagios_search_spool(procmail_t)
--')
--
--optional_policy(`
++	munin_dontaudit_search_lib(procmail_t)
+ ')
+ 
+ optional_policy(`
 +	# for a bug in the postfix local program
  	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
  	postfix_dontaudit_use_fds(procmail_t)
@@ -62189,7 +62207,7 @@ index d447152..a911295 100644
  ')
  
  optional_policy(`
-@@ -131,6 +148,8 @@ optional_policy(`
+@@ -131,6 +152,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64392,10 +64410,10 @@ index 1148dce..86d25ea 100644
 +	allow $2 pwauth_t:process signal;
  ')
 diff --git a/pwauth.te b/pwauth.te
-index 3078e34..8f357cc 100644
+index 3078e34..215df88 100644
 --- a/pwauth.te
 +++ b/pwauth.te
-@@ -5,38 +5,35 @@ policy_module(pwauth, 1.0.0)
+@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
  # Declarations
  #
  
@@ -64426,13 +64444,12 @@ index 3078e34..8f357cc 100644
  
  manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
  files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
+@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
  
- domain_use_interactive_fds(pwauth_t)
- 
-+
  auth_domtrans_chkpwd(pwauth_t)
  auth_use_nsswitch(pwauth_t)
 +auth_read_shadow(pwauth_t)
++auth_rw_lastlog(pwauth_t)
  
  init_read_utmp(pwauth_t)
  
@@ -80155,7 +80172,7 @@ index 88e753f..133d993 100644
 +	admin_pattern($1, mail_spool_t)
  ')
 diff --git a/sendmail.te b/sendmail.te
-index 5f35d78..d4003d0 100644
+index 5f35d78..50651d2 100644
 --- a/sendmail.te
 +++ b/sendmail.te
 @@ -1,18 +1,10 @@
@@ -80178,7 +80195,7 @@ index 5f35d78..d4003d0 100644
  type sendmail_log_t;
  logging_log_file(sendmail_log_t)
  
-@@ -26,27 +18,26 @@ type sendmail_t;
+@@ -26,27 +18,27 @@ type sendmail_t;
  mta_sendmail_mailserver(sendmail_t)
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -80199,6 +80216,7 @@ index 5f35d78..d4003d0 100644
 -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
 +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
 +dontaudit sendmail_t self:capability net_admin;
++dontaudit sendmail_t self:capability2 block_suspend;
  allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
  allow sendmail_t self:fifo_file rw_fifo_file_perms;
 -allow sendmail_t self:unix_stream_socket { accept listen };
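Review bot: `dontaudit sendmail_t self:capability2 block_suspend;` silences the denial instead of granting the capability, which matches the changelog's "will complete successfully", but the file does not say so, and a later maintainer chasing the same AVC may turn it into an `allow`. Add the reason above the line, e.g. `# sendmail tries to take block_suspend but works without it; silence, do not grant`. The neighbouring `dontaudit ... net_admin` would benefit from the same kind of note.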
@@ -80217,7 +80235,7 @@ index 5f35d78..d4003d0 100644
  logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
  
  manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
-@@ -58,33 +49,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+@@ -58,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
  
  kernel_read_network_state(sendmail_t)
  kernel_read_kernel_sysctls(sendmail_t)
@@ -80255,7 +80273,7 @@ index 5f35d78..d4003d0 100644
  
  fs_getattr_all_fs(sendmail_t)
  fs_search_auto_mountpoints(sendmail_t)
-@@ -93,35 +72,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
+@@ -93,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
  term_dontaudit_use_console(sendmail_t)
  term_dontaudit_use_generic_ptys(sendmail_t)
  
@@ -80311,7 +80329,7 @@ index 5f35d78..d4003d0 100644
  ')
  
  optional_policy(`
-@@ -129,8 +122,8 @@ optional_policy(`
+@@ -129,8 +123,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80322,7 +80340,7 @@ index 5f35d78..d4003d0 100644
  ')
  
  optional_policy(`
-@@ -158,6 +151,10 @@ optional_policy(`
+@@ -158,6 +152,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80333,7 +80351,7 @@ index 5f35d78..d4003d0 100644
  	milter_stream_connect_all(sendmail_t)
  ')
  
-@@ -166,6 +163,11 @@ optional_policy(`
+@@ -166,6 +164,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80345,7 +80363,7 @@ index 5f35d78..d4003d0 100644
  	postfix_domtrans_postdrop(sendmail_t)
  	postfix_domtrans_master(sendmail_t)
  	postfix_domtrans_postqueue(sendmail_t)
-@@ -187,21 +189,13 @@ optional_policy(`
+@@ -187,21 +190,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -81770,7 +81788,7 @@ index a8b1aaf..fc0a2be 100644
  
  	netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
 diff --git a/smoltclient.te b/smoltclient.te
-index 9c8f9a5..14f15a4 100644
+index 9c8f9a5..f074b4d 100644
 --- a/smoltclient.te
 +++ b/smoltclient.te
 @@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
@@ -81788,6 +81806,17 @@ index 9c8f9a5..14f15a4 100644
  
  optional_policy(`
  	abrt_stream_connect(smoltclient_t)
+@@ -77,6 +75,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    libs_exec_ldconfig(smoltclient_t)
++')
++
++optional_policy(`
+ 	rpm_exec(smoltclient_t)
+ 	rpm_read_db(smoltclient_t)
+ ')
 diff --git a/smsd.fc b/smsd.fc
 new file mode 100644
 index 0000000..4c3fcec
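Review bot: `libs_exec_ldconfig(smoltclient_t)` is wrapped in `optional_policy` at L618, but the libs module belongs to the base policy and is never absent — apm.te in this same patch calls `libs_exec_ld_so(apmd_t)` unconditionally (L209) — so the wrapper should go and the call should sit with the other unconditional base-module rules. The new line is also indented with four spaces while the surrounding blocks use a tab (`rpm_exec` at L619). Exec without a domain transition means ldconfig runs as smoltclient_t, which is the least-privilege choice if it only reads the cache; nothing in the hunk suggests it needs to rebuild it.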
@@ -84711,7 +84740,7 @@ index a240455..54c5c1f 100644
 -	admin_pattern($1, sssd_log_t)
  ')
 diff --git a/sssd.te b/sssd.te
-index 8b537aa..3bce4df 100644
+index 8b537aa..92ad8d0 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -1,4 +1,4 @@
@@ -84754,9 +84783,11 @@ index 8b537aa..3bce4df 100644
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
  
  manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
-@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+ 
  kernel_read_network_state(sssd_t)
  kernel_read_system_state(sssd_t)
++kernel_request_load_module(sssd_t)
  
 -corenet_all_recvfrom_unlabeled(sssd_t)
 -corenet_all_recvfrom_netlabel(sssd_t)
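Review bot: `kernel_request_load_module(sssd_t)` lets a network-facing identity daemon make the kernel autoload arbitrary modules by name, which widens the kernel attack surface reachable from a compromised sssd, and the hunk does not record which request triggered the denial. Add a comment naming the trigger so the grant can be revisited, e.g. `# sssd triggers kernel module autoloading; see changelog 3.12.1-74.14`; if the request is for one known module, preloading it is the narrower alternative, though that is a guess about the cause rather than something shown here. The rule is placed directly after `kernel_read_system_state(sssd_t)`, which matches the file's grouping.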
@@ -84772,7 +84803,7 @@ index 8b537aa..3bce4df 100644
  
  corecmd_exec_bin(sssd_t)
  
-@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t)
+@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t)
  domain_obj_id_change_exemption(sssd_t)
  
  files_list_tmp(sssd_t)
@@ -84782,7 +84813,7 @@ index 8b537aa..3bce4df 100644
  files_list_var_lib(sssd_t)
  
  fs_list_inotifyfs(sssd_t)
-@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t)
+@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t)
  
  seutil_read_file_contexts(sssd_t)
  # sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
@@ -84800,7 +84831,7 @@ index 8b537aa..3bce4df 100644
  auth_domtrans_chk_passwd(sssd_t)
  auth_domtrans_upd_passwd(sssd_t)
  auth_manage_cache(sssd_t)
-@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +106,32 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_generic_certs(sssd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 075ff93..c57ac6d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 74.13%{?dist}
+Release: 74.14%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Nov 26 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.14
+- Allow apmd to request the kernel load module
+- Allow sssd to request the kernel loads modules
+- label mate-keyring-daemon with gkeyringd_exec_t
+- Allow procmail_t to connect to dovecot stream sockets
+- Allow smoltclient to execute ldconfig
+- Allow condor domains to read/write condor_master udp_socket
+- sendmail can attempt to block suspend, but will complete successfully
+- Add support for texlive2013
+- Allow passwd_t to connect to gnome keyring to change password
+- Should allow domains to lock the terminal device
+
 * Mon Nov 11 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.13
 - Update xserver.te to make GDM working
 

