[selinux-policy/f20] - Allow sosreport to send a signal to ABRT - Add proper aliases for pegasus_openlmi_service_exec_t a

Miroslav Grepl mgrepl at fedoraproject.org
Wed Dec 4 15:32:33 UTC 2013


commit 2d76110cd5fffe42ffa942f3b5ea9c89bbd05bdb
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Dec 4 16:31:22 2013 +0100

    - Allow sosreport to send a signal to ABRT
    - Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t
    - Label /usr/sbin/htcacheclean as httpd_exec_t
    - Added support for rdisc unit file
    - Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
    - Allow runuser running as logrotate to connect to the system DBUS
    - Label bcache devices as fixed_disk_device_t
    - Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
    - Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t

 policy-f20-base.patch    |   45 +++++---
 policy-f20-contrib.patch |  262 ++++++++++++++++++++++++++++-----------------
 selinux-policy.spec      |   13 ++-
 3 files changed, 204 insertions(+), 116 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 3e34ed5..e982721 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -15743,10 +15743,18 @@ index 522ab32..cb9c3a2 100644
  	')
  }
 diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 54f1827..cc2de1a 100644
+index 54f1827..39faa3f 100644
 --- a/policy/modules/kernel/storage.fc
 +++ b/policy/modules/kernel/storage.fc
-@@ -23,12 +23,15 @@
+@@ -7,6 +7,7 @@
+ /dev/n?tpqic[12].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
+ /dev/[shmxv]d[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/aztcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/bcache[0-9]+	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/bpcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
+ /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+@@ -23,12 +24,15 @@
  /dev/ht[0-1]		-b	gen_context(system_u:object_r:tape_device_t,s0)
  /dev/hwcdrom		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/initrd		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -15763,7 +15771,7 @@ index 54f1827..cc2de1a 100644
  /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -51,7 +54,8 @@ ifdef(`distro_redhat', `
+@@ -51,7 +55,8 @@ ifdef(`distro_redhat', `
  /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/tape.*		-c	gen_context(system_u:object_r:tape_device_t,s0)
@@ -15773,7 +15781,7 @@ index 54f1827..cc2de1a 100644
  /dev/ub[a-z][^/]+	-b	gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
  /dev/ubd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/vd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-@@ -81,3 +85,6 @@ ifdef(`distro_redhat', `
+@@ -81,3 +86,6 @@ ifdef(`distro_redhat', `
  
  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
@@ -29446,15 +29454,16 @@ index dd3be8d..0996734 100644
 +    ')
 + ')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..a199ffd 100644
+index 662e79b..32fad12 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,22 @@
+@@ -1,14 +1,23 @@
  /etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/racoon	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/strongswan	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
  
 -/etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/usr/lib/systemd/system/ipsec.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +/usr/lib/systemd/system/strongswan.*         --  gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
 +
 +/etc/ipsec\.secrets.*		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
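Review bot: The new unit-file entry `/usr/lib/systemd/system/ipsec.*` leaves the dot unescaped, so it matches any file in that directory whose name merely begins with `ipsec`, not just `ipsec.service`, while the `/etc/ipsec\.secrets.*` entry a few lines below in the same hunk escapes its dot. If only the service unit is meant, `/usr/lib/systemd/system/ipsec\.service -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)` is the precise form; if `ipsec.socket` and friends should be covered too, `ipsec\..*` keeps the literal dot. The pre-existing `strongswan.*` line has the same looseness, so it may be deliberate upstream style, but it is worth settling once for both.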
@@ -29473,7 +29482,7 @@ index 662e79b..a199ffd 100644
  
  /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
  
-@@ -26,16 +34,23 @@
+@@ -26,16 +35,23 @@
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -29687,7 +29696,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..ceb7f99 100644
+index 9e54bf9..1de81e9 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29882,14 +29891,18 @@ index 9e54bf9..ceb7f99 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +326,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -288,17 +324,22 @@ init_exec_script_files(ipsec_mgmt_t)
+ init_use_fds(ipsec_mgmt_t)
+ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
- logging_send_syslog_msg(ipsec_mgmt_t)
+-logging_send_syslog_msg(ipsec_mgmt_t)
++ipsec_mgmt_systemctl(ipsec_mgmt_t)
  
 -miscfiles_read_localization(ipsec_mgmt_t)
 -
 -seutil_dontaudit_search_config(ipsec_mgmt_t)
--
++logging_send_syslog_msg(ipsec_mgmt_t)
+ 
  sysnet_manage_config(ipsec_mgmt_t)
  sysnet_domtrans_ifconfig(ipsec_mgmt_t)
  sysnet_etc_filetrans_config(ipsec_mgmt_t)
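Review bot: `ipsec_mgmt_systemctl(ipsec_mgmt_t)` grants the domain its own systemctl interface with no comment, and the interface body is outside this diff, so a reader of ipsec.te cannot see why a domain would call its own `*_systemctl` macro. The changelog explains it (systemctl launched from ipsec_mgmt_t must reach /usr/lib/systemd/system/ipsec.service, now labeled ipsec_mgmt_unit_file_t), so I would carry that into the policy: `# ipsec_mgmt_t runs systemctl against its own ipsec.service (ipsec_mgmt_unit_file_t)`. The surrounding block starts and ends outside the hunk.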
@@ -29906,7 +29919,7 @@ index 9e54bf9..ceb7f99 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +361,10 @@ optional_policy(`
+@@ -322,6 +363,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29917,7 +29930,7 @@ index 9e54bf9..ceb7f99 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +378,7 @@ optional_policy(`
+@@ -335,7 +380,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -29926,7 +29939,7 @@ index 9e54bf9..ceb7f99 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +413,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +415,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -29946,7 +29959,7 @@ index 9e54bf9..ceb7f99 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +443,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +445,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -29959,7 +29972,7 @@ index 9e54bf9..ceb7f99 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +480,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +482,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index ab6be86..b63cc7f 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -68,7 +68,7 @@ index e4f84de..2ed712d 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..702b716 100644
+index 058d908..ff0f9c2 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -99,16 +99,34 @@ index 058d908..702b716 100644
  
  ######################################
  ## <summary>
-@@ -40,7 +62,7 @@ interface(`abrt_exec',`
+@@ -40,7 +62,25 @@ interface(`abrt_exec',`
  
  ########################################
  ## <summary>
 -##	Send null signals to abrt.
++##	Send a signal to abrt.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`abrt_signal',`
++	gen_require(`
++		type abrt_t;
++	')
++
++	allow $1 abrt_t:process signal;
++')
++
++########################################
++## <summary>
 +##	Send a null signal to abrt.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -58,7 +80,7 @@ interface(`abrt_signull',`
+@@ -58,7 +98,7 @@ interface(`abrt_signull',`
  
  ########################################
  ## <summary>
@@ -117,7 +135,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
+@@ -71,12 +111,13 @@ interface(`abrt_read_state',`
  		type abrt_t;
  	')
  
@@ -132,7 +150,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
+@@ -116,8 +157,7 @@ interface(`abrt_dbus_chat',`
  
  #####################################
  ## <summary>
@@ -142,7 +160,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
+@@ -130,15 +170,13 @@ interface(`abrt_domtrans_helper',`
  		type abrt_helper_t, abrt_helper_exec_t;
  	')
  
@@ -160,7 +178,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',`
+@@ -154,17 +192,54 @@ interface(`abrt_domtrans_helper',`
  #
  interface(`abrt_run_helper',`
  	gen_require(`
@@ -190,60 +208,60 @@ index 058d908..702b716 100644
 +
 +	read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 +	read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++')
++
++########################################
++## <summary>
++##	Append abrt cache
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`abrt_append_cache',`
++	gen_require(`
++		type abrt_var_cache_t;
++	')
++
++	
++	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	abrt cache files.
-+##	Append abrt cache
++##	Read/Write inherited abrt cache
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
+@@ -172,15 +247,18 @@ interface(`abrt_run_helper',`
  ##	</summary>
  ## </param>
  #
 -interface(`abrt_cache_manage',`
 -	refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
 -	abrt_manage_cache($1)
-+interface(`abrt_append_cache',`
++interface(`abrt_rw_inherited_cache',`
 +	gen_require(`
 +		type abrt_var_cache_t;
 +	')
 +
 +	
-+	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	abrt cache content.
-+##	Read/Write inherited abrt cache
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`abrt_rw_inherited_cache',`
-+	gen_require(`
-+		type abrt_var_cache_t;
-+	')
-+
-+	
-+	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
 +##	Manage abrt cache
  ## </summary>
  ## <param name="domain">
  ##	<summary>
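Review bot: The line after `gen_require(...')` inside `abrt_append_cache` (and likewise inside `abrt_rw_inherited_cache` later in the hunk) is a blank line that still carries a tab, i.e. trailing whitespace in the new patch. The rest of this hunk only realigns the existing interfaces after the `abrt_signal` insertion earlier in the file, so the net policy content appears unchanged; dropping the stray tab is the only thing I would fix here. The enclosing file section continues past the hunk.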
-@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
+@@ -193,7 +271,6 @@ interface(`abrt_manage_cache',`
  		type abrt_var_cache_t;
  	')
  
@@ -251,7 +269,7 @@ index 058d908..702b716 100644
  	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
  	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
  	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
+@@ -201,7 +278,7 @@ interface(`abrt_manage_cache',`
  
  ####################################
  ## <summary>
@@ -260,7 +278,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -220,7 +279,7 @@ interface(`abrt_read_config',`
+@@ -220,7 +297,7 @@ interface(`abrt_read_config',`
  
  ######################################
  ## <summary>
@@ -269,7 +287,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',`
+@@ -258,8 +335,7 @@ interface(`abrt_read_pid_files',`
  
  ######################################
  ## <summary>
@@ -279,7 +297,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',`
+@@ -276,10 +352,51 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -333,7 +351,7 @@ index 058d908..702b716 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +405,172 @@ interface(`abrt_manage_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -453,7 +471,7 @@ index 058d908..702b716 100644
 +    list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +    read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +    read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+')
+ ')
 +
 +
 +#####################################
@@ -474,7 +492,7 @@ index 058d908..702b716 100644
 +    list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +    read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
- ')
++')
 +
 +########################################
 +## <summary>
@@ -2356,7 +2374,7 @@ index 6f1384c..9f23456 100644
  	rpm_domtrans(anaconda_t)
 diff --git a/antivirus.fc b/antivirus.fc
 new file mode 100644
-index 0000000..e44bff0
+index 0000000..9d5214b
 --- /dev/null
 +++ b/antivirus.fc
 @@ -0,0 +1,43 @@
@@ -2381,10 +2399,10 @@ index 0000000..e44bff0
 +
 +/var/clamav(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
 +
-+
 +/var/amavis(/.*)?					gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/amavis(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/clamav(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/lib/clamav-unofficial-sigs(/.*)?   gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/clamd.*					gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/opt/f-secure(/.*)?				gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/spool/amavisd(/.*)?			gen_context(system_u:object_r:antivirus_db_t,s0)
@@ -3012,10 +3030,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..117a400 100644
+index 550a69e..a7b579a 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,204 @@
+@@ -1,161 +1,205 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3126,6 +3144,7 @@ index 550a69e..117a400 100644
 -
 -ifdef(`distro_suse',`
 -/usr/sbin/httpd2-.*	--	gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/htcacheclean      --  gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/lighttpd		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/nginx         --  gen_context(system_u:object_r:httpd_exec_t,s0)
 +/usr/sbin/php-fpm       --  gen_context(system_u:object_r:httpd_exec_t,s0)
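Review bot: Labeling `/usr/sbin/htcacheclean` as `httpd_exec_t` runs a cache-pruning utility in the full `httpd_t` domain when started from init, although from its purpose it presumably needs little beyond `httpd_cache_t` content; if it only ever runs as a transient cleanup job, a dedicated small domain would be the least-privilege option, but that is a design call I cannot settle from this hunk. Separately, the new line uses spaces to align its fields while the existing `/usr/sbin/lighttpd` entry next to it uses tabs; `/usr/sbin/htcacheclean	--	gen_context(system_u:object_r:httpd_exec_t,s0)` keeps the file consistent. The enclosing `ifdef` block starts and ends outside the hunk.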
@@ -36716,7 +36735,7 @@ index dd8e01a..9cd6b0b 100644
  ## <param name="domain">
  ##	<summary>
 diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..b88bbf3 100644
+index 7bab8e5..efdfd9d 100644
 --- a/logrotate.te
 +++ b/logrotate.te
 @@ -1,20 +1,18 @@
@@ -36920,7 +36939,18 @@ index 7bab8e5..b88bbf3 100644
  ')
  
  optional_policy(`
-@@ -178,7 +198,7 @@ optional_policy(`
+@@ -170,6 +190,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    dbus_system_bus_client(logrotate_t)
++')
++
++optional_policy(`
+ 	fail2ban_stream_connect(logrotate_t)
+ ')
+ 
+@@ -178,7 +202,7 @@ optional_policy(`
  ')
  
  optional_policy(`
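Review bot: The new `dbus_system_bus_client(logrotate_t)` call is indented with four spaces while the neighbouring `fail2ban_stream_connect(logrotate_t)` block uses a tab; `	dbus_system_bus_client(logrotate_t)` matches the file. Also, `dbus_system_bus_client` only permits connecting to the system bus; if the connection comes from runuser's PAM session setup as the changelog suggests, the follow-up method calls to the target service (logind, presumably) would still need the matching `*_dbus_chat` interface, which I cannot confirm from this hunk.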
@@ -36929,7 +36959,7 @@ index 7bab8e5..b88bbf3 100644
  ')
  
  optional_policy(`
-@@ -198,21 +218,26 @@ optional_policy(`
+@@ -198,21 +222,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36943,24 +36973,24 @@ index 7bab8e5..b88bbf3 100644
 -	openvswitch_read_pid_files(logrotate_t)
 -	openvswitch_domtrans(logrotate_t)
 +	polipo_named_filetrans_log_files(logrotate_t)
-+')
-+
-+optional_policy(`
-+	psad_domtrans(logrotate_t)
  ')
  
  optional_policy(`
 -	polipo_log_filetrans_log(logrotate_t, file, "polipo")
-+    rabbitmq_domtrans_beam(logrotate_t)
++	psad_domtrans(logrotate_t)
  ')
  
  optional_policy(`
 -	psad_domtrans(logrotate_t)
++    rabbitmq_domtrans_beam(logrotate_t)
++')
++
++optional_policy(`
 +	raid_domtrans_mdadm(logrotate_t)
  ')
  
  optional_policy(`
-@@ -228,10 +253,20 @@ optional_policy(`
+@@ -228,10 +257,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36981,7 +37011,7 @@ index 7bab8e5..b88bbf3 100644
  	su_exec(logrotate_t)
  ')
  
-@@ -241,13 +276,11 @@ optional_policy(`
+@@ -241,13 +280,11 @@ optional_policy(`
  
  #######################################
  #
@@ -37561,10 +37591,10 @@ index 0000000..da30c5d
 +')
 diff --git a/lsm.te b/lsm.te
 new file mode 100644
-index 0000000..9e92442
+index 0000000..a174f4b
 --- /dev/null
 +++ b/lsm.te
-@@ -0,0 +1,63 @@
+@@ -0,0 +1,65 @@
 +policy_module(lsm, 1.0.0)
 +
 +########################################
@@ -37627,6 +37657,8 @@ index 0000000..9e92442
 +
 +corecmd_exec_bin(lsmd_plugin_t)
 +
++logging_send_syslog_msg(lsmd_plugin_t)
++
 +sysnet_read_config(lsmd_plugin_t)
 diff --git a/mailman.fc b/mailman.fc
 index 7fa381b..bbe6b01 100644
@@ -47864,7 +47896,7 @@ index 0e8508c..ee2e3de 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..b5c140b 100644
+index 0b48a30..e61d367 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -47920,7 +47952,7 @@ index 0b48a30..b5c140b 100644
 -allow NetworkManager_t self:unix_dgram_socket sendto;
 -allow NetworkManager_t self:unix_stream_socket { accept listen };
 +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
-+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
++allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };
  allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
 +allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
  allow NetworkManager_t self:netlink_socket create_socket_perms;
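Review bot: The rewritten rule `allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };` is missing the space before `{`, unlike every other rule in this hunk; `allow NetworkManager_t self:unix_stream_socket { create_stream_socket_perms connectto };` is the conventional form. The policy parser will most likely still accept it, so this is style only. Note that this NetworkManager change is not mentioned anywhere in the commit message or the spec changelog, so it is easy to miss when reading the history.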
@@ -56010,7 +56042,7 @@ index 96db654..ff3aadd 100644
 +	virt_rw_svirt_dev(pcscd_t)
 +')
 diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..87bda41 100644
+index dfd46e4..6b5b74b 100644
 --- a/pegasus.fc
 +++ b/pegasus.fc
 @@ -1,15 +1,25 @@
@@ -56042,7 +56074,7 @@ index dfd46e4..87bda41 100644
 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt --  gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
-+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
 +/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt     --  gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
 +
 +
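Review bot: The Realmd provider is relabeled to `pegasus_openlmi_services_exec_t` (plural), but the alias this commit adds in pegasus.te, `typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;`, declares the singular `pegasus_openlmi_service_exec_t`. Unless the plural type is declared somewhere outside this diff, this file context names an undefined type and the policy build or `setfiles` will reject it; the pegasus.te hunk later in this patch is the other place the name appears. I would change this line to `/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt      --  gen_context(system_u:object_r:pegasus_openlmi_service_exec_t,s0)` to match the alias. The move of the Realmd provider out of the admin exec type is also not covered by the changelog, so its rationale is not recoverable from the commit.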
@@ -56148,7 +56180,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..801965a 100644
+index 7bcf327..252377d 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -56172,13 +56204,14 @@ index 7bcf327..801965a 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,277 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,278 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
 +# pegasus openlmi providers
 +pegasus_openlmi_domain_template(admin)
 +typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
++typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t;
 +
 +pegasus_openlmi_domain_template(account)
 +domain_obj_id_change_exemption(pegasus_openlmi_account_t)
@@ -56455,7 +56488,7 @@ index 7bcf327..801965a 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +310,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +311,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -56486,7 +56519,7 @@ index 7bcf327..801965a 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +336,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +337,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -56519,7 +56552,7 @@ index 7bcf327..801965a 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,9 +364,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +365,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -56531,7 +56564,7 @@ index 7bcf327..801965a 100644
  
  files_list_var_lib(pegasus_t)
  files_read_var_lib_files(pegasus_t)
-@@ -128,18 +380,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +381,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -56567,7 +56600,7 @@ index 7bcf327..801965a 100644
  ')
  
  optional_policy(`
-@@ -151,16 +414,24 @@ optional_policy(`
+@@ -151,16 +415,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56596,7 +56629,7 @@ index 7bcf327..801965a 100644
  ')
  
  optional_policy(`
-@@ -168,7 +439,7 @@ optional_policy(`
+@@ -168,7 +440,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70775,11 +70808,30 @@ index 5ddedbc..4e15f29 100644
 +		milter_manage_spamass_state(razor_t)
 +	')
  ')
+diff --git a/rdisc.fc b/rdisc.fc
+index e9765c0..ea21331 100644
+--- a/rdisc.fc
++++ b/rdisc.fc
+@@ -1,3 +1,3 @@
+-/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
++/usr/lib/systemd/system/rdisc.*         --      gen_context(system_u:object_r:rdisc_unit_file_t,s0)
+ 
+ /usr/sbin/rdisc	--	gen_context(system_u:object_r:rdisc_exec_t,s0)
 diff --git a/rdisc.te b/rdisc.te
-index 9196c1d..3dac4d9 100644
+index 9196c1d..b775931 100644
 --- a/rdisc.te
 +++ b/rdisc.te
-@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t)
+@@ -9,6 +9,9 @@ type rdisc_t;
+ type rdisc_exec_t;
+ init_daemon_domain(rdisc_t, rdisc_exec_t)
+ 
++type rdisc_unit_file_t;
++systemd_unit_file(rdisc_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t)
  kernel_read_proc_symlinks(rdisc_t)
  kernel_read_kernel_sysctls(rdisc_t)
  
@@ -70787,7 +70839,7 @@ index 9196c1d..3dac4d9 100644
  corenet_all_recvfrom_netlabel(rdisc_t)
  corenet_udp_sendrecv_generic_if(rdisc_t)
  corenet_raw_sendrecv_generic_if(rdisc_t)
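Review bot: In rdisc.fc the new `/usr/lib/systemd/system/rdisc.*` entry leaves the dot unescaped, so it matches any file starting with `rdisc` in that directory; `/usr/lib/systemd/system/rdisc\..*  --  gen_context(system_u:object_r:rdisc_unit_file_t,s0)` keeps the literal dot. The same hunk drops the `/sbin/rdisc` entry, which is presumably fine on a merged-/usr system where /sbin is a symlink, but that is not stated in the changelog. The rdisc.te part declares `rdisc_unit_file_t` via `systemd_unit_file`, while no rdisc.if change appears in this diff, so nothing but the labeling itself is exposed to other domains yet; that may be intended. The rdisc.te local-policy block continues past the hunk.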
-@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t)
+@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t)
  
  domain_use_interactive_fds(rdisc_t)
  
@@ -76180,10 +76232,10 @@ index c49828c..56cb0c2 100644
  sysnet_dns_name_resolve(rpcbind_t)
  
 diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..6392cad 100644
+index ebe91fc..576ca21 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -1,61 +1,72 @@
+@@ -1,61 +1,74 @@
 -/bin/rpm	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/etc/rc\.d/init\.d/bcfg2	--	gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -76213,6 +76265,8 @@ index ebe91fc..6392cad 100644
  /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt  --  gen_context(system_u:object_r:rpm_exec_t,s0)
++
++/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
  
 -/usr/sbin/bcfg2	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 -/usr/sbin/pirut	--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -76231,25 +76285,14 @@ index ebe91fc..6392cad 100644
 -/usr/sbin/synaptic	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 -/var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 -/var/lib/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
--')
-+/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
--/usr/share/yumex/yumex-yum-backend	--	gen_context(system_u:object_r:rpm_exec_t,s0)
--/usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/yum-cron		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
--/var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
--/var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
++
 +/usr/share/yumex/yumex-yum-backend --	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
--/var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
--/var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
--/var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
--/var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
++
 +ifdef(`distro_redhat', `
 +/usr/sbin/bcfg2				--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/package-cleanup	--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -76263,31 +76306,41 @@ index ebe91fc..6392cad 100644
 +/usr/sbin/synaptic		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/apt-get		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/apt-shell		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+')
-+
+ ')
+ 
+-/usr/share/yumex/yumex-yum-backend	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+-/usr/share/yumex/yum_childtask\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
 +/var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 +/var/cache/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
--/var/lock/bcfg2\.run	--	gen_context(system_u:object_r:rpm_lock_t,s0)
+-/var/cache/bcfg2(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
+-/var/cache/yum(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
 +/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/dnf(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
  
+-/var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/rpm(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/YaST2(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
+-/var/lib/yum(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
++/var/log/up2date.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
+ 
+-/var/lock/bcfg2\.run	--	gen_context(system_u:object_r:rpm_lock_t,s0)
+ 
 -/var/log/YaST2(/.*)?	gen_context(system_u:object_r:rpm_log_t,s0)
 -/var/log/yum\.log.*	--	gen_context(system_u:object_r:rpm_log_t,s0)
-+/var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
++/var/spool/up2date(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
 -/var/spool/up2date(/.*)?	gen_context(system_u:object_r:rpm_var_cache_t,s0)
-+/var/spool/up2date(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
++/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
++/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
  
 -/var/run/yum.*	--	gen_context(system_u:object_r:rpm_var_run_t,s0)
 -/var/run/PackageKit(/.*)?	gen_context(system_u:object_r:rpm_var_run_t,s0)
-+/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
-+/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
-+
 +# SuSE
 +ifdef(`distro_suse', `
 +/usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -85653,7 +85706,7 @@ index 634c6b4..e1edfd9 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index 703efa3..0cce7d0 100644
+index 703efa3..fee904f 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
@@ -85740,7 +85793,7 @@ index 703efa3..0cce7d0 100644
  files_read_var_lib_files(sosreport_t)
  files_read_var_symlinks(sosreport_t)
  files_read_kernel_modules(sosreport_t)
-@@ -79,27 +107,43 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -79,27 +107,44 @@ files_manage_etc_runtime_files(sosreport_t)
  files_etc_filetrans_etc_runtime(sosreport_t, file)
  
  fs_getattr_all_fs(sosreport_t)
@@ -85780,6 +85833,7 @@ index 703efa3..0cce7d0 100644
  	abrt_manage_pid_files(sosreport_t)
  	abrt_manage_cache(sosreport_t)
 +	abrt_stream_connect(sosreport_t)
++    abrt_signal(sosreport_t)
 +')
 +
 +optional_policy(`
@@ -85787,7 +85841,7 @@ index 703efa3..0cce7d0 100644
  ')
  
  optional_policy(`
-@@ -111,6 +155,15 @@ optional_policy(`
+@@ -111,6 +156,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -85803,7 +85857,7 @@ index 703efa3..0cce7d0 100644
  	fstools_domtrans(sosreport_t)
  ')
  
-@@ -120,6 +173,10 @@ optional_policy(`
+@@ -120,6 +174,10 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(sosreport_t)
  	')
@@ -85814,16 +85868,26 @@ index 703efa3..0cce7d0 100644
  ')
  
  optional_policy(`
-@@ -141,5 +198,9 @@ optional_policy(`
+@@ -135,9 +193,16 @@ optional_policy(`
  ')
  
  optional_policy(`
-+    setroubleshoot_signull(sosreport_t)
+-	rpm_exec(sosreport_t)
+-	rpm_dontaudit_manage_db(sosreport_t)
+-	rpm_read_db(sosreport_t)
++    rpm_dontaudit_manage_db(sosreport_t)
++    rpm_manage_cache(sosreport_t)
++    rpm_manage_log(sosreport_t)
++    rpm_manage_pid_files(sosreport_t)
++    rpm_read_db(sosreport_t)
++    rpm_signull(sosreport_t)
 +')
 +
 +optional_policy(`
- 	xserver_stream_connect(sosreport_t)
++    setroubleshoot_signull(sosreport_t)
  ')
+ 
+ optional_policy(`
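Review bot: `rpm_exec(sosreport_t)` is removed from the rpm block without any mention in the commit message or changelog, and the replacement lines do not obviously restore the ability to execute rpm_exec_t binaries, so unless sosreport gets that via another path outside this diff, `rpm -qa`-style collection may now be denied. The added `rpm_manage_cache`, `rpm_manage_log` and `rpm_manage_pid_files` grant write access to rpm cache, log and pid files to a reporting tool that, as far as I can tell from here, only needs to read them; if the AVCs only showed read or getattr, the corresponding `rpm_read_*` interfaces would be the least-privilege choice. The new lines also use four-space indentation where the removed ones used tabs. The block's end is outside the hunk.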
 diff --git a/soundserver.if b/soundserver.if
 index a5abc5a..b9eff74 100644
 --- a/soundserver.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4e5069b..9979122 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 107%{?dist}
+Release: 108%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -573,6 +573,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Dec 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-108
+- Allow sosreport to send a signal to ABRT
+- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t
+- Label /usr/sbin/htcacheclean as httpd_exec_t
+- Added support for rdisc unit file
+- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
+- Allow runuser running as logrotate connections to system DBUS
+- Label bcache devices as fixed_disk_device_t
+- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
+- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
+
 * Mon Dec 2 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-107
 - Add back setpgid/setsched for sosreport_t
 

