[selinux-policy/f20] * Tue Jan 21 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-120 - Allow apache to write to the ownclo

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jan 21 20:57:15 UTC 2014


commit ae2eb0c592f4cfc6b04f750fabac022f2620f340
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jan 21 21:57:19 2014 +0100

    * Tue Jan 21 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-120
    - Allow apache to write to the owncloud data directory in /var/www/html...
    - Allow consolekit to create log dir
    - Add support for icinga CGI scripts
    - Add support for icinga
    - Allow kdumpctl_t to create kdump lock file
    - Allow kdump to create lnk lock file
    - Allow nscd_t block_suspend capability
    - Allow unconfined domain types to manage own transient unit file
    - Allow systemd domains to handle transient init unit files
    - Add interfaces to handle transient

 policy-f20-base.patch    |   93 ++++++++++++++++++++++++++++++++++++++---
 policy-f20-contrib.patch |  104 +++++++++++++++++++++++++++++-----------------
 selinux-policy.spec      |   19 ++++++--
 3 files changed, 166 insertions(+), 50 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 4a3079c..cb0663f 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -8888,7 +8888,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..8f294d2 100644
+index cf04cb5..61b53bc 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -9006,7 +9006,7 @@ index cf04cb5..8f294d2 100644
  ')
  
  ########################################
-@@ -147,12 +207,18 @@ optional_policy(`
+@@ -147,12 +207,21 @@ optional_policy(`
  # Use/sendto/connectto sockets created by any domain.
  allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  
@@ -9017,6 +9017,9 @@ index cf04cb5..8f294d2 100644
  
 +allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
 +
++# Allow manage transient unit files
++allow unconfined_domain_type self:service manage_service_perms;
++
  # Act upon any other process.
 -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
 +allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
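Review bot: The comment introduced above the new `self:service` rule, `# Allow manage transient unit files`, is ungrammatical and does not name what the rule actually covers. Suggest `# Allow unconfined domains to manage (start/stop/reload/status/...) their own service objects, e.g. transient unit files` so the reader sees that the grant is the whole `manage_service_perms` set on `self:service`, not just creation of unit files. The surrounding `optional_policy` block begins and ends outside this hunk.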
@@ -9026,7 +9029,7 @@ index cf04cb5..8f294d2 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +232,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +235,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -26925,7 +26928,7 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..197d939 100644
+index 24e7804..45d0b37 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -27907,7 +27910,7 @@ index 24e7804..197d939 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2338,360 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2338,432 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -28249,6 +28252,78 @@ index 24e7804..197d939 100644
 +
 +########################################
 +## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_start_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service start;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_stop_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service stop;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_reload_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service reload;
++')
++
++########################################
++## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_status_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service status;
++')
++
++########################################
++## <summary>
 +##	Transition to init named content
 +## </summary>
 +## <param name="domain">
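Review bot: All four new interfaces (`init_start_transient_unit`, `init_stop_transient_unit`, `init_reload_transient_unit`, `init_status_transient_unit`) carry the copy-pasted placeholder summary `##	Tell init to do an unknown access.`, which tells callers nothing about the grant. Each one allows exactly one permission on `init_t:service`, so the summaries should say so, e.g. `##	Allow the specified domain to start transient units via init.` and the stop/reload/status equivalents. Note that the object is `init_t:service` rather than a unit-file type, so the rule itself does not limit the call to transient units — presumably units with no on-disk file are labeled with init's own context, but that rationale is worth stating in the summary so the actual scope of the grant is clear.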
@@ -38113,10 +38188,10 @@ index 0000000..1d9bdfd
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..2109915
+index 0000000..0ad142f
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,653 @@
+@@ -0,0 +1,657 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -38758,6 +38833,10 @@ index 0000000..2109915
 +files_read_usr_files(systemd_domain)
 +
 +init_search_pid_dirs(systemd_domain)
++init_start_transient_unit(systemd_domain)
++init_stop_transient_unit(systemd_domain)
++init_status_transient_unit(systemd_domain)
++init_reload_transient_unit(systemd_domain)
 +
 +logging_stream_connect_syslog(systemd_domain)
 +
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 497806f..fe214bb 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -3067,10 +3067,10 @@ index 0000000..8ba9c95
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..fc53125 100644
+index 550a69e..908ec3b 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,206 @@
+@@ -1,161 +1,207 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3391,6 +3391,7 @@ index 550a69e..fc53125 100644
 +
 +/var/www/html(/.*)?/wp-content(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/html(/.*)?/uploads(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/owncloud/data(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
 +/var/www/moodledata(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
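Review bot: The new ownCloud entry is anchored to the literal path `/var/www/html/owncloud/data`, whereas the neighbouring rw-content entries (`/var/www/html(/.*)?/wp-content(/.*)?`, `/var/www/html(/.*)?/uploads(/.*)?`) match at any depth under the document root, so an ownCloud installed in a subdirectory or virtual-host directory gets no `httpd_sys_rw_content_t` label from this line. If that is intentional (keeping the writable area as narrow as possible), a one-line comment such as `# ownCloud data directory must be writable by httpd; only the default install path is labeled` would make the choice explicit for the next maintainer.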
@@ -14334,7 +14335,7 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..d11e25b 100644
+index 5f0c793..62ae9b2 100644
 --- a/consolekit.te
 +++ b/consolekit.te
 @@ -19,12 +19,16 @@ type consolekit_var_run_t;
@@ -14354,6 +14355,15 @@ index 5f0c793..d11e25b 100644
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket { accept listen };
+@@ -33,7 +37,7 @@ create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
++logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
+ 
+ manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+ manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 @@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t)
  
  domain_read_all_domains_state(consolekit_t)
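Review bot: The `logging_log_filetrans` change adds `dir` to the transition classes, but the visible rules for `consolekit_log_t` (`create_files_pattern`, `append_files_pattern`, `read_files_pattern`, `setattr_files_pattern`) only cover files; a filetrans alone does not grant `dir create` on `consolekit_log_t`. Unless a `manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` (or equivalent) exists outside this hunk, the "create log dir" goal from the changelog is only half implemented — please confirm against the rest of consolekit.te. The hunk starts mid-file-section, so the dir rule may simply be out of view.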
@@ -34325,7 +34335,7 @@ index 3a00b3a..21efcc4 100644
 +	allow $1 kdump_unit_file_t:service all_service_perms;
  ')
 diff --git a/kdump.te b/kdump.te
-index 70f3007..f8b68bf 100644
+index 70f3007..58bd992 100644
 --- a/kdump.te
 +++ b/kdump.te
 @@ -1,4 +1,4 @@
@@ -34334,7 +34344,7 @@ index 70f3007..f8b68bf 100644
  
  #######################################
  #
-@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t)
+@@ -12,35 +12,56 @@ init_system_domain(kdump_t, kdump_exec_t)
  type kdump_etc_t;
  files_config_file(kdump_etc_t)
  
@@ -34372,13 +34382,14 @@ index 70f3007..f8b68bf 100644
 +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
 +manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
 +files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
-+
-+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
  
 -allow kdump_t kdump_etc_t:file read_file_perms;
++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
++
 +manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
 +manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
-+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file })
++manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
++files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })
  
 -files_read_etc_files(kdump_t)
  files_read_etc_runtime_files(kdump_t)
@@ -34395,7 +34406,7 @@ index 70f3007..f8b68bf 100644
  dev_read_framebuffer(kdump_t)
  dev_read_sysfs(kdump_t)
  
-@@ -48,22 +68,32 @@ term_use_console(kdump_t)
+@@ -48,22 +69,35 @@ term_use_console(kdump_t)
  
  #######################################
  #
@@ -34409,12 +34420,14 @@ index 70f3007..f8b68bf 100644
 +
  allow kdumpctl_t self:capability { dac_override sys_chroot };
  allow kdumpctl_t self:process setfscreate;
--allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
++
+ allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
 -allow kdumpctl_t self:unix_stream_socket { accept listen };
++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
  
 -allow kdumpctl_t kdump_etc_t:file read_file_perms;
-+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
++manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t)
++files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump")
  
  manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
 +manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
@@ -34433,7 +34446,7 @@ index 70f3007..f8b68bf 100644
  
  kernel_read_system_state(kdumpctl_t)
  
-@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +105,56 @@ corecmd_exec_bin(kdumpctl_t)
  corecmd_exec_shell(kdumpctl_t)
  
  dev_read_sysfs(kdumpctl_t)
@@ -47959,41 +47972,51 @@ index 0000000..395c2fd
 +	mysql_tcp_connect(httpd_mythtv_script_t)
 +')
 diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..a00cc2d 100644
+index d78dfc3..1c81436 100644
 --- a/nagios.fc
 +++ b/nagios.fc
-@@ -1,88 +1,97 @@
+@@ -1,88 +1,109 @@
 -/etc/nagios(/.*)?	gen_context(system_u:object_r:nagios_etc_t,s0)
 -/etc/nagios/nrpe\.cfg	--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/nagios(/.*)?					gen_context(system_u:object_r:nagios_etc_t,s0)
++/etc/icinga(/.*)?					gen_context(system_u:object_r:nagios_etc_t,s0)
 +/etc/nagios/nrpe\.cfg				--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/rc\.d/init\.d/nagios			--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/nrpe				--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
  
 -/etc/rc\.d/init\.d/nagios	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/nrpe	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-+/usr/s?bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
-+/usr/s?bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/bin/nagios	--	gen_context(system_u:object_r:nagios_exec_t,s0)
 -/usr/bin/nrpe	--	gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/bin/icinga		        --	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/sbin/nagios	--	gen_context(system_u:object_r:nagios_exec_t,s0)
 -/usr/sbin/nrpe	--	gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
-+/var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/sbin/icinga		        --	gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/sbin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/lib/cgi-bin/nagios(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 -/usr/lib/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/icinga/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
  
 -/usr/lib/nagios/cgi(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 -/usr/lib/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/var/spool/nagios(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++/var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/icinga(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
  
 -/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/var/run/nagios.*					gen_context(system_u:object_r:nagios_var_run_t,s0)
++
++/var/spool/nagios(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++/var/spool/icinga(/.*)?					gen_context(system_u:object_r:nagios_spool_t,s0)
++
 +ifdef(`distro_debian',`
 +/usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
 +')
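Review bot: The new `/usr/bin/icinga` and `/usr/sbin/icinga` lines pad the type-specifier column with a mix of tabs and spaces (`icinga		        --`), while every sibling entry uses tabs only; please align them with tabs so the file stays consistent with `/usr/bin/nagios` and `/usr/sbin/nrpe` directly above. Separately, this hunk labels `/etc/icinga`, `/var/log/icinga` and `/var/spool/icinga` but no `/var/run/icinga.*` counterpart to `/var/run/nagios.*`; I cannot tell from here whether icinga writes a pid file there, so worth checking rather than assuming the nagios entry covers it.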
@@ -48013,9 +48036,9 @@ index d78dfc3..a00cc2d 100644
 -/usr/lib/nagios/plugins/check_mailq		--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
 +# mail plugins
 +/usr/lib/nagios/plugins/check_mailq	--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-+
-+/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
  
++/usr/lib/pnp4nagios(/.*)?			gen_context(system_u:object_r:nagios_var_lib_t,s0)
++
 +# system plugins
  /usr/lib/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
  /usr/lib/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
@@ -48106,10 +48129,11 @@ index d78dfc3..a00cc2d 100644
  
 -/var/run/nagios.*	--	gen_context(system_u:object_r:nagios_var_run_t,s0)
 -/var/run/nrpe.*	--	gen_context(system_u:object_r:nrpe_var_run_t,s0)
--
--/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
 +# eventhandlers
 +/usr/lib/nagios/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/usr/lib/icinga/plugins/eventhandlers(/.*)	gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+ 
+-/var/spool/nagios(/.*)?	gen_context(system_u:object_r:nagios_spool_t,s0)
 diff --git a/nagios.if b/nagios.if
 index 0641e97..d7d9a79 100644
 --- a/nagios.if
@@ -51233,7 +51257,7 @@ index 8f2ab09..6ab4ea1 100644
 +	allow $1 nscd_unit_file_t:service all_service_perms;
  ')
 diff --git a/nscd.te b/nscd.te
-index df4c10f..8c09c68 100644
+index df4c10f..fb50d4a 100644
 --- a/nscd.te
 +++ b/nscd.te
 @@ -1,36 +1,37 @@
@@ -51285,7 +51309,11 @@ index df4c10f..8c09c68 100644
  type nscd_log_t;
  logging_log_file(nscd_log_t)
  
-@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid };
+@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t)
+ #
+ 
+ allow nscd_t self:capability { kill setgid setuid };
++allow nscd_t self:capability2 block_suspend;
  dontaudit nscd_t self:capability sys_tty_config;
  allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
  allow nscd_t self:fifo_file read_fifo_file_perms;
@@ -51358,7 +51386,7 @@ index df4c10f..8c09c68 100644
  corenet_rw_tun_tap_dev(nscd_t)
  
  selinux_get_fs_mount(nscd_t)
-@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t)
+@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t)
  selinux_compute_create_context(nscd_t)
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
@@ -51383,7 +51411,7 @@ index df4c10f..8c09c68 100644
  userdom_dontaudit_use_user_terminals(nscd_t)
  userdom_dontaudit_use_unpriv_user_fds(nscd_t)
  userdom_dontaudit_search_user_home_dirs(nscd_t)
-@@ -121,20 +130,31 @@ optional_policy(`
+@@ -121,20 +131,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82793,7 +82821,7 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..e45c73a
+index 0000000..e30b346
 --- /dev/null
 +++ b/sandboxX.if
 @@ -0,0 +1,393 @@
@@ -82841,7 +82869,7 @@ index 0000000..e45c73a
 +	dontaudit sandbox_x_domain $1:fifo_file { read write };
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
-+	dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
++	dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
 +	dontaudit sandbox_x_domain $1:process { signal sigkill };
 +	
 +	allow $1 sandbox_tmpfs_type:file manage_file_perms;
@@ -83192,7 +83220,7 @@ index 0000000..e45c73a
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..4566e9b
+index 0000000..0161658
 --- /dev/null
 +++ b/sandboxX.te
 @@ -0,0 +1,498 @@
@@ -83479,6 +83507,10 @@ index 0000000..4566e9b
 +	fs_exec_fusefs_files(sandbox_x_domain)
 +')
 +
++optional_policy(`
++	networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
++')
++
 +files_search_home(sandbox_x_t)
 +userdom_use_user_ptys(sandbox_x_t)
 +
@@ -83635,10 +83667,6 @@ index 0000000..4566e9b
 +')
 +
 +optional_policy(`
-+	networkmanager_dontaudit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
 +	nsplugin_manage_rw(sandbox_web_type)
 +	nsplugin_read_rw_files(sandbox_web_type)
 +	nsplugin_rw_exec(sandbox_web_type)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b842728..cd8b928 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 119%{?dist}
+Release: 120%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,9 +579,20 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
-* Mon Jan 20 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-118
+* Tue Jan 21 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-120
+- Allow apache to write to the owncloud data directory in /var/www/html...
+- Allow consolekit to create log dir
+- Add support for icinga CGI scripts
+- Add support for icinga
+- Allow kdumpctl_t to create kdump lock file
+- Allow kdump to create lnk lock file
+- Allow nscd_t block_suspen capability
+- Allow unconfined domain types to manage own transient unit file
+- Allow systemd domains to handle transient init unit files
+- Add interfaces to handle transient
+
+* Mon Jan 20 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-119
 - Add cron unconfined role support for uncofined SELinux user
-- Call kernel_rw_usermodehelper_state() in init.te
 - Call corenet_udp_bind_all_ports() in milter.te
 - Allow fence_virtd to connect to zented port
 - Fix header for mirrormanager_admin()
@@ -594,11 +605,9 @@ SELinux Reference policy mls base module.
 - Allow bumblebee to stream connect to xserver
 - Allow bumblebee to send a signal to xserver
 - gnome-thumbnail to stream connect to bumblebee
-- Fix calling usermodehelper to use _state in interface name
 - Allow xkbcomp running as bumblebee_t to execute  bin_t
 - Allow logrotate to read squid.conf
 - Additional rules to get docker and lxc to play well with SELinux
-- Call kernel_read_usermodhelper/kernel_rw_usermodhelper
 - Allow bumbleed to connect to xserver port
 - Allow pegasus_openlmi_storage_t to read hwdata
 

