[selinux-policy/f19] * Tue Feb 11 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.18 - Allow mailserver_domains to manag

Lukas Vrabec lvrabec at fedoraproject.org
Tue Feb 11 21:06:42 UTC 2014


commit c277d5a3a3cb20de2d4412bf05dce25dc834e6ae
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Tue Feb 11 22:07:01 2014 +0100

    * Tue Feb 11 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.18
    - Allow mailserver_domains to manage and transition to mailman data
    - Fixed broken interface in milter policy
    - Allow dkim-milter to bind udp ports
    - Allow milter domains to send signull to themselves
    - Add labeling for /var/log/php_errors.log
    - Allow neutron domtrans to iptables
    - Allow fenced_t to bind on zented udp port

 policy-f19-contrib.patch |  102 +++++++++++++++++++++++++++++-----------------
 selinux-policy.spec      |   11 +++++-
 2 files changed, 74 insertions(+), 39 deletions(-)
---
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 9fdd91f..f12084f 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -2981,10 +2981,10 @@ index 0000000..a2cafbc
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 550a69e..0dfadc0 100644
+index 550a69e..0bbc8f5 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,161 +1,197 @@
+@@ -1,161 +1,198 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3227,6 +3227,7 @@ index 550a69e..0dfadc0 100644
  /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 -/var/log/z-push(/.*)?	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/log/php_errors\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/z-push(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +ifdef(`distro_debian', `
 +/var/log/horde2(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
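Review bot: The new `/var/log/php_errors\.log.*` entry gives the PHP error log httpd_log_t, which is the right choice over a web-writable content type, but nothing in the hunk shows that the domain actually writing it has append on httpd_log_t — if PHP runs under a separate php-fpm domain rather than httpd_t on this policy base, the label alone will not make the write succeed, so confirm against an AVC before relying on it. A one-line comment above the entry would also explain why a PHP log appears in apache.fc, e.g. `# default error_log target when PHP is configured to log outside the docroot`. The surrounding apache.fc listing continues outside this hunk.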
@@ -23365,7 +23366,7 @@ index 6041113..ef3b449 100644
  	role_transition $2 exim_initrc_exec_t system_r;
  	allow $2 system_r;
 diff --git a/exim.te b/exim.te
-index 19325ce..b5c157f 100644
+index 19325ce..3e86b12 100644
 --- a/exim.te
 +++ b/exim.te
 @@ -49,7 +49,7 @@ type exim_log_t;
@@ -23422,18 +23423,19 @@ index 19325ce..b5c157f 100644
  ')
  
  optional_policy(`
-@@ -192,8 +190,9 @@ optional_policy(`
+@@ -192,11 +190,6 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	mailman_read_data_files(exim_t)
-+	mailman_manage_data_files(exim_t)
- 	mailman_domtrans(exim_t)
-+	mailman_read_log(exim_t)
+-	mailman_domtrans(exim_t)
+-')
+-
+-optional_policy(`
+ 	nagios_search_spool(exim_t)
  ')
  
- optional_policy(`
-@@ -218,6 +217,7 @@ optional_policy(`
+@@ -218,6 +211,7 @@ optional_policy(`
  
  optional_policy(`
  	procmail_domtrans(exim_t)
@@ -38048,10 +38050,10 @@ index cba62db..562833a 100644
 +	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 92508b2..2213a03 100644
+index 92508b2..9c51c34 100644
 --- a/milter.te
 +++ b/milter.te
-@@ -1,77 +1,117 @@
+@@ -1,77 +1,121 @@
 -policy_module(milter, 1.4.2)
 +policy_module(milter, 1.4.0)
  
@@ -38098,6 +38100,8 @@ index 92508b2..2213a03 100644
  allow milter_domains self:fifo_file rw_fifo_file_perms;
 -allow milter_domains self:tcp_socket { accept listen };
 +
++allow milter_domains self:process signull;
++
 +# Allow communication with MTA over a TCP socket
 +allow milter_domains self:tcp_socket create_stream_socket_perms;
  
@@ -38139,6 +38143,8 @@ index 92508b2..2213a03 100644
 +
 +kernel_read_kernel_sysctls(dkim_milter_t)
 +
++corenet_udp_bind_all_ports(dkim_milter_t)
++
 +auth_use_nsswitch(dkim_milter_t)
 +
 +sysnet_dns_name_resolve(dkim_milter_t)
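Review bot: `corenet_udp_bind_all_ports(dkim_milter_t)` grants name_bind on every defined UDP port type, reserved ones included, which is far broader than the changelog entry "Allow dkim-milter to bind udp ports" requires. If the denial behind this was the resolver picking an ephemeral source port, that is normally satisfied by the generic node/port bind (`corenet_udp_bind_generic_node(dkim_milter_t)` plus `corenet_udp_bind_generic_port(dkim_milter_t)`), and if a specific listening port is needed the matching `corenet_udp_bind_<port>_port` interface should be used instead. Narrowing it keeps a compromised milter from squatting on ports that belong to other services. The dkim_milter_t local policy continues outside this hunk, so it is not visible here whether a generic node bind is already present.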
@@ -38197,7 +38203,7 @@ index 92508b2..2213a03 100644
  
  optional_policy(`
  	mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +119,45 @@ optional_policy(`
+@@ -79,30 +123,45 @@ optional_policy(`
  
  ########################################
  #
@@ -42818,7 +42824,7 @@ index ed81cac..566684a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..4ab8177 100644
+index afd2fad..09ebbbe 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -43025,11 +43031,11 @@ index afd2fad..4ab8177 100644
 +
 +allow system_mail_t mail_home_t:file manage_file_perms;
 +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
- 
--userdom_use_user_terminals(system_mail_t)
 +
-+logging_append_all_logs(system_mail_t)
 +
++logging_append_all_logs(system_mail_t)
+ 
+-userdom_use_user_terminals(system_mail_t)
 +logging_send_syslog_msg(system_mail_t)
  
  optional_policy(`
@@ -43235,7 +43241,7 @@ index afd2fad..4ab8177 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -387,24 +277,165 @@ optional_policy(`
+@@ -387,24 +277,173 @@ optional_policy(`
  
  ########################################
  #
@@ -43408,6 +43414,14 @@ index afd2fad..4ab8177 100644
 +	antivirus_stream_connect(user_mail_domain)
 +	antivirus_stream_connect(mta_user_agent)
 +')
++
++optional_policy(`
++	mailman_manage_data_files(mailserver_domain)
++	mailman_domtrans(mailserver_domain)
++	mailman_append_log(mailserver_domain)
++	mailman_read_log(mailserver_domain)
++')
++
 diff --git a/munin.fc b/munin.fc
 index eb4b72a..4968324 100644
 --- a/munin.fc
@@ -66847,10 +66861,10 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 769d1fd..801835e 100644
+index 769d1fd..0a85601 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -1,96 +1,109 @@
+@@ -1,96 +1,113 @@
 -policy_module(quantum, 1.0.2)
 +policy_module(quantum, 1.0.3)
  
@@ -66988,31 +67002,35 @@ index 769d1fd..801835e 100644
  
  optional_policy(`
 -	brctl_domtrans(quantum_t)
-+	mysql_stream_connect(neutron_t)
-+	mysql_read_config(neutron_t)
-+
-+	mysql_tcp_connect(neutron_t)
++    iptables_domtrans(neutron_t)
  ')
  
  optional_policy(`
 -	mysql_stream_connect(quantum_t)
 -	mysql_read_config(quantum_t)
-+	postgresql_stream_connect(neutron_t)
-+	postgresql_unpriv_client(neutron_t)
++	mysql_stream_connect(neutron_t)
++	mysql_read_config(neutron_t)
  
 -	mysql_tcp_connect(quantum_t)
-+	postgresql_tcp_connect(neutron_t)
++	mysql_tcp_connect(neutron_t)
  ')
  
  optional_policy(`
 -	postgresql_stream_connect(quantum_t)
 -	postgresql_unpriv_client(quantum_t)
-+    openvswitch_domtrans(neutron_t)
-+    openvswitch_stream_connect(neutron_t)
++	postgresql_stream_connect(neutron_t)
++	postgresql_unpriv_client(neutron_t)
++
++	postgresql_tcp_connect(neutron_t)
 +')
  
 -	postgresql_tcp_connect(quantum_t)
 +optional_policy(`
++    openvswitch_domtrans(neutron_t)
++    openvswitch_stream_connect(neutron_t)
++')
++
++optional_policy(`
 +	sudo_exec(neutron_t)
  ')
 diff --git a/quota.fc b/quota.fc
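Review bot: The new `iptables_domtrans(neutron_t)` line, like the `openvswitch_*` lines further down, is indented with four spaces while every other rule in this hunk uses a tab; refpolicy indents the body of `optional_policy` blocks with a tab, so the line should read `\tiptables_domtrans(neutron_t)` and the openvswitch pair should be fixed the same way. On substance, the transition lets neutron_t run iptables in iptables_t and so rewrite the host firewall, which is plausible for the neutron agents but is a notable grant next to the existing `sudo_exec(neutron_t)`; a short comment above the block, e.g. `# neutron agents program firewall rules through iptables`, would make the reason auditable later.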
@@ -70569,7 +70587,7 @@ index 56bc01f..b8d154e 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..a499664 100644
+index 2c2de9a..983d2dc 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -70939,7 +70957,15 @@ index 2c2de9a..a499664 100644
  
  corecmd_exec_bin(fenced_t)
  corecmd_exec_shell(fenced_t)
-@@ -148,9 +429,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -140,6 +421,7 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+ 
+ corenet_sendrecv_zented_server_packets(fenced_t)
+ corenet_tcp_bind_zented_port(fenced_t)
++corenet_udp_bind_zented_port(fenced_t)
+ corenet_tcp_sendrecv_zented_port(fenced_t)
+ 
+ corenet_sendrecv_http_client_packets(fenced_t)
+@@ -148,9 +430,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
  
  dev_read_sysfs(fenced_t)
  dev_read_urand(fenced_t)
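Review bot: `corenet_udp_bind_zented_port(fenced_t)` is added without a matching `corenet_udp_sendrecv_zented_port(fenced_t)`, whereas the TCP rules two lines above pair the bind with a sendrecv; on this policy base the port sendrecv permission may still be checked, so the socket could bind and then be denied on send/recv. Adding `corenet_udp_sendrecv_zented_port(fenced_t)` beside the bind keeps the two protocols consistent. The hunk also does not show whether fenced_t already has `corenet_udp_bind_generic_node`, which a UDP name_bind needs as well; that belongs to the earlier part of the fenced_t block outside this hunk. A comment naming the fence agent that listens on the zented UDP port would help, since the surrounding rules do not say which one needs it.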
@@ -70950,7 +70976,7 @@ index 2c2de9a..a499664 100644
  
  storage_raw_read_fixed_disk(fenced_t)
  storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +439,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +440,7 @@ term_getattr_pty_fs(fenced_t)
  term_use_generic_ptys(fenced_t)
  term_use_ptmx(fenced_t)
  
@@ -70959,7 +70985,7 @@ index 2c2de9a..a499664 100644
  
  tunable_policy(`fenced_can_network_connect',`
  	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +461,8 @@ optional_policy(`
+@@ -182,7 +462,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70969,7 +70995,7 @@ index 2c2de9a..a499664 100644
  ')
  
  optional_policy(`
-@@ -190,12 +470,12 @@ optional_policy(`
+@@ -190,12 +471,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70985,7 +71011,7 @@ index 2c2de9a..a499664 100644
  ')
  
  optional_policy(`
-@@ -203,6 +483,13 @@ optional_policy(`
+@@ -203,6 +484,13 @@ optional_policy(`
  	snmp_manage_var_lib_dirs(fenced_t)
  ')
  
@@ -70999,7 +71025,7 @@ index 2c2de9a..a499664 100644
  #######################################
  #
  # foghorn local policy
-@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +509,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
  corenet_tcp_connect_agentx_port(foghorn_t)
  corenet_tcp_sendrecv_agentx_port(foghorn_t)
  
@@ -71020,7 +71046,7 @@ index 2c2de9a..a499664 100644
  	snmp_stream_connect(foghorn_t)
  ')
  
-@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +547,8 @@ storage_getattr_removable_dev(gfs_controld_t)
  
  init_rw_script_tmp_files(gfs_controld_t)
  
@@ -71029,7 +71055,7 @@ index 2c2de9a..a499664 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +567,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -71071,7 +71097,7 @@ index 2c2de9a..a499664 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +642,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 31a2015..8d1929d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 74.17%{?dist}
+Release: 74.18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -542,6 +542,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Feb 11 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.18
+- Allow mailserver_domains to manage and transition to mailman data
+- Fixed broken interface in milter policy
+- Allow dkim-milter to bind udp ports
+- Allow milter domains to send signull itself
+- Add labeling for /var/log/php_errors.log
+- Allow neutron domtrans to iptables
+- Allow fenced_t to bind on zented udp port
+
 * Fri Jan 10 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.17
 - Allow polipo to connect to http_cache_ports
 - Add new access for mythtv

