[selinux-policy/f20] * Fri Mar 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-138 - Make rtas_errd_t as unconfined doma
Lukas Vrabec
lvrabec at fedoraproject.org
Fri Mar 14 11:53:57 UTC 2014
commit 5c1b9a43d7f49d1b1e514b3ef74f424deaafb58f
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Fri Mar 14 12:53:26 2014 +0100
* Fri Mar 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-138
- Make rtas_errd_t an unconfined domain for F20. It needs additional
fixes; it runs rpm at least.
- Allow net_admin cap for fence_virtd running as fenced_t
- Make abrt-java-connector working
- Make cimtest script 03_defineVS.py of ComputerSystem group working
- Fix git_system_enable_homedirs boolean
- Allow munin mail plugins to read network sysctl
policy-f20-contrib.patch | 290 +++++++++++++++++++++++++++-------------------
selinux-policy.spec | 10 ++-
2 files changed, 180 insertions(+), 120 deletions(-)
---
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 6efd3be..ccff28f 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -27330,7 +27330,7 @@ index 1e29af1..6c64f55 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index 93b0301..f719b0a 100644
+index 93b0301..7db7bdd 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -27393,17 +27393,18 @@ index 93b0301..f719b0a 100644
files_search_var_lib(git_system_t)
auth_use_nsswitch(git_system_t)
-@@ -165,6 +162,9 @@ logging_send_syslog_msg(git_system_t)
+@@ -165,6 +162,10 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
+ list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
++ list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
+ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -255,12 +255,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -255,12 +256,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@@ -43969,7 +43970,7 @@ index 6194b80..03c6414 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..bf0f92d 100644
+index 6a306ee..f238761 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -44415,7 +44416,7 @@ index 6a306ee..bf0f92d 100644
')
optional_policy(`
-@@ -300,259 +326,243 @@ optional_policy(`
+@@ -300,259 +326,247 @@ optional_policy(`
########################################
#
@@ -44678,12 +44679,12 @@ index 6a306ee..bf0f92d 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -44707,26 +44708,28 @@ index 6a306ee..bf0f92d 100644
-ifndef(`enable_mls',`
- fs_list_dos(mozilla_plugin_t)
- fs_read_dos_files(mozilla_plugin_t)
--
-- fs_search_removable(mozilla_plugin_t)
-- fs_read_removable_files(mozilla_plugin_t)
-- fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_read_user_home_content_files(mozilla_plugin_t)
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
+userdom_read_home_certs(mozilla_plugin_t)
+userdom_read_home_audio_files(mozilla_plugin_t)
+userdom_exec_user_tmp_files(mozilla_plugin_t)
-- fs_read_iso9660_files(mozilla_plugin_t)
--')
+- fs_search_removable(mozilla_plugin_t)
+- fs_read_removable_files(mozilla_plugin_t)
+- fs_read_removable_symlinks(mozilla_plugin_t)
+userdom_home_manager(mozilla_plugin_t)
--tunable_policy(`allow_execmem',`
-- allow mozilla_plugin_t self:process execmem;
+- fs_read_iso9660_files(mozilla_plugin_t)
+tunable_policy(`mozilla_plugin_can_network_connect',`
+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
')
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_t self:process execmem;
++optional_policy(`
++ abrt_stream_connect(mozilla_plugin_t)
+ ')
+
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_t self:process { execmem execstack };
+optional_policy(`
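Review bot: The new `optional_policy(` abrt_stream_connect(mozilla_plugin_t) ')` block carries no comment naming the consumer that needs the abrt socket, and the only rationale is the "Make abrt-java-connector working" line in the changelog; a reader of mozilla.te alone cannot tell why a browser plugin domain may connect to abrt. Suggest a one-line comment above the block, e.g. `# for abrt-java-connector (see changelog 3.12.1-138)`. The remainder of this hunk only moves the already-removed `allow_execmem` tunable block within the outer patch and adds nothing else to the net policy. The mozilla_plugin_t policy block continues outside the hunk.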
@@ -44808,7 +44811,7 @@ index 6a306ee..bf0f92d 100644
')
optional_policy(`
-@@ -560,7 +570,11 @@ optional_policy(`
+@@ -560,7 +574,11 @@ optional_policy(`
')
optional_policy(`
@@ -44821,7 +44824,7 @@ index 6a306ee..bf0f92d 100644
')
optional_policy(`
-@@ -568,108 +582,131 @@ optional_policy(`
+@@ -568,108 +586,131 @@ optional_policy(`
')
optional_policy(`
@@ -47494,7 +47497,7 @@ index b744fe3..4c1b6a8 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index 97370e4..bd217aa 100644
+index 97370e4..e53abbb 100644
--- a/munin.te
+++ b/munin.te
@@ -37,44 +37,47 @@ munin_plugin_template(disk)
@@ -47647,7 +47650,7 @@ index 97370e4..bd217aa 100644
####################################
#
# Mail local policy
-@@ -275,27 +273,36 @@ optional_policy(`
+@@ -275,27 +273,38 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
@@ -47656,6 +47659,8 @@ index 97370e4..bd217aa 100644
+
rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
++kernel_read_net_sysctls(mail_munin_plugin_t)
++
dev_read_urand(mail_munin_plugin_t)
logging_read_generic_logs(mail_munin_plugin_t)
@@ -47688,7 +47693,7 @@ index 97370e4..bd217aa 100644
')
optional_policy(`
-@@ -320,6 +327,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -320,6 +329,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -47698,7 +47703,7 @@ index 97370e4..bd217aa 100644
corenet_sendrecv_all_client_packets(services_munin_plugin_t)
corenet_tcp_connect_all_ports(services_munin_plugin_t)
corenet_tcp_connect_http_port(services_munin_plugin_t)
-@@ -331,7 +341,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -331,7 +343,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
@@ -47707,7 +47712,7 @@ index 97370e4..bd217aa 100644
')
optional_policy(`
-@@ -353,7 +363,11 @@ optional_policy(`
+@@ -353,7 +365,11 @@ optional_policy(`
')
optional_policy(`
@@ -47720,7 +47725,7 @@ index 97370e4..bd217aa 100644
')
optional_policy(`
-@@ -385,6 +399,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -385,6 +401,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -47728,7 +47733,7 @@ index 97370e4..bd217aa 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +428,31 @@ optional_policy(`
+@@ -413,3 +430,31 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -59613,7 +59618,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..230c9af 100644
+index 7bcf327..225cd64 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -60110,6 +60115,14 @@ index 7bcf327..230c9af 100644
')
optional_policy(`
+@@ -180,6 +491,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ virt_getattr_images(pegasus_t)
+ virt_domtrans(pegasus_t)
+ virt_stream_connect(pegasus_t)
+ virt_manage_config(pegasus_t)
diff --git a/pesign.fc b/pesign.fc
new file mode 100644
index 0000000..7b54c39
@@ -76856,7 +76869,7 @@ index 56bc01f..1337d42 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..dc590fc 100644
+index 2c2de9a..881a1a9 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -77215,9 +77228,10 @@ index 2c2de9a..dc590fc 100644
# fenced local policy
#
- allow fenced_t self:capability { sys_rawio sys_resource };
+-allow fenced_t self:capability { sys_rawio sys_resource };
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
++allow fenced_t self:capability { net_admin sys_rawio sys_resource };
+allow fenced_t self:process { getsched setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
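Review bot: `net_admin` is added to fenced_t's self capability set on the `allow fenced_t self:capability { net_admin sys_rawio sys_resource };` line without a comment recording which fence_virtd operation needs it. CAP_NET_ADMIN covers interface, routing and firewall configuration, not just socket options, so the AVC that prompted it is worth checking: if it comes from a setsockopt that fence_virtd tolerates failing, `dontaudit fenced_t self:capability net_admin;` would be the narrower fix; otherwise a comment such as `# fence_virtd needs net_admin for <operation>` (placeholder) should accompany the grant. The fenced_t policy block continues beyond the end of this hunk.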
@@ -82181,10 +82195,10 @@ index 0000000..0ec3302
+')
diff --git a/rtas.te b/rtas.te
new file mode 100644
-index 0000000..52a39f8
+index 0000000..d6d29bd
--- /dev/null
+++ b/rtas.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,65 @@
+policy_module(rtas, 1.0.0)
+
+########################################
@@ -82247,6 +82261,9 @@ index 0000000..52a39f8
+
+logging_read_generic_logs(rtas_errd_t)
+
++optional_policy(`
++ unconfined_domain(rtas_errd_t)
++')
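Review bot: The new `optional_policy(` unconfined_domain(rtas_errd_t) ')` block turns rtas_errd_t into an unconfined domain with no in-policy comment that this is a stopgap; the "needs additional fixes, runs rpm" rationale lives only in the commit message, so a later reader of rtas.te will not know the domain is meant to be confined again. Suggest a comment directly above the block, e.g. `# TODO(F20): temporary; rtas_errd runs rpm and needs its own transition rules before this unconfined_domain() is dropped`. While it stands, the confined rules earlier in the file (e.g. `logging_read_generic_logs(rtas_errd_t)`) are subsumed by unconfined_domain() and cannot be validated by running with this policy, which is worth stating in that comment. The rest of rtas.te is outside the hunk.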
diff --git a/rtkit.if b/rtkit.if
index bd35afe..051addd 100644
--- a/rtkit.if
@@ -86227,7 +86244,7 @@ index 98c9e0a..d4aa009 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 4a23d84..bcf1556 100644
+index 4a23d84..6fa941d 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
@@ -86333,7 +86350,7 @@ index 4a23d84..bcf1556 100644
')
optional_policy(`
-@@ -117,6 +133,32 @@ optional_policy(`
+@@ -117,6 +133,33 @@ optional_policy(`
# Reposd local policy
#
@@ -86361,6 +86378,7 @@ index 4a23d84..bcf1556 100644
+auth_use_nsswitch(sblim_sfcbd_t)
+
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
++corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t)
+
+dev_read_rand(sblim_sfcbd_t)
+dev_read_urand(sblim_sfcbd_t)
@@ -98346,7 +98364,7 @@ index c30da4c..6351bcb 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..fddb027 100644
+index 9dec06c..f2c0191 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -98797,17 +98815,35 @@ index 9dec06c..fddb027 100644
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -414,8 +251,7 @@ interface(`virt_manage_config',`
+@@ -414,8 +251,25 @@ interface(`virt_manage_config',`
########################################
## <summary>
-## Create, read, write, and delete
-## virt image files.
+## Allow domain to manage virt image files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_getattr_content',`
++ gen_require(`
++ type virt_content_t;
++ ')
++
++ allow $1 virt_content_t:file getattr_file_perms;
++')
++
++########################################
++## <summary>
++## Allow domain to manage virt image files
## </summary>
## <param name="domain">
## <summary>
-@@ -450,8 +286,7 @@ interface(`virt_read_content',`
+@@ -450,8 +304,7 @@ interface(`virt_read_content',`
########################################
## <summary>
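Review bot: The `<summary>` of the new `virt_getattr_content` interface reads "Allow domain to manage virt image files", but the only rule it wraps is `allow $1 virt_content_t:file getattr_file_perms;`, so the summary appears to have been copied from the manage interface that follows it. Suggest `## Get attributes of virt content files.` in place of `++## Allow domain to manage virt image files` for the new interface; the second occurrence of that summary belongs to the existing manage interface and is correct. The same copy-paste mismatch recurs in the later hunk (`@@ -99221,34 +99273,34 @@`), where `virt_getattr_images` is summarized as "getattr virt image direcories" while its rule grants `virt_image_type:file getattr_file_perms` — it covers files, and "directories" is misspelled there.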
@@ -98817,7 +98853,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -459,35 +294,17 @@ interface(`virt_read_content',`
+@@ -459,35 +312,17 @@ interface(`virt_read_content',`
## </summary>
## </param>
#
@@ -98856,7 +98892,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +330,37 @@ interface(`virt_manage_virt_content',`
## </summary>
## </param>
#
@@ -98920,7 +98956,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +368,21 @@ interface(`virt_home_filetrans_virt_content',`
## </summary>
## </param>
#
@@ -98963,7 +98999,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +390,36 @@ interface(`virt_manage_svirt_home_content',`
## </summary>
## </param>
#
@@ -99012,7 +99048,7 @@ index 9dec06c..fddb027 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +428,36 @@ interface(`virt_relabel_svirt_home_content',`
## </summary>
## </param>
#
@@ -99076,7 +99112,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +465,38 @@ interface(`virt_home_filetrans',`
## </summary>
## </param>
#
@@ -99143,7 +99179,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +504,58 @@ interface(`virt_manage_generic_virt_home_content',`
## </summary>
## </param>
#
@@ -99182,14 +99218,31 @@ index 9dec06c..fddb027 100644
-## </summary>
-## </param>
-## <param name="name" optional="true">
--## <summary>
--## The name of the object being created.
--## </summary>
--## </param>
+## <rolecap/>
++#
++interface(`virt_read_log',`
++ gen_require(`
++ type virt_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, virt_log_t, virt_log_t)
++')
++
++########################################
++## <summary>
++## Allow the specified domain to append
++## virt log files.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## The name of the object being created.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
#
-interface(`virt_home_filetrans_virt_home',`
-+interface(`virt_read_log',`
++interface(`virt_append_log',`
gen_require(`
- type virt_home_t;
+ type virt_log_t;
@@ -99197,23 +99250,22 @@ index 9dec06c..fddb027 100644
- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
+ logging_search_logs($1)
-+ read_files_pattern($1, virt_log_t, virt_log_t)
++ append_files_pattern($1, virt_log_t, virt_log_t)
')
########################################
## <summary>
-## Read virt pid files.
-+## Allow the specified domain to append
-+## virt log files.
++## Allow domain to manage virt log files
## </summary>
## <param name="domain">
## <summary>
-@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +563,19 @@ interface(`virt_home_filetrans_virt_home',`
## </summary>
## </param>
#
-interface(`virt_read_pid_files',`
-+interface(`virt_append_log',`
++interface(`virt_manage_log',`
gen_require(`
- type virt_var_run_t;
+ type virt_log_t;
@@ -99221,34 +99273,34 @@ index 9dec06c..fddb027 100644
- files_search_pids($1)
- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+ logging_search_logs($1)
-+ append_files_pattern($1, virt_log_t, virt_log_t)
++ manage_dirs_pattern($1, virt_log_t, virt_log_t)
++ manage_files_pattern($1, virt_log_t, virt_log_t)
++ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
')
########################################
## <summary>
-## Create, read, write, and delete
-## virt pid files.
-+## Allow domain to manage virt log files
++## Allow domain to getattr virt image direcories
## </summary>
## <param name="domain">
## <summary>
-@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +583,18 @@ interface(`virt_read_pid_files',`
## </summary>
## </param>
#
-interface(`virt_manage_pid_files',`
-+interface(`virt_manage_log',`
++interface(`virt_getattr_images',`
gen_require(`
- type virt_var_run_t;
-+ type virt_log_t;
++ attribute virt_image_type;
')
- files_search_pids($1)
- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
-+ manage_files_pattern($1, virt_log_t, virt_log_t)
-+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
++ virt_search_lib($1)
++ allow $1 virt_image_type:file getattr_file_perms;
')
########################################
@@ -99258,7 +99310,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +602,18 @@ interface(`virt_manage_pid_files',`
## </summary>
## </param>
#
@@ -99282,7 +99334,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -839,20 +584,73 @@ interface(`virt_search_lib',`
+@@ -839,20 +621,73 @@ interface(`virt_search_lib',`
## </summary>
## </param>
#
@@ -99361,7 +99413,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -860,74 +658,265 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@@ -99424,10 +99476,12 @@ index 9dec06c..fddb027 100644
+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
+ manage_files_pattern($1, virt_image_t, virt_image_t)
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in virt pid
+-## directories with a private type.
+## Execute virt server in the virt domain.
+## </summary>
+## <param name="domain">
@@ -99447,12 +99501,10 @@ index 9dec06c..fddb027 100644
+ allow $1 virtd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, virtd_t)
- ')
-
- ########################################
- ## <summary>
--## Create objects in virt pid
--## directories with a private type.
++')
++
++########################################
++## <summary>
+## Ptrace the svirt domain
+## </summary>
+## <param name="domain">
@@ -99472,12 +99524,13 @@ index 9dec06c..fddb027 100644
+#######################################
+## <summary>
+## Execute Sandbox Files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="private type">
+#
+interface(`virt_exec_sandbox_files',`
+ gen_require(`
@@ -99490,13 +99543,14 @@ index 9dec06c..fddb027 100644
+#######################################
+## <summary>
+## Manage Sandbox Files
- ## </summary>
- ## <param name="domain">
++## </summary>
++## <param name="domain">
## <summary>
- ## Domain allowed access.
+-## The type of the object to be created.
++## Domain allowed access.
## </summary>
## </param>
--## <param name="private type">
+-## <param name="object">
+#
+interface(`virt_manage_sandbox_files',`
+ gen_require(`
@@ -99516,11 +99570,11 @@ index 9dec06c..fddb027 100644
+## </summary>
+## <param name="domain">
## <summary>
--## The type of the object to be created.
+-## The object class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
--## <param name="object">
+-## <param name="name" optional="true">
+#
+interface(`virt_relabel_sandbox_filesystem',`
+ gen_require(`
@@ -99536,14 +99590,16 @@ index 9dec06c..fddb027 100644
+## </summary>
+## <param name="domain">
## <summary>
--## The object class of the object being created.
+-## The name of the object being created.
+## Domain allowed access.
## </summary>
## </param>
--## <param name="name" optional="true">
-+#
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`virt_pid_filetrans',`
+interface(`virt_mounton_sandbox_file',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_run_t;
+ type svirt_sandbox_file_t;
+ ')
+
@@ -99555,17 +99611,13 @@ index 9dec06c..fddb027 100644
+## Connect to virt over a unix domain stream socket.
+## </summary>
+## <param name="domain">
- ## <summary>
--## The name of the object being created.
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
--## <infoflow type="write" weight="10"/>
- #
--interface(`virt_pid_filetrans',`
++## </summary>
++## </param>
++#
+interface(`virt_stream_connect_sandbox',`
- gen_require(`
-- type virt_var_run_t;
++ gen_require(`
+ attribute svirt_sandbox_domain;
+ type svirt_sandbox_file_t;
')
@@ -99621,10 +99673,11 @@ index 9dec06c..fddb027 100644
+ optional_policy(`
+ ptchown_run(virt_domain, $2)
+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Append virt log files.
+## Do not audit attempts to write virt daemon unnamed pipes.
+## </summary>
+## <param name="domain">
@@ -99640,16 +99693,15 @@ index 9dec06c..fddb027 100644
+
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
- ')
-
- ########################################
- ## <summary>
--## Append virt log files.
++')
++
++########################################
++## <summary>
+## Send a sigkill to virtual machines
## </summary>
## <param name="domain">
## <summary>
-@@ -935,19 +924,17 @@ interface(`virt_read_log',`
+@@ -935,19 +961,17 @@ interface(`virt_read_log',`
## </summary>
## </param>
#
@@ -99673,7 +99725,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -955,20 +942,17 @@ interface(`virt_append_log',`
+@@ -955,20 +979,17 @@ interface(`virt_append_log',`
## </summary>
## </param>
#
@@ -99698,7 +99750,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -976,18 +960,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +997,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
@@ -99721,7 +99773,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +978,57 @@ interface(`virt_search_images',`
+@@ -995,36 +1015,57 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
@@ -99798,7 +99850,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,20 +1036,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1073,28 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -99834,7 +99886,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1053,37 +1065,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1102,131 @@ interface(`virt_rw_all_image_chr_files',`
## </summary>
## </param>
#
@@ -99980,7 +100032,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,36 +1197,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1234,54 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@@ -100054,7 +100106,7 @@ index 9dec06c..fddb027 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1136,50 +1260,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1297,36 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -100096,8 +100148,7 @@ index 9dec06c..fddb027 100644
-
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+ allow $1 virt_domain:process signal_perms;
-
+-
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
-
@@ -100106,7 +100157,8 @@ index 9dec06c..fddb027 100644
-
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++ allow $1 virt_domain:process signal_perms;
+
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
-
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 262a9a8..8038549 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 137%{?dist}
+Release: 138%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Mar 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-138
+- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least.
+- Allow net_admin cap for fence_virtd running as fenced_t
+- Make abrt-java-connector working
+- Make cimtest script 03_defineVS.py of ComputerSystem group working
+- Fix git_system_enable_homedirs boolean
+- Allow munin mail plugins to read network systcl
+
* Thu Mar 13 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-137
- Allow vmtools_helper_t to execute bin_t
- Add support for /usr/share/joomla