[selinux-policy] - Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allo

Miroslav Grepl mgrepl at fedoraproject.org
Mon Mar 17 16:30:10 UTC 2014


commit 8e18cc2081f91b8bd7241ad566470aecc57f8114
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Mar 17 17:29:57 2014 +0100

    - Label sddm as xdm_exec_t to make KDE working again
    - Allow postgresql to read network state
    - Allow java running as pki_tomcat to read network sysctls
    - Fix cgroup.te to allow cgred to read cgconfig_etc_t
    - Allow beam.smp to use ephemeral ports
    - Allow winbind to use the nis to authenticate passwords

 policy-rawhide-base.patch    |   31 ++++++----
 policy-rawhide-contrib.patch |  147 ++++++++++++++++++++++-------------------
 selinux-policy.spec          |   10 +++-
 3 files changed, 107 insertions(+), 81 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 88466e4..0d7ca0b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -21013,7 +21013,7 @@ index 9d2f311..9e87525 100644
 +	postgresql_filetrans_named_content($1)
  ')
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 0306134..68598c7 100644
+index 0306134..ae0d841 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,25 +19,32 @@ gen_require(`
@@ -21087,7 +21087,13 @@ index 0306134..68598c7 100644
  manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
  logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
  
-@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t)
+@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
+ files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
+ 
+ kernel_read_kernel_sysctls(postgresql_t)
++kernel_read_network_state(postgresql_t)
+ kernel_read_system_state(postgresql_t)
+ kernel_list_proc(postgresql_t)
  kernel_read_all_sysctls(postgresql_t)
  kernel_read_proc_symlinks(postgresql_t)
  
@@ -21095,7 +21101,7 @@ index 0306134..68598c7 100644
  corenet_all_recvfrom_netlabel(postgresql_t)
  corenet_tcp_sendrecv_generic_if(postgresql_t)
  corenet_udp_sendrecv_generic_if(postgresql_t)
-@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
+@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
  domain_use_interactive_fds(postgresql_t)
  
  files_dontaudit_search_home(postgresql_t)
@@ -21105,7 +21111,7 @@ index 0306134..68598c7 100644
  files_read_etc_runtime_files(postgresql_t)
  files_read_usr_files(postgresql_t)
  
-@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t)
+@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t)
  logging_send_syslog_msg(postgresql_t)
  logging_send_audit_msgs(postgresql_t)
  
@@ -21137,7 +21143,7 @@ index 0306134..68598c7 100644
  	allow postgresql_t self:process execmem;
  ')
  
-@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
  # It is always allowed to operate temporary objects for any database client.
  allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
  
@@ -21194,7 +21200,7 @@ index 0306134..68598c7 100644
  	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
  ')
  
-@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
  
@@ -21203,7 +21209,7 @@ index 0306134..68598c7 100644
  	allow sepgsql_admin_type sepgsql_database_type:db_database *;
  
  	allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
  allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -22607,7 +22613,7 @@ index cc877c7..a8b01bf 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..0069d82 100644
+index 8274418..522a2f0 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -22669,7 +22675,7 @@ index 8274418..0069d82 100644
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,33 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
  
@@ -22695,7 +22701,8 @@ index 8274418..0069d82 100644
 -/usr/s?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/s?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +
-+/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/sddm         	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/sddm-greeter  	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 +/usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
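Review bot: The two sddm entries on the new side pad the path with a run of spaces before the tab, unlike the neighbouring xdm_exec_t entries which use tabs alone; file_contexts tokenises on any whitespace so it loads, but the file's convention is tab-separated columns and the padding will drift on the next rebase. A single entry `/usr/bin/sddm(-greeter)?	--	gen_context(system_u:object_r:xdm_exec_t,s0)` covers both binaries and avoids the alignment problem. Both binaries now carry xdm_exec_t, so presumably the greeter is meant to run in the same domain as the display manager itself rather than in a separate, more confined one; a one-line comment stating that this is intended would help the next reviewer.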
@@ -22709,7 +22716,7 @@ index 8274418..0069d82 100644
  
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
  
-@@ -92,18 +129,31 @@ ifndef(`distro_debian',`
+@@ -92,18 +130,31 @@ ifndef(`distro_debian',`
  
  /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -22745,7 +22752,7 @@ index 8274418..0069d82 100644
  /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -112,6 +162,16 @@ ifndef(`distro_debian',`
+@@ -112,6 +163,16 @@ ifndef(`distro_debian',`
  /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
  
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5449d47..3f9cc30 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -11226,7 +11226,7 @@ index 85ca63f..1d1c99c 100644
  	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
  	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index 80a88a2..7cebead 100644
+index 80a88a2..ec869f5 100644
 --- a/cgroup.te
 +++ b/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -11279,7 +11279,7 @@ index 80a88a2..7cebead 100644
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
  
-+allow cgred_t cgconfig_t:file read_file_perms;
++allow cgred_t cgconfig_etc_t:file read_file_perms;
  allow cgred_t cgrules_etc_t:file read_file_perms;
  
  allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
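Review bot: The corrected rule grants cgred_t only file-level permissions on cgconfig_etc_t; it does not by itself allow searching a directory carrying that type. If cgconfig_etc_t also labels a directory, the refpolicy form `read_files_pattern(cgred_t, cgconfig_etc_t, cgconfig_etc_t)` covers both and matches the pattern macros used elsewhere in this patch (the swat_t rules in the samba.te hunk). The fix itself looks right: the previous `cgconfig_t` is presumably the cgconfig process domain, so the old rule never granted what the surrounding rules intend.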
@@ -40690,10 +40690,10 @@ index e08c55d..24b56e9 100644
 +	files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
 +')
 diff --git a/mandb.fc b/mandb.fc
-index 8ae78b5..16e55cd 100644
+index 8ae78b5..b365cdd 100644
 --- a/mandb.fc
 +++ b/mandb.fc
-@@ -1 +1,11 @@
+@@ -1 +1,12 @@
 +HOME_DIR/\.manpath	--	gen_context(system_u:object_r:mandb_home_t,s0)
 +
  /etc/cron\.(daily|weekly)/man-db.*	--	gen_context(system_u:object_r:mandb_exec_t,s0)
@@ -40705,6 +40705,7 @@ index 8ae78b5..16e55cd 100644
 +
 +/var/lock/man-db\.lock	--	gen_context(system_u:object_r:mandb_lock_t,s0)
 +
++/root/.manpath  --  gen_context(system_u:object_r:mandb_home_t,s0)
 diff --git a/mandb.if b/mandb.if
 index 327f3f7..4f61561 100644
 --- a/mandb.if
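Review bot: `/root/.manpath` on the new side leaves the dot unescaped, so as a file_contexts regex it matches any single character before `manpath`; the HOME_DIR entry added earlier in the same file writes `\.manpath`. Change it to `/root/\.manpath	--	gen_context(system_u:object_r:mandb_home_t,s0)`, tab-separated like the surrounding entries, and place it next to the HOME_DIR entry rather than after the lock file. If genhomedircon already expands HOME_DIR for root on this system, the entry is redundant — verify before keeping it.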
@@ -52430,7 +52431,7 @@ index 8f2ab09..bc2c7fe 100644
 +	allow $1 nscd_unit_file_t:service all_service_perms;
  ')
 diff --git a/nscd.te b/nscd.te
-index bcd7d0a..8cc5de9 100644
+index bcd7d0a..0188086 100644
 --- a/nscd.te
 +++ b/nscd.te
 @@ -4,33 +4,34 @@ gen_require(`
@@ -52580,44 +52581,45 @@ index bcd7d0a..8cc5de9 100644
  userdom_dontaudit_use_user_terminals(nscd_t)
  userdom_dontaudit_use_unpriv_user_fds(nscd_t)
  userdom_dontaudit_search_user_home_dirs(nscd_t)
-@@ -121,20 +131,31 @@ optional_policy(`
+@@ -121,13 +131,11 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	tunable_policy(`samba_domain_controller',`
+-		samba_append_log(nscd_t)
+-		samba_dontaudit_use_fds(nscd_t)
+-	')
 +	kerberos_use(nscd_t)
 +')
-+
+ 
+-	samba_read_config(nscd_t)
+-	samba_read_var_files(nscd_t)
 +optional_policy(`
-+	udev_read_db(nscd_t)
-+')
++    nis_authenticate(nscd_t)
+ ')
+ 
+ optional_policy(`
+@@ -138,3 +146,20 @@ optional_policy(`
+ 	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ 	xen_append_log(nscd_t)
+ ')
 +
 +optional_policy(`
-+	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
-+	xen_append_log(nscd_t)
++	tunable_policy(`samba_domain_controller',`
++		samba_append_log(nscd_t)
++		samba_dontaudit_use_fds(nscd_t)
++	')
 +')
 +
 +optional_policy(`
- 	tunable_policy(`samba_domain_controller',`
- 		samba_append_log(nscd_t)
- 		samba_dontaudit_use_fds(nscd_t)
- 	')
--
--	samba_read_config(nscd_t)
--	samba_read_var_files(nscd_t)
- ')
- 
- optional_policy(`
--	udev_read_db(nscd_t)
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
 +    samba_stream_connect_nmbd(nscd_t)
- ')
- 
- optional_policy(`
--	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
--	xen_append_log(nscd_t)
++')
++
++optional_policy(`
 +	unconfined_dontaudit_rw_packet_sockets(nscd_t)
- ')
++')
 diff --git a/nsd.fc b/nsd.fc
 index 4f2b1b6..5348e92 100644
 --- a/nsd.fc
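Review bot: `nis_authenticate(nscd_t)` and `samba_stream_connect_nmbd(nscd_t)` on the new side are indented with four spaces while every other line in these blocks uses a tab; m4 does not care, but the mixed indentation makes the next rebase of this patch noisier. The same applies to `samba_stream_connect_nmbd(rpcd_t)` in the rpc.te hunk and `nis_authenticate(winbind_t)` in the samba.te hunk. The changelog entry in selinux-policy.spec names only winbind for NIS authentication; the nscd grant and the nmbd stream-connect grants for nscd and rpcd are not recorded there and deserve a line each, since they widen what those daemons may talk to. The `samba_stream_connect_nmbd` interface is not defined in any hunk shown here; presumably it is added elsewhere in the contrib patch — confirm it exists before building.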
@@ -61401,10 +61403,10 @@ index 0000000..798efb6
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..5c64daf
+index 0000000..e8c6156
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,272 @@
+@@ -0,0 +1,273 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -61516,6 +61518,7 @@ index 0000000..5c64daf
 +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
 +
 +kernel_read_kernel_sysctls(pki_tomcat_t)
++kernel_read_net_sysctls(pki_tomcat_t)
 +
 +corenet_tcp_connect_http_cache_port(pki_tomcat_t)
 +corenet_tcp_connect_ldap_port(pki_tomcat_t)
@@ -72742,7 +72745,7 @@ index 2c3d338..cf3e5ad 100644
  
  ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..c77c09c 100644
+index dc3b0ed..e0806a1 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -72785,7 +72788,7 @@ index dc3b0ed..c77c09c 100644
  can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
  
  domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -55,51 +64,63 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
+@@ -55,51 +64,64 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
  corecmd_exec_bin(rabbitmq_beam_t)
  corecmd_exec_shell(rabbitmq_beam_t)
  
@@ -72797,6 +72800,7 @@ index dc3b0ed..c77c09c 100644
  corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
  corenet_tcp_bind_generic_node(rabbitmq_beam_t)
 +corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
++corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)
  
  corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
 -corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
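Review bot: `corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)` on the new side lets the beam domain bind every ephemeral port, a considerably wider grant than the single-port binds it sits beside. If beam only needs its distribution listener, which is typically confined to a configurable range, a dedicated port type for just that range would be tighter; whether that is workable depends on the rabbitmq configuration, which is not shown here. A short comment above the line, e.g. `# beam.smp picks its listener from the ephemeral range`, would record why the whole range is needed.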
@@ -72865,7 +72869,7 @@ index dc3b0ed..c77c09c 100644
  allow rabbitmq_epmd_t self:process signal;
  allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
  allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -107,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+@@ -107,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
  
  allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
  
@@ -72874,7 +72878,7 @@ index dc3b0ed..c77c09c 100644
  corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
  corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-@@ -117,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
  corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
  corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
  
@@ -79183,7 +79187,7 @@ index 0bf13c2..d59aef7 100644
  		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
  		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
 diff --git a/rpc.te b/rpc.te
-index 2da9fca..09e0307 100644
+index 2da9fca..f47a20e 100644
 --- a/rpc.te
 +++ b/rpc.te
 @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@@ -79334,35 +79338,38 @@ index 2da9fca..09e0307 100644
  
  ifdef(`distro_debian',`
  	term_dontaudit_use_unallocated_ttys(rpcd_t)
-@@ -181,19 +180,23 @@ optional_policy(`
+@@ -181,19 +180,27 @@ optional_policy(`
  ')
  
  optional_policy(`
--	nis_read_ypserv_config(rpcd_t)
 +	domain_unconfined_signal(rpcd_t)
++')
++
++optional_policy(`
++	quota_manage_db(rpcd_t)
++')
++
++optional_policy(`
+ 	nis_read_ypserv_config(rpcd_t)
  ')
  
  optional_policy(`
 -	quota_manage_db_files(rpcd_t)
-+	quota_manage_db(rpcd_t)
++	quota_read_db(rpcd_t)
  ')
  
  optional_policy(`
 -	rgmanager_manage_tmp_files(rpcd_t)
-+	nis_read_ypserv_config(rpcd_t)
++	rhcs_manage_cluster_tmp_files(rpcd_t)
  ')
  
  optional_policy(`
 -	unconfined_signal(rpcd_t)
-+	quota_read_db(rpcd_t)
-+')
-+
-+optional_policy(`
-+	rhcs_manage_cluster_tmp_files(rpcd_t)
++    samba_stream_connect_nmbd(rpcd_t)
  ')
  
  ########################################
-@@ -202,41 +205,56 @@ optional_policy(`
+@@ -202,41 +209,56 @@ optional_policy(`
  #
  
  allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
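Review bot: On the new side `quota_manage_db(rpcd_t)` and `quota_read_db(rpcd_t)` are granted in two separate optional_policy blocks a few lines apart; if the manage interface already includes the read permissions, the second block is redundant and the two should be merged into one. Most of this hunk only reorders the nis, quota and rhcs blocks relative to the previous revision, so the one real addition is `samba_stream_connect_nmbd(rpcd_t)`, which is easy to miss in the churn and is not mentioned in the changelog.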
@@ -79428,7 +79435,7 @@ index 2da9fca..09e0307 100644
  	miscfiles_manage_public_files(nfsd_t)
  ')
  
-@@ -245,7 +263,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +267,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -79436,7 +79443,7 @@ index 2da9fca..09e0307 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -257,12 +274,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +278,12 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -79451,7 +79458,7 @@ index 2da9fca..09e0307 100644
  ')
  
  ########################################
-@@ -270,7 +287,7 @@ optional_policy(`
+@@ -270,7 +291,7 @@ optional_policy(`
  # GSSD local policy
  #
  
@@ -79460,7 +79467,7 @@ index 2da9fca..09e0307 100644
  allow gssd_t self:process { getsched setsched };
  allow gssd_t self:fifo_file rw_fifo_file_perms;
  
-@@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +301,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
@@ -79468,7 +79475,7 @@ index 2da9fca..09e0307 100644
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)
  kernel_request_load_module(gssd_t)
-@@ -288,25 +306,30 @@ kernel_signal(gssd_t)
+@@ -288,25 +310,30 @@ kernel_signal(gssd_t)
  
  corecmd_exec_bin(gssd_t)
  
@@ -79502,7 +79509,7 @@ index 2da9fca..09e0307 100644
  ')
  
  optional_policy(`
-@@ -314,9 +337,12 @@ optional_policy(`
+@@ -314,9 +341,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82870,7 +82877,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..c80c3f6 100644
+index 2b7c441..127ac9e 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -83591,14 +83598,14 @@ index 2b7c441..c80c3f6 100644
 -
  userdom_use_unpriv_users_fds(nmbd_t)
 -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
--
++userdom_dontaudit_search_user_home_dirs(nmbd_t)
+ 
 -tunable_policy(`samba_export_all_ro',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_list_non_auth_dirs(nmbd_t)
 -	files_read_non_auth_files(nmbd_t)
 -')
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
- 
+-
 -tunable_policy(`samba_export_all_rw',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_manage_non_auth_files(nmbd_t)
@@ -83774,13 +83781,13 @@ index 2b7c441..c80c3f6 100644
 -allow swat_t { nmbd_t smbd_t }:process { signal signull };
 +samba_domtrans_smbd(swat_t)
 +allow swat_t smbd_t:process { signal signull };
-+
-+samba_domtrans_nmbd(swat_t)
-+allow swat_t nmbd_t:process { signal signull };
-+allow nmbd_t swat_t:process signal;
  
 -allow swat_t smbd_var_run_t:file read_file_perms;
 -allow swat_t smbd_var_run_t:file { lock delete_file_perms };
++samba_domtrans_nmbd(swat_t)
++allow swat_t nmbd_t:process { signal signull };
++allow nmbd_t swat_t:process signal;
++
 +read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
 +stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
 +
@@ -83994,7 +84001,7 @@ index 2b7c441..c80c3f6 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +954,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +954,43 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -84033,10 +84040,14 @@ index 2b7c441..c80c3f6 100644
  optional_policy(`
  	kerberos_use(winbind_t)
 +	kerberos_filetrans_named_content(winbind_t)
++')
++
++optional_policy(`
++    nis_authenticate(winbind_t)
  ')
  
  optional_policy(`
-@@ -959,31 +1002,29 @@ optional_policy(`
+@@ -959,31 +1006,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -84074,7 +84085,7 @@ index 2b7c441..c80c3f6 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1038,38 @@ optional_policy(`
+@@ -997,25 +1042,38 @@ optional_policy(`
  
  ########################################
  #
@@ -84095,24 +84106,24 @@ index 2b7c441..c80c3f6 100644
 +	role system_r types samba_unconfined_net_t;
 +
 +	unconfined_domain(samba_unconfined_net_t)
-+
+ 
+-	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+-	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 +	manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
 +	filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
 +	userdom_use_inherited_user_terminals(samba_unconfined_net_t)
 +')
-+
+ 
 +type samba_unconfined_script_t;
 +type samba_unconfined_script_exec_t;
 +domain_type(samba_unconfined_script_t)
 +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
 +corecmd_shell_entry_type(samba_unconfined_script_t)
 +role system_r types samba_unconfined_script_t;
- 
--	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
--	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++
 +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 +allow smbd_t samba_unconfined_script_exec_t:file ioctl;
- 
++
 +optional_policy(`
  	unconfined_domain(samba_unconfined_script_t)
 +')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 29241e9..0dc12db 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 37%{?dist}
+Release: 38%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -580,6 +580,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Mar 17 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-38
+- Label sddm as xdm_exec_t to make KDE working again
+- Allow postgresql to read network state
+- Allow java running as pki_tomcat to read network sysctls
+- Fix cgroup.te to allow cgred to read cgconfig_etc_t
+- Allow beam.smp to use ephemeral ports
+- Allow winbind to use the nis to authenticate passwords
+
 * Mon Mar 17 2014 Miroslav Grepl<mgrepl at redhat.com> 3.13.1-37
 - Allow collectd to talk to libvirt
 - Allow chrome_sandbox to use leaked unix_stream_sockets

