[selinux-policy/f20] * Thu Mar 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-143 - Add additional fixes for rtas_errd

Lukas Vrabec lvrabec at fedoraproject.org
Thu Mar 20 15:57:36 UTC 2014


commit 76ab1053e71c7bb63abb49ff56ddfa1ff71d4751
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Thu Mar 20 16:57:13 2014 +0100

    * Thu Mar 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-143
    - Add additional fixes for rtas_errd
    - Fix transitions for tmp/tmpfs in rtas.te
    - Allow rtas_errd to read all sysctls

 policy-f20-contrib.patch |   43 +++++++++++++++++++++++++++++++++++++------
 selinux-policy.spec      |    7 ++++++-
 2 files changed, 43 insertions(+), 7 deletions(-)
---
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 7ec52d7..cda26f9 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -12400,14 +12400,15 @@ index 29782b8..685edff 100644
  ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..51990d0
+index 0000000..6cc6774
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,28 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
 +/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/libexec/min-metadata-service     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
 +/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
 +/usr/bin/mongod		    --	gen_context(system_u:object_r:mongod_exec_t,s0)
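Review bot: The new `/usr/libexec/min-metadata-service` entry labels a second binary as `cloud_init_exec_t`, but neither the commit message nor the spec %changelog mentions any cloudform change; both list only rtas_errd items. A line such as `- Label /usr/libexec/min-metadata-service as cloud_init_exec_t` in the changelog would keep the package history in step with the policy actually shipped. The enclosing cloudform.fc file continues beyond this hunk.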
@@ -82215,10 +82216,10 @@ index 0000000..0ec3302
 +')
 diff --git a/rtas.te b/rtas.te
 new file mode 100644
-index 0000000..d6d29bd
+index 0000000..9a5164c
 --- /dev/null
 +++ b/rtas.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,95 @@
 +policy_module(rtas, 1.0.0)
 +
 +########################################
@@ -82242,13 +82243,19 @@ index 0000000..d6d29bd
 +type rtas_errd_unit_file_t;
 +systemd_unit_file(rtas_errd_unit_file_t)
 +
++type rtas_errd_tmp_t;
++files_tmp_file(rtas_errd_tmp_t)
++
++type rtas_errd_tmpfs_t;
++files_tmpfs_file(rtas_errd_tmpfs_t)
++
 +########################################
 +#
 +# rtas_errd local policy
 +#
 +
-+allow rtas_errd_t self:capability { chown sys_admin };
-+allow rtas_errd_t self:process fork;
++allow rtas_errd_t self:capability { net_admin chown sys_admin };
++allow rtas_errd_t self:process { fork signull };
 +allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
 +allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
 +
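Review bot: `allow rtas_errd_t self:capability { net_admin chown sys_admin };` widens the domain with `net_admin`, a broad capability (interface and routing configuration, privileged socket options) rather than a read permission, and no changelog line covers it. If the denial that prompted it was only for reading network state, the `kernel_read_network_state(rtas_errd_t)` added in the next hunk may already be the correct fix and the capability could be dropped; if it is genuinely required, a comment above the line naming the operation (`# net_admin needed for <operation — TODO confirm from the AVC>`) would document why the domain holds it. rtas.te continues beyond this hunk.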
@@ -82266,7 +82273,19 @@ index 0000000..d6d29bd
 +manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
 +files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
 +
++manage_files_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { file dir })
++
++manage_files_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { file dir })
++
++kernel_read_all_sysctls(rtas_errd_t)
 +kernel_read_system_state(rtas_errd_t)
++kernel_read_network_state(rtas_errd_t)
++
++domain_read_all_domains_state(rtas_errd_t)
 +
 +auth_use_nsswitch(rtas_errd_t)
 +
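Review bot: `domain_read_all_domains_state(rtas_errd_t)` is the broadest addition in this hunk — it lets rtas_errd read the /proc state of every domain on the system — yet the commit message names only the sysctl read. A one-line comment above it stating which process information the daemon needs (`# rtas_errd reads /proc/<pid> of other domains for <reason — TODO confirm>`) would let a later reviewer judge whether a narrower interface is enough, and the changelog should list it alongside the sysctl change. rtas.te continues beyond this hunk.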
@@ -82276,12 +82295,24 @@ index 0000000..d6d29bd
 +dev_read_urand(rtas_errd_t)
 +dev_read_raw_memory(rtas_errd_t)
 +dev_write_raw_memory(rtas_errd_t)
++dev_read_sysfs(rtas_errd_t)
++dev_rw_nvram(rtas_errd_t)
 +
 +files_manage_system_db_files(rtas_errd_t)
 +
++logging_send_syslog_msg(rtas_errd_t)
 +logging_read_generic_logs(rtas_errd_t)
 +
 +optional_policy(`
++    hostname_exec(rtas_errd_t)
++')
++
++optional_policy(`
++    rpm_exec(rtas_errd_t)
++    rpm_dontaudit_manage_db(rtas_errd_t)
++')
++
++optional_policy(`
 +    unconfined_domain(rtas_errd_t)
 +')
 diff --git a/rtkit.if b/rtkit.if
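Review bot: `unconfined_domain(rtas_errd_t)` is kept in the last `optional_policy` block, so on any system where the unconfined module is loaded every allow rule this commit adds — the tmp/tmpfs transitions, sysctl and domain-state reads, `dev_rw_nvram`, `rpm_exec` — is redundant and the rules only take effect once unconfined is removed, which makes them hard to validate in place. A comment making the intent explicit (`# TODO: drop unconfined_domain once the rtas_errd policy is complete`) and a changelog line noting that the domain is still unconfined would tell a reader what state the policy is in. Separately, `rpm_dontaudit_manage_db` next to `rpm_exec` hides writes to the rpm database; if the daemon only probes it, dontaudit is appropriate, but if it legitimately modifies it the access should be granted rather than silenced — worth confirming against the denial that motivated the rule.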
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 154e374..0c0b04a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 142%{?dist}
+Release: 143%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Mar 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-143
+- Add additional fixes for rtas_errd
+- Fix transitions for tmp/tmpfs in rtas.te
+- Allow rtas_errd to readl all sysctls
+
 * Wed Mar 19 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-142
 - Add support for /var/spool/rhsm/debug
 - Make virt_sandbox_use_audit as True by default

