[selinux-policy/f20] * Thu Mar 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-143 - Add additional fixes for rtas_errd
Lukas Vrabec
lvrabec at fedoraproject.org
Thu Mar 20 15:57:36 UTC 2014
commit 76ab1053e71c7bb63abb49ff56ddfa1ff71d4751
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Thu Mar 20 16:57:13 2014 +0100
* Thu Mar 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-143
- Add additional fixes for rtas_errd
- Fix transitions for tmp/tmpfs in rtas.te
- Allow rtas_errd to read all sysctls
policy-f20-contrib.patch | 43 +++++++++++++++++++++++++++++++++++++------
selinux-policy.spec | 7 ++++++-
2 files changed, 43 insertions(+), 7 deletions(-)
---
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 7ec52d7..cda26f9 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -12400,14 +12400,15 @@ index 29782b8..685edff 100644
')
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
-index 0000000..51990d0
+index 0000000..6cc6774
--- /dev/null
+++ b/cloudform.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,28 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
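Review bot: The new file context at L34 labels /usr/libexec/min-metadata-service as cloud_init_exec_t, so it will run in whatever domain cloud-init's exec type transitions to, yet the commit message lists only rtas_errd work and this cloudform.fc change goes unmentioned. If min-metadata-service genuinely needs the same privileges as cloud-init the shared label is fine, but that equivalence should be stated; otherwise a dedicated exec type keeps the two programs' privileges separate. At minimum the changelog should carry a line such as `- Label /usr/libexec/min-metadata-service as cloud_init_exec_t` so the labeling change is discoverable.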
@@ -82215,10 +82216,10 @@ index 0000000..0ec3302
+')
diff --git a/rtas.te b/rtas.te
new file mode 100644
-index 0000000..d6d29bd
+index 0000000..9a5164c
--- /dev/null
+++ b/rtas.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,95 @@
+policy_module(rtas, 1.0.0)
+
+########################################
@@ -82242,13 +82243,19 @@ index 0000000..d6d29bd
+type rtas_errd_unit_file_t;
+systemd_unit_file(rtas_errd_unit_file_t)
+
++type rtas_errd_tmp_t;
++files_tmp_file(rtas_errd_tmp_t)
++
++type rtas_errd_tmpfs_t;
++files_tmpfs_file(rtas_errd_tmpfs_t)
++
+########################################
+#
+# rtas_errd local policy
+#
+
-+allow rtas_errd_t self:capability { chown sys_admin };
-+allow rtas_errd_t self:process fork;
++allow rtas_errd_t self:capability { net_admin chown sys_admin };
++allow rtas_errd_t self:process { fork signull };
+allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
+
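Review bot: The capability set at L68 gains net_admin, a broad capability, and neither the commit message nor the policy says which rtas_errd operation needs it; the same applies to domain_read_all_domains_state(rtas_errd_t) at L89 in the next hunk, which by its name lets rtas_errd read the process state of every domain on the system, well beyond the sysctl reads the changelog describes. A reader should not have to reconstruct the denial behind each grant, so each should carry a why-comment, e.g. `# net_admin: needed for <operation from the AVC> -- TODO confirm`, or be replaced by the narrower interface when the AVC shows a narrower need. The rules here open the "rtas_errd local policy" section; the rest of that section continues in the hunks below.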
@@ -82266,7 +82273,19 @@ index 0000000..d6d29bd
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
+files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
+
++manage_files_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { file dir })
++
++manage_files_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { file dir })
++
++kernel_read_all_sysctls(rtas_errd_t)
+kernel_read_system_state(rtas_errd_t)
++kernel_read_network_state(rtas_errd_t)
++
++domain_read_all_domains_state(rtas_errd_t)
+
+auth_use_nsswitch(rtas_errd_t)
+
@@ -82276,12 +82295,24 @@ index 0000000..d6d29bd
+dev_read_urand(rtas_errd_t)
+dev_read_raw_memory(rtas_errd_t)
+dev_write_raw_memory(rtas_errd_t)
++dev_read_sysfs(rtas_errd_t)
++dev_rw_nvram(rtas_errd_t)
+
+files_manage_system_db_files(rtas_errd_t)
+
++logging_send_syslog_msg(rtas_errd_t)
+logging_read_generic_logs(rtas_errd_t)
+
+optional_policy(`
++ hostname_exec(rtas_errd_t)
++')
++
++optional_policy(`
++ rpm_exec(rtas_errd_t)
++ rpm_dontaudit_manage_db(rtas_errd_t)
++')
++
++optional_policy(`
+ unconfined_domain(rtas_errd_t)
+')
diff --git a/rtkit.if b/rtkit.if
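Review bot: rpm_exec(rtas_errd_t) at L110 runs the rpm binary inside rtas_errd_t with no domain transition, and rpm_dontaudit_manage_db at L111 then silences the resulting rpm database writes rather than deciding whether they are legitimate; if rtas_errd only queries package data, `rpm_read_db(rtas_errd_t)` is the narrower grant and the dontaudit can be dropped. unconfined_domain(rtas_errd_t) at L115 is kept, so where the unconfined module is loaded none of the allow rules added in this commit bound the daemon; a comment above that optional_policy block, e.g. `# rtas_errd is unconfined while the unconfined module is present; the rules above apply only otherwise`, would save the next maintainer from assuming the opposite. dev_rw_nvram at L98 likewise deserves a one-line why-comment, since the rw interface includes write access to the nvram device.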
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 154e374..0c0b04a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 142%{?dist}
+Release: 143%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Mar 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-143
+- Add additional fixes for rtas_errd
+- Fix transitions for tmp/tmpfs in rtas.te
+- Allow rtas_errd to readl all sysctls
+
* Wed Mar 19 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-142
- Add support for /var/spool/rhsm/debug
- Make virt_sandbox_use_audit as True by default