[selinux-policy/f20] - allow anaconda to dbus chat with systemd-localed - Add fixes for haproxy based on bperkins at redhat.

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 21 10:51:32 UTC 2014


commit 81ece166fc22042ebe3383cadbd2b2abca42e7ae
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Mar 21 11:51:23 2014 +0100

    - allow anaconda to dbus chat with systemd-localed
    - Add fixes for haproxy based on bperkins at redhat.com
    - Allow cmirrord to make dmsetup work
    - Allow NM to execute arping
    - Allow users to send messages through talk
    - Add userdom_tmp_role for secadm_t

 policy-f20-base.patch    |    7 +++--
 policy-f20-contrib.patch |   60 ++++++++++++++++++++++++++++-----------------
 selinux-policy.spec      |   10 +++++++-
 3 files changed, 50 insertions(+), 27 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index e70b33d..e5e93d4 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -20235,10 +20235,10 @@ index 3a45a3e..7499f24 100644
 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
  logging_admin(logadm_t, logadm_r)
 diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index da11120..d67bcca 100644
+index da11120..ece2f7f 100644
 --- a/policy/modules/roles/secadm.te
 +++ b/policy/modules/roles/secadm.te
-@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
+@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
  
  role secadm_r;
  
@@ -20248,10 +20248,11 @@ index da11120..d67bcca 100644
 +userdom_security_admin(secadm_t, secadm_r)
 +userdom_inherit_append_admin_home_files(secadm_t)
 +userdom_read_admin_home_files(secadm_t)
++userdom_manage_tmp_role(secadm_r, secadm_t)
  
  ########################################
  #
-@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
+@@ -30,8 +33,7 @@ mls_file_upgrade(secadm_t)
  mls_file_downgrade(secadm_t)
  
  auth_role(secadm_r, secadm_t)
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index cda26f9..c6a6492 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -2459,7 +2459,7 @@ index 14a61b7..21bbf36 100644
 +')
 +
 diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..4d36f22 100644
+index 6f1384c..f226596 100644
 --- a/anaconda.te
 +++ b/anaconda.te
 @@ -4,6 +4,10 @@ gen_require(`
@@ -2499,7 +2499,7 @@ index 6f1384c..4d36f22 100644
  
  optional_policy(`
  	rpm_domtrans(anaconda_t)
-@@ -53,3 +66,32 @@ optional_policy(`
+@@ -53,3 +66,34 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain_noaudit(anaconda_t)
  ')
@@ -2511,6 +2511,8 @@ index 6f1384c..4d36f22 100644
 +
 +allow install_t self:capability2 mac_admin;
 +
++systemd_dbus_chat_localed(install_t)
++
 +tunable_policy(`deny_ptrace',`',`
 +	domain_ptrace_all_domains(install_t)
 +')
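Review bot: The added `systemd_dbus_chat_localed(install_t)` only grants dbus send_msg in both directions between install_t and systemd_localed_t; reaching localed over the system bus also requires system-bus client access, and nothing in this hunk shows install_t holding it. Unless install_t already gets it elsewhere in the file (the install_t block starts and ends outside the hunk), the localed call would still be denied at the bus, so that is worth confirming before the build. A one-line comment above the call, e.g. `# anaconda sets locale/keymap through systemd-localed over the system bus`, would also tie the grant to the need named in the commit message.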
@@ -12818,7 +12820,7 @@ index cc4e7cb..f348d27 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cmirrord_initrc_exec_t system_r;
 diff --git a/cmirrord.te b/cmirrord.te
-index d8e9958..d2303a4 100644
+index d8e9958..e4c023c 100644
 --- a/cmirrord.te
 +++ b/cmirrord.te
 @@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
@@ -12830,13 +12832,14 @@ index d8e9958..d2303a4 100644
  dontaudit cmirrord_t self:capability sys_tty_config;
  allow cmirrord_t self:process { setfscreate signal };
  allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
  domain_use_interactive_fds(cmirrord_t)
  domain_obj_id_change_exemption(cmirrord_t)
  
 -files_read_etc_files(cmirrord_t)
 -
  storage_create_fixed_disk_dev(cmirrord_t)
++storage_raw_read_fixed_disk(cmirrord_t)
 +storage_rw_inherited_fixed_disk_dev(cmirrord_t)
  
  seutil_read_file_contexts(cmirrord_t)
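Review bot: `storage_raw_read_fixed_disk(cmirrord_t)` grants read access on every fixed-disk device node, yet the line carries no comment connecting it to the dmsetup case the commit message mentions, and it is not clear from the hunk why the inherited rw grant on the following line was not sufficient. A later audit of cmirrord's disk access will have no way to tell which operation needed raw reads. Suggest a comment directly above it, e.g. `# cmirrord runs dmsetup, which opens the fixed disk devices directly`, adjusted to the denial that actually motivated the change.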
@@ -37299,7 +37302,7 @@ index 19777b8..55d1556 100644
 +	')
 +')
 diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..a43a4f6 100644
+index 2cf3815..36e6eb0 100644
 --- a/ktalk.te
 +++ b/ktalk.te
 @@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
@@ -37318,7 +37321,7 @@ index 2cf3815..a43a4f6 100644
  type ktalkd_tmp_t;
  files_tmp_file(ktalkd_tmp_t)
  
-@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -35,11 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t)
  kernel_read_system_state(ktalkd_t)
  kernel_read_network_state(ktalkd_t)
  
@@ -37341,11 +37344,12 @@ index 2cf3815..a43a4f6 100644
  
  auth_use_nsswitch(ktalkd_t)
  
- init_read_utmp(ktalkd_t)
+@@ -47,4 +61,4 @@ init_read_utmp(ktalkd_t)
  
  logging_send_syslog_msg(ktalkd_t)
--
+ 
 -miscfiles_read_localization(ktalkd_t)
++userdom_use_user_ptys(ktalkd_t)
 diff --git a/kudzu.if b/kudzu.if
 index 5297064..6ba8108 100644
 --- a/kudzu.if
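Review bot: `userdom_use_user_ptys(ktalkd_t)` in the new `@@ -47,4 +61,4 @@` hunk gives ktalkd read/write on every user pty, which is what a talk daemon needs to print the invitation on the recipient's terminal, but the line has no comment and replaces the spot where `miscfiles_read_localization` was dropped. A one-line comment such as `# talkd writes the talk request onto the callee's terminal` would make the reason for the broad pty grant visible to the next reader. The remaining ktalkd rules are outside this hunk.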
@@ -50332,7 +50336,7 @@ index 0e8508c..9a7332c 100644
 +	logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..f031bc6 100644
+index 0b48a30..5e5d9e7 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -1,4 +1,4 @@
@@ -50631,7 +50635,7 @@ index 0b48a30..f031bc6 100644
  ')
  
  optional_policy(`
-@@ -257,11 +296,14 @@ optional_policy(`
+@@ -257,15 +296,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50648,7 +50652,12 @@ index 0b48a30..f031bc6 100644
  ')
  
  optional_policy(`
-@@ -274,10 +316,17 @@ optional_policy(`
+ 	netutils_exec_ping(NetworkManager_t)
++    netutils_exec(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+@@ -274,10 +317,17 @@ optional_policy(`
  	nscd_signull(NetworkManager_t)
  	nscd_kill(NetworkManager_t)
  	nscd_initrc_domtrans(NetworkManager_t)
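Review bot: The added `netutils_exec(NetworkManager_t)` is indented with four spaces while the adjacent `netutils_exec_ping` line and the rest of the optional_policy block use a tab; it should carry the same tab indent so the .te file stays consistent. Separately, netutils_exec lets NetworkManager_t run every binary labelled netutils_exec_t in its own domain, not just the arping the commit message names; if arping is the only need, a comment such as `# arping, executed in NM's own domain (no netutils_t transition)` records that scope for later review. The optional_policy block is visible in full here, but the surrounding file context continues outside the hunk.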
@@ -50666,7 +50675,7 @@ index 0b48a30..f031bc6 100644
  ')
  
  optional_policy(`
-@@ -289,6 +338,7 @@ optional_policy(`
+@@ -289,6 +339,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50674,7 +50683,7 @@ index 0b48a30..f031bc6 100644
  	policykit_domtrans_auth(NetworkManager_t)
  	policykit_read_lib(NetworkManager_t)
  	policykit_read_reload(NetworkManager_t)
-@@ -296,7 +346,7 @@ optional_policy(`
+@@ -296,7 +347,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50683,7 +50692,7 @@ index 0b48a30..f031bc6 100644
  ')
  
  optional_policy(`
-@@ -307,6 +357,7 @@ optional_policy(`
+@@ -307,6 +358,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -50691,7 +50700,7 @@ index 0b48a30..f031bc6 100644
  ')
  
  optional_policy(`
-@@ -320,13 +371,19 @@ optional_policy(`
+@@ -320,13 +372,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50715,7 +50724,7 @@ index 0b48a30..f031bc6 100644
  ')
  
  optional_policy(`
-@@ -356,6 +413,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +414,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -76011,10 +76020,10 @@ index b418d1c..1ad9c12 100644
  	xen_domtrans_xm(rgmanager_t)
  ')
 diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..a7e8263 100644
+index 47de2d6..5ad36aa 100644
 --- a/rhcs.fc
 +++ b/rhcs.fc
-@@ -1,31 +1,86 @@
+@@ -1,31 +1,88 @@
 -/etc/rc\.d/init\.d/dlm	--	gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
 -/etc/rc\.d/init\.d/foghorn	--	gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
 +/usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -76073,6 +76082,8 @@ index 47de2d6..a7e8263 100644
 +/var/run/gfs_controld\.pid		--	gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
 +/var/run/groupd\.pid			--	gen_context(system_u:object_r:groupd_var_run_t,s0)
 +/var/run/haproxy\.pid           --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/haproxy\.stat.*        --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/haproxy\.sock.*        --  gen_context(system_u:object_r:haproxy_var_run_t,s0)
 +/var/run/qdiskd\.pid			--	gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 +
 +# cluster administrative domains file spec
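Review bot: The two new haproxy entries use the `--` file-type field, which restricts them to regular files; /var/run/haproxy.sock and, if this is the usual stats-socket configuration, /var/run/haproxy.stat are Unix sockets, so setfiles/restorecon would skip them and the intended label would never come from these specs. Either drop the type field so any inode matches, or use `-s`, e.g. `/var/run/haproxy\.stat.*        -s  gen_context(system_u:object_r:haproxy_var_run_t,s0)` and `/var/run/haproxy\.sock.*        -s  gen_context(system_u:object_r:haproxy_var_run_t,s0)`. The new lines also copy the space-separated layout of the pre-existing haproxy.pid entry rather than the tab layout the rest of the file uses.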
@@ -76887,7 +76898,7 @@ index 56bc01f..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..881a1a9 100644
+index 2c2de9a..4fd3b77 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -77371,7 +77382,7 @@ index 2c2de9a..881a1a9 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -77387,13 +77398,14 @@ index 2c2de9a..881a1a9 100644
 +#
 +
 +# bug in haproxy and process vs pid owner
-+allow haproxy_t self:capability dac_override;
++allow haproxy_t self:capability { dac_override kill };
 +
 +allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
 +allow haproxy_t self:process { fork setrlimit signal_perms };
 +allow haproxy_t self:fifo_file rw_fifo_file_perms;
 +allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
-+allow haproxy_t self:tcp_socket { accept listen };
++allow haproxy_t self:tcp_socket create_stream_socket_perms;
++allow haproxy_t self: udp_socket create_socket_perms;
 +
 +manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
 +manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
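Review bot: `allow haproxy_t self: udp_socket create_socket_perms;` has a stray space after `self:`, unlike every other rule in this block; it should read `allow haproxy_t self:udp_socket create_socket_perms;`. The `kill` capability is added to the line under the `# bug in haproxy and process vs pid owner` comment, but that comment explains dac_override, not kill; a short note such as `# kill: haproxy signals its previous worker processes on reload` (adjusted to the denial actually observed) keeps the workaround auditable rather than folding an unrelated grant into it. Widening tcp_socket from `{ accept listen }` to create_stream_socket_perms is plausible for a proxy that opens backend connections, but saying so in a comment would help the next reviewer.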
@@ -77401,6 +77413,8 @@ index 2c2de9a..881a1a9 100644
 +manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
 +files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
 +
++corenet_sendrecv_unlabeled_packets(haproxy_t)
++
 +corenet_tcp_connect_commplex_link_port(haproxy_t)
 +corenet_tcp_connect_commplex_main_port(haproxy_t)
 +corenet_tcp_bind_commplex_main_port(haproxy_t)
@@ -77424,7 +77438,7 @@ index 2c2de9a..881a1a9 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0c0b04a..67c36ce 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 143%{?dist}
+Release: 144%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Mar 21 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-144
+- allow anaconda to dbus chat with systemd-localed
+- Add fixes for haproxy based on bperkins at redhat.com
+- Allow cmirrord to make dmsetup working
+- Allow NM to execute arping
+- Allow users to send messages through talk
+- Add userdom_tmp_role for secadm_t
+
 * Thu Mar 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-143
 - Add additional fixes for rtas_errd
 - Fix transitions for tmp/tmpfs in rtas.te

