[selinux-policy/f20] - allow anaconda to dbus chat with systemd-localed - Add fixes for haproxy based on bperkins at redhat.
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Mar 21 10:51:32 UTC 2014
commit 81ece166fc22042ebe3383cadbd2b2abca42e7ae
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Mar 21 11:51:23 2014 +0100
- allow anaconda to dbus chat with systemd-localed
- Add fixes for haproxy based on bperkins at redhat.com
- Allow cmirrord to make dmsetup work
- Allow NM to execute arping
- Allow users to send messages through talk
- Add userdom_tmp_role for secadm_t
policy-f20-base.patch | 7 +++--
policy-f20-contrib.patch | 60 ++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 10 +++++++-
3 files changed, 50 insertions(+), 27 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index e70b33d..e5e93d4 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -20235,10 +20235,10 @@ index 3a45a3e..7499f24 100644
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index da11120..d67bcca 100644
+index da11120..ece2f7f 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
-@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0)
+@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
role secadm_r;
@@ -20248,10 +20248,11 @@ index da11120..d67bcca 100644
+userdom_security_admin(secadm_t, secadm_r)
+userdom_inherit_append_admin_home_files(secadm_t)
+userdom_read_admin_home_files(secadm_t)
++userdom_manage_tmp_role(secadm_r, secadm_t)
########################################
#
-@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
+@@ -30,8 +33,7 @@ mls_file_upgrade(secadm_t)
mls_file_downgrade(secadm_t)
auth_role(secadm_r, secadm_t)
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index cda26f9..c6a6492 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -2459,7 +2459,7 @@ index 14a61b7..21bbf36 100644
+')
+
diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..4d36f22 100644
+index 6f1384c..f226596 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -2499,7 +2499,7 @@ index 6f1384c..4d36f22 100644
optional_policy(`
rpm_domtrans(anaconda_t)
-@@ -53,3 +66,32 @@ optional_policy(`
+@@ -53,3 +66,34 @@ optional_policy(`
optional_policy(`
unconfined_domain_noaudit(anaconda_t)
')
@@ -2511,6 +2511,8 @@ index 6f1384c..4d36f22 100644
+
+allow install_t self:capability2 mac_admin;
+
++systemd_dbus_chat_localed(install_t)
++
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(install_t)
+')
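Review bot: The new rule `systemd_dbus_chat_localed(install_t)` grants the localed dbus chat to install_t only, while the commit message and changelog entry say "anaconda"; if anaconda_t, the other domain in this file, also needs to reach systemd-localed it is not covered here. A one-line comment above the rule naming the reason, e.g. `# install_t talks to systemd-localed over dbus during installation`, would tie the grant to its caller. The surrounding install_t rules continue outside this hunk.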
@@ -12818,7 +12820,7 @@ index cc4e7cb..f348d27 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
-index d8e9958..d2303a4 100644
+index d8e9958..e4c023c 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
@@ -12830,13 +12832,14 @@ index d8e9958..d2303a4 100644
dontaudit cmirrord_t self:capability sys_tty_config;
allow cmirrord_t self:process { setfscreate signal };
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
-@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
-files_read_etc_files(cmirrord_t)
-
storage_create_fixed_disk_dev(cmirrord_t)
++storage_raw_read_fixed_disk(cmirrord_t)
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)
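Review bot: `storage_raw_read_fixed_disk(cmirrord_t)` gives the daemon read access to every fixed_disk_device_t node, which is a broad grant for a change described as making dmsetup work. If cmirrord only runs dmsetup as a child process, a transition into the lvm domain (`lvm_domtrans(cmirrord_t)`) would keep the raw-disk access in lvm_t instead of widening cmirrord_t; if the daemon itself reads device headers, a comment such as `# cmirrord reads device metadata directly (dmsetup)` above the rule would make the reason auditable. The cmirrord_t rule block continues outside this hunk.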
@@ -37299,7 +37302,7 @@ index 19777b8..55d1556 100644
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..a43a4f6 100644
+index 2cf3815..36e6eb0 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
@@ -37318,7 +37321,7 @@ index 2cf3815..a43a4f6 100644
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
-@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t)
+@@ -35,11 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
kernel_read_network_state(ktalkd_t)
@@ -37341,11 +37344,12 @@ index 2cf3815..a43a4f6 100644
auth_use_nsswitch(ktalkd_t)
- init_read_utmp(ktalkd_t)
+@@ -47,4 +61,4 @@ init_read_utmp(ktalkd_t)
logging_send_syslog_msg(ktalkd_t)
--
+
-miscfiles_read_localization(ktalkd_t)
++userdom_use_user_ptys(ktalkd_t)
diff --git a/kudzu.if b/kudzu.if
index 5297064..6ba8108 100644
--- a/kudzu.if
@@ -50332,7 +50336,7 @@ index 0e8508c..9a7332c 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..f031bc6 100644
+index 0b48a30..5e5d9e7 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -50631,7 +50635,7 @@ index 0b48a30..f031bc6 100644
')
optional_policy(`
-@@ -257,11 +296,14 @@ optional_policy(`
+@@ -257,15 +296,19 @@ optional_policy(`
')
optional_policy(`
@@ -50648,7 +50652,12 @@ index 0b48a30..f031bc6 100644
')
optional_policy(`
-@@ -274,10 +316,17 @@ optional_policy(`
+ netutils_exec_ping(NetworkManager_t)
++ netutils_exec(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -274,10 +317,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
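Review bot: `netutils_exec(NetworkManager_t)` lets NetworkManager run any netutils_exec_t binary in its own domain, not just arping, so the grant is wider than the changelog entry "Allow NM to execute arping" describes. If arping is the only need, a comment such as `# arping is labeled netutils_exec_t` above the call records why the whole label is opened; if the tools could run in netutils_t instead, `netutils_domtrans(NetworkManager_t)` would keep their raw-socket use out of NetworkManager_t. The enclosing optional_policy block starts and ends outside this hunk.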
@@ -50666,7 +50675,7 @@ index 0b48a30..f031bc6 100644
')
optional_policy(`
-@@ -289,6 +338,7 @@ optional_policy(`
+@@ -289,6 +339,7 @@ optional_policy(`
')
optional_policy(`
@@ -50674,7 +50683,7 @@ index 0b48a30..f031bc6 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +346,7 @@ optional_policy(`
+@@ -296,7 +347,7 @@ optional_policy(`
')
optional_policy(`
@@ -50683,7 +50692,7 @@ index 0b48a30..f031bc6 100644
')
optional_policy(`
-@@ -307,6 +357,7 @@ optional_policy(`
+@@ -307,6 +358,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -50691,7 +50700,7 @@ index 0b48a30..f031bc6 100644
')
optional_policy(`
-@@ -320,13 +371,19 @@ optional_policy(`
+@@ -320,13 +372,19 @@ optional_policy(`
')
optional_policy(`
@@ -50715,7 +50724,7 @@ index 0b48a30..f031bc6 100644
')
optional_policy(`
-@@ -356,6 +413,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +414,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -76011,10 +76020,10 @@ index b418d1c..1ad9c12 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..a7e8263 100644
+index 47de2d6..5ad36aa 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,86 @@
+@@ -1,31 +1,88 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -76073,6 +76082,8 @@ index 47de2d6..a7e8263 100644
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
++/var/run/haproxy\.sock.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
+
+# cluster administrative domains file spec
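Review bot: The two new haproxy entries use the `--` file-type specifier, which setfiles/restorecon only applies to regular files; if `/var/run/haproxy.sock*` is haproxy's stats unix-domain socket, as the name suggests, that entry will never match during a relabel and should use `-s` (or omit the type field to match any object), e.g. `/var/run/haproxy\.sock.* -s gen_context(system_u:object_r:haproxy_var_run_t,s0)`. The `\.stat.*` entry raises the same question if it also names a socket rather than a file. Both patterns end in an unanchored `.*`, so they match any name beginning with those prefixes, which may be wider than intended. Runtime labeling of these objects depends on the filetrans rules in rhcs.te, which are not in this hunk.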
@@ -76887,7 +76898,7 @@ index 56bc01f..1337d42 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..881a1a9 100644
+index 2c2de9a..4fd3b77 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -77371,7 +77382,7 @@ index 2c2de9a..881a1a9 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -77387,13 +77398,14 @@ index 2c2de9a..881a1a9 100644
+#
+
+# bug in haproxy and process vs pid owner
-+allow haproxy_t self:capability dac_override;
++allow haproxy_t self:capability { dac_override kill };
+
+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
+allow haproxy_t self:process { fork setrlimit signal_perms };
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
+allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
-+allow haproxy_t self:tcp_socket { accept listen };
++allow haproxy_t self:tcp_socket create_stream_socket_perms;
++allow haproxy_t self: udp_socket create_socket_perms;
+
+manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
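Review bot: `allow haproxy_t self: udp_socket create_socket_perms;` has a space after the colon, unlike every other rule in this block; checkpolicy appears to tokenize `:` separately so it likely still compiles, but it should read `allow haproxy_t self:udp_socket create_socket_perms;` for consistency. The `kill` capability is added under the comment `# bug in haproxy and process vs pid owner`, which was written for dac_override; CAP_KILL lets the domain signal processes owned by other UIDs, so a short comment on what needs it (e.g. the master signalling workers after it drops privileges) would keep the grant reviewable. The tcp_socket rule also widens from `{ accept listen }` to `create_stream_socket_perms`, which is consistent with the corenet bind/connect interfaces in the following hunk. The haproxy_t block continues past this hunk.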
@@ -77401,6 +77413,8 @@ index 2c2de9a..881a1a9 100644
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
+
++corenet_sendrecv_unlabeled_packets(haproxy_t)
++
+corenet_tcp_connect_commplex_link_port(haproxy_t)
+corenet_tcp_connect_commplex_main_port(haproxy_t)
+corenet_tcp_bind_commplex_main_port(haproxy_t)
@@ -77424,7 +77438,7 @@ index 2c2de9a..881a1a9 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0c0b04a..67c36ce 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 143%{?dist}
+Release: 144%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Mar 21 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-144
+- allow anaconda to dbus chat with systemd-localed
+- Add fixes for haproxy based on bperkins at redhat.com
+- Allow cmirrord to make dmsetup working
+- Allow NM to execute arping
+- Allow users to send messages through talk
+- Add userdom_tmp_role for secadm_t
+
* Thu Mar 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-143
- Add additional fixes for rtas_errd
- Fix transitions for tmp/tmpfs in rtas.te