[selinux-policy/f20] - back port fixes for pegasus_openlmi_admin_t from rawhide - Add labels for ostree - Add SELinux awa
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Mar 27 07:27:34 UTC 2014
commit 07551adc0a330f32e874bb96354411c705f259f7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Mar 27 08:27:20 2014 +0100
- back port fixes for pegasus_openlmi_admin_t from rawhide
- Add labels for ostree
- Add SELinux awareness for NM
- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
policy-f20-base.patch | 7 ++--
policy-f20-contrib.patch | 73 ++++++++++++++++++++++++++--------------------
selinux-policy.spec | 8 ++++-
3 files changed, 52 insertions(+), 36 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 10e99c5..3ce9971 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -27921,7 +27921,7 @@ index c6fdab7..af71c62 100644
sudo_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..003b09a 100644
+index 28ad538..36fbb93 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,28 @@
@@ -27957,7 +27957,7 @@ index 28ad538..003b09a 100644
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-@@ -16,13 +30,24 @@ ifdef(`distro_suse', `
+@@ -16,13 +30,25 @@ ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
@@ -27969,6 +27969,7 @@ index 28ad538..003b09a 100644
-/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
++/usr/sbin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
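Review bot: The new `++/usr/sbin/pwhistory_helper` entry reuses updpwd_exec_t, so the helper will run in the domain the other updpwd_exec_t binaries enter (updpwd_t, going by the type name), but nothing in this commit adjusts that domain for the state pam_pwhistory keeps (presumably /etc/security/opasswd), so it is worth confirming that the domain can read and write that file before the label ships. The entry is placed in sorted order between pam_timestamp_check and unix_chkpwd, which matches the surrounding lines. A short comment above it, `# pam_pwhistory helper: shares the unix_update domain`, would record why it borrows the label instead of getting a type of its own.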
@@ -27984,7 +27985,7 @@ index 28ad538..003b09a 100644
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,20 +55,24 @@ ifdef(`distro_gentoo', `
+@@ -30,20 +56,24 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 8573e4b..ea17349 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -2391,14 +2391,17 @@ index c960f92..486e9ed 100644
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
-index b098089..b2c4d10 100644
+index b098089..258407b 100644
--- a/anaconda.fc
+++ b/anaconda.fc
-@@ -1 +1,4 @@
+@@ -1 +1,7 @@
# No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0)
++
++/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
++/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
diff --git a/anaconda.if b/anaconda.if
index 14a61b7..21bbf36 100644
--- a/anaconda.if
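Review bot: `/usr/bin/ostree` and `/usr/bin/rpm-ostree` are labelled install_exec_t next to the anaconda binaries, so any domain that transitions on install_exec_t now enters the installer domain when it runs ostree, and since ostree is an ordinary command-line tool rather than an installer phase the .fc file should say why it shares that label. Suggest a comment above the two new lines, e.g. `# ostree/rpm-ostree write whole system trees; run them like the installer`. No change to the installer domain itself is visible in this commit, so whether it already covers what ostree touches (presumably /ostree and /boot) cannot be told from this hunk.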
@@ -50374,7 +50377,7 @@ index 0e8508c..9a7332c 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..5e5d9e7 100644
+index 0b48a30..559c66f 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -50405,7 +50408,7 @@ index 0b48a30..5e5d9e7 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -39,25 +42,47 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,51 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
@@ -50421,6 +50424,10 @@ index 0b48a30..5e5d9e7 100644
+ dontaudit NetworkManager_t self:capability sys_module;
+')
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
++
++allow NetworkManager_t self:process setfscreate;
++selinux_validate_context(NetworkManager_t)
++
+tunable_policy(`deny_ptrace',`',`
+ allow NetworkManager_t self:capability sys_ptrace;
+ allow NetworkManager_t self:process ptrace;
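Review bot: `++allow NetworkManager_t self:process setfscreate;` lets NetworkManager choose the label of files it creates, but the hunk does not say which files, so the rule reads as a blanket grant; a comment such as `# NM sets the creation context of the config files it writes (setfscreatecon)` would tie it to its use case. If NM derives that context from the file_contexts database (matchpathcon/selabel), the domain also needs `seutil_read_file_contexts(NetworkManager_t)`, which is not in this hunk; `seutil_read_config` appears later as context but is a different interface. setfscreate does not bypass the create and filesystem associate checks on the chosen type, so the exposure is bounded by what NetworkManager_t may already create. The enclosing inner hunk of networkmanager.te continues outside this hunk.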
@@ -50450,19 +50457,19 @@ index 0b48a30..5e5d9e7 100644
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
-
++
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+
+
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +93,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +97,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -50470,7 +50477,7 @@ index 0b48a30..5e5d9e7 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +107,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +111,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@@ -50489,7 +50496,7 @@ index 0b48a30..5e5d9e7 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +125,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +129,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@@ -50515,7 +50522,7 @@ index 0b48a30..5e5d9e7 100644
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
-@@ -125,13 +141,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +145,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@@ -50529,7 +50536,7 @@ index 0b48a30..5e5d9e7 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +149,33 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +153,33 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -50564,7 +50571,7 @@ index 0b48a30..5e5d9e7 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +190,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +194,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -50601,7 +50608,7 @@ index 0b48a30..5e5d9e7 100644
')
optional_policy(`
-@@ -196,10 +231,6 @@ optional_policy(`
+@@ -196,10 +235,6 @@ optional_policy(`
')
optional_policy(`
@@ -50612,7 +50619,7 @@ index 0b48a30..5e5d9e7 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +241,11 @@ optional_policy(`
+@@ -210,16 +245,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -50631,7 +50638,7 @@ index 0b48a30..5e5d9e7 100644
')
')
-@@ -231,18 +257,27 @@ optional_policy(`
+@@ -231,18 +261,27 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -50662,7 +50669,7 @@ index 0b48a30..5e5d9e7 100644
')
optional_policy(`
-@@ -250,6 +285,10 @@ optional_policy(`
+@@ -250,6 +289,10 @@ optional_policy(`
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
@@ -50673,7 +50680,7 @@ index 0b48a30..5e5d9e7 100644
')
optional_policy(`
-@@ -257,15 +296,19 @@ optional_policy(`
+@@ -257,15 +300,19 @@ optional_policy(`
')
optional_policy(`
@@ -50695,7 +50702,7 @@ index 0b48a30..5e5d9e7 100644
')
optional_policy(`
-@@ -274,10 +317,17 @@ optional_policy(`
+@@ -274,10 +321,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -50713,7 +50720,7 @@ index 0b48a30..5e5d9e7 100644
')
optional_policy(`
-@@ -289,6 +339,7 @@ optional_policy(`
+@@ -289,6 +343,7 @@ optional_policy(`
')
optional_policy(`
@@ -50721,7 +50728,7 @@ index 0b48a30..5e5d9e7 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +347,7 @@ optional_policy(`
+@@ -296,7 +351,7 @@ optional_policy(`
')
optional_policy(`
@@ -50730,7 +50737,7 @@ index 0b48a30..5e5d9e7 100644
')
optional_policy(`
-@@ -307,6 +358,7 @@ optional_policy(`
+@@ -307,6 +362,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -50738,7 +50745,7 @@ index 0b48a30..5e5d9e7 100644
')
optional_policy(`
-@@ -320,13 +372,19 @@ optional_policy(`
+@@ -320,13 +376,19 @@ optional_policy(`
')
optional_policy(`
@@ -50762,7 +50769,7 @@ index 0b48a30..5e5d9e7 100644
')
optional_policy(`
-@@ -356,6 +414,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +418,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -59703,7 +59710,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..225cd64 100644
+index 7bcf327..4461b33 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -59727,7 +59734,7 @@ index 7bcf327..225cd64 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,317 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -59909,6 +59916,8 @@ index 7bcf327..225cd64 100644
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
+init_reload_services(pegasus_openlmi_admin_t)
++init_status(pegasus_openlmi_admin_t)
++init_reboot(pegasus_openlmi_admin_t)
+init_exec(pegasus_openlmi_admin_t)
+
+systemd_config_all_services(pegasus_openlmi_admin_t)
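Review bot: `++init_reboot(pegasus_openlmi_admin_t)` grants the OpenLMI admin domain the power to reboot the host, a capability reachable through the CIM server's request path, and the hunk gives no hint which provider needs it; suggest a comment above the two new lines, `# openlmi providers: service status queries and host reboot` (presumably a power-management provider, to be confirmed against rawhide). The paired `++init_status` line is a read-only query and is uncontroversial. The enclosing inner hunk of pegasus.te (`@@ -30,20 +29,319 @@`) starts and ends outside this hunk.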
@@ -60050,7 +60059,7 @@ index 7bcf327..225cd64 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +350,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -60081,7 +60090,7 @@ index 7bcf327..225cd64 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +376,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -60114,7 +60123,7 @@ index 7bcf327..225cd64 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +404,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -60126,7 +60135,7 @@ index 7bcf327..225cd64 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +420,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -60162,7 +60171,7 @@ index 7bcf327..225cd64 100644
')
optional_policy(`
-@@ -151,16 +454,24 @@ optional_policy(`
+@@ -151,16 +456,24 @@ optional_policy(`
')
optional_policy(`
@@ -60191,7 +60200,7 @@ index 7bcf327..225cd64 100644
')
optional_policy(`
-@@ -168,7 +479,7 @@ optional_policy(`
+@@ -168,7 +481,7 @@ optional_policy(`
')
optional_policy(`
@@ -60200,7 +60209,7 @@ index 7bcf327..225cd64 100644
')
optional_policy(`
-@@ -180,6 +491,7 @@ optional_policy(`
+@@ -180,6 +493,7 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c902d39..4ed9461 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 146%{?dist}
+Release: 147%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Mar 27 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-147
+- back port fixes for pegasus_openlmi_admin_t from rawhide
+- Add labels for ostree
+- Add SELinux awareness for NM
+- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
+
* Wed Mar 26 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-146
- add gnome_append_home_config()
- Allow thumb to append GNOME config home files