[selinux-policy/f20] * Fri Apr 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-156 - Allow init_t to setattr/relabelfrom

Lukas Vrabec lvrabec at fedoraproject.org
Fri Apr 18 09:48:02 UTC 2014


commit 9855c65aebf051e8351d4b6d2d0a4a885391cc56
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Fri Apr 18 11:47:35 2014 +0200

    * Fri Apr 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-156
    - Allow init_t to setattr/relabelfrom dhcp state files
    - Dontaudit antivirus domains read access on all security files by
    default
    - Add missing alias for old amavis_etc_t type
    - Allow block_suspend cap for haproxy
    - Additional fixes for instack overcloud
    - Allow OpenStack to read mysqld_db links and connect to MySQL
    - Remove dup filename rules in gnome.te
    - Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
    - Allow iscsid to handle own unit files
    - Add iscsi_systemctl()
    - Allow mongod to create also sock_files in /run with correct labeling

 policy-f20-base.patch    |  132 ++++++++++++++++----------
 policy-f20-contrib.patch |  230 ++++++++++++++++++++++++++++++----------------
 selinux-policy.spec      |   15 +++-
 3 files changed, 245 insertions(+), 132 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index f0ed2b3..0e82369 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -31438,7 +31438,7 @@ index 24e7804..2863546 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..c983546 100644
+index dd3be8d..6d72189 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -31700,7 +31700,7 @@ index dd3be8d..c983546 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +300,226 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +300,231 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -31895,6 +31895,11 @@ index dd3be8d..c983546 100644
 +    optional_policy(`
 +        rpc_manage_nfs_state_data(init_t)
 +    ')
++
++    optional_policy(`
++        sysnet_relabelfrom_dhcpc_state(init_t)
++        sysnet_setattr_dhcp_state(init_t)
++    ')
 +')
 +
 +optional_policy(`
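Review bot: `sysnet_relabelfrom_dhcpc_state(init_t)` on the new line is not defined anywhere in this diff — only `sysnet_setattr_dhcp_state` is added to sysnetwork.if further down — so unless it already exists in the patched sysnetwork.if, the base module build will fail on an undefined interface. The two calls also target different types (dhcpc_state_t vs dhcp_state_t), which is easy to misread as a typo, so a one-line comment above the new `optional_policy` naming what in init has to relabel and setattr these state files would make the grant auditable, e.g. `# init_t relabels/setattrs DHCP client state at boot — TODO: name the unit that triggers this`. The enclosing `ifdef`/`optional_policy` block starts outside this hunk.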
@@ -31935,7 +31940,7 @@ index dd3be8d..c983546 100644
  ')
  
  optional_policy(`
-@@ -216,7 +527,30 @@ optional_policy(`
+@@ -216,7 +532,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31966,7 +31971,7 @@ index dd3be8d..c983546 100644
  ')
  
  ########################################
-@@ -225,8 +559,9 @@ optional_policy(`
+@@ -225,8 +564,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -31978,7 +31983,7 @@ index dd3be8d..c983546 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +592,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -31995,7 +32000,7 @@ index dd3be8d..c983546 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +617,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -32038,7 +32043,7 @@ index dd3be8d..c983546 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +654,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -32050,7 +32055,7 @@ index dd3be8d..c983546 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +666,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +671,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -32061,7 +32066,7 @@ index dd3be8d..c983546 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +677,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +682,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -32071,7 +32076,7 @@ index dd3be8d..c983546 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +686,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +691,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -32079,7 +32084,7 @@ index dd3be8d..c983546 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +693,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -32087,7 +32092,7 @@ index dd3be8d..c983546 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +701,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +706,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -32105,7 +32110,7 @@ index dd3be8d..c983546 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +719,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +724,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -32119,7 +32124,7 @@ index dd3be8d..c983546 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +734,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +739,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -32133,7 +32138,7 @@ index dd3be8d..c983546 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +747,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +752,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -32141,7 +32146,7 @@ index dd3be8d..c983546 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +759,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +764,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -32149,7 +32154,7 @@ index dd3be8d..c983546 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +778,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +783,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -32173,7 +32178,7 @@ index dd3be8d..c983546 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +811,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +816,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -32181,7 +32186,7 @@ index dd3be8d..c983546 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +845,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +850,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -32192,7 +32197,7 @@ index dd3be8d..c983546 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +869,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +874,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -32201,7 +32206,7 @@ index dd3be8d..c983546 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +884,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +889,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -32209,7 +32214,7 @@ index dd3be8d..c983546 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +905,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +910,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -32217,7 +32222,7 @@ index dd3be8d..c983546 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +915,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +920,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -32262,7 +32267,7 @@ index dd3be8d..c983546 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +960,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +965,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -32294,7 +32299,7 @@ index dd3be8d..c983546 100644
  	')
  ')
  
-@@ -576,6 +995,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +1000,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -32334,7 +32339,7 @@ index dd3be8d..c983546 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1040,8 @@ optional_policy(`
+@@ -588,6 +1045,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -32343,7 +32348,7 @@ index dd3be8d..c983546 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1063,7 @@ optional_policy(`
+@@ -609,6 +1068,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -32351,7 +32356,7 @@ index dd3be8d..c983546 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1080,17 @@ optional_policy(`
+@@ -625,6 +1085,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32369,7 +32374,7 @@ index dd3be8d..c983546 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1107,13 @@ optional_policy(`
+@@ -641,9 +1112,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -32383,7 +32388,7 @@ index dd3be8d..c983546 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1126,11 @@ optional_policy(`
+@@ -656,15 +1131,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32401,7 +32406,7 @@ index dd3be8d..c983546 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1151,15 @@ optional_policy(`
+@@ -685,6 +1156,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32417,7 +32422,7 @@ index dd3be8d..c983546 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1200,7 @@ optional_policy(`
+@@ -725,6 +1205,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -32425,7 +32430,7 @@ index dd3be8d..c983546 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1218,13 @@ optional_policy(`
+@@ -742,7 +1223,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32440,7 +32445,7 @@ index dd3be8d..c983546 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1247,10 @@ optional_policy(`
+@@ -765,6 +1252,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32451,7 +32456,7 @@ index dd3be8d..c983546 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1260,20 @@ optional_policy(`
+@@ -774,10 +1265,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32472,7 +32477,7 @@ index dd3be8d..c983546 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1282,10 @@ optional_policy(`
+@@ -786,6 +1287,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32483,7 +32488,7 @@ index dd3be8d..c983546 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1307,6 @@ optional_policy(`
+@@ -807,8 +1312,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -32492,7 +32497,7 @@ index dd3be8d..c983546 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1315,10 @@ optional_policy(`
+@@ -817,6 +1320,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32503,7 +32508,7 @@ index dd3be8d..c983546 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1328,12 @@ optional_policy(`
+@@ -826,10 +1333,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -32516,7 +32521,7 @@ index dd3be8d..c983546 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1360,35 @@ optional_policy(`
+@@ -856,12 +1365,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32553,7 +32558,7 @@ index dd3be8d..c983546 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1398,18 @@ optional_policy(`
+@@ -871,6 +1403,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -32572,7 +32577,7 @@ index dd3be8d..c983546 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1425,10 @@ optional_policy(`
+@@ -886,6 +1430,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32583,7 +32588,7 @@ index dd3be8d..c983546 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1439,218 @@ optional_policy(`
+@@ -896,3 +1444,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -39242,7 +39247,7 @@ index 346a7cc..42a48b6 100644
 +/var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..821e74c 100644
+index 6944526..98ac8bf 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39481,7 +39486,34 @@ index 6944526..821e74c 100644
  ')
  
  ########################################
-@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -617,6 +769,26 @@ interface(`sysnet_search_dhcp_state',`
+ 	allow $1 dhcp_state_t:dir search_dir_perms;
+ ')
+ 
++#######################################
++## <summary>
++##	Set the attributes of network config files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sysnet_setattr_dhcp_state',`
++	gen_require(`
++		type dhcp_state_t;
++	')
++
++    files_search_var_lib($1)
++	allow $1 dhcp_state_t:file setattr_file_perms;
++')
++
++
+ ########################################
+ ## <summary>
+ ##	Create DHCP state data.
+@@ -681,8 +853,6 @@ interface(`sysnet_dns_name_resolve',`
  	allow $1 self:udp_socket create_socket_perms;
  	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  
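Review bot: The summary on the new `sysnet_setattr_dhcp_state` interface says it sets the attributes of network config files, but the only rule it grants is `allow $1 dhcp_state_t:file setattr_file_perms;`, i.e. DHCP state files (searched via `files_search_var_lib`), not config; change it to `##	Set the attributes of DHCP state files.` so callers do not pick it for config files. `files_search_var_lib($1)` is indented with spaces while the rest of the file uses tabs, and the interface is followed by two blank lines where neighbouring interfaces use one.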
@@ -39490,7 +39522,7 @@ index 6944526..821e74c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -690,8 +840,11 @@ interface(`sysnet_dns_name_resolve',`
+@@ -690,8 +860,11 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_sendrecv_dns_port($1)
  	corenet_udp_sendrecv_dns_port($1)
  	corenet_tcp_connect_dns_port($1)
@@ -39502,7 +39534,7 @@ index 6944526..821e74c 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -720,8 +873,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +893,6 @@ interface(`sysnet_use_ldap',`
  
  	allow $1 self:tcp_socket create_socket_perms;
  
@@ -39511,7 +39543,7 @@ index 6944526..821e74c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
  	corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +884,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +904,9 @@ interface(`sysnet_use_ldap',`
  	dev_read_urand($1)
  
  	sysnet_read_config($1)
@@ -39521,7 +39553,7 @@ index 6944526..821e74c 100644
  ')
  
  ########################################
-@@ -754,7 +908,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +928,6 @@ interface(`sysnet_use_portmap',`
  	allow $1 self:udp_socket create_socket_perms;
  
  	corenet_all_recvfrom_unlabeled($1)
@@ -39529,7 +39561,7 @@ index 6944526..821e74c 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +919,114 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +939,114 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index a0314fc..e06bda9 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -2929,10 +2929,10 @@ index 0000000..df5b3be
 +')
 diff --git a/antivirus.te b/antivirus.te
 new file mode 100644
-index 0000000..8ba9c95
+index 0000000..83590aa
 --- /dev/null
 +++ b/antivirus.te
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,273 @@
 +policy_module(antivirus, 1.0.0)
 +
 +########################################
@@ -2972,7 +2972,7 @@ index 0000000..8ba9c95
 +systemd_unit_file(antivirus_unit_file_t)
 +
 +type antivirus_conf_t;
-+typealias antivirus_conf_t alias { clamd_etc_t };
++typealias antivirus_conf_t alias { clamd_etc_t amavis_etc_t };
 +files_config_file(antivirus_conf_t)
 +
 +type antivirus_var_run_t;
@@ -3101,6 +3101,7 @@ index 0000000..8ba9c95
 +
 +domain_dontaudit_read_all_domains_state(antivirus_domain)
 +
++files_dontaudit_read_security_files(antivirus_domain)
 +files_read_etc_runtime_files(antivirus_domain)
 +files_search_spool(antivirus_domain)
 +
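Review bot: The new unconditional `files_dontaudit_read_security_files(antivirus_domain)` (together with its removal from the `antivirus_can_scan_system` block in the next hunk) silences read denials on security_file_type objects such as shadow_t for every antivirus domain regardless of the boolean, so an engine that starts opening those files will no longer appear in the audit log. As far as this diff shows, read access to security files is never granted even when the boolean is on (the tunable only adds `files_read_non_security_files`), so this trades audit visibility for log noise and deserves a why-comment on the line, e.g. `# read is never granted; this only silences the denials scanners generate — confirm`. The antivirus_domain section continues outside this hunk.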
@@ -3125,8 +3126,6 @@ index 0000000..8ba9c95
 +
 +tunable_policy(`antivirus_can_scan_system',`
 +	files_read_non_security_files(antivirus_domain)
-+    #files_dontaudit_read_all_non_security_files(antivirus_domain)
-+    files_dontaudit_read_security_files(antivirus_domain)
 +	files_getattr_all_pipes(antivirus_domain)
 +	files_getattr_all_sockets(antivirus_domain)
 +    dev_getattr_all_blk_files(antivirus_domain)
@@ -4964,7 +4963,7 @@ index 83e899c..64beed7 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..15e3e0b 100644
+index 1a82e29..0dbb289 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,381 @@
@@ -5598,13 +5597,14 @@ index 1a82e29..15e3e0b 100644
 +# Apache server local policy
  #
  
- allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
+-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
 -dontaudit httpd_t self:capability net_admin;
++allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
 +dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
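Review bot: `sys_chroot` is added to the httpd_t self:capability set with nothing explaining why; capability grants are the first thing an auditor of this module will question, and the commit message only restates the rule. If this is for Apache's `ChrootDir` directive (mod_unixd), say so on the line, e.g. `allow httpd_t self:capability { ... sys_chroot }; # sys_chroot: ChrootDir (mod_unixd) — confirm`, or cite the AVC that drove it. The Apache local-policy section continues outside this hunk.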
-@@ -378,28 +484,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +484,37 @@ allow httpd_t self:shm create_shm_perms;
  allow httpd_t self:sem create_sem_perms;
  allow httpd_t self:msgq create_msgq_perms;
  allow httpd_t self:msg { send receive };
@@ -5639,6 +5639,7 @@ index 1a82e29..15e3e0b 100644
  create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
  create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
++setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
  read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
 +# cjp: need to refine create interfaces to
@@ -5646,7 +5647,7 @@ index 1a82e29..15e3e0b 100644
  logging_log_filetrans(httpd_t, httpd_log_t, file)
  
  allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,14 +521,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,14 +522,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
  
@@ -5668,7 +5669,7 @@ index 1a82e29..15e3e0b 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +566,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -5906,7 +5907,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +742,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -5966,7 +5967,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +794,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6057,7 +6058,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +841,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +842,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6138,7 +6139,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  optional_policy(`
-@@ -744,24 +894,32 @@ optional_policy(`
+@@ -744,24 +895,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6177,7 +6178,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  optional_policy(`
-@@ -770,6 +928,10 @@ optional_policy(`
+@@ -770,6 +929,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
  		avahi_dbus_chat(httpd_t)
  	')
@@ -6188,7 +6189,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  optional_policy(`
-@@ -781,34 +943,53 @@ optional_policy(`
+@@ -781,34 +944,53 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6253,7 +6254,7 @@ index 1a82e29..15e3e0b 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -816,8 +997,18 @@ optional_policy(`
+@@ -816,8 +998,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6272,7 +6273,7 @@ index 1a82e29..15e3e0b 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -826,6 +1017,7 @@ optional_policy(`
+@@ -826,6 +1018,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6280,7 +6281,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  optional_policy(`
-@@ -836,20 +1028,39 @@ optional_policy(`
+@@ -836,20 +1029,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6326,7 +6327,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  optional_policy(`
-@@ -857,19 +1068,35 @@ optional_policy(`
+@@ -857,19 +1069,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6362,7 +6363,7 @@ index 1a82e29..15e3e0b 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -877,65 +1104,173 @@ optional_policy(`
+@@ -877,65 +1105,173 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6558,7 +6559,7 @@ index 1a82e29..15e3e0b 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -944,123 +1279,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1280,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6713,7 +6714,7 @@ index 1a82e29..15e3e0b 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1363,106 @@ optional_policy(`
+@@ -1077,172 +1364,106 @@ optional_policy(`
  	')
  ')
  
@@ -6950,7 +6951,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1470,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1471,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7047,7 +7048,7 @@ index 1a82e29..15e3e0b 100644
  
  ########################################
  #
-@@ -1315,8 +1545,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1546,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7064,7 +7065,7 @@ index 1a82e29..15e3e0b 100644
  ')
  
  ########################################
-@@ -1324,49 +1561,38 @@ optional_policy(`
+@@ -1324,49 +1562,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7129,7 +7130,7 @@ index 1a82e29..15e3e0b 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1602,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1603,100 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -12541,10 +12542,10 @@ index 0000000..8ac848b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..786d623
+index 0000000..496ce03
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,299 @@
+@@ -0,0 +1,300 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -12817,8 +12818,9 @@ index 0000000..786d623
 +
 +manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 +manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
++manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
 +#needed by dbomatic
-+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
++files_pid_filetrans(mongod_t, mongod_var_run_t, { file sock_file dir })
 +
 +corecmd_exec_bin(mongod_t)
 +corecmd_exec_shell(mongod_t)
@@ -28084,7 +28086,7 @@ index 9eacb2c..229782f 100644
  	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
  	domain_system_change_exemption($1)
 diff --git a/glance.te b/glance.te
-index e0a4f46..16dcb5b 100644
+index e0a4f46..6838221 100644
 --- a/glance.te
 +++ b/glance.te
 @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@@ -28118,7 +28120,7 @@ index e0a4f46..16dcb5b 100644
  allow glance_domain self:fifo_file rw_fifo_file_perms;
  allow glance_domain self:unix_stream_socket create_stream_socket_perms;
  allow glance_domain self:tcp_socket { accept listen };
-@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,29 +58,29 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
  manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
  
@@ -28149,8 +28151,14 @@ index e0a4f46..16dcb5b 100644
 -
  sysnet_dns_name_resolve(glance_domain)
  
++optional_policy(`
++    mysql_read_db_lnk_files(glance_domain)
++')
++
  ########################################
-@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+ #
+ # Registry local policy
+@@ -88,8 +90,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
  manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
  files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
  
@@ -28165,7 +28173,7 @@ index e0a4f46..16dcb5b 100644
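Review bot: The new `optional_policy` block granting `mysql_read_db_lnk_files(glance_domain)` is indented with four spaces, while the surrounding glance.te uses tabs (see `	init_labeled_script_domtrans` above), so use `	mysql_read_db_lnk_files(glance_domain)` with a tab to keep the file consistent. The same mixed indentation appears in the `iscsi_systemctl(iscsid_t)` block added to iscsi.te later in this diff. The glance_domain section continues outside this hunk.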
  
  logging_send_syslog_msg(glance_registry_t)
  
-@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +116,24 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
  files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
  can_exec(glance_api_t, glance_tmp_t)
  
@@ -28184,6 +28192,8 @@ index e0a4f46..16dcb5b 100644
 +corenet_tcp_connect_http_port(glance_api_t)
 +
 +corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
++corenet_tcp_connect_commplex_main_port(glance_api_t)
++corenet_tcp_connect_http_cache_port(glance_api_t)
 +
 +corenet_sendrecv_hplip_server_packets(glance_api_t)
 +corenet_tcp_bind_hplip_port(glance_api_t)
@@ -30896,7 +30906,7 @@ index d03fd43..af9415c 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
  ')
 diff --git a/gnome.te b/gnome.te
-index 20f726b..5314f96 100644
+index 20f726b..ea1115c 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -1,18 +1,36 @@
@@ -30940,7 +30950,7 @@ index 20f726b..5314f96 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,227 @@ type gconfd_exec_t;
+@@ -29,107 +47,226 @@ type gconfd_exec_t;
  typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
  typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -31162,7 +31172,6 @@ index 20f726b..5314f96 100644
 +filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
 +filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 +filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
-+filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
  
 -manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
 -manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
@@ -33945,7 +33954,7 @@ index 08b7560..417e630 100644
 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket	--	gen_context(system_u:object_r:iscsi_unit_file_t,s0)
 diff --git a/iscsi.if b/iscsi.if
-index 1a35420..2ea1241 100644
+index 1a35420..a7e1562 100644
 --- a/iscsi.if
 +++ b/iscsi.if
 @@ -22,6 +22,27 @@ interface(`iscsid_domtrans',`
@@ -33976,7 +33985,7 @@ index 1a35420..2ea1241 100644
  ##	iscsid sempaphores.
  ## </summary>
  ## <param name="domain">
-@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',`
+@@ -80,17 +101,53 @@ interface(`iscsi_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -34000,6 +34009,28 @@ index 1a35420..2ea1241 100644
 +    files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
 +')
 +
++########################################
++## <summary>
++##     Execute iscsi server in the iscsi domain.
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed to transition.
++##     </summary>
++## </param>
++#
++interface(`iscsi_systemctl',`
++       gen_require(`
++               type iscsid_t;
++               type iscsi_unit_file_t;
++       ')
++
++       systemd_exec_systemctl($1)
++       allow $1 iscsi_unit_file_t:file read_file_perms;
++       allow $1 iscsi_unit_file_t:service manage_service_perms;
++
++       ps_process_pattern($1, iscsid_t)
++')
 +
 +########################################
 +## <summary>
@@ -34013,7 +34044,7 @@ index 1a35420..2ea1241 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -99,16 +134,15 @@ interface(`iscsi_admin',`
+@@ -99,16 +156,15 @@ interface(`iscsi_admin',`
  	gen_require(`
  		type iscsid_t, iscsi_lock_t, iscsi_log_t;
  		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
@@ -34035,7 +34066,7 @@ index 1a35420..2ea1241 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index 57304e4..56d45ec 100644
+index 57304e4..b25cfd0 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -9,8 +9,8 @@ type iscsid_t;
@@ -34086,7 +34117,7 @@ index 57304e4..56d45ec 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,21 +86,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,21 +86,33 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
  corenet_tcp_sendrecv_isns_port(iscsid_t)
  
@@ -34095,6 +34126,9 @@ index 57304e4..56d45ec 100644
 +corenet_tcp_connect_winshadow_port(iscsid_t)
 +corenet_tcp_sendrecv_winshadow_port(iscsid_t)
 +
++corecmd_exec_bin(iscsid_t)
++corecmd_exec_shell(iscsid_t)
++
 +dev_read_urand(iscsid_t)
  dev_rw_sysfs(iscsid_t)
  dev_rw_userio_dev(iscsid_t)
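Review bot: `corecmd_exec_bin(iscsid_t)` and `corecmd_exec_shell(iscsid_t)` let the daemon execute any shell or generic binary in its own domain, a notable widening for a daemon that the surrounding rules show talking to remote ports, and neither the changelog nor a comment says what requires it. If iscsid spawns helper scripts, I'd record that above the two rules, e.g. `# iscsid runs helper scripts through /bin/sh -- TODO name the caller`, so the grant can be revisited; if a single helper is the reason, an exec of a narrower type or a domtrans for that helper would be preferable to shell exec in iscsid_t. The iscsid_t policy block continues outside this hunk.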
@@ -34113,6 +34147,10 @@ index 57304e4..56d45ec 100644
  
 -miscfiles_read_localization(iscsid_t)
 +modutils_read_module_config(iscsid_t)
++
++optional_policy(`
++    iscsi_systemctl(iscsid_t)
++')
  
  optional_policy(`
  	tgtd_manage_semaphores(iscsid_t)
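Review bot: The `optional_policy()` wrapper around `iscsi_systemctl(iscsid_t)` is redundant — the interface is defined in this module's own iscsi.if, so its required types are always present; `optional_policy` is meant for interfaces of modules that may not be loaded. The block also uses a four-space indent where the neighbouring `optional_policy` blocks use a tab. I'd make it a bare `iscsi_systemctl(iscsid_t)` call preceded by a one-line comment naming which unit iscsid needs to manage, since a daemon controlling its own service is unusual enough to deserve a stated reason.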
@@ -37622,7 +37660,7 @@ index d3e7fc9..f20248c 100644
 +	')
  ')
 diff --git a/keystone.te b/keystone.te
-index 3494d9b..a82637c 100644
+index 3494d9b..c21beab 100644
 --- a/keystone.te
 +++ b/keystone.te
 @@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
@@ -37640,7 +37678,7 @@ index 3494d9b..a82637c 100644
  
  allow keystone_t self:fifo_file rw_fifo_file_perms;
  allow keystone_t self:unix_stream_socket { accept listen };
-@@ -57,20 +61,29 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -57,20 +61,30 @@ corenet_all_recvfrom_netlabel(keystone_t)
  corenet_tcp_sendrecv_generic_if(keystone_t)
  corenet_tcp_sendrecv_generic_node(keystone_t)
  corenet_tcp_bind_generic_node(keystone_t)
@@ -37664,7 +37702,8 @@ index 3494d9b..a82637c 100644
  optional_policy(`
  	mysql_stream_connect(keystone_t)
  	mysql_tcp_connect(keystone_t)
- ')
++    mysql_read_db_lnk_files(keystone_t)
++')
 +
 +optional_policy(`
 +	postgresql_stream_connect(keystone_t)
@@ -37672,7 +37711,7 @@ index 3494d9b..a82637c 100644
 +
 +optional_policy(`
 +    rpm_exec(keystone_t)
-+')
+ ')
 diff --git a/kismet.if b/kismet.if
 index aa2a337..7ff229f 100644
 --- a/kismet.if
@@ -48519,7 +48558,7 @@ index c48dc17..297f831 100644
 +/var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
 +/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
 diff --git a/mysql.if b/mysql.if
-index 687af38..404ed6d 100644
+index 687af38..a77dc09 100644
 --- a/mysql.if
 +++ b/mysql.if
 @@ -1,23 +1,4 @@
@@ -48723,7 +48762,28 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',`
+@@ -221,10 +233,28 @@ interface(`mysql_append_db_files',`
+ 	files_search_var_lib($1)
+ 	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
+ ')
++#######################################
++## <summary>
++##	Read and write to the MySQL database directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mysql_read_db_lnk_files',`
++	gen_require(`
++		type mysqld_db_t;
++	')
++
++	files_search_var_lib($1)
++    read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
++')
  
  #######################################
  ## <summary>
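Review bot: The summary on the new `mysql_read_db_lnk_files` interface says "Read and write to the MySQL database directory." but the body grants only `files_search_var_lib($1)` and `read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)` — no write access and no regular-file read. Since several OpenStack domains in this commit now call it, the doc should state precisely what it gives: `##	Read symbolic links in the MySQL database directory.`. Also restore the blank line the other interfaces in mysql.if have before the `####` separator (the closing `')` of mysql_append_db_files currently runs straight into it), and use a tab rather than spaces on the `read_lnk_files_pattern` line.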
@@ -48732,7 +48792,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',`
+@@ -243,8 +273,7 @@ interface(`mysql_rw_db_files',`
  
  #######################################
  ## <summary>
@@ -48742,7 +48802,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',`
+@@ -263,7 +292,7 @@ interface(`mysql_manage_db_files',`
  
  ########################################
  ## <summary>
@@ -48751,7 +48811,7 @@ index 687af38..404ed6d 100644
  ##	named socket.
  ## </summary>
  ## <param name="domain">
-@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',`
+@@ -273,13 +302,18 @@ interface(`mysql_manage_db_files',`
  ## </param>
  #
  interface(`mysql_rw_db_sockets',`
@@ -48773,7 +48833,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',`
+@@ -287,86 +321,92 @@ interface(`mysql_rw_db_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -48899,7 +48959,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,18 +396,22 @@ interface(`mysql_write_log',`
+@@ -374,18 +414,22 @@ interface(`mysql_write_log',`
  ##	</summary>
  ## </param>
  #
@@ -48928,7 +48988,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',`
+@@ -393,39 +437,37 @@ interface(`mysql_domtrans_mysql_safe',`
  ##	</summary>
  ## </param>
  #
@@ -48980,7 +49040,7 @@ index 687af38..404ed6d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',`
+@@ -434,41 +476,52 @@ interface(`mysql_search_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -52258,10 +52318,10 @@ index 0000000..28936b4
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..d5b54e5
+index 0000000..bd2f08f
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,318 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@@ -52310,6 +52370,7 @@ index 0000000..d5b54e5
 +# nova general domain local policy
 +#
 +
++allow nova_domain self:process signal_perms;
 +allow nova_domain self:fifo_file rw_fifo_file_perms;
 +allow nova_domain self:tcp_socket create_stream_socket_perms;
 +allow nova_domain self:unix_stream_socket create_stream_socket_perms;
@@ -52340,6 +52401,11 @@ index 0000000..d5b54e5
 +libs_exec_ldconfig(nova_domain)
 +
 +optional_policy(`
++    mysql_stream_connect(nova_domain)
++    mysql_read_db_lnk_files(nova_domain)
++')
++
++optional_policy(`
 +	sysnet_read_config(nova_domain)
 +	sysnet_exec_ifconfig(nova_domain)
 +')
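Review bot: Granting `mysql_stream_connect` and `mysql_read_db_lnk_files` on `nova_domain` — which the surrounding rules treat as the attribute shared by all nova services — replaces the per-domain grants that the later hunks remove from nova_cert_t and nova_console_t, so every nova domain now gets MySQL socket access rather than just those two. That may be the intent behind "Allow OpenStack to ... connect to MySQL" in the changelog, but the diff does not explain the widening; a comment above the block such as `# every nova service talks to the shared nova database -- TODO confirm` would make the scope deliberate. The new lines also use a four-space indent where the adjacent `optional_policy` block uses a tab.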
@@ -52406,10 +52472,6 @@ index 0000000..d5b54e5
 +miscfiles_read_certs(nova_cert_t)
 +
 +optional_policy(`
-+	mysql_stream_connect(nova_cert_t)
-+')
-+
-+optional_policy(`
 +	postgresql_stream_connect(nova_cert_t)
 +')
 +
@@ -52440,10 +52502,6 @@ index 0000000..d5b54e5
 +
 +auth_use_nsswitch(nova_console_t)
 +
-+optional_policy(`
-+    mysql_stream_connect(nova_console_t)
-+')
-+
 +#######################################
 +#
 +# nova direct local policy
@@ -73165,10 +73223,10 @@ index afc0068..3105104 100644
 +	')
  ')
 diff --git a/quantum.te b/quantum.te
-index 769d1fd..52bad99 100644
+index 769d1fd..8c49752 100644
 --- a/quantum.te
 +++ b/quantum.te
-@@ -1,96 +1,132 @@
+@@ -1,96 +1,134 @@
 -policy_module(quantum, 1.0.2)
 +policy_module(quantum, 1.0.3)
  
@@ -73218,8 +73276,9 @@ index 769d1fd..52bad99 100644
 -allow quantum_t self:key manage_key_perms;
 -allow quantum_t self:tcp_socket { accept listen };
 -allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
-+allow neutron_t self:process { setsched setrlimit };
++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin };
++allow neutron_t self:capability2 block_suspend;
++allow neutron_t self:process { setsched setrlimit signal_perms };
 +allow neutron_t self:fifo_file rw_fifo_file_perms;
 +allow neutron_t self:key manage_key_perms;
 +allow neutron_t self:tcp_socket { accept listen };
@@ -73252,7 +73311,7 @@ index 769d1fd..52bad99 100644
 +can_exec(neutron_t, neutron_tmp_t)
  
 -can_exec(quantum_t, quantum_tmp_t)
-+kernel_read_kernel_sysctls(neutron_t)
++kernel_rw_kernel_sysctl(neutron_t)
 +kernel_read_system_state(neutron_t)
 +kernel_read_network_state(neutron_t)
 +kernel_request_load_module(neutron_t)
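Review bot: `kernel_read_kernel_sysctls(neutron_t)` becomes `kernel_rw_kernel_sysctl(neutron_t)`, so the domain can now write the /proc/sys/kernel tunables rather than only read them, and the changelog does not record that widening. If what neutron needs to set are network tunables (ip_forward, rp_filter and similar live under /proc/sys/net), the narrower `kernel_rw_net_sysctls(neutron_t)` is the right interface and the kernel sysctls can stay read-only; if a /proc/sys/kernel knob really is written, name it in a comment above the rule. The neutron_t block continues past this hunk.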
@@ -73281,9 +73340,11 @@ index 769d1fd..52bad99 100644
 +corenet_tcp_connect_keystone_port(neutron_t)
 +corenet_tcp_connect_amqp_port(neutron_t)
 +corenet_tcp_connect_mysqld_port(neutron_t)
++corenet_tcp_connect_osapi_compute_port(neutron_t)
  
 -dev_list_sysfs(quantum_t)
 -dev_read_urand(quantum_t)
++domain_read_all_domains_state(neutron_t)
 +domain_named_filetrans(neutron_t)
  
 -files_read_usr_files(quantum_t)
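Review bot: `domain_read_all_domains_state(neutron_t)` lets neutron read the /proc state of every process on the host, which together with the `sys_ptrace` capability granted earlier in this file is a lot of visibility for one service domain. This rule is the usual answer to a program that scans /proc for helper processes it spawned; if that is the case here I'd record it — `# neutron agents scan /proc for their helper processes -- TODO confirm` — and check whether reading the specific helper domains' state would suffice instead of all domains. The neutron_t block continues past this hunk.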
@@ -73335,18 +73396,17 @@ index 769d1fd..52bad99 100644
 -	postgresql_stream_connect(quantum_t)
 -	postgresql_unpriv_client(quantum_t)
 +	mysql_stream_connect(neutron_t)
++    mysql_read_db_lnk_files(neutron_t)
 +	mysql_read_config(neutron_t)
++	mysql_tcp_connect(neutron_t)
++')
  
 -	postgresql_tcp_connect(quantum_t)
-+	mysql_tcp_connect(neutron_t)
- ')
-+
 +optional_policy(`
 +	postgresql_stream_connect(neutron_t)
 +	postgresql_unpriv_client(neutron_t)
-+
 +	postgresql_tcp_connect(neutron_t)
-+')
+ ')
 +
 +optional_policy(`
 +    openvswitch_domtrans(neutron_t)
@@ -77736,7 +77796,7 @@ index 56bc01f..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
  ')
 diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..4fd3b77 100644
+index 2c2de9a..503838b 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -78220,7 +78280,7 @@ index 2c2de9a..4fd3b77 100644
  optional_policy(`
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
  
  dev_list_sysfs(groupd_t)
  
@@ -78239,6 +78299,7 @@ index 2c2de9a..4fd3b77 100644
 +allow haproxy_t self:capability { dac_override kill };
 +
 +allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
++allow haproxy_t self:capability2 block_suspend;
 +allow haproxy_t self:process { fork setrlimit signal_perms };
 +allow haproxy_t self:fifo_file rw_fifo_file_perms;
 +allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
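Review bot: `allow haproxy_t self:capability2 block_suspend;` is an allow where a dontaudit is often the appropriate response: the block_suspend check typically fires when a process registers an epoll or timer source with a wakeup flag, and daemons generally work fine when it is denied. Unless haproxy genuinely must keep the system from suspending, `dontaudit haproxy_t self:capability2 block_suspend;` silences the AVC without granting a capability. While here, the two adjacent `allow haproxy_t self:capability { ... }` lines could be merged into a single set. The haproxy_t block continues past this hunk.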
@@ -78276,7 +78337,7 @@ index 2c2de9a..4fd3b77 100644
  ######################################
  #
  # qdiskd local policy
-@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
  
  auth_use_nsswitch(qdiskd_t)
  
@@ -94004,10 +94065,10 @@ index 0000000..df82c36
 +')
 diff --git a/swift.te b/swift.te
 new file mode 100644
-index 0000000..7bef550
+index 0000000..3faae22
 --- /dev/null
 +++ b/swift.te
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,87 @@
 +policy_module(swift, 1.0.0)
 +
 +########################################
@@ -94020,7 +94081,10 @@ index 0000000..7bef550
 +init_daemon_domain(swift_t, swift_exec_t)
 +
 +type swift_tmp_t;
-+files_tmpfs_file(swift_tmp_t)
++files_tmp_file(swift_tmp_t)
++
++type swift_tmpfs_t;
++files_tmpfs_file(swift_tmpfs_t)
 +
 +type swift_var_cache_t;
 +files_type(swift_var_cache_t)
@@ -94050,6 +94114,10 @@ index 0000000..7bef550
 +manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
 +files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
 +
++manage_dirs_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
++manage_files_pattern(swift_t, swift_tmpfs_t, swift_tmpfs_t)
++fs_tmpfs_filetrans(swift_t, swift_tmpfs_t, { dir file })
++
 +manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 +manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
 +manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d0d2a48..32d10d7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 155%{?dist}
+Release: 156%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,19 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-156
+- Allow init_t to setattr/relabelfrom dhcp state files
+- Dontaudit antivirus domains read access on all security files by default
+- Add missing alias for old amavis_etc_t type
+- Allow block_suspend cap for haproxy
+- Additional fixes for  instack overcloud
+- Allow OpenStack to read mysqld_db links and connect to MySQL
+- Remove dup filename rules in gnome.te
+- Allow sys_chroot cap for httpd_t and setattr on httpd_log_t
+- Allow iscsid to handle own unit files
+- Add iscsi_systemctl()
+- Allow mongod to create also sock_files in /run with correct labeling
+
 * Mon Apr 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-155
 - Allow httpd to send signull to apache script domains and don't audit leaks
 - Allow rabbitmq_beam to connect to httpd port

