[selinux-policy/f19] * Fri May 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.25 - Add interface sysnet_manage_ifcon
Lukas Vrabec
lvrabec at fedoraproject.org
Fri May 2 13:19:06 UTC 2014
commit 54335bde73af3b2f289458f9f13709f07e3f1231
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Fri May 2 15:19:11 2014 +0200
* Fri May 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.25
- Add interface sysnet_manage_ifconfig_run
- Added sysnet_filetrans_named_content_ifconfig interface
- Added dnsmasq_read_state interface
- Add some rules from F20 branch in quantum policy
- Allow exim to use pam stack to check passwords
policy-f19-base.patch | 42 +++++++++++++++-
policy-f19-contrib.patch | 123 +++++++++++++++++++++++++++-------------------
selinux-policy.spec | 9 +++-
3 files changed, 121 insertions(+), 53 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 9e6f2d3..af4d7ad 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -35253,7 +35253,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..0bd8d93 100644
+index 6944526..a76e22c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35528,7 +35528,7 @@ index 6944526..0bd8d93 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +918,114 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -35581,6 +35581,24 @@ index 6944526..0bd8d93 100644
+
+########################################
+## <summary>
++## Transition to sysnet ifconfig named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sysnet_filetrans_named_content_ifconfig',`
++ gen_require(`
++ type ifconfig_var_run_t;
++ ')
++
++ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
++')
++
++########################################
++## <summary>
+## Transition to sysnet named content
+## </summary>
+## <param name="domain">
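Review bot: The summary on the new `sysnet_filetrans_named_content_ifconfig` interface does not say which name it covers; the body transitions only a directory named `netns` created under the pid directory, which is what makes the `/var/run/netns(/.*)?` file context earlier in this patch apply to entries created at runtime rather than only at relabel time. I would make that explicit: `## Transition to sysnet ifconfig named content (the "netns" directory under /var/run).` Anything else a caller creates under /var/run keeps the default pid-directory label, which is worth stating here since more names will likely be added to this interface later.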
@@ -35605,6 +35623,26 @@ index 6944526..0bd8d93 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
++
++########################################
++## <summary>
++## Transition to sysnet ifconfig named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sysnet_manage_ifconfig_run',`
++ gen_require(`
++ type ifconfig_var_run_t;
++ ')
++
++ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b7686d5..087fe08 100644
--- a/policy/modules/system/sysnetwork.te
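Review bot: The summary on `sysnet_manage_ifconfig_run` is copied from the filetrans interface above it and is wrong for what it grants: the body gives the caller full manage access (create, write, rename, delete) on `ifconfig_var_run_t` files, directories and symlinks, not a type transition. I would replace it with `## Create, read, write, rename and delete ifconfig runtime (/var/run) files, directories and symlinks.` Given the `/var/run/netns(/.*)?` file context earlier in this patch, any domain given this interface can also remove or rename named network namespace entries, so the doc should say it is a broad grant meant for daemons that manage namespaces themselves, not a read-only accessor.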
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index ef54c62..d1644f4 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -21641,7 +21641,7 @@ index 23ab808..4a801b5 100644
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..1e8b244 100644
+index 19aa0b8..c3fc3f4 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -21785,7 +21785,7 @@ index 19aa0b8..1e8b244 100644
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +292,63 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
## <summary>
@@ -21797,34 +21797,26 @@ index 19aa0b8..1e8b244 100644
## <param name="domain">
## <summary>
-## Domain allowed access.
--## </summary>
--## </param>
--## <param name="file_type">
--## <summary>
--## Directory to transition on.
--## </summary>
--## </param>
--## <param name="object">
--## <summary>
--## The object class of the object being created.
+## Domain allowed access.
## </summary>
## </param>
--## <param name="name" optional="true">
+-## <param name="file_type">
+## <param name="private type">
## <summary>
--## The name of the object being created.
+-## Directory to transition on.
+## The type of the directory for the object to be created.
## </summary>
## </param>
- #
--interface(`dnsmasq_spec_filetrans_pid',`
+-## <param name="object">
+-## <summary>
+-## The object class of the object being created.
+-## </summary>
++#
+interface(`dnsmasq_filetrans_named_content_fromdir',`
- gen_require(`
- type dnsmasq_var_run_t;
- ')
-
-- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
+')
@@ -21837,7 +21829,8 @@ index 19aa0b8..1e8b244 100644
+## <summary>
+## Domain allowed access.
+## </summary>
-+## </param>
+ ## </param>
+-## <param name="name" optional="true">
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
@@ -21847,10 +21840,32 @@ index 19aa0b8..1e8b244 100644
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
++')
++
++########################################
++## <summary>
++## Create dnsmasq pid directories.
++## </summary>
++## <param name="domain">
+ ## <summary>
+-## The name of the object being created.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+-interface(`dnsmasq_spec_filetrans_pid',`
++interface(`dnsmasq_read_state',`
+ gen_require(`
+- type dnsmasq_var_run_t;
++ type dnsmasq_t;
+ ')
+-
+- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
++ ps_process_pattern($1, dnsmasq_t)
')
########################################
-@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +371,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
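Review bot: The summary on the new `dnsmasq_read_state` interface reads `Create dnsmasq pid directories.`, which is the documentation of the interface it was copied from; its body is `ps_process_pattern($1, dnsmasq_t)`, i.e. reading dnsmasq's /proc/<pid> state, with no pid-directory access at all. I would change it to `## Read the process state (/proc/pid) of dnsmasq.` The remaining churn in this hunk is the inner diff being reflowed around the inserted interface, so `dnsmasq_filetrans_named_content` is unchanged and `dnsmasq_admin`, whose body runs past the end of the hunk, is only context here.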
@@ -21871,7 +21886,7 @@ index 19aa0b8..1e8b244 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +391,13 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
@@ -67148,10 +67163,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..d7d6b4a 100644
+index 769d1fd..bf904a9 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,122 @@
+@@ -1,96 +1,130 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -67169,7 +67184,7 @@ index 769d1fd..d7d6b4a 100644
-type quantum_initrc_exec_t;
-init_script_file(quantum_initrc_exec_t)
-+type neutron_initrc_exec_t alias qauntum_initrc_exec_t;
++type neutron_initrc_exec_t alias quantum_initrc_exec_t;
+init_script_file(neutron_initrc_exec_t)
-type quantum_log_t;
@@ -67201,13 +67216,13 @@ index 769d1fd..d7d6b4a 100644
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };
++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
+allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
-+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+allow neutron_t self:unix_stream_socket { accept listen };
++allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
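Review bot: The capability line for `neutron_t` grows to include `sys_ptrace` and `kill` with no comment on what needs them, and `sys_ptrace` is the one that needs justifying: it lets the domain read other processes' memory and sensitive /proc entries, far beyond signalling dnsmasq, which `kill` together with the dnsmasq_signal/dnsmasq_kill interfaces added later in this patch already cover. If the only trigger is reading dnsmasq's process state through the new `dnsmasq_read_state`, the usual policy idiom is to silence that check rather than grant it, `dontaudit neutron_t self:capability sys_ptrace;`, but I cannot tell from the hunk which denial motivated it. At minimum I would add above the allow line: `# kill/sys_ptrace: signal and inspect the dnsmasq processes neutron manages -- TODO confirm which access actually needs sys_ptrace`. The added `net_raw` and the existing `net_admin` are consistent with running `ip` inside this domain instead of transitioning to ifconfig_t, which a later hunk in this patch sets up.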
@@ -67235,8 +67250,8 @@ index 769d1fd..d7d6b4a 100644
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
+kernel_read_kernel_sysctls(neutron_t)
-+kernel_read_network_state(neutron_t)
+kernel_read_system_state(neutron_t)
++kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
-can_exec(quantum_t, quantum_tmp_t)
@@ -67269,66 +67284,74 @@ index 769d1fd..d7d6b4a 100644
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
++dev_unmount_sysfs_fs(neutron_t)
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
-+auth_use_nsswitch(neutron_t)
++files_mounton_non_security(neutron_t)
-files_read_usr_files(quantum_t)
-+libs_exec_ldconfig(neutron_t)
++auth_use_nsswitch(neutron_t)
-auth_use_nsswitch(quantum_t)
-+logging_send_audit_msgs(neutron_t)
-+logging_send_syslog_msg(neutron_t)
++libs_exec_ldconfig(neutron_t)
-libs_exec_ldconfig(quantum_t)
-+sysnet_domtrans_ifconfig(neutron_t)
++logging_send_audit_msgs(neutron_t)
++logging_send_syslog_msg(neutron_t)
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
-+optional_policy(`
-+ brctl_domtrans(neutron_t)
-+')
++sysnet_exec_ifconfig(neutron_t)
++sysnet_manage_ifconfig_run(neutron_t)
++sysnet_filetrans_named_content_ifconfig(neutron_t)
-miscfiles_read_localization(quantum_t)
+optional_policy(`
-+ dnsmasq_domtrans(neutron_t)
++ brctl_domtrans(neutron_t)
+')
-sysnet_domtrans_ifconfig(quantum_t)
+optional_policy(`
-+ iptables_domtrans(neutron_t)
++ dnsmasq_domtrans(neutron_t)
++ dnsmasq_signal(neutron_t)
++ dnsmasq_kill(neutron_t)
++ dnsmasq_read_state(neutron_t)
+')
optional_policy(`
- brctl_domtrans(quantum_t)
-+ mysql_stream_connect(neutron_t)
-+ mysql_read_config(neutron_t)
-+
-+ mysql_tcp_connect(neutron_t)
++ iptables_domtrans(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
-+ postgresql_stream_connect(neutron_t)
-+ postgresql_unpriv_client(neutron_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_config(neutron_t)
- mysql_tcp_connect(quantum_t)
-+ postgresql_tcp_connect(neutron_t)
++ mysql_tcp_connect(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
-+ openvswitch_domtrans(neutron_t)
-+ openvswitch_stream_connect(neutron_t)
++ postgresql_stream_connect(neutron_t)
++ postgresql_unpriv_client(neutron_t)
++
++ postgresql_tcp_connect(neutron_t)
+')
- postgresql_tcp_connect(quantum_t)
+optional_policy(`
-+ sudo_exec(neutron_t)
++ openvswitch_domtrans(neutron_t)
++ openvswitch_stream_connect(neutron_t)
')
++
++optional_policy(`
++ sudo_exec(neutron_t)
++')
diff --git a/quota.fc b/quota.fc
index cadabe3..0ee2489 100644
--- a/quota.fc
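Review bot: Replacing `sysnet_domtrans_ifconfig(neutron_t)` with `sysnet_exec_ifconfig(neutron_t)` changes the confinement model — `ip` now runs inside `neutron_t` instead of transitioning to `ifconfig_t` — and that is what pulls `sysnet_manage_ifconfig_run`, `sysnet_filetrans_named_content_ifconfig`, `files_mounton_non_security` and the sysfs mount/unmount rules into the domain, but nothing in the file records this. I would put a comment above `sysnet_exec_ifconfig(neutron_t)`: `# ip runs in neutron_t (no transition to ifconfig_t), so netns setup -- /var/run/netns entries, sysfs (un)mounts, bind mounts -- is done with neutron's own privileges; prefer the ifconfig_t transition if it can be made to work`. `files_mounton_non_security` combined with `sys_admin` lets the domain mount over any non-security-labelled directory, so it deserves its own one-line justification; presumably the bind mounts performed when entering a namespace, which I cannot confirm from the hunk. The new `sudo_exec(neutron_t)` block keeps sudo in the same domain and should likewise say which helper it is for.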
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 31c6914..c8d5ead 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.24%{?dist}
+Release: 74.25%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -542,6 +542,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri May 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.25
+- Add interface sysnet_manage_ifconfig_run
+- Added sysnet_filetrans_named_content_ifconfig interface
+- Added dnsmasq_read_state interface
+- Add some rules from F20 branch in quantum policy
+- Allow exim to use pam stack to check passwords
+
* Mon Apr 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.24
- Add modutils_dontaudit_exec_insmod interface
- Allow rabbitmq to bind to amanda port