[selinux-policy/f20] * Wed May 07 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-161 - Allow keystone to connect to ldap s
Lukas Vrabec
lvrabec at fedoraproject.org
Wed May 7 09:16:42 UTC 2014
commit e00b82643c002aeba663f81e8c7faab06fb72eaf
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed May 7 11:16:44 2014 +0200
* Wed May 07 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-161
- Allow keystone to connect to ldap servers
- Add additional caps for neutron_t
- apcupsd_t can send signull to any domain
- Update sandbox_transition() to call sandbox_dyntransition(). #885288.
- gear_t execs ip which for some reason is mounting content on sysfs and /
policy-f20-contrib.patch | 119 ++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 9 +++-
2 files changed, 87 insertions(+), 41 deletions(-)
---
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 3cd488e..7734ed6 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -7359,7 +7359,7 @@ index f3c0aba..cbe3d4a 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..a370cb8 100644
+index b236327..5206035 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@@ -7406,11 +7406,13 @@ index b236327..a370cb8 100644
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +82,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +82,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
-files_read_etc_files(apcupsd_t)
++domain_signull_all_domains(apcupsd_t)
++
files_manage_etc_runtime_files(apcupsd_t)
files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
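Review bot: `domain_signull_all_domains(apcupsd_t)` lets apcupsd send signull (the kill(pid, 0) liveness probe) to every domain on the system, which is broader than a daemon that only needs to check a known pid usually requires. If the probe is aimed at a specific process (its own children, the shutdown helper, a CGI script), a per-domain signull interface would keep the grant scoped; if it genuinely must be any domain, a comment above the call naming the caller path that needs it would keep the next reviewer from narrowing it by mistake, e.g. `# apcupsd checks arbitrary pids from its pid file/scripts; signull only, no delivery`. The inner hunk header change (+23 to +25) matches the two added lines, so the patch-in-patch bookkeeping looks consistent. The surrounding apcupsd.te block starts and ends outside this hunk.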
@@ -7434,7 +7436,7 @@ index b236327..a370cb8 100644
optional_policy(`
hostname_exec(apcupsd_t)
-@@ -101,6 +113,11 @@ optional_policy(`
+@@ -101,6 +115,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
@@ -7446,7 +7448,7 @@ index b236327..a370cb8 100644
########################################
#
# CGI local policy
-@@ -112,7 +129,6 @@ optional_policy(`
+@@ -112,7 +131,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
@@ -28168,10 +28170,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
-index 0000000..7f1639a
+index 0000000..db1c340
--- /dev/null
+++ b/gear.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,110 @@
+policy_module(gear, 1.0.0)
+
+########################################
@@ -28243,6 +28245,11 @@ index 0000000..7f1639a
+corenet_tcp_sendrecv_generic_port(gear_t)
+corenet_tcp_bind_gear_port(gear_t)
+
++dev_mounton_sysfs(gear_t)
++dev_mount_sysfs_fs(gear_t)
++dev_unmount_sysfs_fs(gear_t)
++
++files_mounton_rootfs(gear_t)
+files_read_etc_files(gear_t)
+
+fs_read_cgroup_files(gear_t)
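Review bot: The four new mount rules (`dev_mounton_sysfs`, `dev_mount_sysfs_fs`, `dev_unmount_sysfs_fs`, `files_mounton_rootfs`) are added without any comment, and the changelog itself says the reason is unknown ("for some reason"); mount-on-rootfs and sysfs mount rights are a notable widening for gear_t and should not be cargo-culted into the module. The behaviour is consistent with `ip netns exec`, which unshares the mount namespace and then remounts sysfs and bind-mounts namespace config under / — worth confirming, and if so recording it, e.g. `# ip netns exec unshares the mount ns and remounts sysfs / bind-mounts onto / (see changelog 3.12.1-161)`. If gear_t runs ip via an exec rule rather than a domain transition (not visible in this hunk), a `sysnet_domtrans_ifconfig(gear_t)` transition would keep these mount privileges out of gear_t, provided ifconfig_t already carries the corresponding mount rules. The rest of gear.te is outside this hunk.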
@@ -38145,7 +38152,7 @@ index d3e7fc9..f20248c 100644
+ ')
')
diff --git a/keystone.te b/keystone.te
-index 3494d9b..c21beab 100644
+index 3494d9b..e1fd252 100644
--- a/keystone.te
+++ b/keystone.te
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
@@ -38163,13 +38170,12 @@ index 3494d9b..c21beab 100644
allow keystone_t self:fifo_file rw_fifo_file_perms;
allow keystone_t self:unix_stream_socket { accept listen };
-@@ -57,20 +61,30 @@ corenet_all_recvfrom_netlabel(keystone_t)
+@@ -57,20 +61,33 @@ corenet_all_recvfrom_netlabel(keystone_t)
corenet_tcp_sendrecv_generic_if(keystone_t)
corenet_tcp_sendrecv_generic_node(keystone_t)
corenet_tcp_bind_generic_node(keystone_t)
+corenet_tcp_connect_mysqld_port(keystone_t)
-+
-+corenet_tcp_connect_mysqld_port(keystone_t)
++corenet_tcp_connect_ldap_port(keystone_t)
corenet_sendrecv_commplex_main_server_packets(keystone_t)
corenet_tcp_bind_commplex_main_port(keystone_t)
@@ -38183,11 +38189,14 @@ index 3494d9b..c21beab 100644
libs_exec_ldconfig(keystone_t)
-miscfiles_read_localization(keystone_t)
--
++optional_policy(`
++ ldap_stream_connect(keystone_t)
++')
+
optional_policy(`
mysql_stream_connect(keystone_t)
mysql_tcp_connect(keystone_t)
-+ mysql_read_db_lnk_files(keystone_t)
++ mysql_read_db_lnk_files(keystone_t)
+')
+
+optional_policy(`
@@ -73737,10 +73746,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..495cac4 100644
+index 769d1fd..375e2e3 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,137 @@
+@@ -1,96 +1,139 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -73790,14 +73799,16 @@ index 769d1fd..495cac4 100644
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };
++allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit signal_perms };
++
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
+allow neutron_t self:tcp_socket { accept listen };
+allow neutron_t self:unix_stream_socket { accept listen };
+allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
++allow neutron_t self:rawip_socket create_socket_perms;
+
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
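Review bot: The capability set on the first changed line is missing a space before the closing brace (`net_bind_service};`), which is inconsistent with every other brace list in the file; it should read `allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service };`. The two genuinely new grants, `net_bind_service` and `self:rawip_socket create_socket_perms`, land in a set that already includes sys_admin, sys_ptrace and dac_override, so a one-line comment on each stating which neutron agent needs the privileged port bind and the raw IP socket would make the grant reviewable later (the changelog only says "additional caps"). The rest of the neutron_t rules continue outside this hunk.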
@@ -73889,42 +73900,42 @@ index 769d1fd..495cac4 100644
+sysnet_exec_ifconfig(neutron_t)
+sysnet_manage_ifconfig_run(neutron_t)
+sysnet_filetrans_named_content_ifconfig(neutron_t)
-+
-+optional_policy(`
-+ brctl_domtrans(neutron_t)
-+')
optional_policy(`
- brctl_domtrans(quantum_t)
-+ dnsmasq_domtrans(neutron_t)
-+ dnsmasq_signal(neutron_t)
-+ dnsmasq_kill(neutron_t)
-+ dnsmasq_read_state(neutron_t)
++ brctl_domtrans(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
-+ iptables_domtrans(neutron_t)
++ dnsmasq_domtrans(neutron_t)
++ dnsmasq_signal(neutron_t)
++ dnsmasq_kill(neutron_t)
++ dnsmasq_read_state(neutron_t)
+')
- mysql_tcp_connect(quantum_t)
+optional_policy(`
-+ mysql_stream_connect(neutron_t)
-+ mysql_read_db_lnk_files(neutron_t)
-+ mysql_read_config(neutron_t)
-+ mysql_tcp_connect(neutron_t)
++ iptables_domtrans(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_db_lnk_files(neutron_t)
++ mysql_read_config(neutron_t)
++ mysql_tcp_connect(neutron_t)
++')
+
+- postgresql_tcp_connect(quantum_t)
++optional_policy(`
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+ postgresql_tcp_connect(neutron_t)
+')
-
-- postgresql_tcp_connect(quantum_t)
++
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
@@ -86082,10 +86093,10 @@ index 0000000..b7db254
+# Empty
diff --git a/sandbox.if b/sandbox.if
new file mode 100644
-index 0000000..89bc443
+index 0000000..a2cb772
--- /dev/null
+++ b/sandbox.if
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,85 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -86110,14 +86121,42 @@ index 0000000..89bc443
+ attribute sandbox_domain;
+ ')
+
-+ allow $1 sandbox_domain:process transition;
-+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
-+ role $2 types sandbox_domain;
-+ allow sandbox_domain $1:process { sigchld signull };
-+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
-+ dontaudit sandbox_domain $1:process signal;
-+ dontaudit sandbox_domain $1:key { link read search view };
-+ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
++ sandbox_dyntransition($1) #885288
++ allow $1 sandbox_domain:process transition;
++ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
++
++ role $2 types sandbox_domain;
++
++ allow sandbox_domain $1:process { sigchld signull };
++ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
++
++ dontaudit sandbox_domain $1:process signal;
++ dontaudit sandbox_domain $1:key { link read search view };
++ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
++')
++
++########################################
++## <summary>
++## Execute sandbox in the sandbox domain, and
++## allow the specified role the sandbox domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the sandbox domain.
++## </summary>
++## </param>
++#
++interface(`sandbox_dyntransition',`
++ gen_require(`
++ attribute sandbox_domain;
++ ')
++
++ allow $1 sandbox_domain:process dyntransition;
+')
+
+########################################
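Review bot: The documentation block for the new `sandbox_dyntransition` interface is copied verbatim from `sandbox_transition`: its summary says "Execute sandbox in the sandbox domain, and allow the specified role the sandbox domain" and it documents a `role` parameter, but the interface takes only `$1` and grants `process dyntransition`. The summary should say what it does, e.g. `## Allow the specified domain to dynamically transition (setcon) into the sandbox domain.`, and the `<param name="role">` block should be dropped. Because dyntransition lets a process change domain without an exec, and `sandbox_transition` now grants it to every caller, the bare `#885288` after the call is thin; a comment line such as `# sandbox needs setcon() into sandbox_domain without exec, see bug 885288` above the call would say why. The enclosing `sandbox_transition` interface begins outside this hunk.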
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a7b9e03..5e6222d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 160%{?dist}
+Release: 161%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed May 07 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-161
+- Allow keystone to connect to ldap servers
+- Add additional caps for neutron_t
+- apcuspd_t can send signull to any domain
+- Update sandbox_transition() to call sandbox_dyntrasition(). #885288.
+- gear_t execs ip which for some reason is mounting content on sysfs and /
+
* Mon May 05 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-160
- Dontaudit leaked xserver_misc_device_t into plugins
- Allow all domains to search through all base_file_types, this should be back ported to RHEL7 policy