[selinux-policy/f20] - Add missing dyntransition for sandbox_x_domain
Miroslav Grepl
mgrepl at fedoraproject.org
Tue May 13 12:54:44 UTC 2014
commit f4744de76a9263dc005fc61c6e26617737aa0102
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue May 13 14:54:27 2014 +0200
- Add missing dyntransition for sandbox_x_domain
policy-f20-contrib.patch | 52 ++++++++++++++++++++++++++-------------------
selinux-policy.spec | 5 +++-
2 files changed, 34 insertions(+), 23 deletions(-)
---
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 4380e89..b04126d 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -40158,7 +40158,7 @@ index 7bab8e5..17ea89c 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..7569cd9 100644
+index 4256a4c..aea48db 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
@@ -40245,11 +40245,13 @@ index 4256a4c..7569cd9 100644
########################################
#
# Mail local policy
-@@ -164,6 +186,17 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +186,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
+mta_read_home(logwatch_mail_t)
++mta_filetrans_home_content(logwatch_mail_t)
++mta_filetrans_admin_home_content(logwatch_mail_t)
+
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
@@ -86326,10 +86328,10 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
-index 0000000..3258f45
+index 0000000..03bdcef
--- /dev/null
+++ b/sandboxX.if
-@@ -0,0 +1,394 @@
+@@ -0,0 +1,395 @@
+
+## <summary>policy for sandboxX </summary>
+
@@ -86358,6 +86360,7 @@ index 0000000..3258f45
+ ')
+
+ allow $1 sandbox_x_domain:process { signal_perms transition };
++ allow $1 sandbox_x_domain:process dyntransition;
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+ allow sandbox_x_domain $1:process { sigchld signull };
+ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
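Review bot: The added `dyntransition` rule lets every caller of this interface switch itself with setcon(3) into any type carrying sandbox_x_domain (an attribute, judging by its use on the surrounding lines), with no exec and therefore no entrypoint check and none of the noatsecure/siginh/rlimitinh handling that the exec-based `transition` on the line above is subject to; the process keeps its memory, environment and open descriptors, which is presumably why `fd use` is granted two lines below. That is a deliberate weakening compared to the typed transition and deserves a why-comment beside the rule, e.g. `# sandbox/seunshare enter the sandbox domain via setcon(), not exec; dyntransition has no entrypoint check, so only grant this interface to trusted launchers`. Note also that the kernel refuses a dyntransition for a multi-threaded process unless the target is a bounded type, so the launcher must still be single-threaded when it calls setcon() — worth confirming against the sandbox code. The enclosing interface starts and ends outside this hunk.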
@@ -92214,7 +92217,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..32f670e 100644
+index 4faa7e0..e8531d9 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -1,4 +1,4 @@
@@ -92524,7 +92527,7 @@ index 4faa7e0..32f670e 100644
')
########################################
-@@ -167,72 +248,85 @@ optional_policy(`
+@@ -167,72 +248,90 @@ optional_policy(`
# Client local policy
#
@@ -92564,6 +92567,8 @@ index 4faa7e0..32f670e 100644
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
+userdom_append_user_home_content_files(spamc_t)
++spamassassin_filetrans_home_content(spamc_t)
++spamassassin_filetrans_admin_home_content(spamc_t)
+# for /root/.pyzor
+allow spamc_t self:capability dac_override;
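Review bot: The two interfaces called on the added lines, `spamassassin_filetrans_home_content` and `spamassassin_filetrans_admin_home_content`, are not defined anywhere in this commit — the spamassassin.if hunk at the top of this file section carries only context and its index hash is unchanged — so they must already exist in the contrib patch, or the module build will fail on an undefined interface. If they do exist, a short comment naming the intent would help readers who only see this .te, e.g. `# name-based transitions for spamc-created files under $HOME and /root (presumably into spamc_home_t, see above) — confirm target type`. The spamc_t policy block continues outside this hunk.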
@@ -92571,6 +92576,9 @@ index 4faa7e0..32f670e 100644
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
++read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
++list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)
++
+# Allow connecting to a local spamd
+allow spamc_t spamd_t:unix_stream_socket connectto;
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
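Review bot: The new read/list access to spamd_spool_t for spamc_t carries no why-comment, unlike the `# for /root/.pyzor` line just above it. Read-only is the right scope — the write side stays with spamd_t, whose `manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)` appears later in this file section — so the comment should make that boundary explicit so a later fix does not widen it to manage_*: `# spamc only reads spamd's spool; all writes to spamd_spool_t stay with spamd_t`. The spamc_t policy block continues outside this hunk.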
@@ -92641,7 +92649,7 @@ index 4faa7e0..32f670e 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +337,7 @@ optional_policy(`
+@@ -243,6 +342,7 @@ optional_policy(`
')
optional_policy(`
@@ -92649,7 +92657,7 @@ index 4faa7e0..32f670e 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,52 +346,55 @@ optional_policy(`
+@@ -251,52 +351,55 @@ optional_policy(`
')
optional_policy(`
@@ -92701,17 +92709,17 @@ index 4faa7e0..32f670e 100644
allow spamd_t self:unix_dgram_socket sendto;
-allow spamd_t self:unix_stream_socket { accept connectto listen };
-allow spamd_t self:tcp_socket { accept listen };
--
++allow spamd_t self:unix_stream_socket connectto;
++allow spamd_t self:tcp_socket create_stream_socket_perms;
++allow spamd_t self:udp_socket create_socket_perms;
+
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
-+allow spamd_t self:unix_stream_socket connectto;
-+allow spamd_t self:tcp_socket create_stream_socket_perms;
-+allow spamd_t self:udp_socket create_socket_perms;
-
+-
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
@@ -92730,7 +92738,7 @@ index 4faa7e0..32f670e 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +406,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +411,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -92740,7 +92748,7 @@ index 4faa7e0..32f670e 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +416,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +421,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -92756,7 +92764,7 @@ index 4faa7e0..32f670e 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +431,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +436,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -92860,7 +92868,7 @@ index 4faa7e0..32f670e 100644
')
optional_policy(`
-@@ -421,21 +502,13 @@ optional_policy(`
+@@ -421,21 +507,13 @@ optional_policy(`
')
optional_policy(`
@@ -92884,7 +92892,7 @@ index 4faa7e0..32f670e 100644
')
optional_policy(`
-@@ -443,8 +516,8 @@ optional_policy(`
+@@ -443,8 +521,8 @@ optional_policy(`
')
optional_policy(`
@@ -92894,7 +92902,7 @@ index 4faa7e0..32f670e 100644
')
optional_policy(`
-@@ -455,7 +528,12 @@ optional_policy(`
+@@ -455,7 +533,12 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -92908,7 +92916,7 @@ index 4faa7e0..32f670e 100644
')
optional_policy(`
-@@ -463,9 +541,9 @@ optional_policy(`
+@@ -463,9 +546,9 @@ optional_policy(`
')
optional_policy(`
@@ -92919,7 +92927,7 @@ index 4faa7e0..32f670e 100644
')
optional_policy(`
-@@ -474,32 +552,32 @@ optional_policy(`
+@@ -474,32 +557,32 @@ optional_policy(`
########################################
#
@@ -92962,7 +92970,7 @@ index 4faa7e0..32f670e 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +591,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4091b31..d69cf88 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 162%{?dist}
+Release: 163%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue May 13 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-163
+- Add missing dyntransition for sandbox_x_domain
+
* Mon May 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-162
- More rules needed for openshift/gear in rhel7
- svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files