[selinux-policy/f20] * Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-164 - Add openstack fixes
Miroslav Grepl
mgrepl at fedoraproject.org
Fri May 16 12:10:15 UTC 2014
commit c5fa90b34bdf445335c19528f18c52323212e445
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri May 16 14:09:58 2014 +0200
* Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-164
- Add openstack fixes
policy-f20-base.patch | 178 +++++++++++++++++++++++++---------------------
policy-f20-contrib.patch | 144 ++++++++++++++++++++++++++++++++-----
selinux-policy.spec | 5 +-
3 files changed, 227 insertions(+), 100 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index aea367d..3b13527 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -8968,7 +8968,7 @@ index 6a1e4d1..1b9b0b5 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..974c2ca 100644
+index cf04cb5..97237ca 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9117,7 +9117,7 @@ index cf04cb5..974c2ca 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,339 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,340 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9307,6 +9307,7 @@ index cf04cb5..974c2ca 100644
+
+optional_policy(`
+ sysnet_filetrans_named_content(named_filetrans_domain)
++ sysnet_filetrans_named_content_ifconfig(named_filetrans_domain)
+')
+
+optional_policy(`
@@ -31568,7 +31569,7 @@ index 24e7804..2863546 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..d76c572 100644
+index dd3be8d..98967f5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -31836,9 +31837,10 @@ index dd3be8d..d76c572 100644
ifdef(`distro_redhat',`
+ fs_manage_tmpfs_files(init_t)
+ fs_manage_tmpfs_sockets(init_t)
++ fs_manage_tmpfs_chr_files(init_t)
+ fs_exec_tmpfs_files(init_t)
fs_read_tmpfs_symlinks(init_t)
- fs_rw_tmpfs_chr_files(init_t)
+- fs_rw_tmpfs_chr_files(init_t)
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
+ fs_tmpfs_filetrans_named_content(init_t)
+
@@ -35199,7 +35201,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..553ae21 100644
+index 39ea221..93ce51a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -35278,7 +35280,19 @@ index 39ea221..553ae21 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -148,6 +173,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -136,9 +161,10 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;
+ allow auditd_t auditd_etc_t:dir list_dir_perms;
+ allow auditd_t auditd_etc_t:file read_file_perms;
+
++manage_dirs_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+-allow auditd_t var_log_t:dir search_dir_perms;
++logging_log_filetrans(auditd_t, auditd_log_t, dir, "audit")
+
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+@@ -148,6 +174,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)
@@ -35286,7 +35300,7 @@ index 39ea221..553ae21 100644
dev_read_sysfs(auditd_t)
-@@ -155,9 +181,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +182,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
@@ -35296,7 +35310,7 @@ index 39ea221..553ae21 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +206,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +207,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -35318,7 +35332,7 @@ index 39ea221..553ae21 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,19 +261,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +262,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -35349,7 +35363,7 @@ index 39ea221..553ae21 100644
')
########################################
-@@ -268,7 +302,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
corecmd_exec_bin(audisp_remote_t)
@@ -35357,7 +35371,7 @@ index 39ea221..553ae21 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +313,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +314,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -35377,7 +35391,7 @@ index 39ea221..553ae21 100644
sysnet_dns_name_resolve(audisp_remote_t)
-@@ -326,7 +367,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +368,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@@ -35385,7 +35399,7 @@ index 39ea221..553ae21 100644
mls_file_read_all_levels(klogd_t)
-@@ -354,12 +394,12 @@ optional_policy(`
+@@ -354,12 +395,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -35401,7 +35415,7 @@ index 39ea221..553ae21 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -367,8 +407,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+@@ -367,8 +408,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -35412,7 +35426,7 @@ index 39ea221..553ae21 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -377,6 +419,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -377,6 +420,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -35420,7 +35434,7 @@ index 39ea221..553ae21 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,28 +429,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,28 +430,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -35465,7 +35479,7 @@ index 39ea221..553ae21 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -417,6 +473,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -417,6 +474,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -35474,7 +35488,7 @@ index 39ea221..553ae21 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -427,9 +485,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +486,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -35502,7 +35516,7 @@ index 39ea221..553ae21 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -442,14 +517,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +518,19 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@@ -35522,7 +35536,7 @@ index 39ea221..553ae21 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +541,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +542,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -35537,7 +35551,7 @@ index 39ea221..553ae21 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -492,6 +572,8 @@ optional_policy(`
+@@ -492,6 +573,8 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@@ -35546,7 +35560,7 @@ index 39ea221..553ae21 100644
')
optional_policy(`
-@@ -502,15 +584,40 @@ optional_policy(`
+@@ -502,15 +585,40 @@ optional_policy(`
')
optional_policy(`
@@ -35587,7 +35601,7 @@ index 39ea221..553ae21 100644
')
optional_policy(`
-@@ -521,3 +628,26 @@ optional_policy(`
+@@ -521,3 +629,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -39814,7 +39828,7 @@ index 6944526..50b1c3c 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..3c77852 100644
+index b7686d5..f94755e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -40100,7 +40114,7 @@ index b7686d5..3c77852 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,31 +372,50 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,31 +372,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -40123,6 +40137,7 @@ index b7686d5..3c77852 100644
-userdom_use_user_terminals(ifconfig_t)
+sysnet_dns_name_resolve(ifconfig_t)
++sysnet_filetrans_named_content_ifconfig(ifconfig_t)
+
+userdom_use_inherited_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
@@ -40156,7 +40171,7 @@ index b7686d5..3c77852 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +426,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +427,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -40170,7 +40185,7 @@ index b7686d5..3c77852 100644
')
optional_policy(`
-@@ -339,7 +439,15 @@ optional_policy(`
+@@ -339,7 +440,15 @@ optional_policy(`
')
optional_policy(`
@@ -40187,7 +40202,7 @@ index b7686d5..3c77852 100644
')
optional_policy(`
-@@ -360,3 +468,13 @@ optional_policy(`
+@@ -360,3 +469,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -43755,7 +43770,7 @@ index db75976..4ca3a28 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..333f640 100644
+index 3c5dba7..a7657fa 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -45215,13 +45230,14 @@ index 3c5dba7..333f640 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1531,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1531,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
+ dev_rw_generic_usb_dev($1_t)
+ dev_rw_usbfs($1_t)
+ dev_read_kmsg($1_t)
++ dev_read_cpuid($1_t)
domain_setpriority_all_domains($1_t)
domain_read_all_domains_state($1_t)
@@ -45230,7 +45246,7 @@ index 3c5dba7..333f640 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1549,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1550,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -45273,7 +45289,7 @@ index 3c5dba7..333f640 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1590,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1591,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -45282,7 +45298,7 @@ index 3c5dba7..333f640 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1599,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1600,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -45301,7 +45317,7 @@ index 3c5dba7..333f640 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1243,7 +1645,7 @@ template(`userdom_admin_user_template',`
+@@ -1243,7 +1646,7 @@ template(`userdom_admin_user_template',`
## </summary>
## </param>
#
@@ -45310,7 +45326,7 @@ index 3c5dba7..333f640 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1253,6 +1655,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1656,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -45319,7 +45335,7 @@ index 3c5dba7..333f640 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1669,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1670,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -45331,7 +45347,7 @@ index 3c5dba7..333f640 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1683,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1684,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -45374,7 +45390,7 @@ index 3c5dba7..333f640 100644
')
optional_policy(`
-@@ -1360,14 +1768,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1769,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -45393,7 +45409,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -1408,6 +1819,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1820,51 @@ interface(`userdom_user_tmpfs_file',`
## <summary>
## Allow domain to attach to TUN devices created by administrative users.
## </summary>
@@ -45445,7 +45461,7 @@ index 3c5dba7..333f640 100644
## <param name="domain">
## <summary>
## Domain allowed access.
-@@ -1512,11 +1968,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1969,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -45477,7 +45493,7 @@ index 3c5dba7..333f640 100644
## Do not audit attempts to search user home directories.
## </summary>
## <desc>
-@@ -1558,6 +2034,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +2035,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -45492,7 +45508,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -1573,9 +2057,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2058,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -45504,7 +45520,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -1632,6 +2118,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2119,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -45547,7 +45563,7 @@ index 3c5dba7..333f640 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1711,6 +2233,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2234,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -45556,7 +45572,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -1744,10 +2268,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2269,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -45571,7 +45587,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -1772,7 +2298,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2299,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
## <summary>
@@ -45598,7 +45614,7 @@ index 3c5dba7..333f640 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1782,53 +2326,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2327,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@@ -45681,7 +45697,7 @@ index 3c5dba7..333f640 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1848,6 +2409,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2410,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -45707,7 +45723,7 @@ index 3c5dba7..333f640 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1878,14 +2458,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2459,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -45745,7 +45761,7 @@ index 3c5dba7..333f640 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1896,11 +2498,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2499,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -45763,7 +45779,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -1941,7 +2546,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2547,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
## <summary>
@@ -45772,7 +45788,7 @@ index 3c5dba7..333f640 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1949,19 +2554,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1949,19 +2555,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
## </summary>
## </param>
#
@@ -45796,7 +45812,7 @@ index 3c5dba7..333f640 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1969,21 +2572,75 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,21 +2573,75 @@ interface(`userdom_delete_all_user_home_content_files',`
## </summary>
## </param>
#
@@ -45877,7 +45893,7 @@ index 3c5dba7..333f640 100644
## </summary>
## </param>
#
-@@ -2010,8 +2667,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2668,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -45887,7 +45903,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -2027,20 +2683,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2684,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -45912,7 +45928,7 @@ index 3c5dba7..333f640 100644
########################################
## <summary>
-@@ -2123,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2774,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
## <summary>
@@ -45921,7 +45937,7 @@ index 3c5dba7..333f640 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2131,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2782,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -45945,7 +45961,7 @@ index 3c5dba7..333f640 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2151,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2800,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
## </summary>
## </param>
#
@@ -45961,7 +45977,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -2393,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +3042,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -45976,7 +45992,7 @@ index 3c5dba7..333f640 100644
files_search_tmp($1)
')
-@@ -2417,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3066,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -45985,7 +46001,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -2541,6 +3189,26 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2541,6 +3190,26 @@ interface(`userdom_manage_user_tmp_files',`
########################################
## <summary>
## Create, read, write, and delete user
@@ -46012,7 +46028,7 @@ index 3c5dba7..333f640 100644
## temporary symbolic links.
## </summary>
## <param name="domain">
-@@ -2664,6 +3332,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3333,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -46038,7 +46054,7 @@ index 3c5dba7..333f640 100644
########################################
## <summary>
## Read user tmpfs files.
-@@ -2680,13 +3367,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3368,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -46054,7 +46070,7 @@ index 3c5dba7..333f640 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2707,7 +3395,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3396,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -46063,7 +46079,7 @@ index 3c5dba7..333f640 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2715,14 +3403,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3404,30 @@ interface(`userdom_rw_user_tmpfs_files',`
## </summary>
## </param>
#
@@ -46098,7 +46114,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -2817,6 +3521,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3522,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -46123,7 +46139,7 @@ index 3c5dba7..333f640 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2835,22 +3557,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3558,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -46166,7 +46182,7 @@ index 3c5dba7..333f640 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2859,14 +3593,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3594,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -46204,7 +46220,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -2885,8 +3638,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3639,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -46234,7 +46250,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -2958,69 +3730,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3731,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -46335,7 +46351,7 @@ index 3c5dba7..333f640 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3028,12 +3799,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3800,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
## </summary>
## </param>
#
@@ -46350,7 +46366,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -3097,7 +3868,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3869,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -46359,7 +46375,7 @@ index 3c5dba7..333f640 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3884,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3885,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -46393,7 +46409,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -3217,7 +3972,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3973,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -46420,7 +46436,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -3272,7 +4045,83 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +4046,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -46505,7 +46521,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -3290,7 +4139,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4140,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -46514,7 +46530,7 @@ index 3c5dba7..333f640 100644
')
########################################
-@@ -3309,6 +4158,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4159,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -46522,7 +46538,7 @@ index 3c5dba7..333f640 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4235,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4236,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -46565,7 +46581,7 @@ index 3c5dba7..333f640 100644
########################################
## <summary>
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4291,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4292,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -46590,7 +46606,7 @@ index 3c5dba7..333f640 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3423,6 +4327,24 @@ interface(`userdom_create_all_users_keys',`
+@@ -3423,6 +4328,24 @@ interface(`userdom_create_all_users_keys',`
########################################
## <summary>
@@ -46615,7 +46631,7 @@ index 3c5dba7..333f640 100644
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -3438,4 +4360,1661 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4361,1661 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index b04126d..0f090cc 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -59161,10 +59161,10 @@ index 0000000..42ed4ba
+')
diff --git a/openwsman.te b/openwsman.te
new file mode 100644
-index 0000000..79ad541
+index 0000000..3bcd32c
--- /dev/null
+++ b/openwsman.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,74 @@
+policy_module(openwsman, 1.0.0)
+
+########################################
@@ -59179,6 +59179,9 @@ index 0000000..79ad541
+type openwsman_tmp_t;
+files_tmp_file(openwsman_tmp_t)
+
++type openwsman_tmpfs_t;
++files_tmpfs_file(openwsman_tmpfs_t)
++
+type openwsman_log_t;
+logging_log_file(openwsman_log_t)
+
@@ -59204,6 +59207,10 @@ index 0000000..79ad541
+manage_dirs_pattern(openwsman_t, openwsman_tmp_t, openwsman_tmp_t)
+files_tmp_filetrans(openwsman_t, openwsman_tmp_t, { dir file })
+
++manage_files_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
++manage_dirs_pattern(openwsman_t, openwsman_tmpfs_t, openwsman_tmpfs_t)
++fs_tmpfs_filetrans(openwsman_t, openwsman_tmpfs_t, { dir file })
++
+manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
+logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
+
@@ -59215,6 +59222,7 @@ index 0000000..79ad541
+
+corenet_tcp_connect_pegasus_https_port(openwsman_t)
+corenet_tcp_bind_vnc_port(openwsman_t)
++corenet_tcp_bind_http_port(openwsman_t)
+
+dev_read_urand(openwsman_t)
+
@@ -59222,6 +59230,12 @@ index 0000000..79ad541
+logging_send_audit_msgs(openwsman_t)
+
+optional_policy(`
++ sblim_stream_connect_sfcbd(openwsman_t)
++ sblim_rw_semaphores_sfcbd(openwsman_t)
++ sblim_getattr_exec_sfcbd(openwsman_t)
++')
++
++optional_policy(`
+ unconfined_domain(openwsman_t)
+')
+
@@ -73809,10 +73823,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..1dbc6aa 100644
+index 769d1fd..a7b42e6 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,143 @@
+@@ -1,96 +1,144 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -73881,7 +73895,8 @@ index 769d1fd..1dbc6aa 100644
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
+
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
++manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
@@ -87727,7 +87742,7 @@ index 68a550d..e976fc6 100644
/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
diff --git a/sblim.if b/sblim.if
-index 98c9e0a..d4aa009 100644
+index 98c9e0a..562666e 100644
--- a/sblim.if
+++ b/sblim.if
@@ -1,8 +1,36 @@
@@ -87778,39 +87793,116 @@ index 98c9e0a..d4aa009 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',`
+@@ -40,34 +68,129 @@ interface(`sblim_read_pid_files',`
########################################
## <summary>
-## All of the rules required to
-## administrate an sblim environment.
+## Transition to sblim named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sblim_filetrans_named_content',`
++ gen_require(`
++ type sblim_var_run_t;
++ ')
++
++ files_pid_filetrans($1, sblim_var_run_t, dir, "gather")
++')
++
++########################################
++## <summary>
++## Connect to sblim_sfcb over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed access.
-+## Domain allowed access.
+ ## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+#
-+interface(`sblim_filetrans_named_content',`
++interface(`sblim_stream_connect_sfcbd',`
+ gen_require(`
-+ type sblim_var_run_t;
++ type sblim_sfcb_t, sblim_var_lib_t;
++ type sblim_tmp_t;
+ ')
+
-+ files_pid_filetrans($1, sblim_var_run_t, dir, "gather")
++ files_search_pids($1)
++ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
++ stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
+')
+
++#######################################
++## <summary>
++## Getattr on sblim executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sblim_getattr_exec_sfcbd',`
++ gen_require(`
++ type sblim_sfcbd_exec_t;
++ ')
++
++ allow $1 sblim_sfcbd_exec_t:file getattr;
++')
++
++
+########################################
+## <summary>
-+## All of the rules required to administrate
-+## an gatherd environment
++## Connect to sblim_sfcb over a unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sblim_stream_connect_sfcb',`
++ gen_require(`
++ type sblim_sfcb_t, sblim_var_lib_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
++')
++
++#######################################
++## <summary>
++## Allow read and write access to sblim semaphores.
+## </summary>
+## <param name="domain">
## <summary>
-## Role allowed access.
+## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sblim_rw_semaphores_sfcbd',`
++ gen_require(`
++ type sblim_sfcbd_t;
++ ')
++
++ allow $1 sblim_sfcbd_t:sem rw_sem_perms;
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an gatherd environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
@@ -87844,7 +87936,7 @@ index 98c9e0a..d4aa009 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 4a23d84..5a90acf 100644
+index 4a23d84..21c15bb 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
@@ -87950,7 +88042,7 @@ index 4a23d84..5a90acf 100644
')
optional_policy(`
-@@ -117,6 +133,35 @@ optional_policy(`
+@@ -117,6 +133,43 @@ optional_policy(`
# Reposd local policy
#
@@ -87982,11 +88074,19 @@ index 4a23d84..5a90acf 100644
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
+corenet_tcp_connect_pegasus_https_port(sblim_sfcbd_t)
+
++corecmd_exec_shell(sblim_sfcbd_t)
++corecmd_exec_bin(sblim_sfcbd_t)
++
+dev_read_rand(sblim_sfcbd_t)
+dev_read_urand(sblim_sfcbd_t)
+
+domain_read_all_domains_state(sblim_sfcbd_t)
+domain_use_interactive_fds(sblim_sfcbd_t)
++
++optional_policy(`
++ rpm_exec(sblim_sfcbd_t)
++ rpm_dontaudit_manage_db(sblim_sfcbd_t)
++')
diff --git a/screen.fc b/screen.fc
index ac04d27..b73334e 100644
--- a/screen.fc
@@ -94707,10 +94807,10 @@ index 0000000..df82c36
+')
diff --git a/swift.te b/swift.te
new file mode 100644
-index 0000000..159ae72
+index 0000000..9ee77b2
--- /dev/null
+++ b/swift.te
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,97 @@
+policy_module(swift, 1.0.0)
+
+########################################
@@ -94722,6 +94822,9 @@ index 0000000..159ae72
+type swift_exec_t;
+init_daemon_domain(swift_t, swift_exec_t)
+
++type swift_lock_t;
++files_lock_file(swift_lock_t)
++
+type swift_tmp_t;
+files_tmp_file(swift_tmp_t)
+
@@ -94752,6 +94855,10 @@ index 0000000..159ae72
+allow swift_t self:unix_stream_socket create_stream_socket_perms;
+allow swift_t self:unix_dgram_socket create_socket_perms;
+
++manage_dirs_pattern(swift_t, swift_lock_t, swift_lock_t)
++manage_files_pattern(swift_t, swift_lock_t, swift_lock_t)
++files_lock_filetrans(swift_t, swift_lock_t, { dir file })
++
+manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t)
+files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })
@@ -94799,6 +94906,7 @@ index 0000000..159ae72
+
+optional_policy(`
+ rpm_exec(swift_t)
++ rpm_dontaudit_manage_db(swift_t)
+')
diff --git a/swift_alias.fc b/swift_alias.fc
new file mode 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d69cf88..6bf1954 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 163%{?dist}
+Release: 164%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-164
+- Add openstack fixes
+
* Tue May 13 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-163
- Add missing dyntransition for sandbox_x_domain
More information about the scm-commits
mailing list