[selinux-policy/f20] * Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-165 - More fixes for OpenStack

Miroslav Grepl mgrepl at fedoraproject.org
Fri May 16 17:33:23 UTC 2014


commit 5db50addf3ad21196ee0c1f6c853748b81bb40ea
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri May 16 19:33:08 2014 +0200

    * Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-165
    - More fixes for OpenStack

 policy-f20-base.patch    |   39 +++++++++++++++++------------
 policy-f20-contrib.patch |   60 +++++++++++++++++++++++++++++++++++++++------
 selinux-policy.spec      |    5 +++-
 3 files changed, 79 insertions(+), 25 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 3b13527..cad7ed8 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -23974,10 +23974,10 @@ index fe0c682..e8dcfa7 100644
 +	ps_process_pattern($1, sshd_t)
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..d6519a1 100644
+index 5fc0391..5a9d307 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,62 @@ policy_module(ssh, 2.3.3)
+@@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3)
  #
  
  ## <desc>
@@ -24021,6 +24021,9 @@ index 5fc0391..d6519a1 100644
  init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
 -role system_r types ssh_keygen_t;
 +
++type ssh_keygen_tmp_t;
++files_tmp_file(ssh_keygen_tmp_t)
++
 +type sshd_keygen_t;
 +type sshd_keygen_exec_t;
 +init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
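Review bot: The new `ssh_keygen_tmp_t` declaration carries no comment saying what it is for, and the rules that actually use it (`manage_dirs_pattern`/`manage_files_pattern`/`files_tmp_filetrans` on `ssh_keygen_t`) land in a separate hunk far below, so a reader of ssh.te sees a bare private type here. I would add a one-line comment above the type, `# private /tmp content created by ssh-keygen (see files_tmp_filetrans below)`, matching the surrounding comment style. The diffstat shows no ssh.if change, so no interface exposes `ssh_keygen_tmp_t` to other domains; that is fine for a private tmp type but worth stating if it is deliberate.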
@@ -24055,7 +24058,7 @@ index 5fc0391..d6519a1 100644
  
  type ssh_t;
  type ssh_exec_t;
-@@ -73,6 +92,11 @@ type ssh_home_t;
+@@ -73,6 +95,11 @@ type ssh_home_t;
  typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
  typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
  userdom_user_home_content(ssh_home_t)
@@ -24067,7 +24070,7 @@ index 5fc0391..d6519a1 100644
  
  ##############################
  #
-@@ -83,6 +107,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -83,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
  allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow ssh_t self:fd use;
  allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -24075,7 +24078,7 @@ index 5fc0391..d6519a1 100644
  allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
  allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +115,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -90,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -24092,7 +24095,7 @@ index 5fc0391..d6519a1 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -107,33 +128,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -24140,7 +24143,7 @@ index 5fc0391..d6519a1 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -154,40 +184,46 @@ files_read_var_files(ssh_t)
+@@ -154,40 +187,46 @@ files_read_var_files(ssh_t)
  logging_send_syslog_msg(ssh_t)
  logging_read_generic_logs(ssh_t)
  
@@ -24206,7 +24209,7 @@ index 5fc0391..d6519a1 100644
  ')
  
  optional_policy(`
-@@ -195,6 +231,7 @@ optional_policy(`
+@@ -195,6 +234,7 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -24214,7 +24217,7 @@ index 5fc0391..d6519a1 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -206,6 +243,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  allow ssh_keysign_t sshd_key_t:file { getattr read };
  
  dev_read_urand(ssh_keysign_t)
@@ -24222,7 +24225,7 @@ index 5fc0391..d6519a1 100644
  
  files_read_etc_files(ssh_keysign_t)
  
-@@ -223,33 +261,55 @@ optional_policy(`
+@@ -223,33 +264,55 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -24287,7 +24290,7 @@ index 5fc0391..d6519a1 100644
  ')
  
  optional_policy(`
-@@ -257,11 +317,28 @@ optional_policy(`
+@@ -257,11 +320,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24317,7 +24320,7 @@ index 5fc0391..d6519a1 100644
  ')
  
  optional_policy(`
-@@ -269,6 +346,10 @@ optional_policy(`
+@@ -269,6 +349,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24328,7 +24331,7 @@ index 5fc0391..d6519a1 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -279,13 +360,93 @@ optional_policy(`
+@@ -279,13 +363,93 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24422,7 +24425,7 @@ index 5fc0391..d6519a1 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -294,19 +455,29 @@ optional_policy(`
+@@ -294,19 +458,33 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -24440,6 +24443,10 @@ index 5fc0391..d6519a1 100644
 +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +
++manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
++manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
++files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })
++
 +kernel_read_system_state(ssh_keygen_t)
  kernel_read_kernel_sysctls(ssh_keygen_t)
  
@@ -24453,7 +24460,7 @@ index 5fc0391..d6519a1 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +494,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +501,12 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -24466,7 +24473,7 @@ index 5fc0391..d6519a1 100644
  
  optional_policy(`
  	seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +508,140 @@ optional_policy(`
+@@ -331,3 +515,140 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 0f090cc..ab1a6a5 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -52843,10 +52843,10 @@ index 0000000..28936b4
 +')
 diff --git a/nova.te b/nova.te
 new file mode 100644
-index 0000000..2d9ab86
+index 0000000..e571f9a
 --- /dev/null
 +++ b/nova.te
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,324 @@
 +policy_module(nova, 1.0.0)
 +
 +########################################
@@ -52979,6 +52979,10 @@ index 0000000..2d9ab86
 +	ssh_exec_keygen(nova_api_t)
 +')
 +
++optional_policy(`
++    gnome_dontaudit_search_config(nova_api_t)
++')
++
 +#optional_policy(`
 +#	unconfined_domain(nova_api_t)
 +#')
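Review bot: The added `gnome_dontaudit_search_config(nova_api_t)` block is indented with four spaces while the neighbouring `ssh_exec_keygen(nova_api_t)` block and the rest of nova.te use a tab; `	gnome_dontaudit_search_config(nova_api_t)` keeps the file consistent. Beyond style, a dontaudit silences the denial rather than resolving it, so if nova_api_t ever genuinely needs to read under the gnome config directory the failure becomes invisible in the audit log; a comment such as `# nova-api probes XDG config dirs on startup; access is not required` (adjusted to whatever the observed AVC was) would record why hiding it is safe.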
@@ -83297,7 +83301,7 @@ index f1140ef..8afe362 100644
 +	files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
  ')
 diff --git a/rsync.te b/rsync.te
-index e3e7c96..d7db2d9 100644
+index e3e7c96..7a6ca6c 100644
 --- a/rsync.te
 +++ b/rsync.te
 @@ -1,4 +1,4 @@
@@ -83424,7 +83428,7 @@ index e3e7c96..d7db2d9 100644
  logging_log_filetrans(rsync_t, rsync_log_t, file)
  
  manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
  
@@ -83550,6 +83554,8 @@ index e3e7c96..d7db2d9 100644
  optional_policy(`
 -	inetd_service_domain(rsync_t, rsync_exec_t)
 +	swift_manage_data_files(rsync_t)
++    swift_manage_lock(rsync_t)
++    swift_filetrans_named_lock(rsync_t)
  ')
 diff --git a/rtas.fc b/rtas.fc
 new file mode 100644
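Review bot: `swift_manage_lock(rsync_t)` grants rsync_t create, unlink and rename on every `swift_lock_t` file, not just the `swift_server.lock` that the accompanying `swift_filetrans_named_lock` names. If the lock is created by the swift services and rsync only takes it, a narrower read/write interface would suffice; if rsync itself creates the file, manage is required and the filetrans is what keeps the file labelled `swift_lock_t` instead of `var_lock_t` — which case applies cannot be told from this diff, so a short comment in the block stating it would help. The two new lines are also indented with four spaces next to a tab-indented `swift_manage_data_files(rsync_t)`; `	swift_manage_lock(rsync_t)` and `	swift_filetrans_named_lock(rsync_t)` match the existing style.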
@@ -94648,10 +94654,10 @@ index c6aaac7..84cdcac 100644
  sysnet_dns_name_resolve(svnserve_t)
 diff --git a/swift.fc b/swift.fc
 new file mode 100644
-index 0000000..744f0ce
+index 0000000..a4ec18a
 --- /dev/null
 +++ b/swift.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,30 @@
 +/usr/bin/swift-account-auditor		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-reaper		--	gen_context(system_u:object_r:swift_exec_t,s0)
 +/usr/bin/swift-account-replicator	--	gen_context(system_u:object_r:swift_exec_t,s0)
@@ -94671,6 +94677,7 @@ index 0000000..744f0ce
 +
 +/usr/lib/systemd/system/openstack-swift.*      --  gen_context(system_u:object_r:swift_unit_file_t,s0)
 +
++/var/lock/swift.*                   gen_context(system_u:object_r:swift_lock_t,s0)
 +/var/cache/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_cache_t,s0)
 +/var/run/swift(/.*)?			--	gen_context(system_u:object_r:swift_var_run_t,s0)
 +
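Review bot: The new `/var/lock/swift.*` entry omits the object-class field that every other entry in swift.fc carries, so it will relabel directories, sockets or anything else matching the prefix as `swift_lock_t`, while the interface added in swift.if only ever creates a plain file; `/var/lock/swift.*		--	gen_context(system_u:object_r:swift_lock_t,s0)` restricts it to regular files and lines up with the tab-aligned entries around it. The pattern is also a bare prefix, so it would catch `/var/lock/swiftsomething` as well, which is probably intended but worth a glance. This commit shows no swift.te change declaring `swift_lock_t` with `files_lock_file()`; if that declaration is not already present from an earlier commit, this label and both new interfaces will fail to build.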
@@ -94683,10 +94690,10 @@ index 0000000..744f0ce
 +')
 diff --git a/swift.if b/swift.if
 new file mode 100644
-index 0000000..df82c36
+index 0000000..6a1f575
 --- /dev/null
 +++ b/swift.if
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,155 @@
 +
 +## <summary>policy for swift</summary>
 +
@@ -94748,6 +94755,43 @@ index 0000000..df82c36
 +	manage_dirs_pattern($1, swift_data_t, swift_data_t)
 +')
 +
++#####################################
++## <summary>
++##	Read and write swift lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`swift_manage_lock',`
++	gen_require(`
++		type swift_lock_t;
++	')
++
++	files_search_locks($1)
++    manage_files_pattern($1, swift_lock_t, swift_lock_t)
++')
++
++#######################################
++## <summary>
++##  Transition content labels to swift named content
++## </summary>
++## <param name="domain">
++##  <summary>
++##      Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`swift_filetrans_named_lock',`
++    gen_require(`
++        type swift_lock_t;
++    ')
++
++    files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
++')
++
 +########################################
 +## <summary>
 +##	Execute swift server in the swift domain.
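Review bot: The summary of `swift_manage_lock` says "Read and write swift lock files" but `manage_files_pattern` also grants create, unlink, rename and setattr; `##	Create, read, write and delete swift lock files.` describes what the interface actually hands out, which matters when a caller audits what it is asking for. The summary of `swift_filetrans_named_lock` ("Transition content labels to swift named content") does not mention the one thing it does; `##	Create swift_server.lock in /var/lock with the swift_lock_t label.` would. Both interfaces mix tabs and four-space indentation within and between themselves (the `gen_require` of the first uses tabs, its `manage_files_pattern` line and the whole second interface use spaces) whereas the surrounding swift.if uses tabs; and since `swift_filetrans_named_lock` does not itself grant `files_search_locks`, the doc could note that callers must also take `swift_manage_lock` (or equivalent) for the create to succeed.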
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6bf1954..50adf0c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 164%{?dist}
+Release: 165%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-165
+- More fixes for OpenStack
+
 * Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-164
 - Add openstack fixes
 

