[selinux-policy/f20] * Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-165 - More fixes for OpenStack
Miroslav Grepl
mgrepl at fedoraproject.org
Fri May 16 17:33:23 UTC 2014
commit 5db50addf3ad21196ee0c1f6c853748b81bb40ea
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri May 16 19:33:08 2014 +0200
* Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-165
- More fixes for OpenStack
policy-f20-base.patch | 39 +++++++++++++++++------------
policy-f20-contrib.patch | 60 +++++++++++++++++++++++++++++++++++++++------
selinux-policy.spec | 5 +++-
3 files changed, 79 insertions(+), 25 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 3b13527..cad7ed8 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -23974,10 +23974,10 @@ index fe0c682..e8dcfa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..d6519a1 100644
+index 5fc0391..5a9d307 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,62 @@ policy_module(ssh, 2.3.3)
+@@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3)
#
## <desc>
@@ -24021,6 +24021,9 @@ index 5fc0391..d6519a1 100644
init_system_domain(ssh_keygen_t, ssh_keygen_exec_t)
-role system_r types ssh_keygen_t;
+
++type ssh_keygen_tmp_t;
++files_tmp_file(ssh_keygen_tmp_t)
++
+type sshd_keygen_t;
+type sshd_keygen_exec_t;
+init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t)
@@ -24055,7 +24058,7 @@ index 5fc0391..d6519a1 100644
type ssh_t;
type ssh_exec_t;
-@@ -73,6 +92,11 @@ type ssh_home_t;
+@@ -73,6 +95,11 @@ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
@@ -24067,7 +24070,7 @@ index 5fc0391..d6519a1 100644
##############################
#
-@@ -83,6 +107,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -83,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -24075,7 +24078,7 @@ index 5fc0391..d6519a1 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +115,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -90,15 +118,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -24092,7 +24095,7 @@ index 5fc0391..d6519a1 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -107,33 +128,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -107,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -24140,7 +24143,7 @@ index 5fc0391..d6519a1 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -154,40 +184,46 @@ files_read_var_files(ssh_t)
+@@ -154,40 +187,46 @@ files_read_var_files(ssh_t)
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
@@ -24206,7 +24209,7 @@ index 5fc0391..d6519a1 100644
')
optional_policy(`
-@@ -195,6 +231,7 @@ optional_policy(`
+@@ -195,6 +234,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -24214,7 +24217,7 @@ index 5fc0391..d6519a1 100644
##############################
#
# ssh_keysign_t local policy
-@@ -206,6 +243,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -206,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@@ -24222,7 +24225,7 @@ index 5fc0391..d6519a1 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +261,55 @@ optional_policy(`
+@@ -223,33 +264,55 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -24287,7 +24290,7 @@ index 5fc0391..d6519a1 100644
')
optional_policy(`
-@@ -257,11 +317,28 @@ optional_policy(`
+@@ -257,11 +320,28 @@ optional_policy(`
')
optional_policy(`
@@ -24317,7 +24320,7 @@ index 5fc0391..d6519a1 100644
')
optional_policy(`
-@@ -269,6 +346,10 @@ optional_policy(`
+@@ -269,6 +349,10 @@ optional_policy(`
')
optional_policy(`
@@ -24328,7 +24331,7 @@ index 5fc0391..d6519a1 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +360,93 @@ optional_policy(`
+@@ -279,13 +363,93 @@ optional_policy(`
')
optional_policy(`
@@ -24422,7 +24425,7 @@ index 5fc0391..d6519a1 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +455,29 @@ optional_policy(`
+@@ -294,19 +458,33 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -24440,6 +24443,10 @@ index 5fc0391..d6519a1 100644
+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+
++manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
++manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t)
++files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })
++
+kernel_read_system_state(ssh_keygen_t)
kernel_read_kernel_sysctls(ssh_keygen_t)
@@ -24453,7 +24460,7 @@ index 5fc0391..d6519a1 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +494,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +501,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -24466,7 +24473,7 @@ index 5fc0391..d6519a1 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +508,140 @@ optional_policy(`
+@@ -331,3 +515,140 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 0f090cc..ab1a6a5 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -52843,10 +52843,10 @@ index 0000000..28936b4
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..2d9ab86
+index 0000000..e571f9a
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,324 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -52979,6 +52979,10 @@ index 0000000..2d9ab86
+ ssh_exec_keygen(nova_api_t)
+')
+
++optional_policy(`
++ gnome_dontaudit_search_config(nova_api_t)
++')
++
+#optional_policy(`
+# unconfined_domain(nova_api_t)
+#')
@@ -83297,7 +83301,7 @@ index f1140ef..8afe362 100644
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
-index e3e7c96..d7db2d9 100644
+index e3e7c96..7a6ca6c 100644
--- a/rsync.te
+++ b/rsync.te
@@ -1,4 +1,4 @@
@@ -83424,7 +83428,7 @@ index e3e7c96..d7db2d9 100644
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -83550,6 +83554,8 @@ index e3e7c96..d7db2d9 100644
optional_policy(`
- inetd_service_domain(rsync_t, rsync_exec_t)
+ swift_manage_data_files(rsync_t)
++ swift_manage_lock(rsync_t)
++ swift_filetrans_named_lock(rsync_t)
')
diff --git a/rtas.fc b/rtas.fc
new file mode 100644
@@ -94648,10 +94654,10 @@ index c6aaac7..84cdcac 100644
sysnet_dns_name_resolve(svnserve_t)
diff --git a/swift.fc b/swift.fc
new file mode 100644
-index 0000000..744f0ce
+index 0000000..a4ec18a
--- /dev/null
+++ b/swift.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,30 @@
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
@@ -94671,6 +94677,7 @@ index 0000000..744f0ce
+
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
+
++/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0)
+/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
+/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
+
@@ -94683,10 +94690,10 @@ index 0000000..744f0ce
+')
diff --git a/swift.if b/swift.if
new file mode 100644
-index 0000000..df82c36
+index 0000000..6a1f575
--- /dev/null
+++ b/swift.if
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,155 @@
+
+## <summary>policy for swift</summary>
+
@@ -94748,6 +94755,43 @@ index 0000000..df82c36
+ manage_dirs_pattern($1, swift_data_t, swift_data_t)
+')
+
++#####################################
++## <summary>
++## Read and write swift lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`swift_manage_lock',`
++ gen_require(`
++ type swift_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_files_pattern($1, swift_lock_t, swift_lock_t)
++')
++
++#######################################
++## <summary>
++## Transition content labels to swift named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`swift_filetrans_named_lock',`
++ gen_require(`
++ type swift_lock_t;
++ ')
++
++ files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
++')
++
+########################################
+## <summary>
+## Execute swift server in the swift domain.
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6bf1954..50adf0c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 164%{?dist}
+Release: 165%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-165
+- More fixes for OpenStack
+
* Fri May 16 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-164
- Add openstack fixes
More information about the scm-commits
mailing list