[selinux-policy/f20] * Fri Jul 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-178 - Add logging_dontaudit_search_audit_

Lukas Vrabec lvrabec at fedoraproject.org
Fri Jul 18 09:02:41 UTC 2014


commit 3cba7c8893e1a8496a865d85c7f6d65ee422256a
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Fri Jul 18 11:02:46 2014 +0200

    * Fri Jul 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-178
    - Add logging_dontaudit_search_audit_logs()
    - Clean up osad policy. Remove additional interfaces/rules
    - Allow mailserver_domain domains to create mail home content with
    right labeling
    - Dontaudit search audit logs for fail2ban
    - Allow mailserver_domain domains to append dead.letter labeled as
    mail_home_t.
    - Allow fprintd to execute usr_t/bin_t
    - Allow zabbix to read system network state
    - Allow ndc to read random and urandom device BZ #1110397

 policy-f20-base.patch    |   84 +++++++++++++++++++----------
 policy-f20-contrib.patch |  133 ++++++++++++++++++++++++++++++++--------------
 selinux-policy.spec      |   12 ++++-
 3 files changed, 159 insertions(+), 70 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index d2395b3..99ed4bf 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -34782,7 +34782,7 @@ index b50c5fe..e55a556 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..b144ffe 100644
+index 4e94884..8de26ad 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -34941,12 +34941,7 @@ index 4e94884..b144ffe 100644
 +    read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +    list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 +')
- 
--	# the type of socket depends on the syslog daemon
--	allow $1 syslogd_t:unix_dgram_socket sendto;
--	allow $1 syslogd_t:unix_stream_socket connectto;
--	allow $1 self:unix_dgram_socket create_socket_perms;
--	allow $1 self:unix_stream_socket create_socket_perms;
++
 +########################################
 +## <summary>
 +##	Relabel the syslog pid sock_file.
@@ -34961,14 +34956,15 @@ index 4e94884..b144ffe 100644
 +	gen_require(`
 +		type syslogd_var_run_t;
 +	')
- 
--	# If syslog is down, the glibc syslog() function
--	# will write to the console.
--	term_write_console($1)
--	term_dontaudit_read_console($1)
++
 +	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
 +')
-+
+ 
+-	# the type of socket depends on the syslog daemon
+-	allow $1 syslogd_t:unix_dgram_socket sendto;
+-	allow $1 syslogd_t:unix_stream_socket connectto;
+-	allow $1 self:unix_dgram_socket create_socket_perms;
+-	allow $1 self:unix_stream_socket create_socket_perms;
 +########################################
 +## <summary>
 +##	Connect to the syslog control unix stream socket.
@@ -34983,13 +34979,43 @@ index 4e94884..b144ffe 100644
 +	gen_require(`
 +		type syslogd_t, syslogd_var_run_t;
 +	')
-+
+ 
+-	# If syslog is down, the glibc syslog() function
+-	# will write to the console.
+-	term_write_console($1)
+-	term_dontaudit_read_console($1)
 +	files_search_pids($1)
 +	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
  ')
  
  ########################################
-@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',`
+@@ -571,6 +715,25 @@ interface(`logging_read_audit_config',`
+ 
+ ########################################
+ ## <summary>
++##	dontaudit search of auditd log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_dontaudit_search_audit_logs',`
++	gen_require(`
++		type auditd_log_t;
++	')
++
++	dontaudit $1 auditd_log_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	dontaudit search of auditd configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -609,6 +772,25 @@ interface(`logging_read_syslog_config',`
  
  ########################################
  ## <summary>
@@ -35015,7 +35041,7 @@ index 4e94884..b144ffe 100644
  ##	Allows the domain to open a file in the
  ##	log directory, but does not allow the listing
  ##	of the contents of the log directory.
-@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',`
+@@ -722,6 +904,25 @@ interface(`logging_setattr_all_log_dirs',`
  	allow $1 logfile:dir setattr;
  ')
  
@@ -35041,7 +35067,7 @@ index 4e94884..b144ffe 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to get the attributes
-@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',`
+@@ -776,7 +977,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
@@ -35068,7 +35094,7 @@ index 4e94884..b144ffe 100644
  ')
  
  ########################################
-@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1078,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -35077,7 +35103,7 @@ index 4e94884..b144ffe 100644
  ')
  
  ########################################
-@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1104,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -35122,7 +35148,7 @@ index 4e94884..b144ffe 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1162,24 @@ interface(`logging_write_generic_logs',`
  
  ########################################
  ## <summary>
@@ -35147,7 +35173,7 @@ index 4e94884..b144ffe 100644
  ##	Dontaudit Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1259,16 @@ interface(`logging_admin_audit',`
  		type auditd_t, auditd_etc_t, auditd_log_t;
  		type auditd_var_run_t;
  		type auditd_initrc_exec_t;
@@ -35165,7 +35191,7 @@ index 4e94884..b144ffe 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1284,33 @@ interface(`logging_admin_audit',`
  	domain_system_change_exemption($1)
  	role_transition $2 auditd_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -35199,7 +35225,7 @@ index 4e94884..b144ffe 100644
  ')
  
  ########################################
-@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1339,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -35217,7 +35243,7 @@ index 4e94884..b144ffe 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1369,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -35226,7 +35252,7 @@ index 4e94884..b144ffe 100644
  
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -1085,3 +1380,54 @@ interface(`logging_admin',`
+@@ -1085,3 +1399,54 @@ interface(`logging_admin',`
  	logging_admin_audit($1, $2)
  	logging_admin_syslog($1, $2)
  ')
@@ -48983,7 +49009,7 @@ index e79d545..101086d 100644
  ')
  
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 6e91317..018d0a6 100644
+index 6e91317..8fc985f 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -49045,16 +49071,18 @@ index 6e91317..018d0a6 100644
  define(`create_fifo_file_perms',`{ getattr create open }')
  define(`rename_fifo_file_perms',`{ getattr rename }')
  define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
+@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }')
  define(`setattr_sock_file_perms',`{ setattr }')
  define(`read_sock_file_perms',`{ getattr open read }')
  define(`write_sock_file_perms',`{ getattr write open append }')
 -define(`rw_sock_file_perms',`{ getattr open read write append }')
+-define(`create_sock_file_perms',`{ getattr create open }')
 +define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
 +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
- define(`create_sock_file_perms',`{ getattr create open }')
++define(`create_sock_file_perms',`{ getattr setattr create open }')
  define(`rename_sock_file_perms',`{ getattr rename }')
  define(`delete_sock_file_perms',`{ getattr unlink }')
+ define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }')
 @@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
  define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
  define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
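Review bot: The new inner line `+define(`create_sock_file_perms',`{ getattr setattr create open }')` widens a permission set used policy-wide, so every caller of create_sock_file_perms (and of the create_sock_files_pattern built on it) silently gains sock_file setattr, yet the commit message lists no such change. Unlike a per-domain rule this cannot be audited at the call site, so it deserves a changelog entry and a short comment in the hunk naming the domain that needed setattr at socket creation, e.g. `# setattr: daemons that chmod() their socket right after creating it`, if that is the motivating case. The rw_inherited_sock_file_perms split in the same hunk is unchanged from the previous revision of the patch and raises nothing.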
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 99dd61b..8b246ba 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -8937,7 +8937,7 @@ index 866a1e2..43b445c 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 076ffee..1672ca4 100644
+index 076ffee..93ffa1d 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -9043,7 +9043,17 @@ index 076ffee..1672ca4 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t)
+@@ -236,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t)
+ corenet_tcp_connect_rndc_port(ndc_t)
+ corenet_sendrecv_rndc_client_packets(ndc_t)
+ 
++dev_read_rand(ndc_t)
++dev_read_urand(ndc_t)
++
+ domain_use_interactive_fds(ndc_t)
+ 
+ files_search_pids(ndc_t)
+@@ -251,7 +266,7 @@ init_use_script_ptys(ndc_t)
  
  logging_send_syslog_msg(ndc_t)
  
@@ -26475,7 +26485,7 @@ index 50d0084..6565422 100644
  
  	fail2ban_run_client($1, $2)
 diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..cdea6d0 100644
+index 0872e50..0cb0a7b 100644
 --- a/fail2ban.te
 +++ b/fail2ban.te
 @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -26503,9 +26513,11 @@ index 0872e50..cdea6d0 100644
  files_list_var(fail2ban_t)
  files_dontaudit_list_tmp(fail2ban_t)
  
-@@ -92,22 +90,33 @@ auth_use_nsswitch(fail2ban_t)
+@@ -91,23 +89,35 @@ auth_use_nsswitch(fail2ban_t)
+ 
  logging_read_all_logs(fail2ban_t)
  logging_send_syslog_msg(fail2ban_t)
++logging_dontaudit_search_audit_logs(fail2ban_t)
  
 -miscfiles_read_localization(fail2ban_t)
 +mta_send_mail(fail2ban_t)
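Review bot: The added `logging_dontaudit_search_audit_logs(fail2ban_t)` hides the AVC but grants nothing, so if a jail is ever pointed at /var/log/audit the failure becomes silent and hard to diagnose; the same applies to the fail2ban_client_t call in the hunk at `@@ -26577,9 +26589,10 @@`. A one-line comment at the call site would record that the suppression is intentional, e.g. `# fail2ban walks /var/log; it does not need the audit log directory`. If fail2ban does need audit logs for a jail, the right change is a read interface such as logging_read_audit_log rather than a dontaudit.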
@@ -26541,7 +26553,7 @@ index 0872e50..cdea6d0 100644
  	iptables_domtrans(fail2ban_t)
  ')
  
-@@ -116,6 +125,10 @@ optional_policy(`
+@@ -116,6 +126,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26552,7 +26564,7 @@ index 0872e50..cdea6d0 100644
  	shorewall_domtrans(fail2ban_t)
  ')
  
-@@ -129,22 +142,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -129,22 +143,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
  
  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
  
@@ -26577,9 +26589,10 @@ index 0872e50..cdea6d0 100644
 +
  logging_getattr_all_logs(fail2ban_client_t)
  logging_search_all_logs(fail2ban_client_t)
- 
--miscfiles_read_localization(fail2ban_client_t)
 -
+-miscfiles_read_localization(fail2ban_client_t)
++logging_dontaudit_search_audit_logs(fail2ban_client_t)
+ 
  userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
  userdom_use_user_terminals(fail2ban_client_t)
 +
@@ -27337,10 +27350,10 @@ index c12c067..a415012 100644
  
  optional_policy(`
 diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..72b7712 100644
+index c81b6e8..2cbb61f 100644
 --- a/fprintd.te
 +++ b/fprintd.te
-@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t)
+@@ -20,23 +20,28 @@ files_type(fprintd_var_lib_t)
  allow fprintd_t self:capability sys_nice;
  allow fprintd_t self:process { getsched setsched signal sigkill };
  allow fprintd_t self:fifo_file rw_fifo_file_perms;
@@ -27349,8 +27362,11 @@ index c81b6e8..72b7712 100644
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -28,15 +30,16 @@ kernel_read_system_state(fprintd_t)
  
+ kernel_read_system_state(fprintd_t)
+ 
++corecmd_exec_bin(fprintd_t)
++
  dev_list_usbfs(fprintd_t)
  dev_read_sysfs(fprintd_t)
 +dev_read_urand(fprintd_t)
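Review bot: `corecmd_exec_bin(fprintd_t)` lets the daemon execute any bin_t-labelled program without a domain transition, which is a broad grant for a privileged service, and the changelog records only that fprintd "executes usr_t/bin_t". A comment naming the program fprintd actually spawns would let a later reviewer narrow this to a targeted rule or a domain transition, e.g. `# fprintd execs <helper binary> from bin_t in its own domain` with the real helper filled in. The dev_read_urand line below it was already present in the previous revision of the patch.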
@@ -27368,7 +27384,7 @@ index c81b6e8..72b7712 100644
  
  userdom_use_user_ptys(fprintd_t)
  userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +57,17 @@ optional_policy(`
+@@ -54,8 +59,17 @@ optional_policy(`
  	')
  ')
  
@@ -29482,10 +29498,10 @@ index 0000000..1ed97fe
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..36ff903
+index 0000000..e05cac4
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,200 @@
+@@ -0,0 +1,201 @@
 +policy_module(glusterfs, 1.0.1)
 +
 +## <desc>
@@ -29627,6 +29643,7 @@ index 0000000..36ff903
 +corenet_sendrecv_all_client_packets(glusterd_t)
 +corenet_tcp_bind_all_unreserved_ports(glusterd_t)
 +corenet_tcp_connect_all_unreserved_ports(glusterd_t)
++corenet_tcp_connect_all_ephemeral_ports(glusterd_t)
 +corenet_tcp_connect_ssh_port(glusterd_t)
 +
 +dev_read_sysfs(glusterd_t)
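Review bot: `corenet_tcp_connect_all_ephemeral_ports(glusterd_t)` sits directly under the existing connect_all_unreserved_ports line, and together they presumably leave glusterd free to initiate connections to almost any port above 1023 (assuming ephemeral_port_t labels the kernel's local port range as it does in refpolicy). The commit message does not mention this grant, so it should get a changelog line and a why-comment, e.g. `# brick daemons on peer nodes listen on ephemeral ports`, if that is the reason. The glusterd.te listing continues outside this hunk.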
@@ -47378,7 +47395,7 @@ index f42896c..1e1a679 100644
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/smtpd(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac..8f217ea 100644
+index ed81cac..837a43a 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -47530,11 +47547,13 @@ index ed81cac..8f217ea 100644
  ')
  
 -#######################################
--## <summary>
++######################################
+ ## <summary>
 -##	Read mta mail home files.
--## </summary>
--## <param name="domain">
--##	<summary>
++##  Dontaudit read and write an leaked file descriptors
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
@@ -47621,15 +47640,13 @@ index ed81cac..8f217ea 100644
 -')
 -
 -########################################
-+######################################
- ## <summary>
+-## <summary>
 -##	Create specified objects in user home
 -##	directories with the generic mail
 -##	home rw type.
-+##  Dontaudit read and write an leaked file descriptors
- ## </summary>
- ## <param name="domain">
- ##	<summary>
+-## </summary>
+-## <param name="domain">
+-##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
@@ -48318,7 +48335,7 @@ index ed81cac..8f217ea 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1081,3 +1051,177 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1051,200 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -48349,6 +48366,29 @@ index ed81cac..8f217ea 100644
 +
 +######################################
 +## <summary>
++##	ALlow domain to append mail content in the homedir
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_append_home',`
++	gen_require(`
++		type mail_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	append_files_pattern($1, mail_home_t, mail_home_t)
++
++	ifdef(`distro_redhat',`
++		userdom_search_admin_dir($1)
++	')
++')
++
++######################################
++## <summary>
 +##	ALlow domain to read mail content in the homedir
 +## </summary>
 +## <param name="domain">
@@ -48497,7 +48537,7 @@ index ed81cac..8f217ea 100644
 +	mta_filetrans_admin_home_content($1)
 +')
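Review bot: The summary of the new mta_append_home interface reads `##	ALlow domain to append mail content in the homedir`, repeating the capitalisation slip of the neighbouring mta_read_home summary, and it does not say that the interface also grants search of user home directories (and of admin home dirs under distro_redhat). Suggest `##	Allow domain to append to mail_home_t content in user home directories.` so callers such as mailserver_domain can see the directory search that comes with the append. The append_files_pattern rule itself matches the dead.letter use case stated in the changelog.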
 diff --git a/mta.te b/mta.te
-index afd2fad..8ccf7ef 100644
+index afd2fad..2bd8062 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -48923,10 +48963,17 @@ index afd2fad..8ccf7ef 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -378,6 +274,10 @@ optional_policy(`
+@@ -378,6 +274,17 @@ optional_policy(`
  ')
  
  optional_policy(`
++    mta_filetrans_home_content(mailserver_domain)
++    mta_filetrans_admin_home_content(mailserver_domain)
++    mta_read_home(mailserver_domain)
++    mta_append_home(mailserver_domain)
++')
++
++optional_policy(`
 +    pcp_read_lib_files(mailserver_delivery)
 +')
 +
@@ -48934,7 +48981,7 @@ index afd2fad..8ccf7ef 100644
  	postfix_rw_inherited_master_pipes(mailserver_delivery)
  ')
  
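Review bot: The four new calls `mta_filetrans_home_content`, `mta_filetrans_admin_home_content`, `mta_read_home` and `mta_append_home` are interfaces of this same module (they are defined in the mta.if section earlier in this patch), so wrapping them in an optional_policy block is misleading: optional_policy exists for interfaces of other modules that may not be loaded, and there is no foreign module here for the block to be optional on. They can stand as plain rules in the mailserver_domain section, as the other mta rules in the file do. The four-space indentation also departs from the tab indentation refpolicy uses, though the neighbouring pcp block in this hunk shares it.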
-@@ -387,24 +287,177 @@ optional_policy(`
+@@ -387,24 +294,177 @@ optional_policy(`
  
  ########################################
  #
@@ -60075,7 +60122,7 @@ index 0000000..0493b99
 +')
 diff --git a/osad.fc b/osad.fc
 new file mode 100644
-index 0000000..1e1eceb
+index 0000000..cf911d5
 --- /dev/null
 +++ b/osad.fc
 @@ -0,0 +1,7 @@
@@ -60083,7 +60130,7 @@ index 0000000..1e1eceb
 +
 +/usr/sbin/osad		--	gen_context(system_u:object_r:osad_exec_t,s0)
 +
-+/var/log/osad		--	gen_context(system_u:object_r:osad_log_t,s0)
++/var/log/osad.*		--	gen_context(system_u:object_r:osad_log_t,s0)
 +
 +/var/run/osad.*		--	gen_context(system_u:object_r:osad_var_run_t,s0)
 diff --git a/osad.if b/osad.if
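Review bot: `/var/log/osad.*` matches every /var/log entry whose name merely starts with osad (osad and osad.log, but also an unrelated osadxyz), because the dot is an unescaped regex metacharacter. If the intent is the daemon's log file plus rotations, `/var/log/osad(\..*)?	--	gen_context(system_u:object_r:osad_log_t,s0)` keeps the old exact match and limits the suffix to dot-separated names; the existing `/var/run/osad.*` line below it has the same broadness.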
@@ -60259,10 +60306,10 @@ index 0000000..05648bd
 +')
 diff --git a/osad.te b/osad.te
 new file mode 100644
-index 0000000..a40fcc3
+index 0000000..310d672
 --- /dev/null
 +++ b/osad.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,48 @@
 +policy_module(osad, 1.0.0)
 +
 +########################################
@@ -60287,20 +60334,23 @@ index 0000000..a40fcc3
 +#
 +# osad local policy
 +#
++
 +allow osad_t self:process setpgid;
 +
 +manage_files_pattern(osad_t, osad_log_t, osad_log_t)
-+logging_log_filetrans(osad_t, osad_log_t, { file })
++logging_log_filetrans(osad_t, osad_log_t, file)
 +
 +manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t)
-+files_pid_filetrans(osad_t, osad_var_run_t, { file})
++files_pid_filetrans(osad_t, osad_var_run_t, file)
 +
 +kernel_read_system_state(osad_t)
 +
-+auth_read_passwd(osad_t)
++corenet_tcp_connect_http_port(osad_t)
 +
 +dev_read_urand(osad_t)
 +
++auth_use_nsswitch(osad_t)
++
 +optional_policy(`
 +    gnome_dontaudit_search_config(osad_t)
 +')
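Review bot: The changelog calls this a clean-up, but the hunk adds two grants, `corenet_tcp_connect_http_port(osad_t)` and `auth_use_nsswitch(osad_t)`, the latter wider than the removed `auth_read_passwd` since it also covers name resolution and the optional NSS backends, and neither carries a comment. A why-comment on the http rule naming the peer service would let a reviewer check whether a more specific port type applies, e.g. `# osad polls <server> over HTTP -- confirm port type` with the real service filled in. The rest of the osad.te listing is outside this hunk.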
@@ -108162,7 +108212,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..551c4e9 100644
+index 46e4cd3..73ea90f 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3)
@@ -108355,15 +108405,16 @@ index 46e4cd3..551c4e9 100644
  
  rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
  fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
-@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
+@@ -151,16 +161,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
  manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
  files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
  
 -kernel_read_all_sysctls(zabbix_agent_t)
  kernel_read_system_state(zabbix_agent_t)
- 
--corecmd_read_all_executables(zabbix_agent_t)
 -
+-corecmd_read_all_executables(zabbix_agent_t)
++kernel_read_network_state(zabbix_agent_t)
+ 
  corenet_all_recvfrom_unlabeled(zabbix_agent_t)
  corenet_all_recvfrom_netlabel(zabbix_agent_t)
 -corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
@@ -108374,7 +108425,7 @@ index 46e4cd3..551c4e9 100644
  
  corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
  corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +184,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
  dev_getattr_all_blk_files(zabbix_agent_t)
  dev_getattr_all_chr_files(zabbix_agent_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 202b049..61fcbb1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 177%{?dist}
+Release: 178%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jul 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-178
+- Add logging_dontaudit_search_audit_logs()
+- Clean up osad policy. Remove additional interfaces/rules
+- Allow mailserver_domain domains to create mail home content with right labeling
+- Dontaudit search audit logs for fail2ban
+- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t.
+- Allow fprintd to execute usr_t/bin_t
+- Allow zabbix to read system network state
+- Allow ndc to read random and urandom device BZ #1110397
+
 * Mon Jul 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-177
 - Allow lircd_t to use tty_device_t for use withmythtv
 - Allow mysqld to bind and connect to tram port BZ #1118052

