[selinux-policy/f21] - Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t. -
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Aug 4 07:18:16 UTC 2014
commit 28a3a936d940403b0570e96f6de4203cf2170128
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Aug 4 09:17:59 2014 +0200
- Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t.
- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
- Dontaudit write access on generic cert files. We don't audit also access check.
- Add support for arptables.
- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.
policy-rawhide-base.patch | 150 ++++++++++++++++++++++--------------------
policy-rawhide-contrib.patch | 78 ++++++++++++++--------
selinux-policy.spec | 10 +++-
3 files changed, 139 insertions(+), 99 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 53b2a80..a06763e 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -9321,7 +9321,7 @@ index cf04cb5..32d58ca 100644
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..d8cdd96 100644
+index b876c48..b2aed45 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9357,7 +9357,7 @@ index b876c48..d8cdd96 100644
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -52,13 +53,17 @@ ifdef(`distro_suse',`
+@@ -52,13 +53,20 @@ ifdef(`distro_suse',`
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9377,10 +9377,13 @@ index b876c48..d8cdd96 100644
+/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
+/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
++/etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
++
++/ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-@@ -70,7 +75,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +78,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9392,7 +9395,7 @@ index b876c48..d8cdd96 100644
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', `
+@@ -78,10 +89,6 @@ ifdef(`distro_gentoo', `
/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -9403,7 +9406,7 @@ index b876c48..d8cdd96 100644
ifdef(`distro_suse',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -104,7 +111,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
@@ -9412,7 +9415,7 @@ index b876c48..d8cdd96 100644
#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-@@ -125,10 +129,12 @@ ifdef(`distro_debian',`
+@@ -125,10 +132,12 @@ ifdef(`distro_debian',`
#
# Mount points; do not relabel subdirectories, since
# we don't want to change any removable media by default.
@@ -9426,7 +9429,7 @@ index b876c48..d8cdd96 100644
#
# /misc
-@@ -138,7 +144,7 @@ ifdef(`distro_debian',`
+@@ -138,7 +147,7 @@ ifdef(`distro_debian',`
#
# /mnt
#
@@ -9435,7 +9438,7 @@ index b876c48..d8cdd96 100644
/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/mnt/[^/]*/.* <<none>>
-@@ -150,10 +156,10 @@ ifdef(`distro_debian',`
+@@ -150,10 +159,10 @@ ifdef(`distro_debian',`
#
# /opt
#
@@ -9448,7 +9451,7 @@ index b876c48..d8cdd96 100644
#
# /proc
-@@ -161,6 +167,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +170,12 @@ ifdef(`distro_debian',`
/proc -d <<none>>
/proc/.* <<none>>
@@ -9461,7 +9464,7 @@ index b876c48..d8cdd96 100644
#
# /run
#
-@@ -169,6 +181,7 @@ ifdef(`distro_debian',`
+@@ -169,6 +184,7 @@ ifdef(`distro_debian',`
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
@@ -9469,7 +9472,7 @@ index b876c48..d8cdd96 100644
#
# /selinux
#
-@@ -178,13 +191,14 @@ ifdef(`distro_debian',`
+@@ -178,13 +194,14 @@ ifdef(`distro_debian',`
#
# /srv
#
@@ -9486,7 +9489,7 @@ index b876c48..d8cdd96 100644
/tmp/.* <<none>>
/tmp/\.journal <<none>>
-@@ -194,9 +208,11 @@ ifdef(`distro_debian',`
+@@ -194,9 +211,11 @@ ifdef(`distro_debian',`
#
# /usr
#
@@ -9499,7 +9502,7 @@ index b876c48..d8cdd96 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -204,15 +220,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +223,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -9516,7 +9519,7 @@ index b876c48..d8cdd96 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -220,8 +230,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +233,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
@@ -9525,7 +9528,7 @@ index b876c48..d8cdd96 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -229,7 +237,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +240,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@@ -9534,7 +9537,7 @@ index b876c48..d8cdd96 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +248,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -9561,7 +9564,7 @@ index b876c48..d8cdd96 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
-@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +281,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@@ -9576,14 +9579,14 @@ index b876c48..d8cdd96 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +298,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..d12f46e 100644
+index f962f76..47dc71f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11073,7 +11076,7 @@ index f962f76..d12f46e 100644
')
########################################
-@@ -4217,192 +4975,215 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,192 +4975,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -11161,7 +11164,7 @@ index f962f76..d12f46e 100644
- ')
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
-+ type etc_t, system_conf_t;
++ type etc_t, system_conf_t, usr_t;
+ ')
- dontaudit $1 tmp_t:dir getattr;
@@ -11182,6 +11185,9 @@ index f962f76..d12f46e 100644
+ filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
++ filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
++ filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
++ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
')
-########################################
@@ -11385,7 +11391,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4410,53 +5191,56 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4410,53 +5194,56 @@ interface(`files_manage_generic_tmp_dirs',`
## </summary>
## </param>
#
@@ -11454,7 +11460,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4464,77 +5248,93 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,77 +5251,93 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -11572,7 +11578,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4542,110 +5342,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,110 +5345,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
## </summary>
## </param>
#
@@ -11711,7 +11717,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4653,22 +5441,17 @@ interface(`files_tmp_filetrans',`
+@@ -4653,22 +5444,17 @@ interface(`files_tmp_filetrans',`
## </summary>
## </param>
#
@@ -11738,7 +11744,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4676,17 +5459,17 @@ interface(`files_purge_tmp',`
+@@ -4676,17 +5462,17 @@ interface(`files_purge_tmp',`
## </summary>
## </param>
#
@@ -11760,7 +11766,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4694,18 +5477,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4694,18 +5480,17 @@ interface(`files_setattr_usr_dirs',`
## </summary>
## </param>
#
@@ -11783,7 +11789,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4713,35 +5495,35 @@ interface(`files_search_usr',`
+@@ -4713,35 +5498,35 @@ interface(`files_search_usr',`
## </summary>
## </param>
#
@@ -11828,7 +11834,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4749,36 +5531,35 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4749,36 +5534,35 @@ interface(`files_dontaudit_write_usr_dirs',`
## </summary>
## </param>
#
@@ -11874,7 +11880,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4786,17 +5567,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4786,17 +5570,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
## </summary>
## </param>
#
@@ -11896,7 +11902,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4804,73 +5585,59 @@ interface(`files_delete_usr_dirs',`
+@@ -4804,73 +5588,59 @@ interface(`files_delete_usr_dirs',`
## </summary>
## </param>
#
@@ -11989,7 +11995,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4878,55 +5645,58 @@ interface(`files_read_usr_files',`
+@@ -4878,55 +5648,58 @@ interface(`files_read_usr_files',`
## </summary>
## </param>
#
@@ -12064,7 +12070,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4934,67 +5704,70 @@ interface(`files_manage_usr_files',`
+@@ -4934,67 +5707,70 @@ interface(`files_manage_usr_files',`
## </summary>
## </param>
#
@@ -12153,7 +12159,7 @@ index f962f76..d12f46e 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -5003,35 +5776,50 @@ interface(`files_read_usr_symlinks',`
+@@ -5003,35 +5779,50 @@ interface(`files_read_usr_symlinks',`
## </summary>
## </param>
#
@@ -12213,7 +12219,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5039,20 +5827,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5039,20 +5830,17 @@ interface(`files_dontaudit_search_src',`
## </summary>
## </param>
#
@@ -12238,7 +12244,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5060,20 +5845,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5060,20 +5848,18 @@ interface(`files_getattr_usr_src_files',`
## </summary>
## </param>
#
@@ -12263,7 +12269,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5081,38 +5864,35 @@ interface(`files_read_usr_src_files',`
+@@ -5081,38 +5867,35 @@ interface(`files_read_usr_src_files',`
## </summary>
## </param>
#
@@ -12311,7 +12317,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5120,37 +5900,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5120,37 +5903,36 @@ interface(`files_create_kernel_symbol_table',`
## </summary>
## </param>
#
@@ -12359,7 +12365,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5158,35 +5937,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5158,35 +5940,35 @@ interface(`files_delete_kernel_symbol_table',`
## </summary>
## </param>
#
@@ -12404,7 +12410,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5194,36 +5973,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5194,36 +5976,55 @@ interface(`files_dontaudit_write_var_dirs',`
## </summary>
## </param>
#
@@ -12470,7 +12476,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5231,36 +6029,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5231,36 +6032,37 @@ interface(`files_dontaudit_search_var',`
## </summary>
## </param>
#
@@ -12518,7 +12524,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5268,17 +6067,17 @@ interface(`files_manage_var_dirs',`
+@@ -5268,17 +6070,17 @@ interface(`files_manage_var_dirs',`
## </summary>
## </param>
#
@@ -12540,7 +12546,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5286,17 +6085,17 @@ interface(`files_read_var_files',`
+@@ -5286,17 +6088,17 @@ interface(`files_read_var_files',`
## </summary>
## </param>
#
@@ -12562,7 +12568,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5304,73 +6103,86 @@ interface(`files_append_var_files',`
+@@ -5304,73 +6106,86 @@ interface(`files_append_var_files',`
## </summary>
## </param>
#
@@ -12669,7 +12675,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5378,50 +6190,41 @@ interface(`files_read_var_symlinks',`
+@@ -5378,50 +6193,41 @@ interface(`files_read_var_symlinks',`
## </summary>
## </param>
#
@@ -12734,7 +12740,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5429,69 +6232,56 @@ interface(`files_var_filetrans',`
+@@ -5429,69 +6235,56 @@ interface(`files_var_filetrans',`
## </summary>
## </param>
#
@@ -12819,7 +12825,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5499,17 +6289,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6292,18 @@ interface(`files_dontaudit_search_var_lib',`
## </summary>
## </param>
#
@@ -12843,7 +12849,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5517,70 +6308,54 @@ interface(`files_list_var_lib',`
+@@ -5517,70 +6311,54 @@ interface(`files_list_var_lib',`
## </summary>
## </param>
#
@@ -12927,7 +12933,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5588,41 +6363,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6366,36 @@ interface(`files_read_var_lib_files',`
## </summary>
## </param>
#
@@ -12979,7 +12985,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5630,36 +6400,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6403,36 @@ interface(`files_manage_urandom_seed',`
## </summary>
## </param>
#
@@ -13026,7 +13032,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5667,38 +6437,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6440,35 @@ interface(`files_setattr_lock_dirs',`
## </summary>
## </param>
#
@@ -13074,7 +13080,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5706,19 +6473,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,19 +6476,17 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -13098,7 +13104,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5726,60 +6491,54 @@ interface(`files_list_locks',`
+@@ -5726,60 +6494,54 @@ interface(`files_list_locks',`
## </summary>
## </param>
#
@@ -13174,7 +13180,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5787,20 +6546,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,20 +6549,18 @@ interface(`files_relabel_all_lock_dirs',`
## </summary>
## </param>
#
@@ -13200,7 +13206,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5808,165 +6565,156 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,165 +6568,156 @@ interface(`files_getattr_generic_locks',`
## </summary>
## </param>
#
@@ -13428,7 +13434,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5974,59 +6722,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,59 +6725,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
## </summary>
## </param>
#
@@ -13519,7 +13525,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6034,18 +6794,18 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6797,18 @@ interface(`files_dontaudit_search_pids',`
## </summary>
## </param>
#
@@ -13543,7 +13549,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6053,19 +6813,21 @@ interface(`files_list_pids',`
+@@ -6053,19 +6816,21 @@ interface(`files_list_pids',`
## </summary>
## </param>
#
@@ -13571,7 +13577,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6073,58 +6835,1243 @@ interface(`files_read_generic_pids',`
+@@ -6073,58 +6838,1243 @@ interface(`files_read_generic_pids',`
## </summary>
## </param>
#
@@ -14850,7 +14856,7 @@ index f962f76..d12f46e 100644
## </summary>
## </param>
## <param name="name" optional="true">
-@@ -6132,44 +8079,165 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6132,44 +8082,165 @@ interface(`files_write_generic_pid_pipes',`
## The name of the object being created.
## </summary>
## </param>
@@ -15035,7 +15041,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6177,20 +8245,18 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6177,20 +8248,18 @@ interface(`files_pid_filetrans_lock_dir',`
## </summary>
## </param>
#
@@ -15061,7 +15067,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6198,19 +8264,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8267,17 @@ interface(`files_rw_generic_pids',`
## </summary>
## </param>
#
@@ -15085,7 +15091,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6218,18 +8282,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8285,17 @@ interface(`files_dontaudit_getattr_all_pids',`
## </summary>
## </param>
#
@@ -15108,7 +15114,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6237,41 +8300,43 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,41 +8303,43 @@ interface(`files_dontaudit_write_all_pids',`
## </summary>
## </param>
#
@@ -15166,7 +15172,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6280,67 +8345,55 @@ interface(`files_read_all_pids',`
+@@ -6280,67 +8348,55 @@ interface(`files_read_all_pids',`
## </param>
## <rolecap/>
#
@@ -15251,7 +15257,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6348,37 +8401,37 @@ interface(`files_manage_all_pids',`
+@@ -6348,37 +8404,37 @@ interface(`files_manage_all_pids',`
## </summary>
## </param>
#
@@ -15300,7 +15306,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6386,132 +8439,207 @@ interface(`files_search_spool',`
+@@ -6386,132 +8442,207 @@ interface(`files_search_spool',`
## </summary>
## </param>
#
@@ -15559,7 +15565,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6519,53 +8647,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8650,17 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -15617,7 +15623,7 @@ index f962f76..d12f46e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6573,10 +8665,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8668,10 @@ interface(`files_polyinstantiate_all',`
## </summary>
## </param>
#
@@ -34272,10 +34278,10 @@ index 312cd04..3c62b4c 100644
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 73a1c4e..738e9ff 100644
+index 73a1c4e..ef41ebe 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,22 +1,33 @@
+@@ -1,22 +1,35 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -34289,6 +34295,7 @@ index 73a1c4e..738e9ff 100644
+
+/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
++/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -34309,6 +34316,7 @@ index 73a1c4e..738e9ff 100644
+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b67a506..13a5f51 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..dc1d24c 100644
+index 1a93dc5..f2b26f5 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,31 +1,44 @@
+@@ -1,31 +1,46 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -42,6 +42,8 @@ index 1a93dc5..dc1d24c 100644
+
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
++/var/lib/abrt(/.*)? gen_context(system_u:object_r:abrt_var_lib_t,s0)
++
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -536,7 +538,7 @@ index 058d908..2f6c3a9 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..cfd3aa9 100644
+index eb50f07..0a78b7e 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -555,7 +557,7 @@ index eb50f07..cfd3aa9 100644
## </desc>
gen_tunable(abrt_anon_write, false)
-@@ -37,13 +36,15 @@ attribute abrt_domain;
+@@ -37,87 +36,98 @@ attribute abrt_domain;
attribute_role abrt_helper_roles;
roleattribute system_r abrt_helper_roles;
@@ -573,7 +575,14 @@ index eb50f07..cfd3aa9 100644
type abrt_etc_t;
files_config_file(abrt_etc_t)
-@@ -55,69 +56,75 @@ files_tmp_file(abrt_tmp_t)
+ type abrt_var_log_t;
+ logging_log_file(abrt_var_log_t)
+
++type abrt_var_lib_t;
++files_type(abrt_var_lib_t)
++
+ type abrt_tmp_t;
+ files_tmp_file(abrt_tmp_t)
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
@@ -677,7 +686,7 @@ index eb50f07..cfd3aa9 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -125,41 +132,47 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,41 +135,47 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -731,7 +740,7 @@ index eb50f07..cfd3aa9 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -176,29 +189,42 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +192,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -771,13 +780,14 @@ index eb50f07..cfd3aa9 100644
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
++miscfiles_dontaudit_write_generic_cert_files(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
+userdom_dontaudit_read_admin_home_files(abrt_t)
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +232,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +236,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -794,7 +804,7 @@ index eb50f07..cfd3aa9 100644
')
optional_policy(`
-@@ -222,6 +244,20 @@ optional_policy(`
+@@ -222,6 +248,20 @@ optional_policy(`
')
optional_policy(`
@@ -815,7 +825,7 @@ index eb50f07..cfd3aa9 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -234,6 +270,11 @@ optional_policy(`
+@@ -234,6 +274,11 @@ optional_policy(`
')
optional_policy(`
@@ -827,7 +837,7 @@ index eb50f07..cfd3aa9 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -243,6 +284,7 @@ optional_policy(`
+@@ -243,6 +288,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -835,7 +845,7 @@ index eb50f07..cfd3aa9 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +295,17 @@ optional_policy(`
+@@ -253,9 +299,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -854,7 +864,7 @@ index eb50f07..cfd3aa9 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +316,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +320,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -869,7 +879,7 @@ index eb50f07..cfd3aa9 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +335,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +339,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -877,7 +887,7 @@ index eb50f07..cfd3aa9 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +344,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +348,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -898,7 +908,7 @@ index eb50f07..cfd3aa9 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +365,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +369,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -925,7 +935,7 @@ index eb50f07..cfd3aa9 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +401,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +405,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -939,7 +949,7 @@ index eb50f07..cfd3aa9 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +419,11 @@ optional_policy(`
+@@ -343,10 +423,11 @@ optional_policy(`
#######################################
#
@@ -953,7 +963,7 @@ index eb50f07..cfd3aa9 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +442,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +446,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -985,6 +995,9 @@ index eb50f07..cfd3aa9 100644
manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
++
++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
++manage_files_pattern(abrt_dump_oops_t, abrt_var_lib_t, abrt_var_lib_t)
read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
@@ -995,17 +1008,22 @@ index eb50f07..cfd3aa9 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
++dev_read_urand(abrt_dump_oops_t)
++dev_read_rand(abrt_dump_oops_t)
++
domain_use_interactive_fds(abrt_dump_oops_t)
++fs_getattr_all_fs(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
+fs_list_pstorefs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
++logging_read_syslog_pid(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
#######################################
#
-@@ -404,7 +491,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +503,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1014,7 +1032,7 @@ index eb50f07..cfd3aa9 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -413,16 +500,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +512,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1058,7 +1076,7 @@ index eb50f07..cfd3aa9 100644
')
#######################################
-@@ -430,10 +543,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +555,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -11769,7 +11787,7 @@ index 0000000..aa308eb
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..c8338dc
+index 0000000..f50b201
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,249 @@
@@ -11981,7 +11999,7 @@ index 0000000..c8338dc
+
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
-+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal sigchld share };
+
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
@@ -21809,7 +21827,7 @@ index a7326da..c87b5b7 100644
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
-index 583a527..bb77017 100644
+index 583a527..1053281 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@@ -21830,8 +21848,14 @@ index 583a527..bb77017 100644
corenet_all_recvfrom_netlabel(denyhosts_t)
corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
-@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
+@@ -57,13 +59,17 @@ corenet_sendrecv_smtp_client_packets(denyhosts_t)
+ corenet_tcp_connect_smtp_port(denyhosts_t)
+ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
++corenet_sendrecv_sype_transport_client_packets(denyhosts_t)
++corenet_tcp_connect_sype_transport_port(denyhosts_t)
++corenet_tcp_sendrecv_sype_transport_port(denyhosts_t)
++
dev_read_urand(denyhosts_t)
+auth_use_nsswitch(denyhosts_t)
@@ -21844,7 +21868,7 @@ index 583a527..bb77017 100644
sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
-@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
+@@ -71,3 +77,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c345ba..19922e8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 69%{?dist}
+Release: 70%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Aug 4 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-70
+- Add additional fixes for abrt-dump-journal-oops which is now labeled as abrt_dump_oops_exec_t.
+- Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
+- Allow nacl_helper_boo running in :chrome_sandbox_t to send SIGCHLD to chrome_sandbox_nacl_t.
+- Dontaudit write access on generic cert files. We don't audit also access check.
+- Add support for arptables.
+- Add labels and filenametrans rules for ostree repo directories which needs to be writable by subscription-manager.
+
* Mon Aug 4 2014 Tom Callaway <spot at fedoraproject.org> 3.13.1-69
- fix license handling
More information about the scm-commits
mailing list