[selinux-policy/f20] * Wed Aug 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-181 - Allow docker lots more access. - Ad
Lukas Vrabec
lvrabec at fedoraproject.org
Wed Aug 20 15:43:06 UTC 2014
commit 93ea6d11ab8ad47f9ef8f70d7c51e03945a55961
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed Aug 20 17:42:41 2014 +0200
* Wed Aug 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-181
- Allow docker lots more access.
- Added interface kernel_dontaudit_setsched
- Added interface kernel_signull
- Allow qpid to read passwd files BZ (#1130086)
- Allow sendmail to append dead.letter located in
var/spool/nagios/dead.letter.
- Allow mdadm to send signull to kernel_t, which is the process type of mdadm on
early boot.
- geoclue needs to connect to http and http_cache ports
policy-f20-base.patch | 142 ++++++++++++++++++++++++++++++++++-------
policy-f20-contrib.patch | 161 ++++++++++++++++++++++++++++------------------
selinux-policy.spec | 11 +++-
3 files changed, 226 insertions(+), 88 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 4ceed02..fdd54a6 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -17370,10 +17370,60 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..4a102cb 100644
+index 649e458..847133d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
-@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
+@@ -126,6 +126,24 @@ interface(`kernel_setsched',`
+
+ ########################################
+ ## <summary>
++## Dontaudit attempts to set the priority of kernel threads.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_dontaudit_setsched',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ dontaudit $1 kernel_t:process setsched;
++')
++
++########################################
++## <summary>
+ ## Send a SIGCHLD signal to kernel threads.
+ ## </summary>
+ ## <param name="domain">
+@@ -180,6 +198,24 @@ interface(`kernel_signal',`
+
+ ########################################
+ ## <summary>
++## Send signull to kernel threads.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_signull',`
++ gen_require(`
++ type kernel_t;
++ ')
++
++ allow $1 kernel_t:process signull;
++')
++
++########################################
++## <summary>
+ ## Allows the kernel to share state information with
+ ## the caller.
+ ## </summary>
+@@ -286,7 +322,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
type kernel_t;
')
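Review bot: The summary on the new `kernel_signull` interface does not say what the permission is for: `signull` is the null-signal existence probe, not a delivered signal, so a caller granted it can only test whether kernel threads exist, which is worth stating for anyone auditing who gets it. Suggest `## Send a null signal (signull) to kernel threads, e.g. to check that they exist.`. For `kernel_dontaudit_setsched`, note in the summary that it is meant as an alternative to `kernel_setsched`, since a domain given both ends up with a dontaudit rule that the allow already makes redundant.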
@@ -17382,7 +17432,7 @@ index 649e458..4a102cb 100644
')
########################################
-@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',`
+@@ -762,8 +798,8 @@ interface(`kernel_manage_debugfs',`
')
manage_files_pattern($1, debugfs_t, debugfs_t)
@@ -17392,7 +17442,7 @@ index 649e458..4a102cb 100644
')
########################################
-@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
+@@ -786,6 +822,24 @@ interface(`kernel_mount_kvmfs',`
########################################
## <summary>
@@ -17417,7 +17467,7 @@ index 649e458..4a102cb 100644
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
-@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
+@@ -804,6 +858,24 @@ interface(`kernel_unmount_proc',`
########################################
## <summary>
@@ -17442,7 +17492,7 @@ index 649e458..4a102cb 100644
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
-@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -991,13 +1063,10 @@ interface(`kernel_read_proc_symlinks',`
#
interface(`kernel_read_system_state',`
gen_require(`
@@ -17458,7 +17508,7 @@ index 649e458..4a102cb 100644
')
########################################
-@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',`
+@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',`
########################################
## <summary>
@@ -17484,7 +17534,7 @@ index 649e458..4a102cb 100644
## Do not audit attempts by caller to
## read system state information in proc.
## </summary>
-@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',`
+@@ -1208,6 +1296,25 @@ interface(`kernel_read_messages',`
########################################
## <summary>
@@ -17510,7 +17560,32 @@ index 649e458..4a102cb 100644
## Allow caller to get the attributes of kernel message
## interface (/proc/kmsg).
## </summary>
-@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1458,6 +1565,24 @@ interface(`kernel_list_all_proc',`
+
+ ########################################
+ ## <summary>
++## Allow attempts to mounton all proc directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_mounton_all_proc',`
++ gen_require(`
++ attribute proc_type;
++ ')
++
++ allow $1 proc_type:dir mounton;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to list all proc directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -1477,6 +1602,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
## <summary>
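Review bot: `kernel_mounton_all_proc` grants `mounton` on every directory carrying the `proc_type` attribute, which lets the caller hide any proc entry behind an overmount, and the one-line summary reads like an ordinary permission rather than that broad a grant. Suggest `## Allow mounting on all proc directories. Grants mounton on every proc_type directory, which can mask proc entries; intended for container/sandbox managers only.`. The same applies to `kernel_mounton_all_sysctls` added in the later hunk headed `@@ -17561,16 +17636,37 @@`, which does the same for every `sysctl_type` directory.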
@@ -17535,7 +17610,7 @@ index 649e458..4a102cb 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
-@@ -1672,7 +1761,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1815,7 @@ interface(`kernel_read_net_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17544,7 +17619,7 @@ index 649e458..4a102cb 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1693,7 +1782,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1836,7 @@ interface(`kernel_rw_net_sysctls',`
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17553,7 +17628,7 @@ index 649e458..4a102cb 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -1715,7 +1804,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1858,6 @@ interface(`kernel_read_unix_sysctls',`
')
read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -17561,16 +17636,37 @@ index 649e458..4a102cb 100644
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
')
-@@ -2085,7 +2173,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2227,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
- dontaudit $1 sysctl_type:file getattr;
+ dontaudit $1 sysctl_type:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Allow attempts to mounton all sysctl directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_mounton_all_sysctls',`
++ gen_require(`
++ attribute sysctl_type;
++ ')
++
++ allow $1 sysctl_type:dir mounton;
')
++
########################################
-@@ -2282,6 +2370,25 @@ interface(`kernel_list_unlabeled',`
+ ## <summary>
+ ## Allow caller to read all sysctls.
+@@ -2282,6 +2443,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@@ -17596,7 +17692,7 @@ index 649e458..4a102cb 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
-@@ -2306,7 +2413,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2486,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@@ -17605,7 +17701,7 @@ index 649e458..4a102cb 100644
## </summary>
## </param>
#
-@@ -2488,6 +2595,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2668,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@@ -17630,7 +17726,7 @@ index 649e458..4a102cb 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2525,6 +2650,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2723,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@@ -17655,7 +17751,7 @@ index 649e458..4a102cb 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
-@@ -2632,7 +2775,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2848,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -17664,7 +17760,7 @@ index 649e458..4a102cb 100644
')
########################################
-@@ -2670,6 +2813,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2886,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -17689,7 +17785,7 @@ index 649e458..4a102cb 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2697,6 +2858,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2931,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -17715,7 +17811,7 @@ index 649e458..4a102cb 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2806,6 +2986,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +3059,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -17749,7 +17845,7 @@ index 649e458..4a102cb 100644
########################################
## <summary>
-@@ -2961,6 +3168,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3241,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -17774,7 +17870,7 @@ index 649e458..4a102cb 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2975,5 +3200,300 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3273,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 3cc1787..c361d6e 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -4988,7 +4988,7 @@ index 83e899c..9426db5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..d2693f8 100644
+index 1a82e29..0cbe4c8 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,381 @@
@@ -5694,7 +5694,7 @@ index 1a82e29..d2693f8 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +567,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5778,6 +5778,7 @@ index 1a82e29..d2693f8 100644
+files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
+files_read_mnt_symlinks(httpd_t)
++files_search_all(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
files_read_var_lib_files(httpd_t)
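Review bot: `files_search_all(httpd_t)` gives the web server search on every directory type in the policy, unconditionally, and neither the commit message nor the changelog mentions it; a single denial is normally fixed with the specific `*_search_*` interface for the directory type involved, as the surrounding `files_list_mnt`/`files_search_spool` lines do. If the blanket grant is really needed it should at least be recorded in the changelog, or placed under a tunable so the default policy keeps httpd_t limited to the directory types already listed here.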
@@ -5932,7 +5933,7 @@ index 1a82e29..d2693f8 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +743,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5992,7 +5993,7 @@ index 1a82e29..d2693f8 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +795,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +796,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -6083,7 +6084,7 @@ index 1a82e29..d2693f8 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +842,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +843,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6164,7 +6165,7 @@ index 1a82e29..d2693f8 100644
')
optional_policy(`
-@@ -744,24 +895,32 @@ optional_policy(`
+@@ -744,24 +896,32 @@ optional_policy(`
')
optional_policy(`
@@ -6203,7 +6204,7 @@ index 1a82e29..d2693f8 100644
')
optional_policy(`
-@@ -770,6 +929,10 @@ optional_policy(`
+@@ -770,6 +930,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@@ -6214,7 +6215,7 @@ index 1a82e29..d2693f8 100644
')
optional_policy(`
-@@ -781,34 +944,58 @@ optional_policy(`
+@@ -781,34 +945,58 @@ optional_policy(`
')
optional_policy(`
@@ -6284,7 +6285,7 @@ index 1a82e29..d2693f8 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +1003,18 @@ optional_policy(`
+@@ -816,8 +1004,18 @@ optional_policy(`
')
optional_policy(`
@@ -6303,7 +6304,7 @@ index 1a82e29..d2693f8 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +1023,7 @@ optional_policy(`
+@@ -826,6 +1024,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6311,7 +6312,7 @@ index 1a82e29..d2693f8 100644
')
optional_policy(`
-@@ -836,20 +1034,40 @@ optional_policy(`
+@@ -836,20 +1035,40 @@ optional_policy(`
')
optional_policy(`
@@ -6358,7 +6359,7 @@ index 1a82e29..d2693f8 100644
')
optional_policy(`
-@@ -857,19 +1075,35 @@ optional_policy(`
+@@ -857,19 +1076,35 @@ optional_policy(`
')
optional_policy(`
@@ -6394,7 +6395,7 @@ index 1a82e29..d2693f8 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1111,173 @@ optional_policy(`
+@@ -877,65 +1112,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6590,7 +6591,7 @@ index 1a82e29..d2693f8 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1286,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1287,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6745,7 +6746,7 @@ index 1a82e29..d2693f8 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1370,106 @@ optional_policy(`
+@@ -1077,172 +1371,106 @@ optional_policy(`
')
')
@@ -6982,7 +6983,7 @@ index 1a82e29..d2693f8 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1477,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1478,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7079,7 +7080,7 @@ index 1a82e29..d2693f8 100644
########################################
#
-@@ -1315,8 +1552,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1553,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7096,7 +7097,7 @@ index 1a82e29..d2693f8 100644
')
########################################
-@@ -1324,49 +1568,38 @@ optional_policy(`
+@@ -1324,49 +1569,38 @@ optional_policy(`
# User content local policy
#
@@ -7161,7 +7162,7 @@ index 1a82e29..d2693f8 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1609,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1610,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -24262,10 +24263,10 @@ index 0000000..683dfdc
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..342d8bf
+index 0000000..2f0fa26
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,279 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -24374,7 +24375,7 @@ index 0000000..342d8bf
+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
+
-+allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
++allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(docker_t, docker_devpts_t)
+
+kernel_read_system_state(docker_t)
@@ -24457,6 +24458,8 @@ index 0000000..342d8bf
+kernel_get_sysvipc_info(docker_t)
+kernel_request_load_module(docker_t)
+kernel_mounton_messages(docker_t)
++kernel_mounton_all_proc(docker_t)
++kernel_mounton_all_sysctls(docker_t)
+
+dev_getattr_all_blk_files(docker_t)
+dev_getattr_sysfs_fs(docker_t)
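Review bot: The two added lines give docker_t `mounton` over every proc and every sysctl directory, which is a large widening that the changelog only describes as "lots more access"; a short comment above them would let a later audit see why. Something like `# docker overmounts entries under /proc and /proc/sys inside containers — presumably to mask them; confirm against the denials that prompted this` would do, with the reason filled in from the actual AVC messages.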
@@ -28896,10 +28899,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
-index 0000000..d809c15
+index 0000000..b9d0b86
--- /dev/null
+++ b/geoclue.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,55 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@@ -28938,6 +28941,7 @@ index 0000000..d809c15
+auth_read_passwd(geoclue_t)
+
+corenet_tcp_connect_http_port(geoclue_t)
++corenet_tcp_connect_http_cache_port(geoclue_t)
+
+corecmd_exec_bin(geoclue_t)
+
@@ -48639,7 +48643,7 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..2bd8062 100644
+index afd2fad..00557d0 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -48926,7 +48930,7 @@ index afd2fad..2bd8062 100644
')
optional_policy(`
-@@ -264,10 +161,16 @@ optional_policy(`
+@@ -264,10 +161,17 @@ optional_policy(`
')
optional_policy(`
@@ -48940,10 +48944,11 @@ index afd2fad..2bd8062 100644
+')
+
+optional_policy(`
++ nagios_append_spool(system_mail_t)
nagios_read_tmp_files(system_mail_t)
')
-@@ -278,6 +181,19 @@ optional_policy(`
+@@ -278,6 +182,19 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -48963,7 +48968,7 @@ index afd2fad..2bd8062 100644
')
optional_policy(`
-@@ -293,42 +209,36 @@ optional_policy(`
+@@ -293,42 +210,36 @@ optional_policy(`
')
optional_policy(`
@@ -49016,7 +49021,7 @@ index afd2fad..2bd8062 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +247,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +248,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -49065,7 +49070,7 @@ index afd2fad..2bd8062 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -378,6 +274,17 @@ optional_policy(`
+@@ -378,6 +275,17 @@ optional_policy(`
')
optional_policy(`
@@ -49083,7 +49088,7 @@ index afd2fad..2bd8062 100644
postfix_rw_inherited_master_pipes(mailserver_delivery)
')
-@@ -387,24 +294,177 @@ optional_policy(`
+@@ -387,24 +295,177 @@ optional_policy(`
########################################
#
@@ -51168,7 +51173,7 @@ index d78dfc3..1c81436 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
-index 0641e97..d7d9a79 100644
+index 0641e97..cad402c 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
@@ -51273,13 +51278,32 @@ index 0641e97..d7d9a79 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -132,13 +125,14 @@ interface(`nagios_search_spool',`
+@@ -132,13 +125,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
++')
++
++########################################
++## <summary>
++## Append nagios spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`nagios_append_spool',`
++ gen_require(`
++ type nagios_spool_t;
++ ')
++
++ allow $1 nagios_spool_t:file append_file_perms;
++ files_search_spool($1)
')
########################################
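Review bot: `nagios_append_spool` grants append on `nagios_spool_t` files and search on `var_spool_t` via `files_search_spool($1)`, but not search on the `nagios_spool_t` directory itself, so if the nagios spool directory carries that type the caller still cannot reach `dead.letter` inside it. The sibling `nagios_search_spool` just above includes `allow $1 nagios_spool_t:dir search_dir_perms;` for exactly this reason; the usual refpolicy form `append_files_pattern($1, nagios_spool_t, nagios_spool_t)` covers the directory search and the file append in one line.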
@@ -51290,17 +51314,18 @@ index 0641e97..d7d9a79 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',`
+@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
- files_search_tmp($1)
allow $1 nagios_tmp_t:file read_file_perms;
+ files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Execute nrpe with a domain transition.
+## Allow the specified domain to read
+## nagios temporary files.
+## </summary>
@@ -51317,17 +51342,16 @@ index 0641e97..d7d9a79 100644
+
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
+ files_search_tmp($1)
- ')
-
- ########################################
- ## <summary>
--## Execute nrpe with a domain transition.
++')
++
++########################################
++## <summary>
+## Execute the nagios NRPE with
+## a domain transition.
## </summary>
## <param name="domain">
## <summary>
-@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',`
+@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
@@ -51344,7 +51368,7 @@ index 0641e97..d7d9a79 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',`
+@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',`
## </param>
## <param name="role">
## <summary>
@@ -53614,10 +53638,10 @@ index 0000000..d6de5b6
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
diff --git a/nova.if b/nova.if
new file mode 100644
-index 0000000..28936b4
+index 0000000..ce897e2
--- /dev/null
+++ b/nova.if
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,59 @@
+## <summary>openstack-nova</summary>
+
+######################################
@@ -53667,7 +53691,9 @@ index 0000000..28936b4
+
+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
-+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
++ manage_lnk_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
++ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
++ fs_tmpfs_filetrans(nova_$1_t, nova_$1_tmp_t, { lnk_file file dir })
+ can_exec(nova_$1_t, nova_$1_tmp_t)
+
+ kernel_read_system_state(nova_$1_t)
@@ -74248,7 +74274,7 @@ index cd51b96..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 76f5b39..8bb80a2 100644
+index 76f5b39..f7670b2 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -74261,7 +74287,7 @@ index 76f5b39..8bb80a2 100644
type qpidd_tmpfs_t;
files_tmpfs_file(qpidd_tmpfs_t)
-@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
+@@ -33,41 +36,54 @@ allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket { accept listen };
allow qpidd_t self:unix_stream_socket { accept listen };
@@ -74288,6 +74314,8 @@ index 76f5b39..8bb80a2 100644
kernel_read_system_state(qpidd_t)
-corenet_all_recvfrom_unlabeled(qpidd_t)
++auth_read_passwd(qpidd_t)
++
corenet_all_recvfrom_netlabel(qpidd_t)
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
@@ -75953,7 +75981,7 @@ index 951db7f..c0cabe8 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index 2c1730b..aa0ff54 100644
+index 2c1730b..fe05f23 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t;
@@ -75975,7 +76003,7 @@ index 2c1730b..aa0ff54 100644
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
-@@ -25,43 +37,68 @@ dev_associate(mdadm_var_run_t)
+@@ -25,43 +37,72 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -76015,6 +76043,10 @@ index 2c1730b..aa0ff54 100644
kernel_request_load_module(mdadm_t)
kernel_rw_software_raid_state(mdadm_t)
+kernel_setsched(mdadm_t)
++kernel_dontaudit_setsched(mdadm_t)
++kernel_signal(mdadm_t)
++kernel_signull(mdadm_t)
++kernel_stream_connect(mdadm_t)
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
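Review bot: `kernel_dontaudit_setsched(mdadm_t)` is added directly under `kernel_setsched(mdadm_t)`, which this file already applies, and an allow plus a dontaudit on the same permission is redundant, so one of them should go: keep the allow if mdadm really needs to change the priority of kernel threads, otherwise drop it and keep only the dontaudit. The hunk also adds `kernel_signal(mdadm_t)` and `kernel_stream_connect(mdadm_t)`, which go beyond the signull the changelog describes; `kernel_signal` permits sending arbitrary signals to kernel threads, so if only the existence check on the early-boot mdadm process is needed, `kernel_signull(mdadm_t)` alone is sufficient.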
@@ -76053,7 +76085,7 @@ index 2c1730b..aa0ff54 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +107,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +111,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -76075,7 +76107,7 @@ index 2c1730b..aa0ff54 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -89,17 +131,38 @@ optional_policy(`
+@@ -89,17 +135,38 @@ optional_policy(`
')
optional_policy(`
@@ -101169,7 +101201,7 @@ index c30da4c..9ccc90c 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..d179539 100644
+index 9dec06c..c43ef2e 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -102218,7 +102250,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +695,266 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@@ -102367,6 +102399,7 @@ index 9dec06c..d179539 100644
+ manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+ manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+ manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
++ allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };
+')
+
+#######################################
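Review bot: The added `allow $1 svirt_sandbox_file_t:dir_file_class_set { relabelfrom relabelto };` puts a relabel grant into what appears to be a manage-style interface (its header is outside the hunk), so every existing caller of that interface silently gains the ability to relabel any file class to and from `svirt_sandbox_file_t`. Refpolicy convention keeps relabel in its own `*_relabel_*` interface; consider moving the line into a dedicated relabel interface for sandbox files and calling that only from the domain whose denial prompted it.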
@@ -102506,7 +102539,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -935,19 +961,17 @@ interface(`virt_read_log',`
+@@ -935,19 +962,17 @@ interface(`virt_read_log',`
## </summary>
## </param>
#
@@ -102530,7 +102563,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -955,20 +979,17 @@ interface(`virt_append_log',`
+@@ -955,20 +980,17 @@ interface(`virt_append_log',`
## </summary>
## </param>
#
@@ -102555,7 +102588,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -976,18 +997,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +998,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
@@ -102578,7 +102611,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +1015,57 @@ interface(`virt_search_images',`
+@@ -995,36 +1016,57 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
@@ -102655,7 +102688,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,20 +1073,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1074,28 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -102691,7 +102724,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',`
## </summary>
## </param>
#
@@ -102839,7 +102872,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@@ -102913,7 +102946,7 @@ index 9dec06c..d179539 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1136,50 +1299,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c83599c..b196087 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 180%{?dist}
+Release: 181%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Aug 20 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-181
+- Allow docker lots more access.
+- Added interface kernel_dontaudit_setsched
+- Added interface kernel_signull
+- Allow qpid to read passwd files BZ (#1130086)
+- Allow sendmail to append dead.letter located in var/spool/nagios/dead.letter.
+- Allow mdadm to seng signull kernel_t which is proces type of mdadm on early boot.
+- geoclue needs to connect to http and http_cache ports
+
* Tue Aug 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-180
- label /usr/libexec/cockpit-agent as shell_exec_t
- sysadm_t should be allowed to communicate with networkmanager