[selinux-policy/f20] * Thu Sep 25 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-187 - Allow all domains to read fonts - A

Lukas Vrabec lvrabec at fedoraproject.org
Thu Sep 25 15:23:23 UTC 2014


commit 8fa97e617d652f64421d35b5e13fef18bcc5b1b2
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Thu Sep 25 17:23:08 2014 +0200

    * Thu Sep 25 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-187
    - Allow all domains to read fonts
    - Add fixes for pki-tomcat scriptlet handling.
    - setfscreate in pki.te is not a capability-class permission.

 policy-f20-base.patch    |   29 +++++++++++++++++------------
 policy-f20-contrib.patch |   22 ++++++++++++----------
 selinux-policy.spec      |    7 ++++++-
 3 files changed, 35 insertions(+), 23 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 21f9083..44de1f4 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -9024,7 +9024,7 @@ index 6a1e4d1..1b9b0b5 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..97237ca 100644
+index cf04cb5..a290c56 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9124,7 +9124,7 @@ index cf04cb5..97237ca 100644
  
  ifdef(`hide_broken_symptoms',`
  	# This check is in the general socket
-@@ -121,8 +174,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +174,19 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
@@ -9140,10 +9140,11 @@ index cf04cb5..97237ca 100644
 +optional_policy(`
 +	miscfiles_read_localization(domain)
 +	miscfiles_read_man_pages(domain)
++	miscfiles_read_fonts(domain)
  ')
  
  optional_policy(`
-@@ -133,6 +196,9 @@ optional_policy(`
+@@ -133,6 +197,9 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
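Review bot: The added `miscfiles_read_fonts(domain)` grants font read access to every domain in the policy, including confined service domains that never load fontconfig, and nothing in domain.te records why; the only justification is the changelog bullet. A why-comment above the call, `# fontconfig/freetype are pulled in by many confined domains; see BZ(#<bug id placeholder>)` naming the bug that motivated it, would keep this policy-wide broadening auditable later. The hunk-header count change (+174,18 to +174,19) matches the single added line. The enclosing optional_policy block opens on the `+optional_policy(` line in this hunk, so the placement next to the localization and man-page grants is consistent.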
@@ -9153,7 +9154,7 @@ index cf04cb5..97237ca 100644
  ')
  
  ########################################
-@@ -147,12 +213,18 @@ optional_policy(`
+@@ -147,12 +214,18 @@ optional_policy(`
  # Use/sendto/connectto sockets created by any domain.
  allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  
@@ -9173,7 +9174,7 @@ index cf04cb5..97237ca 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,340 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +239,340 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -22977,15 +22978,16 @@ index 5fc0391..980e658 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..b79dbb4 100644
+index d1f64a0..696dd0e 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,35 @@
+@@ -2,13 +2,36 @@
  # HOME_DIR
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
 +HOME_DIR/\.fonts\.d(/.*)?	gen_context(system_u:object_r:user_fonts_config_t,s0)
  HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
++HOME_DIR/\.local/share/fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
 +HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
  HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
  HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:user_fonts_cache_t,s0)
@@ -23016,7 +23018,7 @@ index d1f64a0..b79dbb4 100644
  
  #
  # /dev
-@@ -22,13 +44,21 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -22,13 +45,21 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  /etc/gdm(3)?/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/gdm(3)?/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  
@@ -23039,7 +23041,7 @@ index d1f64a0..b79dbb4 100644
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +77,34 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
  
@@ -23083,7 +23085,7 @@ index d1f64a0..b79dbb4 100644
  
  /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
  
-@@ -92,25 +130,51 @@ ifndef(`distro_debian',`
+@@ -92,25 +131,51 @@ ifndef(`distro_debian',`
  
  /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -23141,7 +23143,7 @@ index d1f64a0..b79dbb4 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..0d55916 100644
+index 6bf0ecc..30ca475 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -24125,7 +24127,7 @@ index 6bf0ecc..0d55916 100644
  ')
  
  ########################################
-@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1679,646 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -24644,6 +24646,9 @@ index 6bf0ecc..0d55916 100644
 +	userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
 +	userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
 +	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
++	optional_policy(`
++		gnome_data_filetrans($1, user_fonts_t, dir, "fonts")
++	')
 +	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +	filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
 +	files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
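Review bot: The nested `gnome_data_filetrans($1, user_fonts_t, dir, "fonts")` assumes an interface with that name and argument order is declared in the contrib gnome.if, which is not part of this commit; if it is missing or its arity differs, the build only fails once the base and contrib patches are applied together, so that declaration should be confirmed before merging. Wrapping the call in optional_policy is the right guard given that gnome is a contrib module. The transition pairs with the new `HOME_DIR/\.local/share/fonts(/.*)?` entry in xserver.fc earlier in this diff, so on-creation labelling and restorecon agree, which is the right approach. The interface this block belongs to starts outside the hunk.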
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index bd19ccb..35aa4a1 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -41017,7 +41017,7 @@ index 7bab8e5..36ced41 100644
  logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..aea48db 100644
+index 4256a4c..9125f9f 100644
 --- a/logwatch.te
 +++ b/logwatch.te
 @@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
@@ -41062,12 +41062,13 @@ index 4256a4c..aea48db 100644
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
  fs_list_inotifyfs(logwatch_t)
  
-@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +102,14 @@ libs_read_lib_files(logwatch_t)
  logging_read_all_logs(logwatch_t)
  logging_send_syslog_msg(logwatch_t) 
  
 -miscfiles_read_localization(logwatch_t)
--
++miscfiles_read_hwdata(logwatch_t)
+ 
  selinux_dontaudit_getattr_dir(logwatch_t)
  
  sysnet_exec_ifconfig(logwatch_t)
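Review bot: The new `miscfiles_read_hwdata(logwatch_t)` line is not mentioned in the commit message or in the spec changelog, which list only the fonts, pki-tomcat and setfscreate changes; add a bullet such as `- Allow logwatch to read hwdata` so the grant is traceable. The dropped `miscfiles_read_localization(logwatch_t)` is presumably covered by the domain-wide `miscfiles_read_localization(domain)` call visible in the base patch above, so its removal looks safe, but that should be confirmed against domain.te. The new-side count in the hunk header (+102,14) matches the two lines added here.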
@@ -41077,7 +41078,7 @@ index 4256a4c..aea48db 100644
  
  mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
  mta_getattr_spool(logwatch_t)
-@@ -137,6 +146,12 @@ optional_policy(`
+@@ -137,6 +148,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41090,7 +41091,7 @@ index 4256a4c..aea48db 100644
  	rpc_search_nfs_state_data(logwatch_t)
  ')
  
-@@ -145,6 +160,13 @@ optional_policy(`
+@@ -145,6 +162,13 @@ optional_policy(`
  	samba_read_share_files(logwatch_t)
  ')
  
@@ -41104,7 +41105,7 @@ index 4256a4c..aea48db 100644
  ########################################
  #
  # Mail local policy
-@@ -164,6 +186,19 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +188,19 @@ dev_read_sysfs(logwatch_mail_t)
  
  logging_read_all_logs(logwatch_mail_t)
  
@@ -64127,10 +64128,10 @@ index 0000000..b975b85
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..47fb375
+index 0000000..393d4be
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,292 @@
+@@ -0,0 +1,293 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -64205,9 +64206,9 @@ index 0000000..47fb375
 +# pki-tomcat local policy
 +#
 +
-+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid };
 +dontaudit  pki_tomcat_t self:capability net_admin;
-+allow pki_tomcat_t self:process { signal setsched signull execmem };
++allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
 +
 +allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
 +allow pki_tomcat_t self:tcp_socket { accept listen };
@@ -64218,6 +64219,7 @@ index 0000000..47fb375
 +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
 +manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
 +manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
++allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms;
 +
 +manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
 +manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
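Review bot: `allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelfrom_file_perms;` covers only the source side of a relabel; the kernel also checks relabelto on the destination type, and no relabelto grant is visible in this hunk, so the scriptlet's relabel may still be denied. If the files are relabelled within the same type, add `allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabelto_file_perms;` next to it; if they are relabelled to another type, grant relabelto on that type instead and name it in a comment above the rule. The `setfscreate` moved into the process class in the previous hunk is the matching fix for the file-creation side of the same scriptlet. The pki-tomcat local policy block continues outside the hunk.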
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8fdf541..46ab30e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 186%{?dist}
+Release: 187%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Sep 25 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-187
+- Allow all domains to read fonts
+- Add fixes for pki-tomcat scriptlet handling.
+- setfscreate in pki.te is not capability class.
+
 * Mon Sep 22 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-186
 - Allow locate to look at files/directories without labels, and chr_file and blk_file on non dev file systems
 - Allow sensord read in /proc BZ(#1143799)

