[selinux-policy/f20] * Tue Sep 30 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-188 - Allow collectd sys_ptrace and dac_o

Lukas Vrabec lvrabec at fedoraproject.org
Tue Sep 30 07:17:11 UTC 2014


commit 67e89c0c9d4c71b5db29080cfcb34c72d384d388
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Tue Sep 30 09:16:55 2014 +0200

    * Tue Sep 30 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-188
    - Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes.
    - Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket.
    - Allow user mail domains to create dead.letter.
    - Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
    - Allow pki-tomcat to change SELinux object identity.
    - Allow programs to use pam to search through xdm_tmp_t dirs. BZ (#1122013)

 policy-f20-base.patch    |   50 ++++++++++++++++++++++++---------------------
 policy-f20-contrib.patch |   25 ++++++++++++-----------
 selinux-policy.spec      |   10 ++++++++-
 3 files changed, 49 insertions(+), 36 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 44de1f4..073f600 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -26503,7 +26503,7 @@ index 28ad538..ed25543 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..c6007d1 100644
+index 3efd5b6..3accfe3 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -26545,7 +26545,7 @@ index 3efd5b6..c6007d1 100644
  	optional_policy(`
  		dbus_system_bus_client($1)
  
-@@ -78,8 +89,19 @@ interface(`auth_use_pam',`
+@@ -78,8 +89,23 @@ interface(`auth_use_pam',`
  	')
  
  	optional_policy(`
@@ -26562,10 +26562,14 @@ index 3efd5b6..c6007d1 100644
 +		systemd_write_inherited_logind_sessions_pipes($1)
 +		systemd_read_logind_sessions_files($1)
 +	')
++
++    optional_policy(`
++        xserver_search_xdm_tmp_dirs($1)
++    ')
  ')
  
  ########################################
-@@ -95,48 +117,20 @@ interface(`auth_use_pam',`
+@@ -95,48 +121,20 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
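Review bot: The three added lines wrapping `xserver_search_xdm_tmp_dirs($1)` are indented with four spaces, while the rest of authlogin.if and the adjacent added lines (`systemd_read_logind_sessions_files($1)`) use tabs; retab them so the interface does not mix styles: `\toptional_policy(\`` / `\t\txserver_search_xdm_tmp_dirs($1)` / `\t')`. Because `auth_use_pam` is pulled in by every PAM-using domain, this grants all of them search on xdm_tmp_t directories rather than only the domain reported in BZ 1122013; the changelog suggests that is intended, but a one-line comment above the block, `# BZ 1122013: pam modules need to search xdm_tmp_t dirs`, would record it. The body of `auth_use_pam` starts and ends outside this hunk.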
@@ -26619,7 +26623,7 @@ index 3efd5b6..c6007d1 100644
  
  	mls_file_read_all_levels($1)
  	mls_file_write_all_levels($1)
-@@ -146,18 +140,43 @@ interface(`auth_login_pgm_domain',`
+@@ -146,18 +144,43 @@ interface(`auth_login_pgm_domain',`
  	mls_fd_share_all_levels($1)
  
  	auth_use_pam($1)
@@ -26671,7 +26675,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -231,6 +250,25 @@ interface(`auth_domtrans_login_program',`
+@@ -231,6 +254,25 @@ interface(`auth_domtrans_login_program',`
  
  ########################################
  ## <summary>
@@ -26697,7 +26701,7 @@ index 3efd5b6..c6007d1 100644
  ##	Execute a login_program in the target domain,
  ##	with a range transition.
  ## </summary>
-@@ -322,6 +360,24 @@ interface(`auth_rw_cache',`
+@@ -322,6 +364,24 @@ interface(`auth_rw_cache',`
  
  ########################################
  ## <summary>
@@ -26722,7 +26726,7 @@ index 3efd5b6..c6007d1 100644
  ##	Manage authentication cache
  ## </summary>
  ## <param name="domain">
-@@ -402,6 +458,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -402,6 +462,8 @@ interface(`auth_domtrans_chk_passwd',`
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  	')
@@ -26731,7 +26735,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -428,6 +486,24 @@ interface(`auth_domtrans_chkpwd',`
+@@ -428,6 +490,24 @@ interface(`auth_domtrans_chkpwd',`
  
  ########################################
  ## <summary>
@@ -26756,7 +26760,7 @@ index 3efd5b6..c6007d1 100644
  ##	Execute chkpwd programs in the chkpwd domain.
  ## </summary>
  ## <param name="domain">
-@@ -448,6 +524,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +528,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -26782,7 +26786,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -467,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +566,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -26790,7 +26794,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -664,6 +758,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +762,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -26801,7 +26805,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  #######################################
-@@ -763,7 +861,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +865,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -26853,7 +26857,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  #######################################
-@@ -824,9 +965,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +969,29 @@ interface(`auth_rw_lastlog',`
  	allow $1 lastlog_t:file { rw_file_perms lock setattr };
  ')
  
@@ -26884,7 +26888,7 @@ index 3efd5b6..c6007d1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -834,12 +995,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +999,27 @@ interface(`auth_rw_lastlog',`
  ##	</summary>
  ## </param>
  #
@@ -26915,7 +26919,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -854,15 +1030,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1034,15 @@ interface(`auth_domtrans_pam',`
  #
  interface(`auth_signal_pam',`
  	gen_require(`
@@ -26934,7 +26938,7 @@ index 3efd5b6..c6007d1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -875,13 +1051,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1055,33 @@ interface(`auth_signal_pam',`
  ##	</summary>
  ## </param>
  #
@@ -26972,7 +26976,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -959,9 +1155,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1159,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -27006,7 +27010,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -1040,6 +1257,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1261,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -27017,7 +27021,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -1176,6 +1397,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1401,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -27025,7 +27029,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  #######################################
-@@ -1576,6 +1798,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1802,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -27051,7 +27055,7 @@ index 3efd5b6..c6007d1 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1726,24 +1967,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1971,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -27077,7 +27081,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -1767,11 +1991,17 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1995,17 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -27098,7 +27102,7 @@ index 3efd5b6..c6007d1 100644
  ')
  
  ########################################
-@@ -1805,3 +2035,262 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2039,262 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 35aa4a1..0a36fae 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -14008,7 +14008,7 @@ index 954309e..f4db2ca 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..6ade0ea 100644
+index 6471fa8..f8b4a5b 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,18 +26,27 @@ files_type(collectd_var_lib_t)
@@ -14029,7 +14029,7 @@ index 6471fa8..6ade0ea 100644
  #
  
 -allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_admin sys_nice };
++allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override };
  allow collectd_t self:process { getsched setsched signal };
  allow collectd_t self:fifo_file rw_fifo_file_perms;
  allow collectd_t self:packet_socket create_socket_perms;
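Review bot: `dac_override` on the new `allow collectd_t self:capability` line is broader than the stated need; reading another process's `/proc/<pid>/io` is a read of a mode-0400 file, which the narrower `dac_read_search` capability covers, whereas `dac_override` also bypasses DAC write checks on every file collectd_t can otherwise reach. Unless an AVC denial shows an actual write, prefer `allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_read_search };`. `sys_ptrace` is presumably required by the kernel's ptrace-mode access check on `/proc/<pid>/io` rather than for tracing; a comment such as `# sys_ptrace/dac_read_search: read /proc/<pid>/io of other processes` would keep a later reviewer from widening or trimming the set blindly.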
@@ -48783,7 +48783,7 @@ index ed81cac..837a43a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..459c46a 100644
+index afd2fad..21904e5 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -49239,7 +49239,7 @@ index afd2fad..459c46a 100644
  	postfix_rw_inherited_master_pipes(mailserver_delivery)
  ')
  
-@@ -387,24 +299,177 @@ optional_policy(`
+@@ -387,24 +299,176 @@ optional_policy(`
  
  ########################################
  #
@@ -49306,8 +49306,7 @@ index afd2fad..459c46a 100644
 +allow user_mail_domain self:fifo_file rw_fifo_file_perms;
 +allow user_mail_domain mta_exec_type:file entrypoint;
 +
-+append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
-+read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
++manage_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
 +
 +manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
 +manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
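Review bot: Replacing `append_files_pattern`/`read_files_pattern` with `manage_files_pattern` on `mail_home_t` grants user_mail_domain write, setattr, rename and unlink on every file of that type, which is more than the changelog's "create dead.letter" requires. If creation is the only missing permission, keep the two original lines and add `create_files_pattern(user_mail_domain, mail_home_t, mail_home_t)`; widen further only if denials show it. The file transition that labels a newly created dead.letter as mail_home_t is not in this hunk and is presumably provided elsewhere, which is worth confirming.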
@@ -64128,10 +64127,10 @@ index 0000000..b975b85
 +')
 diff --git a/pki.te b/pki.te
 new file mode 100644
-index 0000000..393d4be
+index 0000000..8c56062
 --- /dev/null
 +++ b/pki.te
-@@ -0,0 +1,293 @@
+@@ -0,0 +1,294 @@
 +policy_module(pki,10.0.11)
 +
 +########################################
@@ -64164,6 +64163,7 @@ index 0000000..393d4be
 +miscfiles_cert_type(pki_tomcat_cert_t)
 +
 +tomcat_domain_template(pki_tomcat)
++domain_obj_id_change_exemption(pki_tomcat_t)
 +
 +type pki_tomcat_unit_file_t;
 +systemd_unit_file(pki_tomcat_unit_file_t)
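Review bot: The added `domain_obj_id_change_exemption(pki_tomcat_t)` carries no comment saying which operation needed it; the interface exempts the domain from the constraint that stops a process from creating or relabeling objects under a different SELinux identity, which is a wide exemption for a network-facing tomcat domain. A one-line comment above it, `# object identity change exemption needed for <operation from the constraint denial>`, would let a later reviewer judge whether a narrower rule has become available. pki.te is a new file whose body continues outside this hunk.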
@@ -68841,7 +68841,7 @@ index cd8b8b9..6c73980 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index b2b5dba..e71e924 100644
+index b2b5dba..96d835a 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -1,4 +1,4 @@
@@ -68940,7 +68940,7 @@ index b2b5dba..e71e924 100644
 -allow pppd_t self:netlink_route_socket nlmsg_write;
 -allow pppd_t self:tcp_socket { accept listen };
 +allow pppd_t self:unix_dgram_socket create_socket_perms;
-+allow pppd_t self:unix_stream_socket create_socket_perms;
++allow pppd_t self:unix_stream_socket { connectto create_socket_perms };
 +allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow pppd_t self:tcp_socket create_stream_socket_perms;
 +allow pppd_t self:udp_socket { connect connected_socket_perms };
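Review bot: `connectto` on `pppd_t self:unix_stream_socket` only permits connecting to stream sockets whose listening process is itself in `pppd_t`; if the sstpc service listening on the `/run/sstpc/sstpc-nm-sstp-service-*` socket runs in another domain, the needed permissions are `connectto` toward that domain plus `sock_file write` on the socket's file type, normally provided through that module's `*_stream_connect` interface, and this self rule will not resolve the denial. Worth confirming against the original AVC which target domain and socket file type were reported. If the self rule is what the denial showed, a comment such as `# connect to the sstpc-nm-sstp-service socket` would record why it is there.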
@@ -75655,7 +75655,7 @@ index 2c3d338..7d49554 100644
  	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..a0f44a4 100644
+index 3698b51..a904ad9 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
 @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0)
@@ -75689,7 +75689,7 @@ index 3698b51..a0f44a4 100644
  type rabbitmq_var_log_t;
  logging_log_file(rabbitmq_var_log_t)
  
-@@ -27,80 +31,81 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,80 +31,82 @@ files_pid_file(rabbitmq_var_run_t)
  
  ######################################
  #
@@ -75721,6 +75721,7 @@ index 3698b51..a0f44a4 100644
 -domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
 +manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
 +manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
 +files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
  
 -kernel_read_system_state(rabbitmq_beam_t)
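Review bot: `manage_lnk_files_pattern` grants create, rename and unlink on `rabbitmq_var_lib_t` symlinks, while the changelog (BZ 1147028) only asks for reading them; `read_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)` is the matching narrower rule. The wider form is consistent with the dir and file rules above it, so if rabbitmq does create symlinks under /var/lib/rabbitmq it can stay, but then the `files_var_lib_filetrans` line below it should presumably also list `lnk_file` so that symlinks it creates directly in /var/lib get the right label; that depends on where the links are created, which the hunk does not show.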
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2f242bf..58e5b35 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 187%{?dist}
+Release: 188%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -582,6 +582,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Sep 30 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-188
+- Allow collectd sys_ptrace and dac_override caps because of reading of /proc/%i/io for several processes.
+- Allow pppd to connect to /run/sstpc/sstpc-nm-sstp-service-28025 over unix stream socket.
+- ALlow user mail domains to create dead.letter.
+- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
+- Allow pki-tomcat to change SELinux object identity.
+- Allow programs to use pam to search through xdm_tmp_t dires. BZ (#1122013)
+
 * Thu Sep 25 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-187
 - Allow all domains to read fonts
 - Add fixes for pki-tomcat scriptlet handling.

