[selinux-policy/f20] * Tue Oct 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-190 - Add support for /etc/.updated and /
Lukas Vrabec
lvrabec at fedoraproject.org
Tue Oct 14 09:59:44 UTC 2014
commit 8f0d7175774c41221294c51e80c8e3931c9b306f
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Tue Oct 14 11:59:24 2014 +0200
* Tue Oct 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-190
- Add support for /etc/.updated and /var/.updated
- Allow dnssec_trigger_t to execute unbound-control in own domain.
- Allow neutron connections to system dbus.
- Add support for the /var/lib/swift directory.
- Allow nova-scheduler to read certs.
- Allow openvpn to access /sys/fs/cgroup dir.
- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn work with systemd
- Allow sanlock to send a signal to virtd_t.
- Allow the antivirus domain to read all kernel sysctls.
- Allow mandb to getattr on file systems
- Add support for /etc/.updated and /var/.updated
- Allow iptables read fail2ban logs. BZ (1147709)
policy-f20-base.patch | 46 +++++-----
policy-f20-contrib.patch | 223 ++++++++++++++++++++++++++--------------------
selinux-policy.spec | 16 +++-
3 files changed, 168 insertions(+), 117 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 2716abe..caa9692 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -9516,7 +9516,7 @@ index cf04cb5..a290c56 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..7996499 100644
+index c2c6e05..1a210d2 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9536,7 +9536,7 @@ index c2c6e05..7996499 100644
/boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>>
/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
-@@ -38,13 +39,13 @@ ifdef(`distro_suse',`
+@@ -38,27 +39,32 @@ ifdef(`distro_suse',`
#
# /emul
#
@@ -9551,8 +9551,9 @@ index c2c6e05..7996499 100644
+/etc gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -52,13 +53,17 @@ ifdef(`distro_suse',`
+ /etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9575,7 +9576,7 @@ index c2c6e05..7996499 100644
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-@@ -70,7 +75,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +76,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9587,7 +9588,7 @@ index c2c6e05..7996499 100644
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', `
+@@ -78,10 +87,6 @@ ifdef(`distro_gentoo', `
/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -9598,7 +9599,7 @@ index c2c6e05..7996499 100644
ifdef(`distro_suse',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.* <<none>>
+@@ -104,7 +109,7 @@ HOME_ROOT/lost\+found/.* <<none>>
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
@@ -9607,16 +9608,17 @@ index c2c6e05..7996499 100644
#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-@@ -129,6 +133,8 @@ ifdef(`distro_debian',`
+@@ -129,6 +134,9 @@ ifdef(`distro_debian',`
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <<none>>
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
+/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
+/var/run/media/.* <<none>>
++/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0)
#
# /misc
-@@ -150,10 +156,10 @@ ifdef(`distro_debian',`
+@@ -150,10 +158,10 @@ ifdef(`distro_debian',`
#
# /opt
#
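Review bot: The new `/var/\.updated` entry on the `++` line is filed under the `# /media` block of files.fc, between `/var/run/media/.* <<none>>` and the `# /misc` header, while the file has its own `# /var` section further down (the block that starts with `/var/.* gen_context(system_u:object_r:var_t,s0)` in a later hunk of this same patch). As far as I can tell this does not change labeling, since the installed file_contexts is sorted by specificity at build time rather than taken in source order, but the next person looking for the rule will look next to the other `/var` entries. Suggest moving the unchanged line `/var/\.updated -- gen_context(system_u:object_r:etc_runtime_t,s0)` to sit beside `/var/\.journal <<none>>` in the `/var` section.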
@@ -9629,7 +9631,7 @@ index c2c6e05..7996499 100644
#
# /proc
-@@ -161,6 +167,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +169,12 @@ ifdef(`distro_debian',`
/proc -d <<none>>
/proc/.* <<none>>
@@ -9642,7 +9644,7 @@ index c2c6e05..7996499 100644
#
# /run
#
-@@ -169,6 +181,7 @@ ifdef(`distro_debian',`
+@@ -169,6 +183,7 @@ ifdef(`distro_debian',`
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
@@ -9650,7 +9652,7 @@ index c2c6e05..7996499 100644
#
# /selinux
#
-@@ -178,13 +191,14 @@ ifdef(`distro_debian',`
+@@ -178,13 +193,14 @@ ifdef(`distro_debian',`
#
# /srv
#
@@ -9667,7 +9669,7 @@ index c2c6e05..7996499 100644
/tmp/.* <<none>>
/tmp/\.journal <<none>>
-@@ -194,9 +208,10 @@ ifdef(`distro_debian',`
+@@ -194,9 +210,10 @@ ifdef(`distro_debian',`
#
# /usr
#
@@ -9679,7 +9681,7 @@ index c2c6e05..7996499 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -204,15 +219,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +221,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -9696,7 +9698,7 @@ index c2c6e05..7996499 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -220,8 +229,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +231,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
@@ -9705,7 +9707,7 @@ index c2c6e05..7996499 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -229,7 +236,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +238,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@@ -9714,7 +9716,7 @@ index c2c6e05..7996499 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
-@@ -237,11 +244,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +246,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -9741,7 +9743,7 @@ index c2c6e05..7996499 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
-@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +279,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
@@ -9756,14 +9758,14 @@ index c2c6e05..7996499 100644
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
-@@ -270,3 +293,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +295,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..51cce06 100644
+index 64ff4d7..1e53061 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12833,7 +12835,7 @@ index 64ff4d7..51cce06 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6501,64 +7857,887 @@ interface(`files_spool_filetrans',`
+@@ -6501,64 +7857,889 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -13623,6 +13625,7 @@ index 64ff4d7..51cce06 100644
+ files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
+ files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
+ files_etc_filetrans($1, etc_t, file, "hwdb.bin")
++ files_etc_filetrans_etc_runtime($1, file, ".updated")
+ files_etc_filetrans_etc_runtime($1, file, "runtime")
+ files_etc_filetrans_etc_runtime($1, dir, "blkid")
+ files_etc_filetrans_etc_runtime($1, dir, "cmtab")
@@ -13636,7 +13639,8 @@ index 64ff4d7..51cce06 100644
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+ files_var_filetrans($1, tmp_t, dir, "tmp")
-+ files_var_filetrans($1, var_run_t, dir, "run")
++ files_var_filetrans($1, var_run_t, dir, "run")
++ files_var_filetrans($1, etc_runtime_t, file, ".updated")
+')
+
+########################################
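Review bot: The `-+`/`++` pair around `files_var_filetrans($1, var_run_t, dir, "run")` reads as identical text here, so that part of the hunk is most likely whitespace-only churn (tab vs. space or trailing whitespace) that hides the one real addition; it should be dropped so only the new line remains. The real addition, `files_var_filetrans($1, etc_runtime_t, file, ".updated")`, agrees with the new `/var/\.updated` file context, but it names `etc_runtime_t` directly whereas the neighbouring `.updated` transition for /etc goes through `files_etc_filetrans_etc_runtime`. The interface being extended starts outside this hunk, so I cannot see whether its `gen_require` already lists `etc_runtime_t`; if it does not, that needs adding alongside this rule.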
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 62645bb..993e74a 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -2973,10 +2973,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..8cc6120
+index 0000000..6d1de2c
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,271 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -3082,11 +3082,9 @@ index 0000000..8cc6120
+
+can_exec(antivirus_domain, antivirus_exec_t)
+
-+kernel_read_network_state(antivirus_t)
-+kernel_read_net_sysctls(antivirus_t)
-+kernel_read_kernel_sysctls(antivirus_domain)
-+kernel_read_sysctl(antivirus_domain)
-+kernel_read_system_state(antivirus_t)
++kernel_read_network_state(antivirus_domain)
++kernel_read_system_state(antivirus_domain)
++kernel_read_all_sysctls(antivirus_domain)
+
+corecmd_exec_bin(antivirus_domain)
+corecmd_exec_shell(antivirus_domain)
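Review bot: This hunk widens more than the changelog entry ("allow antivirus domain to read all kernel sysctls") describes: besides folding the two sysctl calls into `kernel_read_all_sysctls(antivirus_domain)`, it moves `kernel_read_network_state` and `kernel_read_system_state` from the single `antivirus_t` type to the whole `antivirus_domain` attribute, so every type carrying that attribute now reads generic /proc and network state. All three rules are read-only, so the added exposure is information disclosure rather than privilege gain, but it is still a scope change that the commit message does not mention. If only the sysctl change is intended, keep `kernel_read_network_state(antivirus_t)` and `kernel_read_system_state(antivirus_t)` as they were; if the widening is deliberate, say so in the changelog so growth of the attribute's permissions stays visible.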
@@ -23887,10 +23885,10 @@ index 0000000..a952041
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..c1ab586
+index 0000000..7f0943f
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,59 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -23944,6 +23942,7 @@ index 0000000..c1ab586
+sysnet_manage_config(dnssec_trigger_t)
+
+optional_policy(`
++ bind_domtrans(dnssec_trigger_t)
+ bind_read_config(dnssec_trigger_t)
+ bind_read_dnssec_keys(dnssec_trigger_t)
+')
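Review bot: `bind_domtrans(dnssec_trigger_t)` does not match the changelog wording "execute unbound-control in own domain": by its name and refpolicy convention this interface sets up a domain transition into the bind domain when a bind/unbound executable type is run, so unbound-control would end up running as that domain rather than as dnssec_trigger_t. If running it in the caller's own domain is the intent, the matching rule is an exec-without-transition interface such as `bind_exec(dnssec_trigger_t)`; if the transition is what is wanted, the changelog line should say so instead. The interface body is not part of this diff, so this is based on the name only and is worth confirming against bind.if.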
@@ -42658,10 +42657,10 @@ index 327f3f7..4f61561 100644
+ ')
')
diff --git a/mandb.te b/mandb.te
-index 5a414e0..24f45a8 100644
+index 5a414e0..8fc7de0 100644
--- a/mandb.te
+++ b/mandb.te
-@@ -10,28 +10,52 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,54 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
@@ -42709,6 +42708,8 @@ index 5a414e0..24f45a8 100644
-files_read_etc_files(mandb_t)
+files_search_locks(mandb_t)
+files_dontaudit_search_all_mountpoints(mandb_t)
++
++fs_getattr_all_fs(mandb_t)
miscfiles_manage_man_cache(mandb_t)
+miscfiles_setattr_man_pages(mandb_t)
@@ -53871,10 +53872,10 @@ index 0000000..ce897e2
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..e583610
+index 0000000..564b2db
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,338 @@
+@@ -0,0 +1,340 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -54169,6 +54170,8 @@ index 0000000..e583610
+# unconfined_domain(nova_scheduler_t)
+#')
+
++miscfiles_read_certs(nova_scheduler_t)
++
+#######################################
+#
+# nova vncproxy local policy
@@ -59537,7 +59540,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..fcda1bc 100644
+index 3270ff9..272a34c 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -59640,7 +59643,11 @@ index 3270ff9..fcda1bc 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -118,21 +144,30 @@ files_read_etc_runtime_files(openvpn_t)
+
+ fs_getattr_all_fs(openvpn_t)
+ fs_search_auto_mountpoints(openvpn_t)
++fs_list_cgroup_dirs(openvpn_t)
auth_use_pam(openvpn_t)
@@ -59656,6 +59663,8 @@ index 3270ff9..fcda1bc 100644
sysnet_use_ldap(openvpn_t)
-userdom_use_user_terminals(openvpn_t)
++systemd_passwd_agent_domtrans(openvpn_t)
++
+userdom_use_inherited_user_terminals(openvpn_t)
+userdom_read_home_certs(openvpn_t)
+userdom_attach_admin_tun_iface(openvpn_t)
@@ -59668,7 +59677,7 @@ index 3270ff9..fcda1bc 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -143,6 +175,14 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+@@ -143,6 +178,14 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(openvpn_t)
')
@@ -59683,7 +59692,7 @@ index 3270ff9..fcda1bc 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
-@@ -155,3 +195,27 @@ optional_policy(`
+@@ -155,3 +198,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -74961,10 +74970,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..de82e12 100644
+index 769d1fd..7cc3063 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,176 @@
+@@ -1,96 +1,180 @@
-policy_module(quantum, 1.0.2)
+policy_module(quantum, 1.0.3)
@@ -75060,8 +75069,6 @@ index 769d1fd..de82e12 100644
-files_read_usr_files(quantum_t)
-
-auth_use_nsswitch(quantum_t)
--
--libs_exec_ldconfig(quantum_t)
+allow neutron_t self:capability { dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
@@ -75152,6 +75159,11 @@ index 769d1fd..de82e12 100644
+ corenet_tcp_sendrecv_all_ports(neutron_t)
+')
+-libs_exec_ldconfig(quantum_t)
++optional_policy(`
++ dbus_system_bus_client(neutron_t)
++')
+
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
+optional_policy(`
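Review bot: `dbus_system_bus_client(neutron_t)` only grants connecting to the system bus; sending method calls to a particular service additionally needs a `<service>_dbus_chat(neutron_t)` rule for that service's domain, and none is added here. If the denial that motivated this change was only the bus connect (for example a client library probing for the bus), the hunk is complete; if neutron actually talks to a service, a `dbus send_msg` denial against that service's type will follow, and the fix is the specific chat rule inside this same `optional_policy` block rather than anything broader. The changelog does not say which service is involved, so I cannot tell which case applies.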
@@ -88667,7 +88679,7 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index a34eac4..b144d40 100644
+index a34eac4..c60eacd 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -88801,13 +88813,14 @@ index a34eac4..b144d40 100644
')
optional_policy(`
-@@ -100,7 +117,8 @@ optional_policy(`
+@@ -100,7 +117,9 @@ optional_policy(`
')
optional_policy(`
- virt_kill_all_virt_domains(sanlock_t)
+ virt_kill_svirt(sanlock_t)
+ virt_kill(sanlock_t)
++ virt_signal(sanlock_t)
virt_manage_lib_files(sanlock_t)
- virt_signal_all_virt_domains(sanlock_t)
+ virt_signal_svirt(sanlock_t)
@@ -95943,10 +95956,10 @@ index c6aaac7..84cdcac 100644
sysnet_dns_name_resolve(svnserve_t)
diff --git a/swift.fc b/swift.fc
new file mode 100644
-index 0000000..7e59e7e
+index 0000000..79e43aa
--- /dev/null
+++ b/swift.fc
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,35 @@
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
@@ -95973,6 +95986,8 @@ index 0000000..7e59e7e
+/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
+/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
+
++/var/lib/swift(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
++
+# This seems to be a de-facto standard when using swift.
+/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
+
@@ -101529,7 +101544,7 @@ index c30da4c..9ccc90c 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..c43ef2e 100644
+index 9dec06c..c7a2d97 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -102912,7 +102927,7 @@ index 9dec06c..c43ef2e 100644
########################################
## <summary>
-## Search virt image directories.
-+## Send a signal to virtual machines
++## Send a signal to virtd daemon.
## </summary>
## <param name="domain">
## <summary>
@@ -102921,34 +102936,34 @@ index 9dec06c..c43ef2e 100644
## </param>
#
-interface(`virt_search_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_signal',`
gen_require(`
- attribute virt_image_type;
-+ attribute virt_domain;
++ type virtd_t;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir search_dir_perms;
-+ allow $1 virt_domain:process signal;
++ allow $1 virtd_t:process signal;
')
########################################
## <summary>
-## Read virt image files.
-+## Manage virt home files.
++## Send a signal to virtual machines
## </summary>
## <param name="domain">
## <summary>
-@@ -995,36 +1016,57 @@ interface(`virt_search_images',`
+@@ -995,57 +1016,75 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
-interface(`virt_read_images',`
-+interface(`virt_manage_home_files',`
++interface(`virt_signal_svirt',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-+ type virt_home_t;
++ attribute virt_domain;
')
- virt_search_lib($1)
@@ -102957,8 +102972,7 @@ index 9dec06c..c43ef2e 100644
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, virt_home_t, virt_home_t)
++ allow $1 virt_domain:process signal;
+')
- tunable_policy(`virt_use_nfs',`
@@ -102967,30 +102981,30 @@ index 9dec06c..c43ef2e 100644
- fs_read_nfs_symlinks($1)
+########################################
+## <summary>
-+## allow domain to read
-+## virt tmpfs files
++## Manage virt home files.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain allowed access
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`virt_read_tmpfs_files',`
++interface(`virt_manage_home_files',`
+ gen_require(`
-+ attribute virt_tmpfs_type;
++ type virt_home_t;
')
- tunable_policy(`virt_use_samba',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
-+ allow $1 virt_tmpfs_type:file read_file_perms;
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, virt_home_t, virt_home_t)
+')
+
+########################################
+## <summary>
-+## allow domain to manage
++## allow domain to read
+## virt tmpfs files
+## </summary>
+## <param name="domain">
@@ -102999,38 +103013,63 @@ index 9dec06c..c43ef2e 100644
+## </summary>
+## </param>
+#
-+interface(`virt_manage_tmpfs_files',`
++interface(`virt_read_tmpfs_files',`
+ gen_require(`
+ attribute virt_tmpfs_type;
')
+
-+ allow $1 virt_tmpfs_type:file manage_file_perms;
++ allow $1 virt_tmpfs_type:file read_file_perms;
')
########################################
## <summary>
-## Read and write all virt image
-## character files.
-+## Create .virt directory in the user home directory
-+## with an correct label.
++## allow domain to manage
++## virt tmpfs files
## </summary>
## <param name="domain">
## <summary>
-@@ -1032,20 +1074,28 @@ interface(`virt_read_images',`
+-## Domain allowed access.
++## Domain allowed access
## </summary>
## </param>
#
-interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_filetrans_home_content',`
++interface(`virt_manage_tmpfs_files',`
gen_require(`
- attribute virt_image_type;
-+ type virt_home_t;
-+ type svirt_home_t;
++ attribute virt_tmpfs_type;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++ allow $1 virt_tmpfs_type:file manage_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## svirt cache files.
++## Create .virt directory in the user home directory
++## with an correct label.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1053,15 +1092,28 @@ interface(`virt_rw_all_image_chr_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`virt_manage_svirt_cache',`
+- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+- virt_manage_virt_cache($1)
++interface(`virt_filetrans_home_content',`
++ gen_require(`
++ type virt_home_t;
++ type svirt_home_t;
++ ')
++
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -103047,34 +103086,36 @@ index 9dec06c..c43ef2e 100644
########################################
## <summary>
-## Create, read, write, and delete
--## svirt cache files.
+-## virt cache content.
+## Dontaudit attempts to Read virt_image_type devices.
## </summary>
## <param name="domain">
## <summary>
-@@ -1053,37 +1103,133 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1069,21 +1121,133 @@ interface(`virt_manage_svirt_cache',`
## </summary>
## </param>
#
--interface(`virt_manage_svirt_cache',`
-- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
-- virt_manage_virt_cache($1)
+-interface(`virt_manage_virt_cache',`
+interface(`virt_dontaudit_read_chr_dev',`
-+ gen_require(`
+ gen_require(`
+- type virt_cache_t;
+ attribute virt_image_type;
-+ ')
-+
+ ')
+
+- files_search_var($1)
+- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+- manage_files_pattern($1, virt_cache_t, virt_cache_t)
+- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')
########################################
## <summary>
-## Create, read, write, and delete
--## virt cache content.
+-## virt image files.
+## Creates types and rules for a basic
+## virt_lxc process domain.
- ## </summary>
--## <param name="domain">
++## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
@@ -103103,7 +103144,7 @@ index 9dec06c..c43ef2e 100644
+## Make the specified type usable as a lxc domain
+## </summary>
+## <param name="type">
- ## <summary>
++## <summary>
+## Type to be used as a lxc domain
+## </summary>
+## </param>
@@ -103122,7 +103163,7 @@ index 9dec06c..c43ef2e 100644
+## </summary>
+## <param name="domain">
+## <summary>
- ## Domain allowed access.
++## Domain allowed access.
+## </summary>
+## </param>
+#
@@ -103141,30 +103182,22 @@ index 9dec06c..c43ef2e 100644
+## <param name="domain">
+## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`virt_manage_virt_cache',`
++## </summary>
++## </param>
++#
+interface(`virt_filetrans_named_content',`
- gen_require(`
-- type virt_cache_t;
++ gen_require(`
+ type virt_lxc_var_run_t;
+ type virt_var_run_t;
- ')
-
-- files_search_var($1)
-- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
-- manage_files_pattern($1, virt_cache_t, virt_cache_t)
-- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
++ ')
++
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
- ')
-
- ########################################
- ## <summary>
--## Create, read, write, and delete
--## virt image files.
++')
++
++########################################
++## <summary>
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
+## </summary>
@@ -103200,7 +103233,7 @@ index 9dec06c..c43ef2e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1091,36 +1237,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1255,54 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@@ -103274,7 +103307,7 @@ index 9dec06c..c43ef2e 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1136,50 +1300,53 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1318,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -103313,30 +103346,30 @@ index 9dec06c..c43ef2e 100644
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
-+ allow $1 virt_domain:process signal_perms;
-
+-
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+ admin_pattern($1, virt_file_type)
-+ admin_pattern($1, svirt_file_type)
-
+-
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
-+ virt_systemctl($1)
-+ allow $1 virtd_unit_file_t:service all_service_perms;
-
+-
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
-
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++ allow $1 virt_domain:process signal_perms;
+
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
--
++ admin_pattern($1, virt_file_type)
++ admin_pattern($1, svirt_file_type)
+
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
--
++ virt_systemctl($1)
++ allow $1 virtd_unit_file_t:service all_service_perms;
+
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
+ virt_stream_connect_sandbox($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2fc86eb..add9635 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 189%{?dist}
+Release: 190%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -582,6 +582,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Oct 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-190
+- Add support for /etc/.updated and /var/.updated
+- Allow dnssec_trigger_t to execute unbound-control in own domain.
+- Allow neutron connections to system dbus.
+- Add support for /var/lib/swiftdirectory.
+- Allow nova-scheduler to read certs.
+- Allow openvpn to access /sys/fs/cgroup dir.
+- Allow openvpn to execute systemd-passwd-agent in systemd_passwd_agent_t to make openvpn working with systemd
+- ALlow sanlock to send a signal to virtd_t.
+- Allow read antivirus domain all kernel sysctls.
+- Allow mandb to getattr on file systems
+- Add support for /etc/.updated and /var/.updated
+- Allow iptables read fail2ban logs. BZ (1147709)
+
* Tue Oct 07 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-189
- Mysql can execute scripts when run in a cluster to see if someone is listening on a socket, basically runs lsof.
- Allow nova domains to getattr on all filesystems.