[selinux-policy/f20] * Tue Oct 14 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-191 - Call auth_use_nsswitch to apache t
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 14 14:31:27 UTC 2014
commit fbe116e2ac25f2cf24354903a21e7852528b1f9a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 14 16:31:11 2014 +0200
* Tue Oct 14 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-191
- Call auth_use_nsswitch to apache to read/write cloud-init keys.
- Allow cloud-init to dbus chat with certmonger.
- Allow sanlock to read sysfs
- Dontaudit redirection from rpm cloud-init scriptlet.
policy-f20-base.patch | 22 +++++++++++++---------
policy-f20-contrib.patch | 41 +++++++++++++++++++++++++++++++++--------
selinux-policy.spec | 8 +++++++-
3 files changed, 53 insertions(+), 18 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index caa9692..aad50ae 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -36966,7 +36966,7 @@ index 3822072..270bde3 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..ececda2 100644
+index ec01d0b..8dae06f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -37397,16 +37397,16 @@ index ec01d0b..ececda2 100644
+can_exec(semanage_t, semanage_exec_t)
-term_use_all_terms(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
+-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -37494,7 +37494,7 @@ index ec01d0b..ececda2 100644
')
########################################
-@@ -522,108 +598,192 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,196 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -37568,6 +37568,11 @@ index ec01d0b..ececda2 100644
-miscfiles_read_localization(setfiles_t)
+optional_policy(`
++ cloudform_dontaudit_write_cloud_log(setfiles_t)
++')
+
+-seutil_libselinux_linked(setfiles_t)
++optional_policy(`
+ devicekit_dontaudit_read_pid_files(setfiles_t)
+ devicekit_dontaudit_rw_log(setfiles_t)
+')
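Review bot: The new `optional_policy` block around `cloudform_dontaudit_write_cloud_log(setfiles_t)` carries no comment explaining why setfiles_t would ever hold a cloud_log_t descriptor; the changelog ("Dontaudit redirection from rpm cloud-init scriplet") suggests restorecon run from the cloud-init rpm scriptlet with its output redirected into the cloud-init log, but a reader of selinuxutil.te cannot see that. Suggest `# restorecon run from the cloud-init rpm scriptlet inherits its redirected log fd` above the call. Note the interface only covers `cloud_log_t:file`, so output redirected into any other type will still be audited, which is the desirable default. The interface itself is defined in policy-f20-contrib.patch in this same commit, which the `optional_policy` wrapper correctly tolerates when the contrib module is absent.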
@@ -37583,7 +37588,7 @@ index ec01d0b..ececda2 100644
+
+ifdef(`hide_broken_symptoms',`
--seutil_libselinux_linked(setfiles_t)
+-userdom_use_all_users_fds(setfiles_t)
+ optional_policy(`
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
@@ -37595,8 +37600,7 @@ index ec01d0b..ececda2 100644
+ unconfined_domain(setfiles_t)
+ ')
+')
-
--userdom_use_all_users_fds(setfiles_t)
++
+########################################
+#
+# Setfiles common policy
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 8579276..1585855 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -12909,10 +12909,10 @@ index 0000000..6cc6774
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
-index 0000000..8ac848b
+index 0000000..a06f04b
--- /dev/null
+++ b/cloudform.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,60 @@
+## <summary>cloudform policy</summary>
+
+#######################################
@@ -12955,12 +12955,30 @@ index 0000000..8ac848b
+
+ can_exec($1, mongod_exec_t)
+')
++
++######################################
++## <summary>
++## Execute mongod in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cloudform_dontaudit_write_cloud_log',`
++ gen_require(`
++ type cloud_log_t;
++ ')
++
++ dontaudit $1 cloud_log_t:file write_inherited_file_perms;
++')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..2b47a40
+index 0000000..e2041a6
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,301 @@
+@@ -0,0 +1,307 @@
+policy_module(cloudform, 1.0)
+########################################
+#
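Review bot: The `<summary>` of the new `cloudform_dontaudit_write_cloud_log` interface reads `Execute mongod in the caller domain.`, copied from the interface directly above it (the one ending in `can_exec($1, mongod_exec_t)`), so the generated interface documentation describes the wrong thing. Suggest `## Do not audit attempts to write inherited cloud-init log files.` in its place; the `<param>` block is fine as is. The body `dontaudit $1 cloud_log_t:file write_inherited_file_perms;` is the usual shape for a leaked or redirected descriptor and only suppresses audit records, it grants nothing, so the only defect here is the doc string. The remaining changes in this hunk are the inner `index`/`@@` line-count updates for cloudform.te, which follow from the added lines.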
@@ -13071,6 +13089,8 @@ index 0000000..2b47a40
+
+storage_raw_read_fixed_disk(cloud_init_t)
+
++auth_use_nsswitch(cloud_init_t)
++
+libs_exec_ldconfig(cloud_init_t)
+
+logging_send_syslog_msg(cloud_init_t)
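Review bot: The added `auth_use_nsswitch(cloud_init_t)` targets cloud_init_t, while the commit message and the changelog entry say the call was added "to apache to read/write cloud-init keys"; no apache hunk appears anywhere in this commit, so either the changelog line or the target domain is off and one of them should be corrected before the build. `auth_use_nsswitch` is one of the broader auth interfaces (in refpolicy it typically also pulls in the network permissions used by LDAP/NIS lookups), so a one-line why-comment such as `# cloud-init creates users and must resolve them through nsswitch` would help later audits of this domain; the `usermanage_domtrans_passwd(cloud_init_t)` context in the next hunk suggests user management is the actual reason, but that is an inference. Placement between `storage_raw_read_fixed_disk` and `libs_exec_ldconfig` breaks the alphabetical ordering of interface calls the surrounding lines otherwise follow.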
@@ -13086,6 +13106,10 @@ index 0000000..2b47a40
+usermanage_domtrans_passwd(cloud_init_t)
+
+optional_policy(`
++ certmonger_dbus_chat(cloud_init_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(cloud_init_t)
+')
+
@@ -88680,7 +88704,7 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index a34eac4..c60eacd 100644
+index a34eac4..735ebd1 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -88756,7 +88780,7 @@ index a34eac4..c60eacd 100644
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+@@ -65,13 +71,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
kernel_read_kernel_sysctls(sanlock_t)
@@ -88771,11 +88795,12 @@ index a34eac4..c60eacd 100644
+dev_read_rand(sanlock_t)
+dev_read_urand(sanlock_t)
++dev_read_sysfs(sanlock_t)
+
auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t)
-@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +88,29 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
@@ -88814,7 +88839,7 @@ index a34eac4..c60eacd 100644
')
optional_policy(`
-@@ -100,7 +117,9 @@ optional_policy(`
+@@ -100,7 +118,9 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index add9635..3abe7d5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 190%{?dist}
+Release: 191%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -582,6 +582,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Oct 14 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-191
+- Call auth_use_nsswitch to apache to read/write cloud-init keys.
+- Allow cloud-init to dbus chat with certmonger.
+- Allow sanlock to read sysfs
+- Dontaudit redirection from rpm cloud-init scriplet.
+
* Tue Oct 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-190
- Add support for /etc/.updated and /var/.updated
- Allow dnssec_trigger_t to execute unbound-control in own domain.