[selinux-policy/f20] * Tue Oct 14 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-191 - Call auth_use_nsswitch to apache t

Miroslav Grepl mgrepl at fedoraproject.org
Tue Oct 14 14:31:27 UTC 2014


commit fbe116e2ac25f2cf24354903a21e7852528b1f9a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Oct 14 16:31:11 2014 +0200

    * Tue Oct 14 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-191
    - Call auth_use_nsswitch to apache to read/write cloud-init keys.
    - Allow cloud-init to dbus chat with certmonger.
    - Allow sanlock to read sysfs
    - Dontaudit redirection from rpm cloud-init scriptlet.

 policy-f20-base.patch    |   22 +++++++++++++---------
 policy-f20-contrib.patch |   41 +++++++++++++++++++++++++++++++++--------
 selinux-policy.spec      |    8 +++++++-
 3 files changed, 53 insertions(+), 18 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index caa9692..aad50ae 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -36966,7 +36966,7 @@ index 3822072..270bde3 100644
 +	allow semanage_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..ececda2 100644
+index ec01d0b..8dae06f 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,16 @@ gen_require(`
@@ -37397,16 +37397,16 @@ index ec01d0b..ececda2 100644
 +can_exec(semanage_t, semanage_exec_t)
  
 -term_use_all_terms(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+ 
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
 -
 -locallogin_use_fds(semanage_t)
 -
 -logging_send_syslog_msg(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
- 
+-
 -miscfiles_read_localization(semanage_t)
 -
 -seutil_libselinux_linked(semanage_t)
@@ -37494,7 +37494,7 @@ index ec01d0b..ececda2 100644
  ')
  
  ########################################
-@@ -522,108 +598,192 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,196 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -37568,6 +37568,11 @@ index ec01d0b..ececda2 100644
  
 -miscfiles_read_localization(setfiles_t)
 +optional_policy(`
++    cloudform_dontaudit_write_cloud_log(setfiles_t)
++')
+ 
+-seutil_libselinux_linked(setfiles_t)
++optional_policy(`
 +	devicekit_dontaudit_read_pid_files(setfiles_t)
 +	devicekit_dontaudit_rw_log(setfiles_t)
 +')
@@ -37583,7 +37588,7 @@ index ec01d0b..ececda2 100644
 +
 +ifdef(`hide_broken_symptoms',`
  
--seutil_libselinux_linked(setfiles_t)
+-userdom_use_all_users_fds(setfiles_t)
 +	optional_policy(`
 +		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
 +		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
@@ -37595,8 +37600,7 @@ index ec01d0b..ececda2 100644
 +		unconfined_domain(setfiles_t)
 +	')
 +')
- 
--userdom_use_all_users_fds(setfiles_t)
++
 +########################################
 +#
 +# Setfiles common policy
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 8579276..1585855 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -12909,10 +12909,10 @@ index 0000000..6cc6774
 +/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
 diff --git a/cloudform.if b/cloudform.if
 new file mode 100644
-index 0000000..8ac848b
+index 0000000..a06f04b
 --- /dev/null
 +++ b/cloudform.if
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,60 @@
 +## <summary>cloudform policy</summary>
 +
 +#######################################
@@ -12955,12 +12955,30 @@ index 0000000..8ac848b
 +
 +    can_exec($1, mongod_exec_t)
 +')
++
++######################################
++## <summary>
++##	Execute mongod in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cloudform_dontaudit_write_cloud_log',`
++    gen_require(`
++	type cloud_log_t;
++    ')
++
++    dontaudit $1 cloud_log_t:file write_inherited_file_perms;
++')
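Review bot: The summary on the new `cloudform_dontaudit_write_cloud_log` interface is copied from the mongod interface above it and reads `Execute mongod in the caller domain.`, which does not describe what this interface does; change it to `##	Do not audit attempts to write inherited cloud-init log files.` The body also mixes a tab indent on `type cloud_log_t;` with four-space indents on the surrounding `gen_require` and `dontaudit` lines; align them with the style of the interfaces above. The preceding interface in this file starts outside the hunk.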
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..2b47a40
+index 0000000..e2041a6
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,301 @@
+@@ -0,0 +1,307 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -13071,6 +13089,8 @@ index 0000000..2b47a40
 +
 +storage_raw_read_fixed_disk(cloud_init_t)
 +
++auth_use_nsswitch(cloud_init_t)
++
 +libs_exec_ldconfig(cloud_init_t)
 +
 +logging_send_syslog_msg(cloud_init_t)
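Review bot: `auth_use_nsswitch(cloud_init_t)` is added to cloud_init_t, while the commit description and the changelog entry both say the call was added to apache; no apache hunk appears anywhere in this diff, so either the description should name cloud-init or the apache change is missing from the commit. A short why-comment above the call, `# cloud-init resolves users/groups via nsswitch when handling keys`, would make the intent visible in cloudform.te, assuming that is the denial being addressed. The cloud_init_t policy section continues on both sides of this hunk.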
@@ -13086,6 +13106,10 @@ index 0000000..2b47a40
 +usermanage_domtrans_passwd(cloud_init_t)
 +
 +optional_policy(`
++    certmonger_dbus_chat(cloud_init_t)
++')
++
++optional_policy(`
 +    dbus_system_bus_client(cloud_init_t)
 +')
 +
@@ -88680,7 +88704,7 @@ index cd6c213..34b861a 100644
 +	allow $1 sanlock_unit_file_t:service all_service_perms;
  ')
 diff --git a/sanlock.te b/sanlock.te
-index a34eac4..c60eacd 100644
+index a34eac4..735ebd1 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -88756,7 +88780,7 @@ index a34eac4..c60eacd 100644
  logging_log_filetrans(sanlock_t, sanlock_log_t, file)
  
  manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
-@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+@@ -65,13 +71,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
  kernel_read_system_state(sanlock_t)
  kernel_read_kernel_sysctls(sanlock_t)
  
@@ -88771,11 +88795,12 @@ index a34eac4..c60eacd 100644
  
 +dev_read_rand(sanlock_t)
 +dev_read_urand(sanlock_t)
++dev_read_sysfs(sanlock_t)
 +
  auth_use_nsswitch(sanlock_t)
  
  init_read_utmp(sanlock_t)
-@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
+@@ -79,20 +88,29 @@ init_dontaudit_write_utmp(sanlock_t)
  
  logging_send_syslog_msg(sanlock_t)
  
@@ -88814,7 +88839,7 @@ index a34eac4..c60eacd 100644
  ')
  
  optional_policy(`
-@@ -100,7 +117,9 @@ optional_policy(`
+@@ -100,7 +118,9 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index add9635..3abe7d5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 190%{?dist}
+Release: 191%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -582,6 +582,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Oct 14 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-191
+- Call auth_use_nsswitch to apache to read/write cloud-init keys.
+- Allow cloud-init to dbus chat with certmonger.
+- Allow sanlock to read sysfs
+- Dontaudit redirection from rpm cloud-init scriplet.
+
 * Tue Oct 14 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-190
 - Add support for /etc/.updated and /var/.updated
 - Allow dnssec_trigger_t to execute unbound-control in own domain.

