[selinux-policy/f20] * Tue Oct 21 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-192 - Allow couchdb read sysctl_fs_t file
Lukas Vrabec
lvrabec at fedoraproject.org
Tue Oct 21 14:04:48 UTC 2014
commit 388d3d83c97fbed6fee2533f306afd7f6a95427d
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Tue Oct 21 16:04:39 2014 +0200
* Tue Oct 21 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-192
- Allow couchdb read sysctl_fs_t files. BZ(1154327)
- Add fowner cap in usbmuxd_t BZ (1152662)
policy-f20-contrib.patch | 15 ++++++++++-----
selinux-policy.spec | 6 +++++-
2 files changed, 15 insertions(+), 6 deletions(-)
---
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 1585855..b7300d6 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -15913,7 +15913,7 @@ index 83d6744..3f0c0dc 100644
+ ')
')
diff --git a/couchdb.te b/couchdb.te
-index 503adab..c5128a8 100644
+index 503adab..fcb0a4b 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
@@ -15939,7 +15939,7 @@ index 503adab..c5128a8 100644
manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-@@ -56,7 +59,7 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
+@@ -56,11 +59,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
@@ -15948,7 +15948,12 @@ index 503adab..c5128a8 100644
can_exec(couchdb_t, couchdb_exec_t)
-@@ -75,14 +78,15 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+ kernel_read_system_state(couchdb_t)
++kernel_read_fs_sysctls(couchdb_t)
+
+ corecmd_exec_bin(couchdb_t)
+ corecmd_exec_shell(couchdb_t)
+@@ -75,14 +79,15 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)
corenet_tcp_sendrecv_couchdb_port(couchdb_t)
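Review bot: The added kernel_read_fs_sysctls(couchdb_t) line has no comment naming which fs sysctl couchdb actually reads, and the changelog only points at BZ(1154327). The interface grants read access by type, so it covers every sysctl_fs_t file, not one path. A short comment above the call in couchdb.te naming the file from the denial would let a later reviewer judge whether the access is still needed.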
@@ -100261,7 +100266,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 8840be6..0d1be2a 100644
+index 8840be6..041373e 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
@@ -100287,7 +100292,7 @@ index 8840be6..0d1be2a 100644
#
-allow usbmuxd_t self:capability { kill setgid setuid };
-+allow usbmuxd_t self:capability { fsetid chown kill setgid setuid };
++allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
allow usbmuxd_t self:process { signal signull };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
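Review bot: fowner is added to the usbmuxd_t capability set on the allow line without any note on which operation needs it, and the domain already holds chown and fsetid, so this further widens what the daemon may do to files it does not own. Please record in usbmuxd.te or the commit message which operation produced the denial in BZ (1152662), and confirm that a dontaudit, as used for sys_resource on the following line, would not have been sufficient.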
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3abe7d5..b6a635f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 191%{?dist}
+Release: 192%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -582,6 +582,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Oct 21 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-192
+- Allow couchdb read sysctl_fs_t files. BZ(1154327)
+- Add fowner cap in usbmuxd_t BZ (1152662)
+
* Tue Oct 14 2014 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-191
- Call auth_use_nsswitch to apache to read/write cloud-init keys.
- Allow cloud-init to dbus chat with certmonger.
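Review bot: The two new %changelog entries write the bug reference in different forms, "BZ(1154327)" and "BZ (1152662)"; use one form so the entries can be searched consistently. "Add fowner cap in usbmuxd_t" would also read better as "Allow usbmuxd_t the fowner capability", matching the "Allow ..." wording of the entry above it.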