[selinux-policy/f21] * Wed Oct 22 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-90 - Additional fixes for rolekit
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Oct 22 21:21:00 UTC 2014
commit 0ac4f5a8fa7dceacc1b8f99624d87dd05e544043
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Oct 22 23:20:50 2014 +0200
* Wed Oct 22 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-90
- Additional fixes for rolekit
policy-f21-base.patch | 14 +-
policy-f21-contrib.patch | 532 +++++++++++++++++++++++++++------------------
selinux-policy.spec | 7 +-
3 files changed, 333 insertions(+), 220 deletions(-)
---
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index dd4c505..3fa409d 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -28086,7 +28086,7 @@ index 3efd5b6..12dca57 100644
+ allow $1 login_pgm:key manage_key_perms;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..dbf639e 100644
+index 09b791d..03657db 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -28364,12 +28364,12 @@ index 09b791d..dbf639e 100644
+systemd_hostnamed_read_config(nsswitch_domain)
+
+
- tunable_policy(`authlogin_nsswitch_use_ldap',`
-- files_list_var_lib(nsswitch_domain)
++tunable_policy(`authlogin_nsswitch_use_ldap',`
+ allow nsswitch_domain self:tcp_socket create_socket_perms;
+')
+
-+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+- files_list_var_lib(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_if(nsswitch_domain)
+ corenet_tcp_sendrecv_generic_node(nsswitch_domain)
+ corenet_tcp_sendrecv_ldap_port(nsswitch_domain)
@@ -28410,7 +28410,7 @@ index 09b791d..dbf639e 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -456,10 +520,151 @@ optional_policy(`
+@@ -456,10 +520,155 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@@ -28422,6 +28422,10 @@ index 09b791d..dbf639e 100644
+userdom_manage_all_users_keys(nsswitch_domain)
+optional_policy(`
+ sssd_manage_keys(nsswitch_domain)
++')
++
++optional_policy(`
++ rolekit_manage_keys(nsswitch_domain)
')
optional_policy(`
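Review bot: The new `rolekit_manage_keys(nsswitch_domain)` hands every domain carrying the nsswitch_domain attribute — everything that calls auth_use_nsswitch — full manage_key_perms on rolekit_t keyrings, and since the interface as added to rolekit.if in this same commit also contains `allow rolekit_t $1:key manage_key_perms;`, the grant is mutual rather than one-way. That is far wider than the rolekit/sssd keyring interaction this is presumably meant to cover; a search/read-only variant, or applying the rule to the specific domains that exchange keys with rolekit instead of the whole attribute, would keep the blast radius small. If the wide grant is deliberate for the "more unconfined initial policy" phase, say so above the call, e.g. `# TODO: narrow once rolekit is confined; mutual key access with every nsswitch_domain`. The authlogin.te module this hunk sits in continues outside the hunk.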
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index edcc89b..24e227a 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -38623,7 +38623,7 @@ index 4fe75fd..b05128a 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f6c00d8..075bc4d 100644
+index f6c00d8..7b777ab 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -38804,98 +38804,62 @@ index f6c00d8..075bc4d 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
+@@ -182,27 +178,27 @@ interface(`kerberos_rw_config',`
########################################
## <summary>
-## Create, read, write, and delete
-## kerberos home files.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
--interface(`kerberos_manage_krb5_home_files',`
-- gen_require(`
-- type krb5_home_t;
-- ')
--
-- userdom_search_user_home_dirs($1)
-- allow $1 krb5_home_t:file manage_file_perms;
--')
--
--########################################
--## <summary>
--## Relabel kerberos home files.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--#
--interface(`kerberos_relabel_krb5_home_files',`
-- gen_require(`
-- type krb5_home_t;
-- ')
--
-- userdom_search_user_home_dirs($1)
-- allow $1 krb5_home_t:file relabel_file_perms;
--')
--
--########################################
--## <summary>
--## Create objects in user home
--## directories with the krb5 home type.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
--## <param name="object_class">
--## <summary>
--## Class of the object being created.
--## </summary>
--## </param>
--## <param name="name" optional="true">
--## <summary>
--## The name of the object being created.
--## </summary>
--## </param>
--#
--interface(`kerberos_home_filetrans_krb5_home',`
-- gen_require(`
-- type krb5_home_t;
-- ')
--
-- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
--')
--
--########################################
--## <summary>
--## Read kerberos key table files.
+## Read the kerberos key table.
## </summary>
## <param name="domain">
## <summary>
-@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`kerberos_manage_krb5_home_files',`
++interface(`kerberos_read_keytab',`
+ gen_require(`
+- type krb5_home_t;
++ type krb5_keytab_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 krb5_home_t:file manage_file_perms;
++ files_search_etc($1)
++ allow $1 krb5_keytab_t:file read_file_perms;
+ ')
########################################
## <summary>
--## Read and write kerberos key table files.
+-## Relabel kerberos home files.
+## Read/Write the kerberos key table.
## </summary>
## <param name="domain">
## <summary>
-@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
+@@ -210,47 +206,63 @@ interface(`kerberos_manage_krb5_home_files',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`kerberos_relabel_krb5_home_files',`
++interface(`kerberos_rw_keytab',`
+ gen_require(`
+- type krb5_home_t;
++ type krb5_keytab_t;
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 krb5_home_t:file relabel_file_perms;
++ files_search_etc($1)
++ allow $1 krb5_keytab_t:file rw_file_perms;
+ ')
########################################
## <summary>
--## Create, read, write, and delete
--## kerberos key table files.
+-## Create objects in user home
+-## directories with the krb5 home type.
+## Create keytab file in /etc
## </summary>
## <param name="domain">
@@ -38903,27 +38867,6 @@ index f6c00d8..075bc4d 100644
## Domain allowed access.
## </summary>
## </param>
--#
--interface(`kerberos_manage_keytab_files',`
-- gen_require(`
-- type krb5_keytab_t;
-- ')
--
-- files_search_etc($1)
-- allow $1 krb5_keytab_t:file manage_file_perms;
--')
--
--########################################
--## <summary>
--## Create specified objects in generic
--## etc directories with the kerberos
--## keytab file type.
--## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed access.
--## </summary>
--## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
@@ -38932,114 +38875,167 @@ index f6c00d8..075bc4d 100644
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
-@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
- type krb5_keytab_t;
+ ## </summary>
+ ## </param>
+ #
+-interface(`kerberos_home_filetrans_krb5_home',`
++interface(`kerberos_etc_filetrans_keytab',`
+ gen_require(`
+- type krb5_home_t;
++ type krb5_keytab_t;
')
-- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
+ allow $1 krb5_keytab_t:file manage_file_perms;
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
++')
++
++########################################
++## <summary>
++## Create a derived type for kerberos keytab
++## </summary>
++## <param name="prefix">
++## <summary>
++## The prefix to be used for deriving type names.
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`kerberos_keytab_template',`
++ refpolicywarn(`$0($*) has been deprecated.')
++ kerberos_read_keytab($2)
++ kerberos_use($2)
')
########################################
## <summary>
--## Create a derived type for kerberos
--## keytab files.
-+## Create a derived type for kerberos keytab
+-## Read kerberos key table files.
++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
- ## <param name="prefix">
+ ## <param name="domain">
## <summary>
-@@ -361,7 +262,7 @@ template(`kerberos_keytab_template',`
+@@ -259,18 +271,18 @@ interface(`kerberos_home_filetrans_krb5_home',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`kerberos_read_keytab',`
++interface(`kerberos_read_kdc_config',`
+ gen_require(`
+- type krb5_keytab_t;
++ type krb5kdc_conf_t;
+ ')
+
+ files_search_etc($1)
+- allow $1 krb5_keytab_t:file read_file_perms;
++ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
+ ')
########################################
## <summary>
--## Read kerberos kdc configuration files.
+-## Read and write kerberos key table files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
## <summary>
-@@ -381,8 +282,24 @@ interface(`kerberos_read_kdc_config',`
+@@ -278,254 +290,255 @@ interface(`kerberos_read_keytab',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`kerberos_rw_keytab',`
++interface(`kerberos_read_host_rcache',`
+ gen_require(`
+- type krb5_keytab_t;
++ type krb5_host_rcache_t;
+ ')
+-
+- files_search_etc($1)
+- allow $1 krb5_keytab_t:file rw_file_perms;
++ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ ')
########################################
## <summary>
-## Create, read, write, and delete
--## kerberos host rcache files.
-+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`kerberos_read_host_rcache',`
-+ gen_require(`
-+ type krb5_host_rcache_t;
-+ ')
-+ read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+')
-+
-+########################################
-+## <summary>
+-## kerberos key table files.
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
## <summary>
-@@ -396,34 +313,99 @@ interface(`kerberos_manage_host_rcache',`
- type krb5_host_rcache_t;
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`kerberos_manage_keytab_files',`
++interface(`kerberos_manage_host_rcache',`
+ gen_require(`
+- type krb5_keytab_t;
++ type krb5_host_rcache_t;
')
+- files_search_etc($1)
+- allow $1 krb5_keytab_t:file manage_file_perms;
+ # creates files as system_u no matter what the selinux user
+ # cjp: should be in the below tunable but typeattribute
+ # does not work in conditionals
- domain_obj_id_change_exemption($1)
-
-- tunable_policy(`allow_kerberos',`
++ domain_obj_id_change_exemption($1)
++
+ tunable_policy(`kerberos_enabled',`
- allow $1 self:process setfscreate;
-
- selinux_validate_context($1)
-
- seutil_read_file_contexts($1)
-
++ allow $1 self:process setfscreate;
++
++ selinux_validate_context($1)
++
++ seutil_read_file_contexts($1)
++
+ files_rw_generic_tmp_dir($1)
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
- files_search_tmp($1)
-- allow $1 krb5_host_rcache_t:file manage_file_perms;
- ')
++ files_search_tmp($1)
++ ')
')
########################################
## <summary>
--## Create objects in generic temporary
--## directories with the kerberos host
--## rcache type.
+-## Create specified objects in generic
+-## etc directories with the kerberos
+-## keytab file type.
+## All of the rules required to administrate
+## an kerberos environment
## </summary>
## <param name="domain">
## <summary>
--## Domain allowed to transition.
-+## Domain allowed access.
+ ## Domain allowed access.
## </summary>
## </param>
-## <param name="object_class">
+-## <summary>
+-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+## <param name="role">
-+## <summary>
+ ## <summary>
+-## The name of the object being created.
+## The role to be allowed to manage the kerberos domain.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## </param>
+## <rolecap/>
-+#
+ #
+-interface(`kerberos_etc_filetrans_keytab',`
+interface(`kerberos_admin',`
-+ gen_require(`
+ gen_require(`
+- type krb5_keytab_t;
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
-+ ')
-+
+ ')
+
+- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
+ allow $1 kadmind_t:process signal_perms;
+ ps_process_pattern($1, kadmind_t)
+ tunable_policy(`deny_ptrace',`',`
@@ -39079,37 +39075,156 @@ index f6c00d8..075bc4d 100644
+ admin_pattern($1, krb5kdc_tmp_t)
+
+ admin_pattern($1, krb5kdc_var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+
+ ########################################
+ ## <summary>
+-## Create a derived type for kerberos
+-## keytab files.
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
-+## </summary>
+ ## </summary>
+-## <param name="prefix">
+## <param name="domain">
## <summary>
+-## The prefix to be used for deriving type names.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="domain">
++## <param name="name" optional="true">
+ ## <summary>
+-## Domain allowed access.
++## The name of the object being created.
+ ## </summary>
+ ## </param>
+ #
+-template(`kerberos_keytab_template',`
+- refpolicywarn(`$0($*) has been deprecated.')
+- kerberos_read_keytab($2)
+- kerberos_use($2)
++interface(`kerberos_tmp_filetrans_host_rcache',`
++ gen_require(`
++ type krb5_host_rcache_t;
++ ')
++
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+ ')
+
+ ########################################
+ ## <summary>
+-## Read kerberos kdc configuration files.
++## Type transition files created in /tmp
++## to the kadmind_tmp type.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
+ #
+-interface(`kerberos_read_kdc_config',`
++interface(`kerberos_tmp_filetrans_kadmin',`
+ gen_require(`
+- type krb5kdc_conf_t;
++ type kadmind_tmp_t;
+ ')
+
+- files_search_etc($1)
+- read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
++ manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
++ files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete
+-## kerberos host rcache files.
++## read kerberos homedir content (.k5login)
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`kerberos_manage_host_rcache',`
++interface(`kerberos_read_home_content',`
+ gen_require(`
+- type krb5_host_rcache_t;
++ type krb5_home_t;
+ ')
+
+- domain_obj_id_change_exemption($1)
+-
+- tunable_policy(`allow_kerberos',`
+- allow $1 self:process setfscreate;
+-
+- selinux_validate_context($1)
+-
+- seutil_read_file_contexts($1)
+-
+- files_search_tmp($1)
+- allow $1 krb5_host_rcache_t:file manage_file_perms;
+- ')
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, krb5_home_t, krb5_home_t)
+ ')
+
+ ########################################
+ ## <summary>
+-## Create objects in generic temporary
+-## directories with the kerberos host
+-## rcache type.
++## create kerberos content in the in the /root directory
++## with an correct label.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="object_class">
+-## <summary>
-## Class of the object being created.
+-## </summary>
+-## </param>
+-## <param name="name" optional="true">
+-## <summary>
+-## The name of the object being created.
+## Domain allowed access.
## </summary>
## </param>
- ## <param name="name" optional="true">
-@@ -437,12 +419,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
- type krb5_host_rcache_t;
+ #
+-interface(`kerberos_tmp_filetrans_host_rcache',`
++interface(`kerberos_filetrans_admin_home_content',`
+ gen_require(`
+- type krb5_host_rcache_t;
++ type krb5_home_t;
')
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
-+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
-+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
')
########################################
## <summary>
-## Connect to krb524 service.
-+## read kerberos homedir content (.k5login)
++## Transition to kerberos named content
## </summary>
## <param name="domain">
## <summary>
-@@ -450,82 +433,87 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+-## Domain allowed access.
++## Domain allowed access.
## </summary>
## </param>
#
@@ -39124,44 +39239,28 @@ index f6c00d8..075bc4d 100644
-
- corenet_sendrecv_kerberos_master_client_packets($1)
- corenet_udp_sendrecv_kerberos_master_port($1)
-+interface(`kerberos_read_home_content',`
++interface(`kerberos_filetrans_home_content',`
+ gen_require(`
+ type krb5_home_t;
')
+
-+ userdom_search_user_home_dirs($1)
-+ read_files_pattern($1, krb5_home_t, krb5_home_t)
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
++ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
')
########################################
## <summary>
-## All of the rules required to
-## administrate an kerberos environment.
-+## create kerberos content in the in the /root directory
-+## with an correct label.
++## Transition to kerberos named content
## </summary>
## <param name="domain">
## <summary>
- ## Domain allowed access.
- ## </summary>
- ## </param>
+-## Domain allowed access.
+-## </summary>
+-## </param>
-## <param name="role">
-+#
-+interface(`kerberos_filetrans_admin_home_content',`
-+ gen_require(`
-+ type krb5_home_t;
-+ ')
-+
-+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
-+')
-+
-+########################################
-+## <summary>
-+## Transition to kerberos named content
-+## </summary>
-+## <param name="domain">
- ## <summary>
+-## <summary>
-## Role allowed access.
+## Domain allowed access.
## </summary>
@@ -39169,14 +39268,14 @@ index f6c00d8..075bc4d 100644
-## <rolecap/>
#
-interface(`kerberos_admin',`
-+interface(`kerberos_filetrans_home_content',`
++interface(`kerberos_filetrans_named_content',`
gen_require(`
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
-- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
- type krb5kdc_var_run_t, krb5_host_rcache_t;
-+ type krb5_home_t;
++ type krb5kdc_principal_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
@@ -39204,28 +39303,10 @@ index f6c00d8..075bc4d 100644
-
- files_list_pids($1)
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
-+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
-+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
-+')
-
+-
- files_list_etc($1)
- admin_pattern($1, krb5_conf_t)
-+########################################
-+## <summary>
-+## Transition to kerberos named content
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`kerberos_filetrans_named_content',`
-+ gen_require(`
-+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
-+ type krb5kdc_principal_t;
-+ ')
-
+-
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
-
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
@@ -83335,10 +83416,10 @@ index 0000000..504b6e1
+/usr/sbin/roled -- gen_context(system_u:object_r:rolekit_exec_t,s0)
diff --git a/rolekit.if b/rolekit.if
new file mode 100644
-index 0000000..e5a42e0
+index 0000000..8d833ed
--- /dev/null
+++ b/rolekit.if
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,124 @@
+## <summary>Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles. </summary>
+
+########################################
@@ -83383,6 +83464,24 @@ index 0000000..e5a42e0
+
+ ps_process_pattern($1, rolekit_t)
+')
++#######################################
++## <summary>
++## Manage rolekit kernel keyrings.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rolekit_manage_keys',`
++ gen_require(`
++ type rolekit_t;
++ ')
++
++ allow $1 rolekit_t:key manage_key_perms;
++ allow rolekit_t $1:key manage_key_perms;
++')
+
+########################################
+## <summary>
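Review bot: The summary of the new `rolekit_manage_keys` interface only describes the caller's access to rolekit keyrings, but the body also grants `allow rolekit_t $1:key manage_key_perms;`, so a caller hands rolekit_t write/delete access to its own keys in return; the doc should say that, e.g. `## Manage rolekit kernel keyrings, and allow rolekit to manage the caller's keyrings.`, so nobody applies it to a broad attribute without noticing. If the reverse direction is needed by only a few callers, splitting it into a separate interface would let the one-way grant be used on its own. Minor style: the other interfaces in this file are preceded by a blank line and a rule of hashes the same width as the rest, while the new one starts directly after the preceding `')` with a rule that looks one character shorter.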
@@ -83447,10 +83546,10 @@ index 0000000..e5a42e0
+')
diff --git a/rolekit.te b/rolekit.te
new file mode 100644
-index 0000000..a5d8389
+index 0000000..da7bd10
--- /dev/null
+++ b/rolekit.te
-@@ -0,0 +1,36 @@
+@@ -0,0 +1,43 @@
+policy_module(rolekit, 1.0.0)
+
+########################################
@@ -83485,7 +83584,14 @@ index 0000000..a5d8389
+auth_use_nsswitch(rolekit_t)
+
+optional_policy(`
-+ unconfined_domain(rolekit_t)
++ sssd_domtrans(rolekit_t)
++')
++
++optional_policy(`
++ unconfined_domain_noaudit(rolekit_t)
++ #should be changed for debugging
++ #unconfined_domain(rolekit_t)
++ domain_named_filetrans(rolekit_t)
+')
diff --git a/roundup.if b/roundup.if
index 975bb6a..ce4f5ea 100644
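Review bot: `domain_named_filetrans(rolekit_t)` is placed inside the same `optional_policy` block as `unconfined_domain_noaudit(rolekit_t)`, so the named file transitions stand or fall with the unconfined module even though they have nothing to do with it; if they are meant to apply regardless, move the call to top level before the `optional_policy(` so it survives when the unconfined rules are later removed from rolekit. Switching to the `_noaudit` variant while rolekit_t is still unconfined presumably also silences the denials that would show what a confined rolekit actually needs, which the existing `#should be changed for debugging` hints at but does not explain; a clearer comment would be `# unconfined for now; use unconfined_domain() to collect AVCs before confining rolekit_t`. The `sssd_domtrans(rolekit_t)` block correctly depends on the sssd module and is fine as its own optional_policy.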
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ee4ab60..debb09f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 89%{?dist}
+Release: 90%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,7 +604,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
-* Wed Oct 22 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-89
+* Wed Oct 22 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-90
+- Additional fixes for rolekit
+
+* Wed Oct 22 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-89
- Add rolekit policy based on lvrabec at redhat.com policy. This is more unconfined initial policy to allow us to add dbus chat with random domains
- Allow domains to dbus chat with rolekit.