[selinux-policy/f21] - Allow rolekit transition to rpm_script_t. - Need to label rpmnew file correctly - Allow setpcap ca

Miroslav Grepl mgrepl at fedoraproject.org
Fri Oct 24 14:04:11 UTC 2014


commit ca3105b4adef8c2f8cb7d14d067b72288bd7b363
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Oct 24 16:04:05 2014 +0200

    - Allow rolekit transition to rpm_script_t.
    - Need to label rpmnew file correctly
    - Allow setpcap capability for dhcpd.

 policy-f21-base.patch    |    9 +++++----
 policy-f21-contrib.patch |   25 ++++++++++++++++++++-----
 selinux-policy.spec      |    7 ++++++-
 3 files changed, 31 insertions(+), 10 deletions(-)
---
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 3fa409d..202cc87 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -29278,7 +29278,7 @@ index bc0ffc8..7198bd9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..f142c45 100644
+index 79a45f6..b88e8a2 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -30745,7 +30745,7 @@ index 79a45f6..f142c45 100644
 +		type init_t;
 +	')
 +
-+	allow $1 init_t:service { start stop reload status };
++	allow $1 init_t:service manage_service_perms;
 +')
 +
 +########################################
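Review bot: Replacing `{ start stop reload status }` with `manage_service_perms` changes what every caller of this init.if interface is granted on `init_t:service`, yet neither the commit message nor the spec changelog mentions it. If the macro expands to more than the four permissions it replaces (in Fedora's policy it presumably also carries `enable` and `disable`), each calling domain gains them without any record. I would add a changelog line such as `- Use manage_service_perms for the init_t service interface` and check the interface's callers before widening it. The interface header and name are outside the hunk.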
@@ -41158,10 +41158,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..5b904b0
+index 0000000..a75ffd3
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,699 @@
+@@ -0,0 +1,700 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41813,6 +41813,7 @@ index 0000000..5b904b0
 +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_dgram_send(systemd_sysctl_t)
++kernel_request_load_module(systemd_sysctl_t)
 +kernel_rw_all_sysctls(systemd_sysctl_t)
 +kernel_write_security_state(systemd_sysctl_t)
 +
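Review bot: `kernel_request_load_module(systemd_sysctl_t)` is added with no comment and is absent from the commit message and changelog, so nothing records why systemd_sysctl_t needs to ask the kernel to load modules. That is a sensitive grant for a domain that already has `kernel_rw_all_sysctls` and `kernel_write_security_state`. I would put a line above it such as `# sysctl keys may only exist once the owning module is loaded (rhbz#<bug id>)`, after confirming that reason against the AVC denial that prompted the rule. The changelog should list it too.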
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index 24e227a..4719fff 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -12303,10 +12303,12 @@ index 0000000..f50b201
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
 +')
 diff --git a/chronyd.fc b/chronyd.fc
-index 4e4143e..a665b32 100644
+index 4e4143e..d5e0260 100644
 --- a/chronyd.fc
 +++ b/chronyd.fc
-@@ -2,6 +2,8 @@
+@@ -1,7 +1,9 @@
+-/etc/chrony\.keys	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
++/etc/chrony\.keys.*	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
  
  /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
  
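Review bot: The new pattern `/etc/chrony\.keys.*` has no separator before the wildcard, so it matches names such as `/etc/chrony.keysfoo` as well as rpm leftovers like `chrony.keys.rpmnew`. Over-labelling copies as chronyd_keys_t errs on the restrictive side for key material, but if only suffixed copies are intended, `/etc/chrony\.keys(\..*)?` says so more precisely. A file-context entry applies only when a file is created or relabelled, so a `.rpmnew` already on disk keeps its old label until restorecon is run on it; whether the package does that is not visible here. The nested chronyd.fc hunk continues outside this hunk.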
@@ -23053,7 +23055,7 @@ index c697edb..31d45bf 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/dhcp.te b/dhcp.te
-index 98a24b9..5b576ff 100644
+index 98a24b9..401ddbc 100644
 --- a/dhcp.te
 +++ b/dhcp.te
 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -23066,6 +23068,15 @@ index 98a24b9..5b576ff 100644
  type dhcpd_state_t;
  files_type(dhcpd_state_t)
  
+@@ -34,7 +37,7 @@ files_pid_file(dhcpd_var_run_t)
+ # Local policy
+ #
+ 
+-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
++allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid setpcap sys_resource };
+ dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
+ allow dhcpd_t self:process { getcap setcap signal_perms };
+ allow dhcpd_t self:fifo_file rw_fifo_file_perms;
 @@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
  kernel_read_kernel_sysctls(dhcpd_t)
  kernel_read_network_state(dhcpd_t)
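Review bot: `setpcap` is added to the `dhcpd_t self:capability` rule with no comment saying what dhcpd uses it for. CAP_SETPCAP lets a process alter its own capability bounding and inheritable sets, which is normally part of dropping privileges, and dhcpd_t already has `process { getcap setcap }`, so the grant looks consistent with that. The reason should still be recorded next to the rule, for example `# setpcap: dhcpd adjusts its capability sets when dropping privileges (rhbz#<bug id>)`, once confirmed against the denial. The dhcp.te local-policy section continues outside the hunk.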
@@ -83546,10 +83557,10 @@ index 0000000..8d833ed
 +')
 diff --git a/rolekit.te b/rolekit.te
 new file mode 100644
-index 0000000..da7bd10
+index 0000000..da94453
 --- /dev/null
 +++ b/rolekit.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,47 @@
 +policy_module(rolekit, 1.0.0)
 +
 +########################################
@@ -83588,6 +83599,10 @@ index 0000000..da7bd10
 +')
 +
 +optional_policy(`
++    rpm_transition_script(rolekit_t, system_r)
++')
++
++optional_policy(`
 +    unconfined_domain_noaudit(rolekit_t)
 +    #should be changed for debugging
 +    #unconfined_domain(rolekit_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index debb09f..928b2b7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 90%{?dist}
+Release: 91%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Oct 24 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-91
+- Allow rolekit transition to rpm_script_t.
+- Need to label rpmnew file correctly
+- Allow setpcap capability for dhcpd.
+
 * Wed Oct 22 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-90
 - Additional fixes for rolekit
 

