[selinux-policy/f19] * Tue Dec 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.30 - Allow systemd_tmpfiles_t to manag
Lukas Vrabec
lvrabec at fedoraproject.org
Tue Dec 2 11:58:19 UTC 2014
commit 428cbbdc9e474ca34eedd893f920353aa93e36c6
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Tue Dec 2 12:58:06 2014 +0100
* Tue Dec 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.30
- Allow systemd_tmpfiles_t to manage/relabel non auth files. BZ #(1139336)
- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories.
- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
- Allow boinc_t manage boinc_project_tmp_t files and dirs (#1135687)
- Allow apache to communicate with zoneminder, dontaudit attempts to read utmp
- Allow smoltclient to connect on http_cache port. (#982199)
- Allow mozilla_plugin_t to setcap (#981796)
policy-f19-base.patch | 51 ++++++++++--------------------
policy-f19-contrib.patch | 76 ++++++++++++++++++++++++++++------------------
selinux-policy.spec | 11 ++++++-
3 files changed, 73 insertions(+), 65 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index af264ba..e9f6c88 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -37516,10 +37516,10 @@ index 0000000..ba2e887
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..4015e6a
+index 0000000..675f0f8
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,665 @@
+@@ -0,0 +1,641 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -37820,32 +37820,8 @@ index 0000000..4015e6a
+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
+fs_list_all(systemd_tmpfiles_t)
+
-+files_getattr_all_dirs(systemd_tmpfiles_t)
-+files_getattr_all_files(systemd_tmpfiles_t)
-+files_getattr_all_sockets(systemd_tmpfiles_t)
-+files_getattr_all_symlinks(systemd_tmpfiles_t)
-+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
-+files_relabel_all_lock_files(systemd_tmpfiles_t)
-+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_files(systemd_tmpfiles_t)
-+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
-+files_manage_all_pids(systemd_tmpfiles_t)
-+files_manage_all_pid_dirs(systemd_tmpfiles_t)
-+files_manage_all_locks(systemd_tmpfiles_t)
-+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
-+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_all_non_security_dirs(systemd_tmpfiles_t)
-+files_delete_all_non_security_files(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_purge_tmp(systemd_tmpfiles_t)
-+files_manage_generic_tmp_files(systemd_tmpfiles_t)
-+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
-+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-+files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_manage_non_auth_files(systemd_tmpfiles_t)
++files_relabel_non_auth_files(systemd_tmpfiles_t)
+files_list_lost_found(systemd_tmpfiles_t)
+
+mls_file_read_all_levels(systemd_tmpfiles_t)
@@ -39538,10 +39514,10 @@ index 0280b32..61f19e9 100644
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..65191bd 100644
+index db75976..96bdcdd 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,23 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -39562,10 +39538,12 @@ index db75976..65191bd 100644
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs/.* <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
++HOME_DIR/\.tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
++HOME_DIR/tmp -d gen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..a44c781 100644
+index 3c5dba7..afec557 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -42260,7 +42238,7 @@ index 3c5dba7..a44c781 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3431,11 +4213,1552 @@ interface(`userdom_create_all_users_keys',`
+@@ -3431,11 +4213,1555 @@ interface(`userdom_create_all_users_keys',`
## </summary>
## </param>
#
@@ -43768,6 +43746,7 @@ index 3c5dba7..a44c781 100644
+ type home_bin_t;
+ type audio_home_t;
+ type home_cert_t;
++ type user_tmp_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
@@ -43776,6 +43755,8 @@ index 3c5dba7..a44c781 100644
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
++ userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")
+')
+
+########################################
@@ -43815,7 +43796,7 @@ index 3c5dba7..a44c781 100644
+ dontaudit $1 user_home_type:dir_file_class_set audit_access;
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..158e013 100644
+index e2b538b..347c102 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -43903,7 +43884,7 @@ index e2b538b..158e013 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +82,228 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +82,230 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -44058,6 +44039,8 @@ index e2b538b..158e013 100644
+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert")
+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki")
+userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, ".tmp")
++userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
+
+optional_policy(`
+ gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index ef49e9c..e1e4c79 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -4679,7 +4679,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..4457dc9 100644
+index 1a82e29..f6e6154 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5367,7 +5367,7 @@ index 1a82e29..4457dc9 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5480,6 +5480,8 @@ index 1a82e29..4457dc9 100644
logging_send_syslog_msg(httpd_t)
-miscfiles_read_localization(httpd_t)
++init_dontaudit_read_utmp(httpd_t)
++
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
@@ -5598,7 +5600,7 @@ index 1a82e29..4457dc9 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5658,7 +5660,7 @@ index 1a82e29..4457dc9 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +772,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5749,7 +5751,7 @@ index 1a82e29..4457dc9 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +819,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5830,7 +5832,7 @@ index 1a82e29..4457dc9 100644
')
optional_policy(`
-@@ -743,14 +871,6 @@ optional_policy(`
+@@ -743,14 +873,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5845,7 +5847,7 @@ index 1a82e29..4457dc9 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +885,23 @@ optional_policy(`
+@@ -765,6 +887,23 @@ optional_policy(`
')
optional_policy(`
@@ -5869,7 +5871,7 @@ index 1a82e29..4457dc9 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +918,47 @@ optional_policy(`
+@@ -781,34 +920,47 @@ optional_policy(`
')
optional_policy(`
@@ -5928,7 +5930,7 @@ index 1a82e29..4457dc9 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +966,18 @@ optional_policy(`
+@@ -816,8 +968,18 @@ optional_policy(`
')
optional_policy(`
@@ -5947,7 +5949,7 @@ index 1a82e29..4457dc9 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +986,7 @@ optional_policy(`
+@@ -826,6 +988,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5955,7 +5957,7 @@ index 1a82e29..4457dc9 100644
')
optional_policy(`
-@@ -836,20 +997,39 @@ optional_policy(`
+@@ -836,20 +999,39 @@ optional_policy(`
')
optional_policy(`
@@ -6001,7 +6003,7 @@ index 1a82e29..4457dc9 100644
')
optional_policy(`
-@@ -857,19 +1037,35 @@ optional_policy(`
+@@ -857,19 +1039,35 @@ optional_policy(`
')
optional_policy(`
@@ -6037,7 +6039,7 @@ index 1a82e29..4457dc9 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1073,171 @@ optional_policy(`
+@@ -877,65 +1075,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6051,6 +6053,8 @@ index 1a82e29..4457dc9 100644
+ zoneminder_append_log(httpd_t)
+ zoneminder_manage_lib_dirs(httpd_t)
+ zoneminder_manage_lib_files(httpd_t)
++ zoneminder_stream_connect(httpd_t)
++ zoneminder_exec(httpd_t)
+')
+
########################################
@@ -6231,7 +6235,7 @@ index 1a82e29..4457dc9 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1246,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1250,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6386,7 +6390,7 @@ index 1a82e29..4457dc9 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1330,104 @@ optional_policy(`
+@@ -1077,172 +1334,104 @@ optional_policy(`
')
')
@@ -6622,7 +6626,7 @@ index 1a82e29..4457dc9 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1435,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1439,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6719,7 +6723,7 @@ index 1a82e29..4457dc9 100644
########################################
#
-@@ -1315,8 +1510,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1514,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6736,7 +6740,7 @@ index 1a82e29..4457dc9 100644
')
########################################
-@@ -1324,49 +1526,38 @@ optional_policy(`
+@@ -1324,49 +1530,38 @@ optional_policy(`
# User content local policy
#
@@ -6801,7 +6805,7 @@ index 1a82e29..4457dc9 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1567,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1571,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -9259,7 +9263,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..ae20918 100644
+index 7c92aa1..27dd0d9 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,20 @@
@@ -9285,7 +9289,7 @@ index 7c92aa1..ae20918 100644
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,107 +30,122 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
@@ -9364,7 +9368,11 @@ index 7c92aa1..ae20918 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+
++manage_dirs_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t)
++manage_files_pattern(boinc_t, boinc_project_tmp_t, boinc_project_tmp_t)
++
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -9386,11 +9394,11 @@ index 7c92aa1..ae20918 100644
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
-logging_log_filetrans(boinc_t, boinc_log_t, file)
--
--can_exec(boinc_t, boinc_var_lib_t)
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+-can_exec(boinc_t, boinc_var_lib_t)
+-
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
@@ -9461,7 +9469,7 @@ index 7c92aa1..ae20918 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +151,71 @@ init_read_utmp(boinc_t)
+@@ -130,55 +154,71 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -41273,7 +41281,7 @@ index 6194b80..99effb5 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..e3036c4 100644
+index 6a306ee..95bafda 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -41731,7 +41739,7 @@ index 6a306ee..e3036c4 100644
+dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
+
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
++allow mozilla_plugin_t self:process { setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
@@ -82929,10 +82937,18 @@ index a8b1aaf..4689a59 100644
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
diff --git a/smoltclient.te b/smoltclient.te
-index 9c8f9a5..f074b4d 100644
+index 9c8f9a5..d8d4623 100644
--- a/smoltclient.te
+++ b/smoltclient.te
-@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
+@@ -40,6 +40,7 @@ corenet_tcp_sendrecv_generic_node(smoltclient_t)
+
+ corenet_sendrecv_http_client_packets(smoltclient_t)
+ corenet_tcp_connect_http_port(smoltclient_t)
++corenet_tcp_connect_http_cache_port(smoltclient_t)
+ corenet_tcp_sendrecv_http_port(smoltclient_t)
+
+ dev_read_sysfs(smoltclient_t)
+@@ -51,14 +52,12 @@ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_runtime_files(smoltclient_t)
@@ -82947,7 +82963,7 @@ index 9c8f9a5..f074b4d 100644
optional_policy(`
abrt_stream_connect(smoltclient_t)
-@@ -77,6 +75,10 @@ optional_policy(`
+@@ -77,6 +76,10 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 12ab5e5..a22bd36 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.29%{?dist}
+Release: 74.30%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -542,6 +542,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Dec 02 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.30
+- Allow systemd_tmpfiles_t to manage/relabel non auth files. BZ #(1139336)
+- Fix labeling for HOME_DIR/tmp and HOME_DIR/.tmp directories.
+- Label ~/tmp and ~/.tmp directories in user tmp dirs as user_tmp_t
+- Allow boinc_t manage boinc_project_tmp_t files and dirs (#1135687)
+- Allow apache to communicate with zoneminder, dontaudit attempts to read utmp
+- Allow smoltclient to connect on http_cache port. (#982199)
+- Allow mozilla_plugin_t to setcap (#981796)
+
* Tue Aug 12 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.29
- Allow sensord to send a signal.
- Allow smokeping cgi script to send syslog messages (#1122163)
More information about the scm-commits
mailing list