[selinux-policy/f22] * Mon Feb 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-112 - Allow audisp to connect to system D

Lukas Vrabec lvrabec at fedoraproject.org
Mon Feb 16 19:26:19 UTC 2015


commit 6f1d9d2e99fb958ff370e6c439a3166a5ef8adac
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Mon Feb 16 20:26:01 2015 +0100

    * Mon Feb 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-112
    - Allow audisp to connect to system DBUS for service.
    - Label /dev/log correctly.
    - Add interface init_read_var_lib_files().
    - Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)

 policy-f22-base.patch    |   44 +++++++++++++++++++++++++++++++++-----------
 policy-f22-contrib.patch |   15 +++++++++------
 selinux-policy.spec      |    8 +++++++-
 3 files changed, 49 insertions(+), 18 deletions(-)
---
diff --git a/policy-f22-base.patch b/policy-f22-base.patch
index 59cae3f..752e811 100644
--- a/policy-f22-base.patch
+++ b/policy-f22-base.patch
@@ -29472,7 +29472,7 @@ index bc0ffc8..7198bd9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..b88e8a2 100644
+index 79a45f6..6c7a9d9 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -30494,7 +30494,7 @@ index 79a45f6..b88e8a2 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2380,473 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2380,492 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -30968,6 +30968,25 @@ index 79a45f6..b88e8a2 100644
 +	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
 +	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
 +')
++
++########################################
++## <summary>
++##	Read systemd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_read_var_lib_files',`
++	gen_require(`
++		type init_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, init_var_lib_t, init_var_lib_t)
++')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index 17eda24..1381948 100644
 --- a/policy/modules/system/init.te
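Review bot: The summary of the new `init_read_var_lib_files` interface, `##	Read systemd lib files.`, names neither the type it grants nor the path it covers, so a caller cannot tell from the documentation what they are opening up; suggest `##	Read init_var_lib_t files (e.g. under /var/lib/systemd).`, which is what the body grants and what the changelog entry describes. The body itself looks complete for a read-only interface: `files_search_var_lib($1)` covers the path walk and `read_files_pattern($1, init_var_lib_t, init_var_lib_t)` covers both the directory search and the file reads. The interface is appended at the end of init.if; the rest of that file is outside this hunk.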
@@ -34091,10 +34110,12 @@ index 446fa99..22f539c 100644
 +	plymouthd_exec_plymouth(sulogin_t)
  ')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..e55a556 100644
+index b50c5fe..13da95a 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -2,10 +2,13 @@
+@@ -1,11 +1,14 @@
+-/dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
++/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
  
  /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
  /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -34180,7 +34201,7 @@ index b50c5fe..e55a556 100644
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 +
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..8de26ad 100644
+index 4e94884..6b1eae3 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -34296,8 +34317,8 @@ index 4e94884..8de26ad 100644
 +		type devlog_t;
 +	')
 +
-+	allow $1 devlog_t:sock_file manage_sock_file_perms;
-+	dev_filetrans($1, devlog_t, sock_file)
++	allow $1 devlog_t:lnk_file manage_sock_file_perms;
++	dev_filetrans($1, devlog_t, lnk_file)
 +	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
 +')
 +
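Review bot: `allow $1 devlog_t:lnk_file manage_sock_file_perms;` applies a socket permission set to the lnk_file class; the set meant for symlinks is `manage_lnk_file_perms`, so the line should read `allow $1 devlog_t:lnk_file manage_lnk_file_perms;` (the following `dev_filetrans($1, devlog_t, lnk_file)` already matches the class change). The socket set carries write-style permissions a symlink object does not need, and because this is an interface the surplus is granted to every caller, which widens the rule rather than just relabelling it. The change is consistent with the logging.fc hunk above that relabels `/dev/log` from `-s` to `-l`. The enclosing interface begins before this hunk, so its name and other rules are not visible here.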
@@ -34706,7 +34727,7 @@ index 4e94884..8de26ad 100644
 +    logging_log_filetrans($1, var_log_t, dir, "anaconda")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..d9852d4 100644
+index 59b04c1..df37453 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -34858,17 +34879,18 @@ index 59b04c1..d9852d4 100644
  mls_file_write_all_levels(audisp_t)
 +mls_socket_write_all_levels(audisp_t)
 +mls_dbus_send_all_levels(audisp_t)
-+
-+auth_use_nsswitch(audisp_t)
  
- logging_send_syslog_msg(audisp_t)
+-logging_send_syslog_msg(audisp_t)
++auth_use_nsswitch(audisp_t)
  
 -miscfiles_read_localization(audisp_t)
++logging_send_syslog_msg(audisp_t)
  
  sysnet_dns_name_resolve(audisp_t)
  
  optional_policy(`
  	dbus_system_bus_client(audisp_t)
++    dbus_connect_system_bus(audisp_t)
 +
 +	optional_policy(`
 +		setroubleshoot_dbus_chat(audisp_t)
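Review bot: The added line `++    dbus_connect_system_bus(audisp_t)` is indented with four spaces while the neighbouring `dbus_system_bus_client(audisp_t)` and the `optional_policy` block use a tab, so the new rule should be `	dbus_connect_system_bus(audisp_t)` to match the file. It is also worth checking whether this call is redundant: in reference policy `dbus_system_bus_client` usually already grants the stream connect to the system bus socket, in which case the extra line adds nothing and can be dropped. The surrounding `optional_policy` block continues past the end of the hunk.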
diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch
index 3ea2457..463359e 100644
--- a/policy-f22-contrib.patch
+++ b/policy-f22-contrib.patch
@@ -546,7 +546,7 @@ index 058d908..1e92177 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..34371ae 100644
+index eb50f07..d77f4a6 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -984,7 +984,7 @@ index eb50f07..34371ae 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +451,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +451,58 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1005,7 +1005,8 @@ index eb50f07..34371ae 100644
 +# abrt_dump_oops local policy
  #
  
- allow abrt_dump_oops_t self:capability dac_override;
+-allow abrt_dump_oops_t self:capability dac_override;
++allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override };
  allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
 -allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
 +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
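Review bot: `allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override };` adds three ownership-related capabilities with no comment saying why a log-dumping domain needs them; the changelog ties this to BZ(1187017), so a one-line why-comment above the rule, `# BZ(1187017): abrt-dump-oops needs chown/fowner/fsetid`, would keep that rationale next to the grant. Since `chown` in particular lets the domain change ownership of any file it can already write, it would be good to confirm from the denials that all three are actually exercised, and to drop or dontaudit any that are not. The enclosing abrt_dump_oops_t local policy section continues outside this hunk.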
@@ -1041,10 +1042,12 @@ index eb50f07..34371ae 100644
  logging_read_generic_logs(abrt_dump_oops_t)
 +logging_read_syslog_pid(abrt_dump_oops_t)
 +logging_send_syslog_msg(abrt_dump_oops_t)
++
++init_read_var_lib_files(abrt_dump_oops_t)
  
  #######################################
  #
-@@ -404,7 +508,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +510,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1053,7 +1056,7 @@ index eb50f07..34371ae 100644
  
  read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
  
-@@ -413,16 +517,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +519,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
  corecmd_exec_bin(abrt_watch_log_t)
  
  logging_read_all_logs(abrt_watch_log_t)
@@ -1097,7 +1100,7 @@ index eb50f07..34371ae 100644
  ')
  
  #######################################
-@@ -430,10 +560,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +562,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bbe4149..c30e141 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 111%{?dist}
+Release: 112%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -605,6 +605,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Feb 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-112
+- Allow audisp to connect to system DBUS for service.
+- Label /dev/log correctly.
+- Add interface init_read_var_lib_files().
+- Allow abrt_dump_oops_t read /var/lib/systemd/, Allow abrt_dump_oops_t cap. chown,fsetid,fowner, BZ(1187017)
+
 * Tue Feb 10 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-111
 - Label /usr/libexec/postgresql-ctl as postgresql_exec_t. BZ(1191004)
 - Remove automatcically running filetrans_named_content form sysnet_manage_config

