[selinux-policy/f21] * Mon Feb 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.4 - Added logging_syslogd_pid_filetra
Lukas Vrabec
lvrabec at fedoraproject.org
Mon Feb 23 15:04:12 UTC 2015
commit 6c9d779fced911eca73ed68bd35f2a26edb9e4f8
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Mon Feb 23 16:04:04 2015 +0100
* Mon Feb 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.4
- Added logging_syslogd_pid_filetrans
- Additional fix for labeling /dev/log correctly
- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
- Label /dev/log correctly.
- Create dnf and yum directories in /var with correct label
- Dontaudit sys_resource in prelink_cron_system_t
- Add filename transitions for /var/lib/rpm and /var/cache/rpm
- Create dnf and yum directories in /var with correct label
- Allow brltty ioctl on usb_device_t. BZ(1190349)
policy-f21-base.patch | 133 +++++++++++++++++++++++++++++++----------------
policy-f21-contrib.patch | 67 +++++++++++++-----------
selinux-policy.spec | 13 ++++-
3 files changed, 138 insertions(+), 75 deletions(-)
---
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 22fd048..ad031b1 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -9012,7 +9012,7 @@ index 6a1e4d1..7ac2831 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..7fad46c 100644
+index cf04cb5..c84dc1a 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9161,7 +9161,7 @@ index cf04cb5..7fad46c 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +238,356 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +238,357 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9502,6 +9502,7 @@ index cf04cb5..7fad46c 100644
+ rpm_dontaudit_leaks(domain)
+ rpm_read_script_tmp_files(domain)
+ rpm_inherited_fifo(domain)
++ rpm_named_filetrans(named_filetrans_domain)
+')
+
+tunable_policy(`fips_mode',`
@@ -29420,7 +29421,7 @@ index b2097e7..0a49e14 100644
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index bc0ffc8..7198bd9 100644
+index bc0ffc8..37b8ea5 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -1,6 +1,9 @@
@@ -29445,7 +29446,7 @@ index bc0ffc8..7198bd9 100644
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-@@ -42,20 +50,35 @@ ifdef(`distro_gentoo', `
+@@ -42,20 +50,36 @@ ifdef(`distro_gentoo', `
#
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -29478,10 +29479,11 @@ index bc0ffc8..7198bd9 100644
/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/systemd/machine-id -- gen_context(system_u:object_r:machineid_t,s0)
++/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,s0)
ifdef(`distro_debian',`
/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -74,3 +97,4 @@ ifdef(`distro_suse', `
+@@ -74,3 +98,4 @@ ifdef(`distro_suse', `
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
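Review bot: The new `/var/run/systemd/journal/dev-log` entry labels the socket `devlog_t` at level `s0`, while the `/dev/log` entry in logging.fc uses `mls_systemhigh` for the same type. If `/dev/log` becomes a symlink to this socket, as the rest of the commit suggests, the socket is the object that receives the writes, so on an MLS build its level is the one that matters. Writing it as `gen_context(system_u:object_r:devlog_t,mls_systemhigh)` would keep the two entries consistent. The entry would also sit more naturally in logging.fc, which holds the other `devlog_t` context, than in init.fc.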
@@ -32394,10 +32396,10 @@ index 17eda24..32af6e4 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..ad9ef4e 100644
+index 662e79b..d32012f 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,25 @@
+@@ -1,14 +1,26 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@@ -32405,6 +32407,7 @@ index 662e79b..ad9ef4e 100644
-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++/usr/lib/systemd/system/strongswan-swanctl.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+/usr/lib/systemd/system/strongimcv.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+
+/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
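Review bot: The added `/usr/lib/systemd/system/strongswan-swanctl.*` pattern is already matched by the `/usr/lib/systemd/system/strongswan.*` line directly above it, which assigns the same `ipsec_mgmt_unit_file_t` label, so the new entry changes no labeling. If an explicit entry is wanted as documentation, `/usr/lib/systemd/system/strongswan-swanctl\.service` would name the unit precisely; the unescaped `.` in these patterns matches any character.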
@@ -32424,7 +32427,7 @@ index 662e79b..ad9ef4e 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,16 +37,27 @@
+@@ -26,16 +38,28 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -32436,6 +32439,7 @@ index 662e79b..ad9ef4e 100644
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/sbin/swanctl -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
@@ -34139,10 +34143,12 @@ index 446fa99..22f539c 100644
+ plymouthd_exec_plymouth(sulogin_t)
')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index b50c5fe..e55a556 100644
+index b50c5fe..13da95a 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -2,10 +2,13 @@
+@@ -1,11 +1,14 @@
+-/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
++/dev/log -l gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
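Review bot: Replacing the `-s` entry for `/dev/log` with a `-l` entry leaves no file-context rule for a `/dev/log` that is a real socket. On a system where the syslog daemon binds its socket directly at that path, a relabel would presumably fall back to the generic /dev label instead of `devlog_t`. Keeping both lines, `/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)` next to the new `-l` one, covers both layouts.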
@@ -34228,7 +34234,7 @@ index b50c5fe..e55a556 100644
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 4e94884..8de26ad 100644
+index 4e94884..8c67cd0 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -34318,7 +34324,7 @@ index 4e94884..8de26ad 100644
########################################
## <summary>
## Send system log messages.
-@@ -530,22 +592,104 @@ interface(`logging_log_filetrans',`
+@@ -530,22 +592,105 @@ interface(`logging_log_filetrans',`
#
interface(`logging_send_syslog_msg',`
gen_require(`
@@ -34342,13 +34348,21 @@ index 4e94884..8de26ad 100644
+interface(`logging_create_devlog_dev',`
+ gen_require(`
+ type devlog_t;
-+ ')
-+
-+ allow $1 devlog_t:sock_file manage_sock_file_perms;
-+ dev_filetrans($1, devlog_t, sock_file)
+ ')
+
+- allow $1 devlog_t:lnk_file read_lnk_file_perms;
+- allow $1 devlog_t:sock_file write_sock_file_perms;
++ allow $1 devlog_t:lnk_file manage_sock_file_perms;
++ dev_filetrans($1, devlog_t, lnk_file, "log")
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
++ logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
+')
-+
+
+- # the type of socket depends on the syslog daemon
+- allow $1 syslogd_t:unix_dgram_socket sendto;
+- allow $1 syslogd_t:unix_stream_socket connectto;
+- allow $1 self:unix_dgram_socket create_socket_perms;
+- allow $1 self:unix_stream_socket create_socket_perms;
+########################################
+## <summary>
+## Relabel the devlog sock_file.
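Review bot: In `logging_create_devlog_dev` the new rule `allow $1 devlog_t:lnk_file manage_sock_file_perms;` applies the socket-file permission set to the `lnk_file` class; `manage_lnk_file_perms` is the matching set and grants less. The rewrite also drops `allow $1 devlog_t:sock_file manage_sock_file_perms;` while keeping the two `sock_file` name transitions ("syslog" and "dev-log"). Unless callers grant that access separately, the domain gets a type transition for a socket it is not allowed to create. I would write `allow $1 devlog_t:lnk_file manage_lnk_file_perms;` and keep the `sock_file` allow rule next to it.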
@@ -34363,7 +34377,11 @@ index 4e94884..8de26ad 100644
+ gen_require(`
+ type devlog_t;
+ ')
-+
+
+- # If syslog is down, the glibc syslog() function
+- # will write to the console.
+- term_write_console($1)
+- term_dontaudit_read_console($1)
+ allow $1 devlog_t:sock_file relabel_sock_file_perms;
+')
+
@@ -34380,10 +34398,8 @@ index 4e94884..8de26ad 100644
+interface(`logging_read_syslog_pid',`
+ gen_require(`
+ type syslogd_var_run_t;
- ')
-
-- allow $1 devlog_t:lnk_file read_lnk_file_perms;
-- allow $1 devlog_t:sock_file write_sock_file_perms;
++ ')
++
+ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+')
@@ -34405,12 +34421,7 @@ index 4e94884..8de26ad 100644
+
+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
+')
-
-- # the type of socket depends on the syslog daemon
-- allow $1 syslogd_t:unix_dgram_socket sendto;
-- allow $1 syslogd_t:unix_stream_socket connectto;
-- allow $1 self:unix_dgram_socket create_socket_perms;
-- allow $1 self:unix_stream_socket create_socket_perms;
++
+########################################
+## <summary>
+## Connect to the syslog control unix stream socket.
@@ -34425,17 +34436,13 @@ index 4e94884..8de26ad 100644
+ gen_require(`
+ type syslogd_t, syslogd_var_run_t;
+ ')
-
-- # If syslog is down, the glibc syslog() function
-- # will write to the console.
-- term_write_console($1)
-- term_dontaudit_read_console($1)
++
+ files_search_pids($1)
+ stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
')
########################################
-@@ -571,6 +715,25 @@ interface(`logging_read_audit_config',`
+@@ -571,6 +716,25 @@ interface(`logging_read_audit_config',`
########################################
## <summary>
@@ -34461,7 +34468,7 @@ index 4e94884..8de26ad 100644
## dontaudit search of auditd configuration files.
## </summary>
## <param name="domain">
-@@ -609,6 +772,25 @@ interface(`logging_read_syslog_config',`
+@@ -609,6 +773,25 @@ interface(`logging_read_syslog_config',`
########################################
## <summary>
@@ -34487,7 +34494,7 @@ index 4e94884..8de26ad 100644
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
-@@ -722,6 +904,25 @@ interface(`logging_setattr_all_log_dirs',`
+@@ -722,6 +905,25 @@ interface(`logging_setattr_all_log_dirs',`
allow $1 logfile:dir setattr;
')
@@ -34513,7 +34520,7 @@ index 4e94884..8de26ad 100644
########################################
## <summary>
## Do not audit attempts to get the attributes
-@@ -776,7 +977,25 @@ interface(`logging_append_all_logs',`
+@@ -776,7 +978,25 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
@@ -34540,7 +34547,7 @@ index 4e94884..8de26ad 100644
')
########################################
-@@ -859,7 +1078,7 @@ interface(`logging_manage_all_logs',`
+@@ -859,7 +1079,7 @@ interface(`logging_manage_all_logs',`
files_search_var($1)
manage_files_pattern($1, logfile, logfile)
@@ -34549,7 +34556,7 @@ index 4e94884..8de26ad 100644
')
########################################
-@@ -885,6 +1104,44 @@ interface(`logging_read_generic_logs',`
+@@ -885,6 +1105,44 @@ interface(`logging_read_generic_logs',`
########################################
## <summary>
@@ -34594,7 +34601,7 @@ index 4e94884..8de26ad 100644
## Write generic log files.
## </summary>
## <param name="domain">
-@@ -905,6 +1162,24 @@ interface(`logging_write_generic_logs',`
+@@ -905,6 +1163,24 @@ interface(`logging_write_generic_logs',`
########################################
## <summary>
@@ -34619,7 +34626,7 @@ index 4e94884..8de26ad 100644
## Dontaudit Write generic log files.
## </summary>
## <param name="domain">
-@@ -984,11 +1259,16 @@ interface(`logging_admin_audit',`
+@@ -984,11 +1260,16 @@ interface(`logging_admin_audit',`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
type auditd_initrc_exec_t;
@@ -34637,7 +34644,7 @@ index 4e94884..8de26ad 100644
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
-@@ -1004,6 +1284,33 @@ interface(`logging_admin_audit',`
+@@ -1004,6 +1285,33 @@ interface(`logging_admin_audit',`
domain_system_change_exemption($1)
role_transition $2 auditd_initrc_exec_t system_r;
allow $2 system_r;
@@ -34671,7 +34678,7 @@ index 4e94884..8de26ad 100644
')
########################################
-@@ -1032,10 +1339,15 @@ interface(`logging_admin_syslog',`
+@@ -1032,10 +1340,15 @@ interface(`logging_admin_syslog',`
type syslogd_initrc_exec_t;
')
@@ -34689,7 +34696,7 @@ index 4e94884..8de26ad 100644
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1057,6 +1369,8 @@ interface(`logging_admin_syslog',`
+@@ -1057,6 +1370,8 @@ interface(`logging_admin_syslog',`
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
logging_manage_all_logs($1)
@@ -34698,7 +34705,7 @@ index 4e94884..8de26ad 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1085,3 +1399,54 @@ interface(`logging_admin',`
+@@ -1085,3 +1400,90 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
@@ -34753,6 +34760,42 @@ index 4e94884..8de26ad 100644
+
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
++
++#######################################
++## <summary>
++## Create objects in /run/systemd/journal/ directory
++## with an automatic type transition to
++## a specified private type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="private_type">
++## <summary>
++## The type of the object to create.
++## </summary>
++## </param>
++## <param name="object_class">
++## <summary>
++## The class of the object to be created.
++## </summary>
++## </param>
++## <param name="name" optional="true">
++## <summary>
++## The name of the object being created.
++## </summary>
++## </param>
++#
++interface(`logging_syslogd_pid_filetrans',`
++ gen_require(`
++ type syslogd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
++')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..89471ff 100644
--- a/policy/modules/system/logging.te
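Review bot: The summary of `logging_syslogd_pid_filetrans` names the `/run/systemd/journal/` directory as the parent, but the rule is keyed on a type, not a path. `filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)` applies in every directory labeled `syslogd_var_run_t`. Wording such as `Create objects in syslogd pid directories (syslogd_var_run_t) with an automatic type transition to a specified private type.` would match what the interface actually grants.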
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index 16566a2..cba16a9 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -10516,7 +10516,7 @@ index 0000000..968c957
+')
diff --git a/brltty.te b/brltty.te
new file mode 100644
-index 0000000..32c786b
+index 0000000..0efa3a2
--- /dev/null
+++ b/brltty.te
@@ -0,0 +1,61 @@
@@ -10570,7 +10570,7 @@ index 0000000..32c786b
+corenet_tcp_bind_brlp_port(brltty_t)
+
+dev_read_sysfs(brltty_t)
-+dev_getattr_generic_usb_dev(brltty_t)
++dev_rw_generic_usb_dev(brltty_t)
+
+fs_getattr_all_fs(brltty_t)
+
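Review bot: `dev_rw_generic_usb_dev(brltty_t)` is wider than the changelog's "Allow brltty ioctl on usb_device_t". Judging by its name, the interface grants read and write as well as ioctl, on every device node carrying the generic USB label. If no narrower interface fits, a comment at the call would record why the broader access was accepted, for example `# ioctl on usb_device_t needed by brltty, BZ(1190349)`.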
@@ -71897,7 +71897,7 @@ index 20d4697..e6605c1 100644
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
-index 8e26216..d59dc50 100644
+index 8e26216..922c306 100644
--- a/prelink.te
+++ b/prelink.te
@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
@@ -72033,7 +72033,7 @@ index 8e26216..d59dc50 100644
')
optional_policy(`
-@@ -155,17 +138,18 @@ optional_policy(`
+@@ -155,17 +138,20 @@ optional_policy(`
########################################
#
@@ -72047,6 +72047,8 @@ index 8e26216..d59dc50 100644
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
++
++ dontaudit prelink_cron_system_t self:capability sys_resource;
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms;
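Review bot: The added `dontaudit prelink_cron_system_t self:capability sys_resource;` silences the denial without recording why the capability is requested or why refusing it is safe. A one-line comment above the rule, such as `# sys_resource is requested but not required; the denial is harmless`, would help anyone who later debugs with dontaudit rules disabled. That wording assumes this is the actual reasoning, which the diff does not show.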
@@ -72055,7 +72057,7 @@ index 8e26216..d59dc50 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -174,7 +158,7 @@ optional_policy(`
+@@ -174,7 +160,7 @@ optional_policy(`
manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
@@ -72064,7 +72066,7 @@ index 8e26216..d59dc50 100644
kernel_read_system_state(prelink_cron_system_t)
-@@ -184,23 +168,36 @@ optional_policy(`
+@@ -184,23 +170,36 @@ optional_policy(`
dev_list_sysfs(prelink_cron_system_t)
dev_read_sysfs(prelink_cron_system_t)
@@ -85827,7 +85829,7 @@ index ebe91fc..fc8f8ac 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index ef3b225..ac3f823 100644
+index ef3b225..d481e0a 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -86086,7 +86088,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -302,7 +378,25 @@ interface(`rpm_manage_log',`
+@@ -302,7 +378,32 @@ interface(`rpm_manage_log',`
########################################
## <summary>
@@ -86099,12 +86101,19 @@ index ef3b225..ac3f823 100644
+## </summary>
+## </param>
+#
-+interface(`rpm_named_filetrans_log_files',`
++interface(`rpm_named_filetrans',`
+ gen_require(`
+ type rpm_log_t;
++ type rpm_var_lib_t;
+ ')
-+ logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
-+ logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
++ logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
++ logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
++ files_var_filetrans($1, rpm_var_lib_t, dir, "dnf")
++ files_var_filetrans($1, rpm_var_lib_t, dir, "yum")
++ files_var_filetrans($1, rpm_var_lib_t, dir, "rpm")
++ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
++ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
++ files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
+')
+
+########################################
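Review bot: All three `files_var_filetrans` rules in `rpm_named_filetrans` assign `rpm_var_lib_t`, although the changelog also mentions cache directories. If these rules are meant for the dnf/yum/rpm cache directories, the target should presumably be the cache type, e.g. `files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")` with `type rpm_var_cache_t;` added to the `gen_require`. As written, a directory named dnf, yum or rpm created under the parent type that `files_var_filetrans` covers is labeled as RPM database content. The interface is also renamed from `rpm_named_filetrans_log_files`; this diff updates sosreport.te and adds a call in domain.te, but any caller outside the diff would stop compiling.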
@@ -86113,7 +86122,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +421,8 @@ interface(`rpm_use_script_fds',`
########################################
## <summary>
@@ -86124,7 +86133,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +436,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -86141,7 +86150,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +457,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -86159,7 +86168,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +477,14 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -86175,7 +86184,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +504,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
## <summary>
@@ -86184,7 +86193,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -420,8 +518,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +525,7 @@ interface(`rpm_read_cache',`
########################################
## <summary>
@@ -86194,7 +86203,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +546,7 @@ interface(`rpm_manage_cache',`
########################################
## <summary>
@@ -86203,7 +86212,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -459,11 +556,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +563,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -86217,7 +86226,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -482,8 +580,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +587,7 @@ interface(`rpm_delete_db',`
########################################
## <summary>
@@ -86227,7 +86236,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -503,8 +600,28 @@ interface(`rpm_manage_db',`
+@@ -503,8 +607,28 @@ interface(`rpm_manage_db',`
########################################
## <summary>
@@ -86257,7 +86266,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +641,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -86266,7 +86275,7 @@ index ef3b225..ac3f823 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +667,7 @@ interface(`rpm_read_pid_files',`
#####################################
## <summary>
@@ -86276,7 +86285,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +686,7 @@ interface(`rpm_manage_pid_files',`
######################################
## <summary>
@@ -86286,7 +86295,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -573,43 +688,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +695,54 @@ interface(`rpm_manage_pid_files',`
## </param>
#
interface(`rpm_pid_filetrans',`
@@ -86358,7 +86367,7 @@ index ef3b225..ac3f823 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -617,22 +743,56 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +750,56 @@ interface(`rpm_pid_filetrans_rpm_pid',`
## </summary>
## </param>
## <param name="role">
@@ -86426,7 +86435,7 @@ index ef3b225..ac3f823 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -641,9 +801,6 @@ interface(`rpm_admin',`
+@@ -641,9 +808,6 @@ interface(`rpm_admin',`
admin_pattern($1, rpm_file_t)
@@ -95723,7 +95732,7 @@ index 634c6b4..f6db7a7 100644
+')
+
diff --git a/sosreport.te b/sosreport.te
-index f2f507d..9cf6dda 100644
+index f2f507d..b3f8d3b 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -95915,7 +95924,7 @@ index f2f507d..9cf6dda 100644
+ rpm_manage_cache(sosreport_t)
+ rpm_manage_log(sosreport_t)
+ rpm_manage_pid_files(sosreport_t)
-+ rpm_named_filetrans_log_files(sosreport_t)
++ rpm_named_filetrans(sosreport_t)
+ rpm_read_db(sosreport_t)
+ rpm_signull(sosreport_t)
+')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b1a4fbd..9c9299e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 105.3%{?dist}
+Release: 105.4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Feb 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.4
+- Added logging_syslogd_pid_filetrans
+- Additional fix for labeleling /dev/log correctly
+- Label new strongswan binary swanctl and new unit file strongswan-swanctl.service. BZ(1193102)
+- Label /dev/log correctly.
+- Create dnf and yum directories in /var with correct label
+- Dontaudit sys_resource in prelink_cron)_system_t
+- Add filename transitions for /var/lib/rpm and /var/cache/rpm
+- Create dnf and yum directories in /var with correct label
+- Allow brltty ioctl on usb_device_t. BZ(1190349)
+
* Thu Feb 05 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.3
- apmd needs sys_resource when shutting down the machine
- Allow upsmon_t to read urandom device.