[selinux-policy/f22] * Mon Mar 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-119 - Allow mysqld_t to use pam. BZ(11961

Lukas Vrabec lvrabec at fedoraproject.org
Mon Mar 23 15:20:12 UTC 2015


commit 9ccc74bc698debfddecbc53968adbe9d74c37b99
Author: Lukas Vrabec <lvrabec at redhat.com>
Date:   Mon Mar 23 16:20:02 2015 +0100

    * Mon Mar 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-119
    - Allow mysqld_t to use pam. BZ(1196104)
    - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
    - Allow fetchmail to read mail_spool_t. BZ(1200552)
    - Dontaudit blueman_t write to all mountpoints. BZ(1198272)
    - docker watches for content in the /etc directory
    - Allow all domains some process flags.
    - Turn on overlayfs labeling for testing; we need this backported to F22 and Rawhide. Eventually we will need this in RHEL

 policy-f22-base.patch    | 29 +++++++++++++++--------------
 policy-f22-contrib.patch | 22 +++++++++++++---------
 selinux-policy.spec      | 11 ++++++++++-
 3 files changed, 38 insertions(+), 24 deletions(-)
---
diff --git a/policy-f22-base.patch b/policy-f22-base.patch
index 6ea32b6..cc9b3cf 100644
--- a/policy-f22-base.patch
+++ b/policy-f22-base.patch
@@ -9035,7 +9035,7 @@ index 6a1e4d1..7ac2831 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..005fd45 100644
+index cf04cb5..9dff373 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9102,7 +9102,7 @@ index cf04cb5..005fd45 100644
  
  # create child processes in the domain
 -allow domain self:process { fork sigchld };
-+allow domain self:process { getcap fork getsched signal_perms };
++allow domain self:process { getcap fork getsched signal_perms setrlimit getattr getcap getsched getsession };
  
  # Use trusted objects in /dev
 +dev_read_cpu_online(domain)
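Review bot: The new permission set on the `+allow domain self:process` line lists `getcap` and `getsched` twice; checkpolicy tolerates the repetition, but it reads like a merge slip and hides what the commit actually adds (`setrlimit`, `getattr`, `getsession`). The deduplicated line would be `+allow domain self:process { fork getattr getcap getsched getsession setrlimit signal_perms };`. Because this rule applies to every domain in the policy, a short comment in domain.te naming the bug or the programs that needed `setrlimit`/`getsession` on self would help later audits of why the baseline grant grew; the changelog only says "some process flags".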
@@ -15731,10 +15731,10 @@ index 8416beb..75c7b9d 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..c0b17f8 100644
+index e7d1738..3ed4189 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
-@@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
@@ -15746,6 +15746,7 @@ index e7d1738..c0b17f8 100644
  fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 +fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
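Review bot: The new `+fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);` line carries no comment recording that it is a trial change, although the commit message describes it as enabled for testing and slated for backport; a maintainer reading filesystem.te later cannot tell it from a settled entry. A one-line comment above it such as `# overlay: xattr labeling enabled for testing (3.13.1-119); revisit once kernel support is confirmed` would preserve that intent. Whether the target kernel honours security xattrs on overlay mounts is not visible here; presumably that is what the testing is meant to establish.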
@@ -15753,7 +15754,7 @@ index e7d1738..c0b17f8 100644
  
  # Use the allocating task SID to label inodes in the following filesystem
  # types, and label the filesystem itself with the specified context.
-@@ -53,6 +57,7 @@ type anon_inodefs_t;
+@@ -53,6 +58,7 @@ type anon_inodefs_t;
  fs_type(anon_inodefs_t)
  files_mountpoint(anon_inodefs_t)
  genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
@@ -15761,7 +15762,7 @@ index e7d1738..c0b17f8 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -63,12 +68,18 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,12 +69,18 @@ fs_type(binfmt_misc_fs_t)
  files_mountpoint(binfmt_misc_fs_t)
  genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
  
@@ -15781,7 +15782,7 @@ index e7d1738..c0b17f8 100644
  fs_type(cgroup_t)
  files_mountpoint(cgroup_t)
  dev_associate_sysfs(cgroup_t)
-@@ -88,6 +99,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -88,6 +100,11 @@ fs_noxattr_type(ecryptfs_t)
  files_mountpoint(ecryptfs_t)
  genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
  
@@ -15793,7 +15794,7 @@ index e7d1738..c0b17f8 100644
  type futexfs_t;
  fs_type(futexfs_t)
  genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -96,6 +112,7 @@ type hugetlbfs_t;
+@@ -96,6 +113,7 @@ type hugetlbfs_t;
  fs_type(hugetlbfs_t)
  files_mountpoint(hugetlbfs_t)
  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -15801,7 +15802,7 @@ index e7d1738..c0b17f8 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -118,13 +135,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +136,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
@@ -15817,7 +15818,7 @@ index e7d1738..c0b17f8 100644
  fs_type(pstore_t)
  files_mountpoint(pstore_t)
  dev_associate_sysfs(pstore_t)
-@@ -150,11 +168,6 @@ fs_type(spufs_t)
+@@ -150,11 +169,6 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -15829,7 +15830,7 @@ index e7d1738..c0b17f8 100644
  type sysv_t;
  fs_noxattr_type(sysv_t)
  files_mountpoint(sysv_t)
-@@ -172,6 +185,8 @@ type vxfs_t;
+@@ -172,6 +186,8 @@ type vxfs_t;
  fs_noxattr_type(vxfs_t)
  files_mountpoint(vxfs_t)
  genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -15838,7 +15839,7 @@ index e7d1738..c0b17f8 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -182,6 +197,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +198,8 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -15847,7 +15848,7 @@ index e7d1738..c0b17f8 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -261,6 +278,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +279,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -15856,7 +15857,7 @@ index e7d1738..c0b17f8 100644
  files_mountpoint(removable_t)
  
  #
-@@ -280,6 +299,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +300,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch
index 9e4b237..70eb517 100644
--- a/policy-f22-contrib.patch
+++ b/policy-f22-contrib.patch
@@ -9558,7 +9558,7 @@ index 16ec525..1dd4059 100644
  
  ########################################
 diff --git a/blueman.te b/blueman.te
-index 3a5032e..2097425 100644
+index 3a5032e..7987a21 100644
 --- a/blueman.te
 +++ b/blueman.te
 @@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
@@ -9589,7 +9589,7 @@ index 3a5032e..2097425 100644
  kernel_read_system_state(blueman_t)
  kernel_request_load_module(blueman_t)
  
-@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t)
+@@ -41,29 +42,45 @@ corecmd_exec_bin(blueman_t)
  dev_read_rand(blueman_t)
  dev_read_urand(blueman_t)
  dev_rw_wireless(blueman_t)
@@ -9599,6 +9599,7 @@ index 3a5032e..2097425 100644
  
  files_list_tmp(blueman_t)
 -files_read_usr_files(blueman_t)
++files_dontaudit_write_all_mountpoints(blueman_t)
  
  auth_use_nsswitch(blueman_t)
  
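Review bot: `+files_dontaudit_write_all_mountpoints(blueman_t)` silences the denial rather than granting the access, so if blueman later genuinely needs to write to a mountpoint the failure will be invisible in the audit log and hard to diagnose. A comment recording why suppression is the right answer here, e.g. `# BZ(1198272): blueman probes mountpoints for write access; silence the denial, the access is not needed`, would keep that decision visible; the "not needed" part is inferred from the commit's choice of dontaudit over allow and should be confirmed against the bug. The interface covers every mountpoint type, so the suppression is broader than the single path the bug presumably reported; a narrower dontaudit may suffice if that path is known.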
@@ -28038,7 +28039,7 @@ index c3f7916..cab3954 100644
  	admin_pattern($1, fetchmail_etc_t)
  
 diff --git a/fetchmail.te b/fetchmail.te
-index 742559a..57711b3 100644
+index 742559a..fa51d09 100644
 --- a/fetchmail.te
 +++ b/fetchmail.te
 @@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t)
@@ -28069,7 +28070,7 @@ index 742559a..57711b3 100644
  corenet_all_recvfrom_netlabel(fetchmail_t)
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
  corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,15 +87,23 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +87,24 @@ fs_search_auto_mountpoints(fetchmail_t)
  
  domain_use_interactive_fds(fetchmail_t)
  
@@ -28088,6 +28089,7 @@ index 742559a..57711b3 100644
 +
 +optional_policy(`
 +    mta_send_mail(fetchmail_t)
++    mta_read_spool(fetchmail_t)
 +')
 +
 +optional_policy(`
@@ -52668,10 +52670,10 @@ index b708708..dd6e04b 100644
 +	apache_search_sys_content(munin_t)
 +')
 diff --git a/mysql.fc b/mysql.fc
-index 06f8666..4a315d5 100644
+index 06f8666..d813d8a 100644
 --- a/mysql.fc
 +++ b/mysql.fc
-@@ -1,12 +1,25 @@
+@@ -1,12 +1,26 @@
 -HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
 -
 -/etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
@@ -52697,6 +52699,7 @@ index 06f8666..4a315d5 100644
 +#
 +/etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 +/etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
++/etc/my\.cnf\.d(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
 +/etc/rc\.d/init\.d/mysqld --	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
 +
@@ -52706,7 +52709,7 @@ index 06f8666..4a315d5 100644
  /usr/bin/mysqld_safe	--	gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
  /usr/bin/mysql_upgrade	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  
-@@ -14,14 +27,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -14,14 +28,17 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
  
  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -53284,7 +53287,7 @@ index 687af38..5381f1b 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..a110a1a 100644
+index 7584bbe..b852ab1 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
@@ -53417,7 +53420,8 @@ index 7584bbe..a110a1a 100644
 +files_search_pids(mysqld_t)
 +files_getattr_all_sockets(mysqld_t)
  
- auth_use_nsswitch(mysqld_t)
+-auth_use_nsswitch(mysqld_t)
++auth_use_pam(mysqld_t)
  
  logging_send_syslog_msg(mysqld_t)
  
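Review bot: Replacing `auth_use_nsswitch(mysqld_t)` with `auth_use_pam(mysqld_t)` only keeps name-service access if this policy's `auth_use_pam` interface itself calls `auth_use_nsswitch`; upstream refpolicy's does, but the f22 auth.if is not on the page, so this should be confirmed rather than assumed, otherwise mysqld loses the nsswitch access it had. `auth_use_pam` is also a much broader grant than nsswitch, typically including the password-check helper transition and login-record access, handed here to a network-facing daemon, which deserves a why-comment such as `# BZ(1196104): mysqld authenticates through PAM; auth_use_pam is expected to cover nsswitch as well`. If that inclusion is uncertain, keeping `auth_use_nsswitch(mysqld_t)` next to the new `auth_use_pam(mysqld_t)` is harmless and makes the dependency explicit.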
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c2d2b01..8553c5c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 118%{?dist}
+Release: 119%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Mar 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-119
+- Allow mysqld_t to use pam. BZ(1196104)
+- Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)
+- Allow fetchmail to read mail_spool_t. BZ(1200552)
+- Dontaudit blueman_t write to all mountpoints. BZ(1198272)
+- docker watches for content in the /etc directory
+- Allow all domains some process flags.
+- Turn on overlayfs labeling for testin, we need this backported to F22 and Rawhide.  Eventually will need this in RHEL
+
 * Mon Mar 16 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-118
 - docker watches for content in the /etc directory
 - Fix abrt_filetrans_named_content() to create /var/tmp/abrt with the correct abrt_var_cache_t labeling.

