lvrabec pushed to selinux-policy (f22). "* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-121 (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Tue Apr 7 14:29:47 UTC 2015


>From 0904e526bc8b9ec528e92999ec5cf71152136a74 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Tue, 7 Apr 2015 16:29:31 +0200
Subject: * Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-121 -
 Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013) -
 Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180) -
 Merge postfix spool types(maildrop,flush) to one postfix_spool_t - Add
 collectd net_raw capability. BZ(1194169) - Fix cloudform policy.(m4 is case
 sensitive) - Allow networkmanager and cloud_init_t to dbus chat - Allow
 polkit to dbus chat with xserver. (1207478)


diff --git a/policy-f22-base.patch b/policy-f22-base.patch
index 066b881..9e29560 100644
--- a/policy-f22-base.patch
+++ b/policy-f22-base.patch
@@ -25776,7 +25776,7 @@ index 6bf0ecc..b036584 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..4f6e00b 100644
+index 8b40377..2532a81 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,66 @@ gen_require(`
@@ -26941,7 +26941,7 @@ index 8b40377..4f6e00b 100644
  ifndef(`distro_redhat',`
  	allow xserver_t self:process { execmem execheap execstack };
  	domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1281,50 @@ optional_policy(`
+@@ -785,17 +1281,54 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26984,6 +26984,10 @@ index 8b40377..4f6e00b 100644
 +')
 +
 +optional_policy(`
++    policykit_dbus_chat(xserver_t)
++')
++
++optional_policy(`
  	udev_read_db(xserver_t)
  ')
  
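Review bot: The new `policykit_dbus_chat(xserver_t)` block at the top of the hunk carries no comment saying why the X server needs D-Bus messaging with polkit; the bug number is recorded only in the changelog. Refpolicy `*_dbus_chat` interfaces grant send_msg in both directions, so a one-line comment above the call such as `# BZ 1207478: xserver exchanges dbus messages with polkitd — confirm both directions are needed` would keep the least-privilege rationale next to the rule. The enclosing run of optional_policy blocks in xserver.te continues outside the hunk.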
@@ -26994,7 +26998,7 @@ index 8b40377..4f6e00b 100644
  ')
  
  optional_policy(`
-@@ -803,6 +1332,10 @@ optional_policy(`
+@@ -803,6 +1336,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27005,7 +27009,7 @@ index 8b40377..4f6e00b 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -818,18 +1351,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1355,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -27030,7 +27034,7 @@ index 8b40377..4f6e00b 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -842,26 +1374,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1378,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -27065,7 +27069,7 @@ index 8b40377..4f6e00b 100644
  ')
  
  optional_policy(`
-@@ -912,7 +1439,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1443,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -27074,7 +27078,7 @@ index 8b40377..4f6e00b 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -966,11 +1493,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1497,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -27106,7 +27110,7 @@ index 8b40377..4f6e00b 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1539,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1543,148 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch
index 22ccf53..2b81411 100644
--- a/policy-f22-contrib.patch
+++ b/policy-f22-contrib.patch
@@ -5153,7 +5153,7 @@ index f6eb485..164501c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..12fcbb6 100644
+index 6649962..9c06038 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -5856,7 +5856,7 @@ index 6649962..12fcbb6 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -6035,6 +6035,7 @@ index 6649962..12fcbb6 100644
 -	corenet_sendrecv_oracledb_client_packets(httpd_t)
 -	corenet_tcp_connect_oracledb_port(httpd_t)
 -	corenet_tcp_sendrecv_oracledb_port(httpd_t)
++	corenet_tcp_connect_mongod_port(httpd_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_t)
 +	corenet_tcp_connect_oracle_port(httpd_t)
 +	corenet_sendrecv_oracle_client_packets(httpd_t)
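Review bot: The added `corenet_tcp_connect_mongod_port(httpd_t)` breaks the pairing the neighbouring lines follow, where each `corenet_tcp_connect_*_port` call sits next to a `corenet_sendrecv_*_client_packets` call (see the mssql and oracle lines just below it). Adding `corenet_sendrecv_mongod_client_packets(httpd_t)` beside it would keep the packet-class rule consistent with the other database ports in this block, assuming the mongod port is declared through network_port() in corenetwork so that interface is generated. The surrounding tunable_policy block begins outside the hunk, so it cannot be seen here whether the new line actually lands inside the `httpd_can_network_connect_db` tunable as the changelog states rather than being granted unconditionally; that placement is the security-relevant part of the change and deserves a look.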
@@ -6095,7 +6096,7 @@ index 6649962..12fcbb6 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -6155,7 +6156,7 @@ index 6649962..12fcbb6 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +796,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +797,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6248,7 +6249,7 @@ index 6649962..12fcbb6 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +845,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +846,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6329,7 +6330,7 @@ index 6649962..12fcbb6 100644
  ')
  
  optional_policy(`
-@@ -749,24 +898,32 @@ optional_policy(`
+@@ -749,24 +899,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6368,7 +6369,7 @@ index 6649962..12fcbb6 100644
  ')
  
  optional_policy(`
-@@ -775,6 +932,10 @@ optional_policy(`
+@@ -775,6 +933,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
  		avahi_dbus_chat(httpd_t)
  	')
@@ -6379,7 +6380,7 @@ index 6649962..12fcbb6 100644
  ')
  
  optional_policy(`
-@@ -786,35 +947,60 @@ optional_policy(`
+@@ -786,35 +948,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6453,7 +6454,7 @@ index 6649962..12fcbb6 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1008,18 @@ optional_policy(`
+@@ -822,8 +1009,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6472,7 +6473,7 @@ index 6649962..12fcbb6 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1028,7 @@ optional_policy(`
+@@ -832,6 +1029,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6480,7 +6481,7 @@ index 6649962..12fcbb6 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1039,40 @@ optional_policy(`
+@@ -842,20 +1040,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6527,7 +6528,7 @@ index 6649962..12fcbb6 100644
  ')
  
  optional_policy(`
-@@ -863,19 +1080,35 @@ optional_policy(`
+@@ -863,19 +1081,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6563,7 +6564,7 @@ index 6649962..12fcbb6 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -883,65 +1116,189 @@ optional_policy(`
+@@ -883,65 +1117,189 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6775,7 +6776,7 @@ index 6649962..12fcbb6 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1307,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6930,7 +6931,7 @@ index 6649962..12fcbb6 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1391,107 @@ optional_policy(`
+@@ -1083,172 +1392,107 @@ optional_policy(`
  	')
  ')
  
@@ -7168,7 +7169,7 @@ index 6649962..12fcbb6 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1499,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7265,7 +7266,7 @@ index 6649962..12fcbb6 100644
  
  ########################################
  #
-@@ -1321,8 +1574,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7282,7 +7283,7 @@ index 6649962..12fcbb6 100644
  ')
  
  ########################################
-@@ -1330,49 +1590,38 @@ optional_policy(`
+@@ -1330,49 +1591,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7347,7 +7348,7 @@ index 6649962..12fcbb6 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1631,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1632,101 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -13522,10 +13523,10 @@ index 0000000..a06f04b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..21e071f
+index 0000000..8c06c5d
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,240 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -13645,6 +13646,10 @@ index 0000000..21e071f
 +')
 +
 +optional_policy(`
++    networkmanager_dbus_chat(cloud_init_t)
++')
++
++optional_policy(`
 +    dmidecode_domtrans(cloud_init_t)
 +')
 +
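Review bot: The hunk adds `networkmanager_dbus_chat(cloud_init_t)` without a comment explaining which cloud-init interaction needs two-way D-Bus messaging with NetworkManager; `*_dbus_chat` interfaces allow send_msg in both directions, so a note such as `# cloud-init talks to NetworkManager over D-Bus (calls plus replies/signals) — confirm both directions are needed` would document the least-privilege reasoning. The changelog line "Fix cloudform policy.(m4 is case sensitive)" does not correspond to anything in this hunk: the inner hunk header only grows from 236 to 240 lines, which accounts exactly for the four added lines, so that fix either lives in a file not shown here or the changelog entry is stale. cloudform.te continues outside the hunk on both sides.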
@@ -14534,7 +14539,7 @@ index 954309e..6780142 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..32e85d5 100644
+index 6471fa8..294d8e0 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
@@ -14556,7 +14561,7 @@ index 6471fa8..32e85d5 100644
  #
  
 -allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override };
++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override };
  allow collectd_t self:process { getsched setsched signal };
  allow collectd_t self:fifo_file rw_fifo_file_perms;
  allow collectd_t self:packet_socket create_socket_perms;
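Review bot: `net_raw` joins an already broad self:capability set (net_admin, sys_ptrace, dac_override) on the changed allow line with nothing recording why, and the bug reference lives only in the changelog. A why-comment would help later pruning of the set: `# net_raw: raw/packet sockets (BZ 1194169; presumably the ping plugin — confirm)`. The existing `packet_socket create_socket_perms` rule three lines below is the likely consumer, but that is inferred rather than shown by the hunk.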
@@ -47557,16 +47562,17 @@ index 0000000..e7220a5
 +logging_send_syslog_msg(mon_procd_t)
 +
 diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..91adcaf 100644
+index 6fcfc31..1719247 100644
 --- a/mongodb.fc
 +++ b/mongodb.fc
-@@ -1,9 +1,13 @@
+@@ -1,9 +1,14 @@
  /etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
  
 -/usr/bin/mongod	--	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongod	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongos	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/share/aeolus-conductor/dbomatic/dbomatic   --   gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/libexec/mongodb-scl-helper                 --   gen_context(system_u:object_r:mongod_exec_t,s0)
  
  /var/lib/mongo.*	gen_context(system_u:object_r:mongod_var_lib_t,s0)
  
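Review bot: The new fc entry labels `/usr/libexec/mongodb-scl-helper` as `mongod_exec_t`, while the commit subject and the changelog entry say it is labelled `mongod_initrc_exec_t`; one of the two is wrong. The difference matters: in this same file mongod_exec_t is the label of the daemon binary `/usr/bin/mongod` and mongod_initrc_exec_t the label of the init script `/etc/rc.d/init.d/mongod`, so the label decides which domain an invocation of the helper transitions into. Either change the fc line to `gen_context(system_u:object_r:mongod_initrc_exec_t,s0)` or fix the changelog, according to what BZ(1202013) actually asks for.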
@@ -70080,7 +70086,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..a1ed642 100644
+index 5cfb83e..501c935 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -70153,12 +70159,14 @@ index 5cfb83e..a1ed642 100644
 -files_type(postfix_spool_t)
 +files_spool_file(postfix_spool_t)
  
- type postfix_spool_maildrop_t, postfix_spool_type;
+-type postfix_spool_maildrop_t, postfix_spool_type;
 -files_type(postfix_spool_maildrop_t)
++typealias postfix_spool_t alias postfix_spool_maildrop_t;
 +files_spool_file(postfix_spool_maildrop_t)
  
- type postfix_spool_flush_t, postfix_spool_type;
+-type postfix_spool_flush_t, postfix_spool_type;
 -files_type(postfix_spool_flush_t)
++typealias postfix_spool_t alias postfix_spool_flush_t;
 +files_spool_file(postfix_spool_flush_t)
  
  type postfix_public_t;
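Review bot: Turning `postfix_spool_maildrop_t` and `postfix_spool_flush_t` into aliases of `postfix_spool_t` merges their access rights: every rule elsewhere that granted a domain access to only the maildrop or flush spool (typically the maildrop queue is the one unprivileged submitters reach through postdrop) now reaches the whole postfix_spool_t spool, and vice versa. That widening is not mentioned in the changelog; a comment above the typealias lines, `# maildrop/flush merged into postfix_spool_t: any domain with rights on either now has them on the whole spool`, would record it for the next audit. The retained `files_spool_file(postfix_spool_maildrop_t)` and `files_spool_file(postfix_spool_flush_t)` calls now re-apply the attribute to the same type and can be dropped. The type declarations continue outside the hunk.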
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d92a6ee..9f4d7d5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 120%{?dist}
+Release: 121%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-121
+- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
+- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
+- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
+- Add collectd net_raw capability. BZ(1194169)
+- Fix cloudform policy.(m4 is case sensitive)
+- Allow networkmanager and cloud_init_t to dbus chat
+- Allow polkit to dbus chat with xserver. (1207478)
+
 * Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-120
 - Allow kmscon to read system state. BZ (1206871)
 - Allow plymouthd to open usbttys. BZ(1202429)
-- 