lvrabec pushed to selinux-policy (f22). "* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-121 (..more)"
Tue Apr 7 14:29:47 UTC 2015
>From 0904e526bc8b9ec528e92999ec5cf71152136a74 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Tue, 7 Apr 2015 16:29:31 +0200
Subject: * Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-121 -
Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013) -
Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180) -
Merge postfix spool types(maildrop,flush) to one postfix_spool_t - Add
collectd net_raw capability. BZ(1194169) - Fix cloudform policy.(m4 is case
sensitive) - Allow networkmanager and cloud_init_t to dbus chat - Allow
polkit to dbus chat with xserver. (1207478)
diff --git a/policy-f22-base.patch b/policy-f22-base.patch
index 066b881..9e29560 100644
--- a/policy-f22-base.patch
+++ b/policy-f22-base.patch
@@ -25776,7 +25776,7 @@ index 6bf0ecc..b036584 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..4f6e00b 100644
+index 8b40377..2532a81 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -26941,7 +26941,7 @@ index 8b40377..4f6e00b 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1281,50 @@ optional_policy(`
+@@ -785,17 +1281,54 @@ optional_policy(`
')
optional_policy(`
@@ -26984,6 +26984,10 @@ index 8b40377..4f6e00b 100644
+')
+
+optional_policy(`
++ policykit_dbus_chat(xserver_t)
++')
++
++optional_policy(`
udev_read_db(xserver_t)
')
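Review bot: The new `optional_policy` block around `policykit_dbus_chat(xserver_t)` carries no comment on why the X server needs a D-Bus channel to polkit; the only rationale on the page is the bug number in the changelog. As `policykit_dbus_chat` (defined in the policykit module, not visible here) grants `dbus send_msg` in both directions, the rule is wider than the changelog's "allow polkit to dbus chat with xserver" wording suggests, which is worth recording beside the rule. Suggest `# polkit <-> xserver D-Bus chat, see BZ 1207478` above the call. The updated inner header `+@@ -785,17 +1281,54 @@` accounts for exactly the four added lines, so the count is consistent.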
@@ -26994,7 +26998,7 @@ index 8b40377..4f6e00b 100644
')
optional_policy(`
-@@ -803,6 +1332,10 @@ optional_policy(`
+@@ -803,6 +1336,10 @@ optional_policy(`
')
optional_policy(`
@@ -27005,7 +27009,7 @@ index 8b40377..4f6e00b 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1351,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1355,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -27030,7 +27034,7 @@ index 8b40377..4f6e00b 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1374,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1378,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -27065,7 +27069,7 @@ index 8b40377..4f6e00b 100644
')
optional_policy(`
-@@ -912,7 +1439,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1443,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -27074,7 +27078,7 @@ index 8b40377..4f6e00b 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1493,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1497,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -27106,7 +27110,7 @@ index 8b40377..4f6e00b 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1539,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1543,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch
index 22ccf53..2b81411 100644
--- a/policy-f22-contrib.patch
+++ b/policy-f22-contrib.patch
@@ -5153,7 +5153,7 @@ index f6eb485..164501c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..12fcbb6 100644
+index 6649962..9c06038 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -5856,7 +5856,7 @@ index 6649962..12fcbb6 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -6035,6 +6035,7 @@ index 6649962..12fcbb6 100644
- corenet_sendrecv_oracledb_client_packets(httpd_t)
- corenet_tcp_connect_oracledb_port(httpd_t)
- corenet_tcp_sendrecv_oracledb_port(httpd_t)
++ corenet_tcp_connect_mongod_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracle_client_packets(httpd_t)
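Review bot: The added `corenet_tcp_connect_mongod_port(httpd_t)` has no `corenet_sendrecv_mongod_client_packets(httpd_t)` companion, whereas the other database ports in this block pair the connect rule with its `*_client_packets` rule (the mssql and oracle lines right next to it). When SECMARK labelling is in use the packet permission is enforced, so without the pair httpd could open the connection yet have its packets denied. If corenetwork generates the mongod packet interface (the changelog says the mongod port exists), add `corenet_sendrecv_mongod_client_packets(httpd_t)` directly under the new line. The enclosing tunable block, presumably `httpd_can_network_connect_db` per the changelog, starts before this hunk.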
@@ -6095,7 +6096,7 @@ index 6649962..12fcbb6 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -6155,7 +6156,7 @@ index 6649962..12fcbb6 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +796,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +797,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -6248,7 +6249,7 @@ index 6649962..12fcbb6 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +845,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +846,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6329,7 +6330,7 @@ index 6649962..12fcbb6 100644
')
optional_policy(`
-@@ -749,24 +898,32 @@ optional_policy(`
+@@ -749,24 +899,32 @@ optional_policy(`
')
optional_policy(`
@@ -6368,7 +6369,7 @@ index 6649962..12fcbb6 100644
')
optional_policy(`
-@@ -775,6 +932,10 @@ optional_policy(`
+@@ -775,6 +933,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
avahi_dbus_chat(httpd_t)
')
@@ -6379,7 +6380,7 @@ index 6649962..12fcbb6 100644
')
optional_policy(`
-@@ -786,35 +947,60 @@ optional_policy(`
+@@ -786,35 +948,60 @@ optional_policy(`
')
optional_policy(`
@@ -6453,7 +6454,7 @@ index 6649962..12fcbb6 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1008,18 @@ optional_policy(`
+@@ -822,8 +1009,18 @@ optional_policy(`
')
optional_policy(`
@@ -6472,7 +6473,7 @@ index 6649962..12fcbb6 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1028,7 @@ optional_policy(`
+@@ -832,6 +1029,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6480,7 +6481,7 @@ index 6649962..12fcbb6 100644
')
optional_policy(`
-@@ -842,20 +1039,40 @@ optional_policy(`
+@@ -842,20 +1040,40 @@ optional_policy(`
')
optional_policy(`
@@ -6527,7 +6528,7 @@ index 6649962..12fcbb6 100644
')
optional_policy(`
-@@ -863,19 +1080,35 @@ optional_policy(`
+@@ -863,19 +1081,35 @@ optional_policy(`
')
optional_policy(`
@@ -6563,7 +6564,7 @@ index 6649962..12fcbb6 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1116,189 @@ optional_policy(`
+@@ -883,65 +1117,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6775,7 +6776,7 @@ index 6649962..12fcbb6 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1307,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6930,7 +6931,7 @@ index 6649962..12fcbb6 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1391,107 @@ optional_policy(`
+@@ -1083,172 +1392,107 @@ optional_policy(`
')
')
@@ -7168,7 +7169,7 @@ index 6649962..12fcbb6 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1499,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -7265,7 +7266,7 @@ index 6649962..12fcbb6 100644
########################################
#
-@@ -1321,8 +1574,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -7282,7 +7283,7 @@ index 6649962..12fcbb6 100644
')
########################################
-@@ -1330,49 +1590,38 @@ optional_policy(`
+@@ -1330,49 +1591,38 @@ optional_policy(`
# User content local policy
#
@@ -7347,7 +7348,7 @@ index 6649962..12fcbb6 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1631,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1632,101 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -13522,10 +13523,10 @@ index 0000000..a06f04b
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..21e071f
+index 0000000..8c06c5d
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,240 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -13645,6 +13646,10 @@ index 0000000..21e071f
+')
+
+optional_policy(`
++ networkmanager_dbus_chat(cloud_init_t)
++')
++
++optional_policy(`
+ dmidecode_domtrans(cloud_init_t)
+')
+
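Review bot: The new `networkmanager_dbus_chat(cloud_init_t)` block records no reason for the rule, and the changelog gives no bug reference for it either; since the interface (defined in the networkmanager module, not visible here) allows `dbus send_msg` in both directions, cloud-init and NetworkManager can message each other freely. A one-line comment above the call naming the denial or use case that motivated it, e.g. `# cloud-init <-> NetworkManager D-Bus chat (reason: <fill in>)`, would let a later reviewer judge whether the rule is still needed. The changelog also lists an m4 case-sensitivity fix for cloudform, but no visible cloudform.te hunk shows it; the count at `+@@ -0,0 +1,240 @@` grows by exactly the four lines added here, so if that fix edits lines in place it may simply lie outside what this notification shows.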
@@ -14534,7 +14539,7 @@ index 954309e..6780142 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..32e85d5 100644
+index 6471fa8..294d8e0 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
@@ -14556,7 +14561,7 @@ index 6471fa8..32e85d5 100644
#
-allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override };
++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
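Review bot: The widened set at `++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override };` is not explained in the policy itself; `net_raw` is what the `packet_socket create_socket_perms` rule two lines below needs in practice, so a comment tying the two together would help, e.g. `# net_raw: needed to create the packet sockets allowed below, BZ 1194169`. The line also carries `sys_ptrace` and `dac_override`, already present in the removed version of this patch line, and each is a broad capability that deserves the same one-line justification. As a point of style, the names are not in alphabetical order (`net_raw` before `net_admin`), which makes later diffs of this line harder to read. The collectd_t local policy section this line belongs to starts before the hunk.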
@@ -47557,16 +47562,17 @@ index 0000000..e7220a5
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..91adcaf 100644
+index 6fcfc31..1719247 100644
--- a/mongodb.fc
+++ b/mongodb.fc
-@@ -1,9 +1,13 @@
+@@ -1,9 +1,14 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
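Review bot: The new context `++/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)` labels the helper `mongod_exec_t`, but the changelog entry for this change (3.13.1-121, BZ 1202013) says it is labelled `mongod_initrc_exec_t`; one of the two is wrong. The choice matters: with `mongod_exec_t` init would presumably transition straight into mongod_t when it runs the helper (mongodb.te's domain transition rules are not visible here), whereas `mongod_initrc_exec_t` would route it through initrc_t first, so please confirm which was intended and align the fc line or the changelog. The updated inner header `+@@ -1,9 +1,14 @@` matches the single added line.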
@@ -70080,7 +70086,7 @@ index ded95ec..3cf7146 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 5cfb83e..a1ed642 100644
+index 5cfb83e..501c935 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -70153,12 +70159,14 @@ index 5cfb83e..a1ed642 100644
-files_type(postfix_spool_t)
+files_spool_file(postfix_spool_t)
- type postfix_spool_maildrop_t, postfix_spool_type;
+-type postfix_spool_maildrop_t, postfix_spool_type;
-files_type(postfix_spool_maildrop_t)
++typealias postfix_spool_t alias postfix_spool_maildrop_t;
+files_spool_file(postfix_spool_maildrop_t)
- type postfix_spool_flush_t, postfix_spool_type;
+-type postfix_spool_flush_t, postfix_spool_type;
-files_type(postfix_spool_flush_t)
++typealias postfix_spool_t alias postfix_spool_flush_t;
+files_spool_file(postfix_spool_flush_t)
type postfix_public_t;
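Review bot: After `++typealias postfix_spool_t alias postfix_spool_maildrop_t;` the following `files_spool_file(postfix_spool_maildrop_t)` line applies the attribute to what is now just another name for postfix_spool_t, which already receives `files_spool_file` a few lines up; the same holds for the flush alias. The two alias calls are harmless but redundant and read as leftovers from the separate types, so dropping them would make the new layout obvious. A comment such as `# maildrop/flush spools merged into postfix_spool_t; aliases kept so existing labels and rules keep working` would document why the old names survive. The merge also widens access: any domain allowed on postfix_spool_t now reaches the maildrop and flush spools as well, and the aliases take postfix_spool_t's attributes rather than the removed `postfix_spool_type` membership, so rules elsewhere that distinguished the three types should be rechecked.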
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d92a6ee..9f4d7d5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 120%{?dist}
+Release: 121%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-121
+- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
+- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
+- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
+- Add collectd net_raw capability. BZ(1194169)
+- Fix cloudform policy.(m4 is case sensitive)
+- Allow networkmanager and cloud_init_t to dbus chat
+- Allow polkit to dbus chat with xserver. (1207478)
+
* Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-120
- Allow kmscon to read system state. BZ (1206871)
- Allow plymouthd to open usbttys. BZ(1202429)
--