lvrabec pushed to selinux-policy (f21). "* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.12 (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Tue Apr 7 14:32:48 UTC 2015


From 8378748437ae41e9cb3e654fde38af4303f85d39 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Tue, 7 Apr 2015 16:32:22 +0200
Subject: * Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.12 -
 Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013) -
 Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180) -
 Merge postfix spool types(maildrop,flush) to one postfix_spool_t - Add
 collectd net_raw capability. BZ(1194169)


diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index b64644c..8ecfe90 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -5143,7 +5143,7 @@ index f6eb485..164501c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 6649962..3226dec 100644
+index 6649962..0eb93ab 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@@ -5846,7 +5846,7 @@ index 6649962..3226dec 100644
  allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +567,173 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +567,174 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
@@ -6025,6 +6025,7 @@ index 6649962..3226dec 100644
 -	corenet_sendrecv_oracledb_client_packets(httpd_t)
 -	corenet_tcp_connect_oracledb_port(httpd_t)
 -	corenet_tcp_sendrecv_oracledb_port(httpd_t)
++	corenet_tcp_connect_mongod_port(httpd_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_t)
 +	corenet_tcp_connect_oracle_port(httpd_t)
 +	corenet_sendrecv_oracle_client_packets(httpd_t)
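Review bot: The added `corenet_tcp_connect_mongod_port(httpd_t)` has no matching `corenet_sendrecv_mongod_client_packets(httpd_t)`, while the neighbouring oracle entry pairs its connect rule with a sendrecv client-packets rule and mssql has one as well. If the mongod port declaration generates that interface (not visible here), adding it keeps the block consistent and avoids denials on hosts that label packets with SECMARK. The enclosing tunable_policy block starts outside the hunk; going by the commit message it is httpd_can_network_connect_db, so that boolean's description should also mention MongoDB, since turning it on now lets httpd_t reach one more service.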
@@ -6085,7 +6086,7 @@ index 6649962..3226dec 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +744,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +745,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -6145,7 +6146,7 @@ index 6649962..3226dec 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +796,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +797,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6238,7 +6239,7 @@ index 6649962..3226dec 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +845,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +846,48 @@ tunable_policy(`httpd_setrlimit',`
  
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6319,7 +6320,7 @@ index 6649962..3226dec 100644
  ')
  
  optional_policy(`
-@@ -749,24 +898,32 @@ optional_policy(`
+@@ -749,24 +899,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6358,7 +6359,7 @@ index 6649962..3226dec 100644
  ')
  
  optional_policy(`
-@@ -775,6 +932,10 @@ optional_policy(`
+@@ -775,6 +933,10 @@ optional_policy(`
  	tunable_policy(`httpd_dbus_avahi',`
  		avahi_dbus_chat(httpd_t)
  	')
@@ -6369,7 +6370,7 @@ index 6649962..3226dec 100644
  ')
  
  optional_policy(`
-@@ -786,35 +947,60 @@ optional_policy(`
+@@ -786,35 +948,60 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6443,7 +6444,7 @@ index 6649962..3226dec 100644
  
  	tunable_policy(`httpd_manage_ipa',`
  		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1008,18 @@ optional_policy(`
+@@ -822,8 +1009,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6462,7 +6463,7 @@ index 6649962..3226dec 100644
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1028,7 @@ optional_policy(`
+@@ -832,6 +1029,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -6470,7 +6471,7 @@ index 6649962..3226dec 100644
  ')
  
  optional_policy(`
-@@ -842,20 +1039,40 @@ optional_policy(`
+@@ -842,20 +1040,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6517,7 +6518,7 @@ index 6649962..3226dec 100644
  ')
  
  optional_policy(`
-@@ -863,19 +1080,35 @@ optional_policy(`
+@@ -863,19 +1081,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6553,7 +6554,7 @@ index 6649962..3226dec 100644
  	udev_read_db(httpd_t)
  ')
  
-@@ -883,65 +1116,189 @@ optional_policy(`
+@@ -883,65 +1117,189 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -6765,7 +6766,7 @@ index 6649962..3226dec 100644
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
  
-@@ -950,123 +1307,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
  logging_search_logs(httpd_suexec_t)
  logging_send_syslog_msg(httpd_suexec_t)
  
@@ -6920,7 +6921,7 @@ index 6649962..3226dec 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1391,106 @@ optional_policy(`
+@@ -1083,172 +1392,106 @@ optional_policy(`
  	')
  ')
  
@@ -7157,7 +7158,7 @@ index 6649962..3226dec 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1498,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1499,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -7254,7 +7255,7 @@ index 6649962..3226dec 100644
  
  ########################################
  #
-@@ -1321,8 +1573,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1574,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -7271,7 +7272,7 @@ index 6649962..3226dec 100644
  ')
  
  ########################################
-@@ -1330,49 +1589,38 @@ optional_policy(`
+@@ -1330,49 +1590,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -7336,7 +7337,7 @@ index 6649962..3226dec 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1630,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1631,101 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -14523,7 +14524,7 @@ index 954309e..6780142 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..32e85d5 100644
+index 6471fa8..294d8e0 100644
 --- a/collectd.te
 +++ b/collectd.te
 @@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
@@ -14545,7 +14546,7 @@ index 6471fa8..32e85d5 100644
  #
  
 -allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_admin sys_nice sys_ptrace dac_override };
++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_override };
  allow collectd_t self:process { getsched setsched signal };
  allow collectd_t self:fifo_file rw_fifo_file_perms;
  allow collectd_t self:packet_socket create_socket_perms;
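Review bot: `net_raw` is added to an unconditional `allow collectd_t self:capability` rule that already carries `net_admin`, `sys_ptrace` and `dac_override`, so every collectd installation gets the raw-socket capability whether or not it runs a plugin that needs it. Consider a comment above the rule recording why it is needed, e.g. `# net_raw: required by <plugin name> (BZ 1194169)`, or placing the capability behind a boolean if only optional plugins use it. Only a `packet_socket` rule is visible in the context lines; whether a matching `rawip_socket` rule exists for the same use cannot be seen from this hunk.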
@@ -47372,16 +47373,17 @@ index 0000000..e7220a5
 +logging_send_syslog_msg(mon_procd_t)
 +
 diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..91adcaf 100644
+index 6fcfc31..1719247 100644
 --- a/mongodb.fc
 +++ b/mongodb.fc
-@@ -1,9 +1,13 @@
+@@ -1,9 +1,14 @@
  /etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
  
 -/usr/bin/mongod	--	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongod	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongos	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/share/aeolus-conductor/dbomatic/dbomatic   --   gen_context(system_u:object_r:mongod_exec_t,s0)
++/usr/libexec/mongodb-scl-helper                 --   gen_context(system_u:object_r:mongod_exec_t,s0)
  
  /var/lib/mongo.*	gen_context(system_u:object_r:mongod_var_lib_t,s0)
  
@@ -69894,7 +69896,7 @@ index ded95ec..3cf7146 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
  ')
 diff --git a/postfix.te b/postfix.te
-index 5cfb83e..a1ed642 100644
+index 5cfb83e..501c935 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -69967,12 +69969,14 @@ index 5cfb83e..a1ed642 100644
 -files_type(postfix_spool_t)
 +files_spool_file(postfix_spool_t)
  
- type postfix_spool_maildrop_t, postfix_spool_type;
+-type postfix_spool_maildrop_t, postfix_spool_type;
 -files_type(postfix_spool_maildrop_t)
++typealias postfix_spool_t alias postfix_spool_maildrop_t;
 +files_spool_file(postfix_spool_maildrop_t)
  
- type postfix_spool_flush_t, postfix_spool_type;
+-type postfix_spool_flush_t, postfix_spool_type;
 -files_type(postfix_spool_flush_t)
++typealias postfix_spool_t alias postfix_spool_flush_t;
 +files_spool_file(postfix_spool_flush_t)
  
  type postfix_public_t;
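Review bot: After the two `typealias postfix_spool_t alias …;` lines, `files_spool_file(postfix_spool_maildrop_t)` and `files_spool_file(postfix_spool_flush_t)` are kept, but both names now resolve to `postfix_spool_t`, which already has `files_spool_file(postfix_spool_t)` a few lines above, so the two calls are redundant and can be dropped. More importantly, every rule written against the maildrop or flush type now applies to the whole spool type, so a domain that could previously write only the maildrop directory may gain the same access to queue and flush files; the rules that reference the old names lie outside this hunk and should be audited. The removed declarations also carried the `postfix_spool_type` attribute, and the declaration of `postfix_spool_t` is not visible here, so confirm it is declared with that attribute.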
diff --git a/selinux-policy.spec b/selinux-policy.spec
index defcd88..6842829 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 105.11%{?dist}
+Release: 105.12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.12
+- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
+- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
+- Merge postfix spool types(maildrop,flush) to one postfix_spool_t
+- Add collectd net_raw capability. BZ(1194169)
+
 * Thu Apr 02 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.11
 - Allow networkmanager and cloud_init_t to dbus chat
 - Fix sysnet_filetrans_named_content interface. BZ(1207942)
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=f21&id=8378748437ae41e9cb3e654fde38af4303f85d39

