lvrabec pushed to selinux-policy (f22). "* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-122 (..more)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Wed Apr 15 15:17:39 UTC 2015
>From 95a9e4b8b9534b258c3debd092cbf207dae94f60 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed, 15 Apr 2015 17:17:22 +0200
Subject: * Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-122 -
Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to
read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) -
Allow mock_t to use ptmx. BZ(1181333) - Allow dnssec_trigger_t to create
resolv files labeled as net_conf_t - Allow dnssec_trigger_t to stream connect
to networkmanager. - Fix labeling for keystone CGI scripts. - Add more
restriction on entrypoint for unconfined domains. - Allow systemd_networkd_t
to load kernel module. BZ(1209402) - Allow systemd_networkd cap.
dac_override. BZ(1204352) - Label new dnssec-trigger files.
diff --git a/policy-f22-base.patch b/policy-f22-base.patch
index 9e29560..201e244 100644
--- a/policy-f22-base.patch
+++ b/policy-f22-base.patch
@@ -15731,7 +15731,7 @@ index 8416beb..75c7b9d 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..3ed4189 100644
+index e7d1738..6ac60c3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -15865,6 +15865,19 @@ index e7d1738..3ed4189 100644
########################################
#
+@@ -301,9 +322,10 @@ fs_associate_noxattr(noxattrfs)
+ # Unconfined access to this module
+ #
+
+-allow filesystem_unconfined_type filesystem_type:filesystem *;
++allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;
+
+ # Create/access other files. fs_type is to pick up various
+ # pseudo filesystem types that are applied to both the filesystem
+ # and its files.
+-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
++allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
++allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
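Review bot: The new `file ~entrypoint` rules that replace the `*` grants for filesystem_unconfined_type, and the matching ones for kern_unconfined in the kernel.te hunk below (ending at line 82), carry no comment saying why the carve-out exists, so a later contributor chasing an entrypoint denial may simply restore `*`. A one-line comment above each new rule would pin the intent, e.g. `# entrypoint is withheld on purpose: it restricts which files can be used to enter unconfined domains`. The `filesystem *` to `all_filesystem_perms` change in the same hunk is presumably equivalent today but, unlike `*`, will not grow if the class gains permissions later; a word in that comment would make clear whether that is intended.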
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
index 7be4ddf..71e675a 100644
--- a/policy/modules/kernel/kernel.fc
@@ -17088,7 +17101,7 @@ index e100d88..f45a698 100644
+ allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..96d9a91 100644
+index 8dbab4c..15c063c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -17375,7 +17388,23 @@ index 8dbab4c..96d9a91 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +496,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) {
+ # Rules for unconfined acccess to this module
+ #
+
+-allow kern_unconfined proc_type:{ dir file lnk_file } *;
++allow kern_unconfined proc_type:{ file } ~entrypoint;
++allow kern_unconfined proc_type:{ dir lnk_file } *;
+
+-allow kern_unconfined sysctl_type:{ dir file } *;
++allow kern_unconfined sysctl_type:{ file } ~entrypoint;
++allow kern_unconfined sysctl_type:{ dir } *;
+
+ allow kern_unconfined kernel_t:system *;
+
+-allow kern_unconfined unlabeled_t:dir_file_class_set *;
++allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
++allow kern_unconfined unlabeled_t:file ~entrypoint;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@@ -39294,10 +39323,10 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 40edc18..b328c40 100644
+index 40edc18..95f4458 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,23 +17,27 @@ ifdef(`distro_debian',`
+@@ -17,23 +17,29 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -39312,6 +39341,8 @@ index 40edc18..b328c40 100644
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0)
++/etc/resolv-secure.conf.* gen_context(system_u:object_r:net_conf_t,s0)
++/etc/\.resolv\.conf.* gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
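Review bot: The new `/etc/resolv-secure.conf.*` entry leaves the dot before `conf` unescaped, unlike the neighbouring `resolv\.conf` and `yp\.conf` entries, so it is a regex wildcard rather than a literal dot; write it as `/etc/resolv-secure\.conf.*  gen_context(system_u:object_r:net_conf_t,s0)`. Separately, the sysnetwork.if hunk further down (ending at line 153) adds a named transition for `.resolv-secure.conf.dnssec-trigger`, but neither new context line here matches a name beginning with `.resolv-secure`, so unless an entry outside this hunk covers it a relabel would move that file back to the /etc default type. A matching `/etc/\.resolv-secure\.conf.*  gen_context(system_u:object_r:net_conf_t,s0)` line would keep the two hunks consistent.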
@@ -39330,7 +39361,7 @@ index 40edc18..b328c40 100644
#
# /sbin
-@@ -44,6 +48,7 @@ ifdef(`distro_redhat',`
+@@ -44,6 +50,7 @@ ifdef(`distro_redhat',`
/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
@@ -39338,7 +39369,7 @@ index 40edc18..b328c40 100644
/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
-@@ -55,6 +60,21 @@ ifdef(`distro_redhat',`
+@@ -55,6 +62,21 @@ ifdef(`distro_redhat',`
#
# /usr
#
@@ -39360,7 +39391,7 @@ index 40edc18..b328c40 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
-@@ -77,3 +97,6 @@ ifdef(`distro_debian',`
+@@ -77,3 +99,6 @@ ifdef(`distro_debian',`
/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
@@ -39368,7 +39399,7 @@ index 40edc18..b328c40 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..8dbfc5b 100644
+index 2cea692..fd3a212 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -39737,7 +39768,7 @@ index 2cea692..8dbfc5b 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1010,122 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1010,125 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -39807,6 +39838,9 @@ index 2cea692..8dbfc5b 100644
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
+ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
++ files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf")
++ files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger")
++ files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger")
+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
@@ -41776,10 +41810,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b4916c2
+index 0000000..0005833
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,707 @@
+@@ -0,0 +1,708 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -42020,7 +42054,7 @@ index 0000000..b4916c2
+# systemd-networkd local policy
+#
+
-+allow systemd_networkd_t self:capability { net_admin net_raw setuid fowner chown setgid setpcap };
++allow systemd_networkd_t self:capability { dac_override net_admin net_raw setuid fowner chown setgid setpcap };
+allow systemd_networkd_t self:process { getcap setcap };
+
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
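Review bot: `dac_override` is added to systemd_networkd_t's capability set with nothing in the hunk recording why, although the changelog cites BZ(1204352). Because dac_override lets the daemon bypass file permission checks outright, the comment should say whether the denial was a read/search on a root-unreadable path, in which case the narrower `dac_read_search` would suffice, or a write, which genuinely needs `dac_override`; e.g. `# dac_override: see BZ(1204352)` above the allow rule. The same missing-rationale point applies to the `kernel_request_load_module(systemd_networkd_t)` call in the next hunk (ending at line 183), which the changelog ties to BZ(1209402).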
@@ -42034,6 +42068,7 @@ index 0000000..b4916c2
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_dgram_send(systemd_networkd_t)
++kernel_request_load_module(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
diff --git a/policy-f22-contrib.patch b/policy-f22-contrib.patch
index 2b81411..0944a3b 100644
--- a/policy-f22-contrib.patch
+++ b/policy-f22-contrib.patch
@@ -546,7 +546,7 @@ index 058d908..158acba 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..ab4ab96 100644
+index eb50f07..7f6a8b6 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -1006,7 +1006,7 @@ index eb50f07..ab4ab96 100644
#
-allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override };
++allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override };
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
@@ -1049,7 +1049,7 @@ index eb50f07..ab4ab96 100644
#######################################
#
-@@ -404,25 +512,54 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +512,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1068,6 +1068,10 @@ index eb50f07..ab4ab96 100644
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
++optional_policy(`
++ gnome_list_home_config(abrt_watch_log_t)
++')
++
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
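Review bot: The new `gnome_list_home_config(abrt_watch_log_t)` block grants the permission to abrt_watch_log_t, while the changelog entry for this change reads "Allow abrtd to list home config. BZ(1199658)", so one of the two names the wrong domain. If the denial in the bug was really against abrt_watch_log_t, reword the changelog line to say so; if it was against abrt_t, the call belongs in abrt_t's section instead. A short comment above the `optional_policy` block, e.g. `# BZ(1199658)`, would also tie the rule to its justification.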
@@ -1106,7 +1110,7 @@ index eb50f07..ab4ab96 100644
')
#######################################
-@@ -430,10 +567,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +571,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -24837,10 +24841,10 @@ index 0000000..457d4dd
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..7f0943f
+index 0000000..46f4d2c
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,63 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -24885,6 +24889,7 @@ index 0000000..7f0943f
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
++files_dontaudit_list_tmp(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
@@ -24892,6 +24897,7 @@ index 0000000..7f0943f
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
++sysnet_filetrans_named_content(dnssec_trigger_t)
+
+optional_policy(`
+ bind_domtrans(dnssec_trigger_t)
@@ -24899,7 +24905,9 @@ index 0000000..7f0943f
+ bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
-+
++optional_policy(`
++ networkmanager_stream_connect(dnssec_trigger_t)
++')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644
--- a/dnssectrigger.te
@@ -40548,7 +40556,7 @@ index 628b78b..fe65617 100644
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
-index b273d80..9b6e9bd 100644
+index b273d80..6b2b50d 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,7 +1,13 @@
@@ -40558,7 +40566,7 @@ index b273d80..9b6e9bd 100644
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
-+/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
++/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
+
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
@@ -46942,10 +46950,10 @@ index 0000000..f5b98e6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..1bf717f
+index 0000000..86766b0
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,278 @@
+policy_module(mock,1.0.0)
+
+## <desc>
@@ -47080,6 +47088,7 @@ index 0000000..1bf717f
+term_search_ptys(mock_t)
+term_mount_pty_fs(mock_t)
+term_unmount_pty_fs(mock_t)
++term_use_ptmx(mock_t)
+
+auth_use_nsswitch(mock_t)
+
@@ -47562,17 +47571,16 @@ index 0000000..e7220a5
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..1719247 100644
+index 6fcfc31..91adcaf 100644
--- a/mongodb.fc
+++ b/mongodb.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
-+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
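Review bot: This hunk drops the `/usr/libexec/mongodb-scl-helper  --  gen_context(system_u:object_r:mongod_exec_t,s0)` entry from mongodb.fc, but none of the changelog lines in this commit mention it. The previous release's entry (3.13.1-121) says that path was labeled mongod_initrc_exec_t, so this presumably removes a now-conflicting second context for the same path; that should be stated in the changelog, e.g. `- Remove stale mongod_exec_t context for /usr/libexec/mongodb-scl-helper`.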
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f4d7d5..c4bcf6c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 121%{?dist}
+Release: 122%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-122
+- Allow abrtd to list home config. BZ(1199658)
+- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
+- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
+- Allow mock_t to use ptmx. BZ(1181333)
+- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
+- Allow dnssec_trigger_t to stream connect to networkmanager.
+- Fix labeling for keystone CGI scripts.
+- Add more restriction on entrypoint for unconfined domains.
+- Allow systemd_networkd_t to load kernel module. BZ(1209402)
+- Allow systemd_networkd cap. dac_override. BZ(1204352)
+- Label new dnssec-trigger files.
+
* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-121
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=f22&id=95a9e4b8b9534b258c3debd092cbf207dae94f60