lvrabec pushed to selinux-policy (f21). "* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.13 (..more)"

notifications at fedoraproject.org notifications at fedoraproject.org
Wed Apr 15 15:21:11 UTC 2015


>From 7342bb242847d2af4cb70fa711eb0a228131def4 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed, 15 Apr 2015 17:20:54 +0200
Subject: * Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.13
 -Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to
 read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) -
 Allow mock_t to use ptmx. BZ(1181333) - Allow dnssec_trigger_t to create
 resolv files labeled as net_conf_t - Allow dnssec_trigger_t to stream connect
 to networkmanager. - Add more restriction on entrypoint for unconfined
 domains. - Allow systemd_networkd_t to load kernel module. BZ(1209402) -
 Allow systemd_networkd cap. dac_override. BZ(1204352)


diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 5d6b5e9..123a0fa 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -15607,7 +15607,7 @@ index 8416beb..75c7b9d 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..c0b17f8 100644
+index e7d1738..7224181 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -15740,6 +15740,19 @@ index e7d1738..c0b17f8 100644
  
  ########################################
  #
+@@ -301,9 +321,10 @@ fs_associate_noxattr(noxattrfs)
+ # Unconfined access to this module
+ #
+ 
+-allow filesystem_unconfined_type filesystem_type:filesystem *;
++allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;
+ 
+ # Create/access other files. fs_type is to pick up various
+ # pseudo filesystem types that are applied to both the filesystem
+ # and its files.
+-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
++allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
++allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
 diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
 index 7be4ddf..71e675a 100644
 --- a/policy/modules/kernel/kernel.fc
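Review bot: The new `allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;` line withholds only `entrypoint`; the unconfined types keep `execute`, `execmod` and `write` on the same files, so the change prevents these file types from serving as domain entry points but does not otherwise narrow unconfined access, and nothing in the hunk records that intent. The `# Unconfined access to this module` comment above the split rule now overstates what is granted; consider adding beneath it `# entrypoint is excluded: files on these filesystems must not be usable as domain entry points`, and the same note at the kern_unconfined proc_type, sysctl_type and unlabeled_t rules in the kernel.te hunk (`@@ -17228,7 +17241,23 @@`), which apply the identical pattern. Whether `all_filesystem_perms` covers every permission the `*` it replaces did depends on the support macro definition in this policy tree, which is outside this diff.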
@@ -16945,7 +16958,7 @@ index e100d88..9e881e6 100644
 +	allow $1 usermodehelper_t:file relabelto;
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..15230be 100644
+index 8dbab4c..2312029 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -17228,7 +17241,23 @@ index 8dbab4c..15230be 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -399,14 +482,39 @@ if( ! secure_mode_insmod ) {
+ # Rules for unconfined acccess to this module
+ #
+ 
+-allow kern_unconfined proc_type:{ dir file lnk_file } *;
++allow kern_unconfined proc_type:{ file } ~entrypoint;
++allow kern_unconfined proc_type:{ dir lnk_file } *;
+ 
+-allow kern_unconfined sysctl_type:{ dir file } *;
++allow kern_unconfined sysctl_type:{ file } ~entrypoint;
++allow kern_unconfined sysctl_type:{ dir } *;
+ 
+ allow kern_unconfined kernel_t:system *;
+ 
+-allow kern_unconfined unlabeled_t:dir_file_class_set *;
++allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
++allow kern_unconfined unlabeled_t:file ~entrypoint;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -41605,10 +41634,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..3ebbad0
+index 0000000..f8c10a5
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,706 @@
+@@ -0,0 +1,707 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -41848,7 +41877,7 @@ index 0000000..3ebbad0
 +# systemd-networkd local policy
 +#
 +
-+allow systemd_networkd_t self:capability { net_admin net_raw setuid fowner chown setgid setpcap };
++allow systemd_networkd_t self:capability { dac_override net_admin net_raw setuid fowner chown setgid setpcap };
 +allow systemd_networkd_t self:process { getcap setcap };
 +
 +allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
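Review bot: `dac_override` on the `allow systemd_networkd_t self:capability` line bypasses DAC read, write and execute checks alike, which is wider than `dac_read_search`, the capability that suffices when the denial behind BZ(1204352) was only a file read or directory search; the hunk gives no indication which it was. If the audit record showed a read or search, `allow systemd_networkd_t self:capability { dac_read_search net_admin net_raw setuid fowner chown setgid setpcap };` is the narrower fix, and in either case a comment naming the bug next to the rule would record why this daemon needs it. The systemd_networkd_t block continues outside this hunk.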
@@ -41862,6 +41891,7 @@ index 0000000..3ebbad0
 +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 +
 +kernel_dgram_send(systemd_networkd_t)
++kernel_request_load_module(systemd_networkd_t)
 +
 +dev_read_sysfs(systemd_networkd_t)
 +
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index 8ecfe90..1fe73ae 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -539,7 +539,7 @@ index 058d908..1e92177 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..984adc8 100644
+index eb50f07..b544b89 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -782,9 +782,9 @@ index eb50f07..984adc8 100644
 +logging_send_syslog_msg(abrt_t)
 +logging_stream_connect_syslog(abrt_t)
 +logging_read_syslog_pid(abrt_t)
-+
-+auth_use_nsswitch(abrt_t)
  
++auth_use_nsswitch(abrt_t)
++
 +init_read_utmp(abrt_t)
 +
 +miscfiles_read_generic_certs(abrt_t)
@@ -998,7 +998,8 @@ index eb50f07..984adc8 100644
 +# abrt_dump_oops local policy
  #
  
- allow abrt_dump_oops_t self:capability dac_override;
+-allow abrt_dump_oops_t self:capability dac_override;
++allow abrt_dump_oops_t self:capability { ipc_lock dac_override };
  allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
 -allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
 +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
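Review bot: The `allow abrt_dump_oops_t self:capability { ipc_lock dac_override };` line is the only part of this hunk new in this commit, and it sits next to an unchanged `dac_override` with no comment explaining either capability. Adding `# ipc_lock: BZ(1205481)` above it would tie the rule to its bug the way the changelog does but the policy does not. The abrt_dump_oops_t block begins before this hunk.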
@@ -1039,7 +1040,7 @@ index eb50f07..984adc8 100644
  
  #######################################
  #
-@@ -404,25 +510,54 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +510,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1058,6 +1059,10 @@ index eb50f07..984adc8 100644
  logging_read_all_logs(abrt_watch_log_t)
 +logging_send_syslog_msg(abrt_watch_log_t)
 +
++optional_policy(`
++    gnome_list_home_config(abrt_watch_log_t)
++')
++
 +tunable_policy(`abrt_upload_watch_anon_write',`
 +	miscfiles_manage_public_files(abrt_upload_watch_t)
 +')
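Review bot: The `gnome_list_home_config(abrt_watch_log_t)` rule targets abrt_watch_log_t, while the changelog entry for the same change reads 'Allow abrtd to list home config', which names the abrt_t domain seen earlier in this file; one of the two should be corrected, or the commit should confirm that BZ(1199658) was raised against the watch-log process. The new `optional_policy` block also indents with four spaces where the neighbouring `tunable_policy` block in this hunk uses a tab; `+	gnome_list_home_config(abrt_watch_log_t)` would match. The abrt_watch_log_t block continues outside the hunk.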
@@ -1096,7 +1101,7 @@ index eb50f07..984adc8 100644
  ')
  
  #######################################
-@@ -430,10 +565,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +569,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -24811,10 +24816,10 @@ index 0000000..457d4dd
 +')
 diff --git a/dnssec.te b/dnssec.te
 new file mode 100644
-index 0000000..7f0943f
+index 0000000..46f4d2c
 --- /dev/null
 +++ b/dnssec.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,63 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@@ -24859,6 +24864,7 @@ index 0000000..7f0943f
 +domain_use_interactive_fds(dnssec_trigger_t)
 +
 +files_read_etc_runtime_files(dnssec_trigger_t)
++files_dontaudit_list_tmp(dnssec_trigger_t)
 +
 +logging_send_syslog_msg(dnssec_trigger_t)
 +
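Review bot: `files_dontaudit_list_tmp(dnssec_trigger_t)` silences directory listing of /tmp, whereas the changelog line for BZ(1210250) says 'Dontaudit dnssec_trigger_t to read /tmp', which describes file reads; if the denial was a listing of the /tmp directory the rule fits and the changelog wording should say 'list', otherwise a different interface is needed. A short comment such as `# dontaudit /tmp directory listing; BZ(1210250)` would let the next reader tell the two apart. The dnssec_trigger_t block continues outside this hunk.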
@@ -24866,6 +24872,7 @@ index 0000000..7f0943f
 +
 +sysnet_dns_name_resolve(dnssec_trigger_t)
 +sysnet_manage_config(dnssec_trigger_t)
++sysnet_filetrans_named_content(dnssec_trigger_t)
 +
 +optional_policy(`
 +    bind_domtrans(dnssec_trigger_t)
@@ -24873,7 +24880,9 @@ index 0000000..7f0943f
 +	bind_read_dnssec_keys(dnssec_trigger_t)
 +')
 +
-+
++optional_policy(`
++    networkmanager_stream_connect(dnssec_trigger_t)
++')
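Review bot: The `optional_policy` block added for `networkmanager_stream_connect(dnssec_trigger_t)` indents with four spaces, and the preceding bind block in the same file already mixes four spaces (`bind_domtrans`) and a tab (`bind_read_dnssec_keys`), so the new file ends up with three indentation styles within a dozen lines. `+	networkmanager_stream_connect(dnssec_trigger_t)` would at least match the tab-indented line, and normalising the bind block in the same commit would be better. The change is otherwise a plain addition with no broader effect visible here.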
 diff --git a/dnssectrigger.te b/dnssectrigger.te
 index c7bb4e7..e6fe2f40 100644
 --- a/dnssectrigger.te
@@ -46753,10 +46762,10 @@ index 0000000..f5b98e6
 +')
 diff --git a/mock.te b/mock.te
 new file mode 100644
-index 0000000..1bf717f
+index 0000000..86766b0
 --- /dev/null
 +++ b/mock.te
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,278 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -46891,6 +46900,7 @@ index 0000000..1bf717f
 +term_search_ptys(mock_t)
 +term_mount_pty_fs(mock_t)
 +term_unmount_pty_fs(mock_t)
++term_use_ptmx(mock_t)
 +
 +auth_use_nsswitch(mock_t)
 +
@@ -47373,17 +47383,16 @@ index 0000000..e7220a5
 +logging_send_syslog_msg(mon_procd_t)
 +
 diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..1719247 100644
+index 6fcfc31..91adcaf 100644
 --- a/mongodb.fc
 +++ b/mongodb.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,13 @@
  /etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
  
 -/usr/bin/mongod	--	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongod	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/bin/mongos	                                --	gen_context(system_u:object_r:mongod_exec_t,s0)
 +/usr/share/aeolus-conductor/dbomatic/dbomatic   --   gen_context(system_u:object_r:mongod_exec_t,s0)
-+/usr/libexec/mongodb-scl-helper                 --   gen_context(system_u:object_r:mongod_exec_t,s0)
  
  /var/lib/mongo.*	gen_context(system_u:object_r:mongod_var_lib_t,s0)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6842829..be832c3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 105.12%{?dist}
+Release: 105.13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.13
+-Allow abrtd to list home config. BZ(1199658)
+- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
+- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
+- Allow mock_t to use ptmx. BZ(1181333)
+- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
+- Allow dnssec_trigger_t to stream connect to networkmanager.
+- Add more restriction on entrypoint for unconfined domains.
+- Allow systemd_networkd_t to load kernel module. BZ(1209402)
+- Allow systemd_networkd cap. dac_override. BZ(1204352)
+
 * Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.12
 - Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
 - Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=f21&id=7342bb242847d2af4cb70fa711eb0a228131def4

