lvrabec pushed to selinux-policy (f21). "* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.13 (..more)"
Wed Apr 15 15:21:11 UTC 2015
From 7342bb242847d2af4cb70fa711eb0a228131def4 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed, 15 Apr 2015 17:20:54 +0200
Subject: * Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.13
- Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to
read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) -
Allow mock_t to use ptmx. BZ(1181333) - Allow dnssec_trigger_t to create
resolv files labeled as net_conf_t - Allow dnssec_trigger_t to stream connect
to networkmanager. - Add more restriction on entrypoint for unconfined
domains. - Allow systemd_networkd_t to load kernel module. BZ(1209402) -
Allow systemd_networkd cap. dac_override. BZ(1204352)
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 5d6b5e9..123a0fa 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -15607,7 +15607,7 @@ index 8416beb..75c7b9d 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e7d1738..c0b17f8 100644
+index e7d1738..7224181 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -15740,6 +15740,19 @@ index e7d1738..c0b17f8 100644
########################################
#
+@@ -301,9 +321,10 @@ fs_associate_noxattr(noxattrfs)
+ # Unconfined access to this module
+ #
+
+-allow filesystem_unconfined_type filesystem_type:filesystem *;
++allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;
+
+ # Create/access other files. fs_type is to pick up various
+ # pseudo filesystem types that are applied to both the filesystem
+ # and its files.
+-allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
++allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
++allow filesystem_unconfined_type filesystem_type:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
index 7be4ddf..71e675a 100644
--- a/policy/modules/kernel/kernel.fc
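Review bot: The two new rules that split the old `{ dir file ... } *` grant into `file ~entrypoint` plus `*` for the remaining classes carry no comment explaining why entrypoint is the one permission withheld, and the only statement of intent is the changelog line "Add more restriction on entrypoint for unconfined domains". A comment kept with the policy would read something like `# Unconfined domains must not be able to use arbitrary filesystem_type files as domain entrypoints; entrypoint is granted only by explicit per-domain rules.` The replacement of `filesystem *` by `all_filesystem_perms` on the same hunk also changes a wildcard into a fixed macro, so permissions later added to the filesystem class will not be picked up automatically; if that tightening is intended it is worth a word in the same comment. The kernel.te hunk further down makes the same file/entrypoint split for proc_type, sysctl_type and unlabeled_t and would take the same comment.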
@@ -16945,7 +16958,7 @@ index e100d88..9e881e6 100644
+ allow $1 usermodehelper_t:file relabelto;
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..15230be 100644
+index 8dbab4c..2312029 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -17228,7 +17241,23 @@ index 8dbab4c..15230be 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -399,14 +482,39 @@ if( ! secure_mode_insmod ) {
+ # Rules for unconfined acccess to this module
+ #
+
+-allow kern_unconfined proc_type:{ dir file lnk_file } *;
++allow kern_unconfined proc_type:{ file } ~entrypoint;
++allow kern_unconfined proc_type:{ dir lnk_file } *;
+
+-allow kern_unconfined sysctl_type:{ dir file } *;
++allow kern_unconfined sysctl_type:{ file } ~entrypoint;
++allow kern_unconfined sysctl_type:{ dir } *;
+
+ allow kern_unconfined kernel_t:system *;
+
+-allow kern_unconfined unlabeled_t:dir_file_class_set *;
++allow kern_unconfined unlabeled_t:{ dir lnk_file sock_file fifo_file chr_file blk_file } *;
++allow kern_unconfined unlabeled_t:file ~entrypoint;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
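Review bot: `allow kern_unconfined unlabeled_t:filesystem *;` is left as a wildcard in this hunk, while the filesystem.te hunk above rewrites the equivalent unconfined rule as `all_filesystem_perms`; if the explicit macro is the intended form for unconfined filesystem access, the same should be applied here as `allow kern_unconfined unlabeled_t:filesystem all_filesystem_perms;`, otherwise the two hunks tighten the same kind of rule in different ways for no stated reason. The expansion of `dir_file_class_set` into the explicit class list on the unlabeled_t lines appears to match the members of that set, so no class is lost there; a comment above the new `~entrypoint` rules stating that unconfined kernel access must not include domain entrypoints would help the next reader, since nothing in the hunk says why file is treated differently from the other classes.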
@@ -41605,10 +41634,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..3ebbad0
+index 0000000..f8c10a5
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,706 @@
+@@ -0,0 +1,707 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -41848,7 +41877,7 @@ index 0000000..3ebbad0
+# systemd-networkd local policy
+#
+
-+allow systemd_networkd_t self:capability { net_admin net_raw setuid fowner chown setgid setpcap };
++allow systemd_networkd_t self:capability { dac_override net_admin net_raw setuid fowner chown setgid setpcap };
+allow systemd_networkd_t self:process { getcap setcap };
+
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
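Review bot: `dac_override` is added to the systemd_networkd_t capability set without a comment recording which operation needed it; the changelog only cites BZ(1204352). dac_override lets the domain bypass file permission checks entirely, so the rule deserves a note on the access it covers, and if the denial came from a read-only probe of a root-owned file the narrower `dac_read_search`, or a dontaudit, is the usual first choice. Suggested comment above the line: `# BZ(1204352): <failing operation> requires dac_override`. The `kernel_request_load_module(systemd_networkd_t)` line added in the following hunk is a lower-impact grant (presumably only a module_request, with the kernel doing the load) but would benefit from the same kind of reference to BZ(1209402).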
@@ -41862,6 +41891,7 @@ index 0000000..3ebbad0
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_dgram_send(systemd_networkd_t)
++kernel_request_load_module(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index 8ecfe90..1fe73ae 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -539,7 +539,7 @@ index 058d908..1e92177 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..984adc8 100644
+index eb50f07..b544b89 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -782,9 +782,9 @@ index eb50f07..984adc8 100644
+logging_send_syslog_msg(abrt_t)
+logging_stream_connect_syslog(abrt_t)
+logging_read_syslog_pid(abrt_t)
-+
-+auth_use_nsswitch(abrt_t)
++auth_use_nsswitch(abrt_t)
++
+init_read_utmp(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
@@ -998,7 +998,8 @@ index eb50f07..984adc8 100644
+# abrt_dump_oops local policy
#
- allow abrt_dump_oops_t self:capability dac_override;
+-allow abrt_dump_oops_t self:capability dac_override;
++allow abrt_dump_oops_t self:capability { ipc_lock dac_override };
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
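Review bot: `ipc_lock` joins abrt_dump_oops_t's capability set with no comment tying it to BZ(1205481). The capability is low-impact (it permits locking memory and shared-memory segments), but its presence on a crash-dump parser is surprising enough that `# BZ(1205481): ipc_lock needed for <operation>` above the rule would save the next reader a bug lookup, and if the lock attempt is non-fatal a dontaudit would be the smaller change. The enclosing abrt_dump_oops_t policy block starts before and continues after this hunk.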
@@ -1039,7 +1040,7 @@ index eb50f07..984adc8 100644
#######################################
#
-@@ -404,25 +510,54 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +510,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1058,6 +1059,10 @@ index eb50f07..984adc8 100644
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
++optional_policy(`
++ gnome_list_home_config(abrt_watch_log_t)
++')
++
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
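Review bot: The changelog entry for this change ("Allow abrtd to list home config. BZ(1199658)") names abrtd, but the new `gnome_list_home_config` call is on abrt_watch_log_t rather than abrt_t, so one of the two should be corrected. A log-watching domain reaching into user home configuration is unexpected for a reader, which makes a comment inside the new optional_policy block worthwhile, e.g. `# BZ(1199658): abrt_watch_log_t lists user config directories`. The enclosing abrt_watch_log_t rules start before this hunk.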
@@ -1096,7 +1101,7 @@ index eb50f07..984adc8 100644
')
#######################################
-@@ -430,10 +565,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +569,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -24811,10 +24816,10 @@ index 0000000..457d4dd
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..7f0943f
+index 0000000..46f4d2c
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,63 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -24859,6 +24864,7 @@ index 0000000..7f0943f
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
++files_dontaudit_list_tmp(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
@@ -24866,6 +24872,7 @@ index 0000000..7f0943f
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
++sysnet_filetrans_named_content(dnssec_trigger_t)
+
+optional_policy(`
+ bind_domtrans(dnssec_trigger_t)
@@ -24873,7 +24880,9 @@ index 0000000..7f0943f
+ bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
-+
++optional_policy(`
++ networkmanager_stream_connect(dnssec_trigger_t)
++')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644
--- a/dnssectrigger.te
@@ -46753,10 +46762,10 @@ index 0000000..f5b98e6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..1bf717f
+index 0000000..86766b0
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,278 @@
+policy_module(mock,1.0.0)
+
+## <desc>
@@ -46891,6 +46900,7 @@ index 0000000..1bf717f
+term_search_ptys(mock_t)
+term_mount_pty_fs(mock_t)
+term_unmount_pty_fs(mock_t)
++term_use_ptmx(mock_t)
+
+auth_use_nsswitch(mock_t)
+
@@ -47373,17 +47383,16 @@ index 0000000..e7220a5
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
-index 6fcfc31..1719247 100644
+index 6fcfc31..91adcaf 100644
--- a/mongodb.fc
+++ b/mongodb.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
-+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
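Review bot: This hunk drops the `/usr/libexec/mongodb-scl-helper -- mongod_exec_t` entry from the embedded mongodb.fc patch, but neither the commit message nor the changelog added to selinux-policy.spec mentions the removal. The previous 105.12 entry records labeling that path as mongod_initrc_exec_t, so presumably this removes a conflicting duplicate entry for the same path (the initrc_exec_t entry is not visible here, so confirm it exists in the contrib patch). The changelog should gain a line such as `- Remove duplicate mongod_exec_t labeling of /usr/libexec/mongodb-scl-helper. BZ(1202013)` so the label change is traceable.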
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6842829..be832c3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 105.12%{?dist}
+Release: 105.13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Apr 15 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.13
+-Allow abrtd to list home config. BZ(1199658)
+- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
+- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
+- Allow mock_t to use ptmx. BZ(1181333)
+- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
+- Allow dnssec_trigger_t to stream connect to networkmanager.
+- Add more restriction on entrypoint for unconfined domains.
+- Allow systemd_networkd_t to load kernel module. BZ(1209402)
+- Allow systemd_networkd cap. dac_override. BZ(1204352)
+
* Tue Apr 07 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.12
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=f21&id=7342bb242847d2af4cb70fa711eb0a228131def4