From 1e9cc1a7e6bd7a5df6dc1c189a07a69d97af19af Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 18 2012 11:41:21 +0000 Subject: * Wed Jul 18 2012 Miroslav Grepl 3.10.0-140 - Add support for rhnsd daemon - Allow cgclear to read cgconfig - Allow sys_ptrace capability for snmp - Allow freshclam to read /proc - Fix rhsmcertd pid filetrans - Allow NM to execute wpa_cli - Allow procmail to manage /home/user/Maildir content - Allow amavis to read clamd system state - Allow postdrop to use unix_stream_sockets leaked into it - Allow uucpd_t to uucpd port --- diff --git a/policy-F16.patch b/policy-F16.patch index 6d0b438..5648130 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -86118,7 +86118,7 @@ index e31d92a..1aa0718 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index deca9d3..e25ae7a 100644 +index deca9d3..f20cfea 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -38,7 +38,7 @@ type amavis_quarantine_t; @@ -86175,7 +86175,7 @@ index deca9d3..e25ae7a 100644 # uses uptime which reads utmp - redhat bug 561383 init_read_utmp(amavis_t) init_stream_connect_script(amavis_t) -@@ -153,29 +159,34 @@ sysnet_use_ldap(amavis_t) +@@ -153,16 +159,17 @@ sysnet_use_ldap(amavis_t) userdom_dontaudit_search_user_home_dirs(amavis_t) @@ -86189,18 +86189,18 @@ index deca9d3..e25ae7a 100644 optional_policy(` clamav_stream_connect(amavis_t) clamav_domtrans_clamscan(amavis_t) - ') - - optional_policy(` ++ clamav_read_state_clamd(amavis_t) ++') ++ ++optional_policy(` + #Cron handling + cron_use_fds(amavis_t) + cron_use_system_job_fds(amavis_t) + cron_rw_pipes(amavis_t) -+') -+ -+optional_policy(` - dcc_domtrans_client(amavis_t) - dcc_stream_connect_dccifd(amavis_t) + ') + + optional_policy(` +@@ -171,11 +178,16 @@ optional_policy(` ') optional_policy(` 
@@ -86217,7 +86217,7 @@ index deca9d3..e25ae7a 100644 ') optional_policy(` -@@ -188,6 +199,10 @@ optional_policy(` +@@ -188,6 +200,10 @@ optional_policy(` ') optional_policy(` @@ -92434,7 +92434,7 @@ index 33facaf..225e70c 100644 admin_pattern($1, cgrules_etc_t) files_list_etc($1) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te -index dad226c..59c2a27 100644 +index dad226c..8a093ca 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -92448,15 +92448,19 @@ index dad226c..59c2a27 100644 init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; -@@ -39,7 +39,6 @@ files_config_file(cgconfig_etc_t) +@@ -39,9 +39,10 @@ files_config_file(cgconfig_etc_t) # # cgclear personal policy. # - allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; ++allow cgclear_t cgconfig_etc_t:file read_file_perms; ++ kernel_read_system_state(cgclear_t) -@@ -72,12 +71,15 @@ fs_mount_cgroup(cgconfig_t) + + domain_setpriority_all_domains(cgclear_t) +@@ -72,12 +73,15 @@ fs_mount_cgroup(cgconfig_t) fs_mounton_cgroup(cgconfig_t) fs_unmount_cgroup(cgconfig_t) @@ -92473,7 +92477,7 @@ index dad226c..59c2a27 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -86,6 +88,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) +@@ -86,6 +90,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file) allow cgred_t cgrules_etc_t:file read_file_perms; @@ -92483,7 +92487,7 @@ index dad226c..59c2a27 100644 # rc script creates pid file manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -@@ -104,6 +109,8 @@ files_read_etc_files(cgred_t) +@@ -104,6 +111,8 @@ files_read_etc_files(cgred_t) fs_write_cgroup_files(cgred_t) 
@@ -92795,7 +92799,7 @@ index e8e9a21..22986ef 100644 /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if -index 1f11572..87840b4 100644 +index 1f11572..99c5cca 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -33,6 +33,7 @@ interface(`clamav_stream_connect',` @@ -92822,7 +92826,7 @@ index 1f11572..87840b4 100644 ') ######################################## -@@ -133,6 +134,49 @@ interface(`clamav_exec_clamscan',` +@@ -133,6 +134,68 @@ interface(`clamav_exec_clamscan',` ######################################## ## @@ -92845,6 +92849,25 @@ index 1f11572..87840b4 100644 + +####################################### +## ++## Read clamd state files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clamav_read_state_clamd',` ++ gen_require(` ++ type clamd_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, clamd_t) ++') ++ ++####################################### ++## +## Execute clamd server in the clamd domain. +## +## @@ -92872,7 +92895,7 @@ index 1f11572..87840b4 100644 ## All of the rules required to administrate ## an clamav environment ## -@@ -151,19 +195,25 @@ interface(`clamav_exec_clamscan',` +@@ -151,19 +214,25 @@ interface(`clamav_exec_clamscan',` interface(`clamav_admin',` gen_require(` type clamd_t, clamd_etc_t, clamd_tmp_t; @@ -92904,7 +92927,7 @@ index 1f11572..87840b4 100644 ps_process_pattern($1, freshclam_t) init_labeled_script_domtrans($1, clamd_initrc_exec_t) -@@ -171,6 +221,10 @@ interface(`clamav_admin',` +@@ -171,6 +240,10 @@ interface(`clamav_admin',` role_transition $2 clamd_initrc_exec_t system_r; allow $2 system_r; 
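Review bot: The summary of the new `clamav_read_state_clamd` interface says "Read clamd state files", but its body grants `kernel_search_proc($1)` plus `ps_process_pattern($1, clamd_t)`, i.e. read access to the clamd process's /proc entries rather than to any file type of clamd; a caller reading only the summary will expect the wrong thing. Suggested wording for the summary line: `## Read the process state (/proc/pid) of clamd.`, matching what the two calls actually grant. The interface is a new addition in the hunk at @@ -92845,6 +92849,25 @@ and is self-contained there.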
@@ -92915,7 +92938,7 @@ index 1f11572..87840b4 100644 files_list_etc($1) admin_pattern($1, clamd_etc_t) -@@ -189,4 +243,10 @@ interface(`clamav_admin',` +@@ -189,4 +262,10 @@ interface(`clamav_admin',` admin_pattern($1, clamscan_tmp_t) admin_pattern($1, freshclam_var_log_t) @@ -92927,7 +92950,7 @@ index 1f11572..87840b4 100644 + ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..5207f78 100644 +index f758323..f931f27 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,23 @@ @@ -93051,7 +93074,7 @@ index f758323..5207f78 100644 ') ######################################## -@@ -178,10 +211,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +211,17 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -93062,6 +93085,7 @@ index f758323..5207f78 100644 logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +kernel_read_kernel_sysctls(freshclam_t) ++kernel_read_network_state(freshclam_t) +kernel_read_system_state(freshclam_t) + +corecmd_exec_shell(freshclam_t) @@ -93070,7 +93094,7 @@ index f758323..5207f78 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +228,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +229,8 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -93079,7 +93103,7 @@ index f758323..5207f78 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +248,22 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +249,22 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) 
@@ -93106,7 +93130,7 @@ index f758323..5207f78 100644 ######################################## # # clamscam local policy -@@ -242,15 +289,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +290,35 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -93142,7 +93166,7 @@ index f758323..5207f78 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +331,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +332,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -111269,7 +111293,7 @@ index 3368699..7a7fc02 100644 # interface(`modemmanager_domtrans',` diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te -index b3ace16..83392b6 100644 +index b3ace16..46f4b11 100644 --- a/policy/modules/services/modemmanager.te +++ b/policy/modules/services/modemmanager.te @@ -8,6 +8,7 @@ policy_module(modemmanager, 1.1.0) @@ -111290,7 +111314,7 @@ index b3ace16..83392b6 100644 allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -28,13 +30,25 @@ dev_rw_modem(modemmanager_t) +@@ -28,13 +30,27 @@ dev_rw_modem(modemmanager_t) files_read_etc_files(modemmanager_t) @@ -111298,6 +111322,8 @@ index b3ace16..83392b6 100644 +term_use_generic_ptys(modemmanager_t) +term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t +term_use_usb_ttys(modemmanager_t) ++ ++xserver_read_state_xdm(modemmanager_t) miscfiles_read_localization(modemmanager_t) @@ -114014,7 +114040,7 @@ index 2324d9e..da61d01 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') 
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..ff617f1 100644 +index 0619395..7c2d938 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -114033,7 +114059,7 @@ index 0619395..ff617f1 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -35,16 +44,26 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) @@ -114064,10 +114090,12 @@ index 0619395..ff617f1 100644 allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -52,9 +71,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; + allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; can_exec(NetworkManager_t, NetworkManager_exec_t) - ++#wicd ++can_exec(NetworkManager_t, wpa_cli_exec_t) ++ +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) @@ -114077,7 +114105,7 @@ index 0619395..ff617f1 100644 +filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) + +logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) -+ + manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) 
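Review bot: `can_exec(NetworkManager_t, wpa_cli_exec_t)` in the hunk at @@ -114064,10 +114090,12 @@ runs wpa_cli inside NetworkManager_t instead of the dedicated wpa_cli_t domain that this file declares (`init_system_domain(wpa_cli_t, wpa_cli_exec_t)` is visible as context in the previous hunk), so on this path wpa_cli carries NetworkManager's full privilege and the wpa_cli_t confinement is bypassed. If a domain transition into wpa_cli_t is workable for this caller (presumably wicd, which this policy appears to run as NetworkManager_t), that keeps the confinement; if it is not, the rule needs to say why. The comment `#wicd` is too terse for that — e.g. `# wicd runs wpa_cli in the NM domain without a transition because <reason> — confirm` records the trade-off.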
@@ -114085,7 +114113,7 @@ index 0619395..ff617f1 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -95,11 +125,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) +@@ -95,11 +127,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) corenet_rw_tun_tap_dev(NetworkManager_t) corenet_getattr_ppp_dev(NetworkManager_t) @@ -114099,7 +114127,7 @@ index 0619395..ff617f1 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) -@@ -113,10 +144,11 @@ corecmd_exec_shell(NetworkManager_t) +@@ -113,10 +146,11 @@ corecmd_exec_shell(NetworkManager_t) corecmd_exec_bin(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) @@ -114112,7 +114140,7 @@ index 0619395..ff617f1 100644 files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) -@@ -128,35 +160,44 @@ init_domtrans_script(NetworkManager_t) +@@ -128,35 +162,44 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -114159,7 +114187,7 @@ index 0619395..ff617f1 100644 ') optional_policy(` -@@ -176,10 +217,17 @@ optional_policy(` +@@ -176,10 +219,17 @@ optional_policy(` ') optional_policy(` @@ -114177,7 +114205,7 @@ index 0619395..ff617f1 100644 ') ') -@@ -191,6 +239,7 @@ optional_policy(` +@@ -191,6 +241,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -114185,7 +114213,7 @@ index 0619395..ff617f1 100644 ') optional_policy(` -@@ -202,23 +251,45 @@ optional_policy(` +@@ -202,23 +253,45 @@ optional_policy(` ') optional_policy(` 
@@ -114231,7 +114259,7 @@ index 0619395..ff617f1 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +305,10 @@ optional_policy(` +@@ -234,6 +307,10 @@ optional_policy(` ') optional_policy(` @@ -114242,7 +114270,7 @@ index 0619395..ff617f1 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +316,7 @@ optional_policy(` +@@ -241,6 +318,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -114250,7 +114278,7 @@ index 0619395..ff617f1 100644 ') optional_policy(` -@@ -254,6 +330,10 @@ optional_policy(` +@@ -254,6 +332,10 @@ optional_policy(` ') optional_policy(` @@ -114261,7 +114289,7 @@ index 0619395..ff617f1 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +343,7 @@ optional_policy(` +@@ -263,6 +345,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -119300,7 +119328,7 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..99499ef 100644 +index 46bee12..eccdc20 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -28,75 +28,19 @@ interface(`postfix_stub',` @@ -119599,7 +119627,7 @@ index 46bee12..99499ef 100644 ') ######################################## -@@ -621,3 +643,154 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +643,155 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') 
@@ -119715,6 +119743,7 @@ index 46bee12..99499ef 100644 + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; ++ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr }; +') + +######################################## @@ -121249,7 +121278,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..624afe6 100644 +index 29b9295..fcbe654 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -121353,6 +121382,14 @@ index 29b9295..624afe6 100644 ') optional_policy(` +@@ -134,6 +149,7 @@ optional_policy(` + + optional_policy(` + mta_read_config(procmail_t) ++ mta_manage_home_rw(procmail_t) + sendmail_domtrans(procmail_t) + sendmail_signal(procmail_t) + sendmail_dontaudit_rw_tcp_sockets(procmail_t) diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if index bc329d1..20bb463 100644 --- a/policy/modules/services/psad.if @@ -124951,14 +124988,15 @@ index 0f262a7..4d10897 100644 manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t) diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc new file mode 100644 -index 0000000..b2a8835 +index 0000000..17e561f --- /dev/null +++ b/policy/modules/services/rhsmcertd.fc -@@ -0,0 +1,12 @@ +@@ -0,0 +1,14 @@ + +/etc/rc\.d/init\.d/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0) + +/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) ++/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) + +/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0) + 
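Review bot: `allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };` in the hunk at @@ -119715,6 +119743,7 @@ grants postdrop read and write on a stream socket of every caller domain that uses this interface, which is wider than the stated aim of tolerating descriptors leaked into it; a leaked socket is a defect in the caller, and the usual way to silence it without widening access is `dontaudit postfix_postdrop_t $1:unix_stream_socket { read write };` or setting close-on-exec in the caller. If postdrop genuinely must write on the inherited socket, keep the allow but record why next to it, e.g. `# postdrop inherits the caller's stream socket (fd leak); allow rather than dontaudit because <reason>`. The enclosing interface's header is outside the hunk, so which callers are affected is not visible here.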
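Review bot: `/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)` in the hunk at @@ -124951,14 +124988,15 @@ runs the RHN classic daemon in rhsmcertd_t, so rhnsd inherits every rule written for rhsmcertd and any future grant to one daemon silently widens the other, while the type name no longer tells a reader that two programs live there. If the sharing is intentional, record it beside the entry (and in rhsmcertd.te), e.g. `# rhnsd is deliberately run in rhsmcertd_t; keep both daemons' needs in sync`; if their needs diverge, a separate domain is the cleaner fix. The same applies to the `/var/run/rhnsd\.pid` entry added in the following hunk at @@ -124967,6 +125005,7 @@.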
@@ -124967,6 +125005,7 @@ index 0000000..b2a8835 +/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0) + +/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) ++/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhsmcertd_var_run_t,s0) diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if new file mode 100644 index 0000000..6572600 @@ -125275,7 +125314,7 @@ index 0000000..6572600 +') diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..fd0cbc3 +index 0000000..f82fdec --- /dev/null +++ b/policy/modules/services/rhsmcertd.te @@ -0,0 +1,71 @@ @@ -125327,7 +125366,7 @@ index 0000000..fd0cbc3 + +manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) -+files_pid_filetrans(rhsmcertd_var_run_t, rhsmcertd_var_run_t, { file dir }) ++files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) + +kernel_read_network_state(rhsmcertd_t) +kernel_read_system_state(rhsmcertd_t) @@ -129180,7 +129219,7 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..f4d9c37 100644 +index 3d8d1b3..1ef6c7f 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) 
@@ -129197,7 +129236,7 @@ index 3d8d1b3..f4d9c37 100644 # -allow snmpd_t self:capability { chown dac_override kill ipc_lock sys_ptrace net_admin sys_nice sys_tty_config }; + -+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config }; ++allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace }; + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; @@ -133489,7 +133528,7 @@ index ebc5414..8f8ac45 100644 logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index d4349e9..2f0887d 100644 +index d4349e9..24ac39b 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -24,7 +24,7 @@ type uucpd_ro_t; @@ -133501,7 +133540,15 @@ index d4349e9..2f0887d 100644 type uucpd_log_t; logging_log_file(uucpd_log_t) -@@ -125,6 +125,8 @@ optional_policy(` +@@ -83,6 +83,7 @@ corenet_udp_sendrecv_generic_node(uucpd_t) + corenet_tcp_sendrecv_all_ports(uucpd_t) + corenet_udp_sendrecv_all_ports(uucpd_t) + corenet_tcp_connect_ssh_port(uucpd_t) ++corenet_tcp_connect_uucpd_port(uucpd_t) + + dev_read_urand(uucpd_t) + +@@ -125,6 +126,8 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; allow uux_t self:fifo_file write_fifo_file_perms; @@ -133510,7 +133557,7 @@ index d4349e9..2f0887d 100644 uucp_append_log(uux_t) uucp_manage_spool(uux_t) -@@ -134,6 +136,8 @@ files_read_etc_files(uux_t) +@@ -134,6 +137,8 @@ files_read_etc_files(uux_t) fs_rw_anon_inodefs_files(uux_t) @@ -133519,7 +133566,7 @@ index d4349e9..2f0887d 100644 logging_send_syslog_msg(uux_t) miscfiles_read_localization(uux_t) -@@ -145,5 +149,5 @@ optional_policy(` +@@ -145,5 +150,5 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index d732ae3..50543d0 100644 
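Review bot: Adding `sys_ptrace` back to `allow snmpd_t self:capability { ... }` in the hunk at @@ -129197,7 +129236,7 @@ re-grants the one capability the earlier version of this patch had removed from the same rule, without recording what now needs it; CAP_SYS_PTRACE governs more than ptrace(2) (it is also what lets a process read other processes' /proc entries), so it deserves a why-comment. If the trigger is snmpd walking /proc for its process table, a read-state interface such as `domain_read_all_domains_state(snmpd_t)` may be narrower than the capability — confirm against the actual denial. Suggested comment above the rule: `# sys_ptrace: needed for <denial — fill in> (rhbz#<id>)`.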
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 139%{?dist} +Release: 140%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -479,6 +479,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jul 18 2012 Miroslav Grepl 3.10.0-140 +- Add support for rhnsd daemon +- Allow cgclear to read cgconfig +- Allow sys_ptrace capability for snmp +- Allow freshclam to read /proc +- Fix rhsmcertd pid filetrans +- Allow NM to execute wpa_cli +- Allow procmail to manage /home/user/Maildir content +- Allow amavis to read clamd system state +- Allow postdrop to use unix_stream_sockets leaked into it +- Allow uucpd_t to uucpd port + * Sun Jul 15 2012 Miroslav Grepl 3.10.0-139 - Add support for ecryptfs * ecryptfs does not support xattr