From ddb8061c6ddd40bdec1e502b79b5e86b28ea4543 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Sep 27 2012 17:06:55 +0000
Subject: * Thu Sep 27 2012 Miroslav Grepl 3.10.0-151 - Allow winbind to connect do ldap without a boolean - Allow mozilla-plugin to connect to commplex port - Fix tomcat template interface - Allow thumb to use user fonts
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 4f509ef..a9e88cb 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -72195,7 +72195,7 @@ index fbb5c5a..67c1168 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..4476c7f 100644
+index 2e9318b..67eb88c 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
@@ -72384,7 +72384,7 @@ index 2e9318b..4476c7f 100644
 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,31 +354,49 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,31 +354,50 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
 fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -72428,6 +72428,7 @@ index 2e9318b..4476c7f 100644
 +corenet_tcp_connect_streaming_port(mozilla_plugin_t)
 +corenet_tcp_connect_soundd_port(mozilla_plugin_t)
 +corenet_tcp_connect_vnc_port(mozilla_plugin_t)
++corenet_tcp_connect_commplex_port(mozilla_plugin_t)
 +corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
 +corenet_tcp_connect_monopd_port(mozilla_plugin_t)
 +corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
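Review bot: The added `corenet_tcp_connect_commplex_port(mozilla_plugin_t)` in the mozilla.te hunk carries no comment saying which plugin needs it, and it extends a run of unconditional outbound-connect grants (already ending in `corenet_tcp_connect_all_ephemeral_ports`) for a domain that runs third-party plugin code. I would add a one-line rationale above it, for example `# commplex ports: required by <plugin name / bug reference>`, so the rule can be audited or dropped later. If only one plugin needs it, it may fit better behind a tunable than in the unconditional list; the surrounding block starts and ends outside this hunk, so I cannot see whether a suitable one exists.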
@@ -72441,7 +72442,7 @@ index 2e9318b..4476c7f 100644
 dev_read_video_dev(mozilla_plugin_t)
 dev_write_video_dev(mozilla_plugin_t)
 dev_read_sysfs(mozilla_plugin_t)
-@@ -355,6 +405,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -355,6 +406,7 @@ dev_write_sound(mozilla_plugin_t)
 # for nvidia driver
 dev_rw_xserver_misc(mozilla_plugin_t)
 dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -72449,7 +72450,7 @@ index 2e9318b..4476c7f 100644
 domain_use_interactive_fds(mozilla_plugin_t)
 domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +413,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +414,21 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
 files_read_config_files(mozilla_plugin_t)
 files_read_usr_files(mozilla_plugin_t)
 files_list_mnt(mozilla_plugin_t)
@@ -72471,7 +72472,7 @@ index 2e9318b..4476c7f 100644
 logging_send_syslog_msg(mozilla_plugin_t)
 miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,34 +440,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,34 +441,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
 term_getattr_all_ttys(mozilla_plugin_t)
 term_getattr_all_ptys(mozilla_plugin_t)
@@ -72520,7 +72521,7 @@ index 2e9318b..4476c7f 100644
 ')
 optional_policy(`
-@@ -421,24 +474,33 @@ optional_policy(`
+@@ -421,24 +475,33 @@ optional_policy(`
 optional_policy(`
 dbus_system_bus_client(mozilla_plugin_t)
 dbus_session_bus_client(mozilla_plugin_t)
@@ -72558,7 +72559,7 @@ index 2e9318b..4476c7f 100644
 ')
 optional_policy(`
-@@ -446,10 +508,105 @@ optional_policy(`
+@@ -446,10 +509,105 @@ optional_policy(`
 pulseaudio_stream_connect(mozilla_plugin_t)
 pulseaudio_setattr_home_dir(mozilla_plugin_t)
 pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -76462,10 +76463,10 @@ index 0000000..9127cec
 +')
 diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
 new file mode 100644
-index 0000000..c7af0d8
+index 0000000..1662c7b
 --- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,122 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -76573,6 +76574,7 @@ index 0000000..c7af0d8
 +xserver_dontaudit_read_xdm_pid(thumb_t)
 +xserver_dontaudit_xdm_tmp_dirs(thumb_t)
 +xserver_stream_connect(thumb_t)
++xserver_use_user_fonts(thumb_t)
 +
 +optional_policy(`
 + dbus_dontaudit_stream_connect_session_bus(thumb_t)
@@ -132555,7 +132557,7 @@ index 82cb169..9642fe3 100644
 + allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..2b51fe4 100644
+index e30bb63..caa639a 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -1,4 +1,4 @@
@@ -133013,10 +133015,15 @@ index e30bb63..2b51fe4 100644
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_manage_user_home_content_dirs(winbind_t)
-@@ -864,6 +938,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -864,6 +938,16 @@ userdom_manage_user_home_content_sockets(winbind_t)
 userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
 optional_policy(`
++ ldap_stream_connect(winbind_t)
++ dirsrv_stream_connect(winbind_t)
++')
++
++optional_policy(`
 + ctdbd_stream_connect(winbind_t)
 + ctdbd_manage_lib_files(winbind_t)
 +')
@@ -133025,7 +133032,7 @@ index e30bb63..2b51fe4 100644
 kerberos_use(winbind_t)
 ')
-@@ -904,7 +983,8 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +988,8 @@ logging_send_syslog_msg(winbind_helper_t)
 miscfiles_read_localization(winbind_helper_t)
@@ -133035,7 +133042,7 @@ index e30bb63..2b51fe4 100644
 optional_policy(`
 apache_append_log(winbind_helper_t)
-@@ -922,19 +1002,34 @@ optional_policy(`
+@@ -922,19 +1007,34 @@ optional_policy(`
 #
 optional_policy(`
@@ -138348,10 +138355,10 @@ index 0000000..a8385bc
 +/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
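Review bot: `xserver_use_user_fonts(thumb_t)` in the thumb.te hunk may grant more than the changelog's "use user fonts" suggests: in upstream reference policy this interface also lets the caller manage the user font cache, not only read fonts, so confirm against the interface definition carried in this patch. thumb_t parses untrusted files, so write access to a cache that other desktop applications read is worth avoiding if read access is enough. If the grant stays as is, I would document it with `# thumbnailers render text and need user fonts; note the interface also allows managing the font cache`.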
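Review bot: In the samba.te hunk, `ldap_stream_connect(winbind_t)` and `dirsrv_stream_connect(winbind_t)` share one `optional_policy` block, so if either the ldap or the dirsrv module is not part of the build the whole block is discarded and winbind loses both grants. Moving `dirsrv_stream_connect(winbind_t)` into its own `optional_policy` block, the way ctdbd gets a separate block just below, keeps the two independent. The changelog says the access no longer depends on a boolean, so a short comment above the block stating why it is unconditional would help later audits.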
diff --git a/policy/modules/services/tomcat.if b/policy/modules/services/tomcat.if
 new file mode 100644
-index 0000000..226293f
+index 0000000..c531b5e
 --- /dev/null
 +++ b/policy/modules/services/tomcat.if
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,400 @@
 +
 +## policy for tomcat
 +
@@ -138402,15 +138409,18 @@ index 0000000..226293f
 +
 + manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
 + manage_files_pattern($1_t, $1_log_t, $1_log_t)
++ manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
 + logging_log_filetrans($1_t, $1_log_t, { dir file })
 +
 + manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 + manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
-+ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file })
++ manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
++ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
 +
 + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
 + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-+ files_pid_filetrans($1_t, $1_var_run_t, { dir file })
++ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++ files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })
 +
 + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
 + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
@@ -138420,6 +138430,8 @@ index 0000000..226293f
 + can_exec($1_t, $1_exec_t)
 +
 + kernel_read_system_state($1_t)
++
++ logging_send_syslog_msg($1_t)
 +')
 +
 +########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f4183fc..4bc5f87 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 150%{?dist}
+Release: 151%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
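Review bot: The log stanza of the tomcat template is left inconsistent: `manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)` is added, but `logging_log_filetrans($1_t, $1_log_t, { dir file })` still omits `lnk_file`, while the var_lib and var_run transitions were both extended. A symlink the domain creates directly in the log directory would then presumably keep the directory's default type and fall outside the new rule; if that is unintended, change the line to `logging_log_filetrans($1_t, $1_log_t, { dir file lnk_file })`. If the service does not actually need symlinks in its log or pid directories, leaving the lnk_file grants out is the tighter choice, and a comment naming the layout that requires them would help. The template body starts before and ends after this hunk.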
@@ -479,6 +479,12 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Thu Sep 27 2012 Miroslav Grepl 3.10.0-151
+- Allow winbind to connect do ldap without a boolean
+- Allow mozilla-plugin to connect to commplex port
+- Fix tomcat template interface
+- Allow thumb to use user fonts
+
 * Mon Sep 24 2012 Miroslav Grepl 3.10.0-150
 - Backport tomcat fixes from F18
 - Add filename transition for mongod.log