From f4744de76a9263dc005fc61c6e26617737aa0102 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 13 2014 12:54:27 +0000 Subject: - Add missing dyntransition for sandbox_x_domain --- diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 4380e89..b04126d 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -40158,7 +40158,7 @@ index 7bab8e5..17ea89c 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..7569cd9 100644 +index 4256a4c..aea48db 100644 --- a/logwatch.te +++ b/logwatch.te @@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6) @@ -40245,11 +40245,13 @@ index 4256a4c..7569cd9 100644 ######################################## # # Mail local policy -@@ -164,6 +186,17 @@ dev_read_sysfs(logwatch_mail_t) +@@ -164,6 +186,19 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) +mta_read_home(logwatch_mail_t) ++mta_filetrans_home_content(logwatch_mail_t) ++mta_filetrans_admin_home_content(logwatch_mail_t) + optional_policy(` cron_use_system_job_fds(logwatch_mail_t) @@ -86326,10 +86328,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..3258f45 +index 0000000..03bdcef --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,394 @@ +@@ -0,0 +1,395 @@ + +## policy for sandboxX + @@ -86358,6 +86360,7 @@ index 0000000..3258f45 + ') + + allow $1 sandbox_x_domain:process { signal_perms transition }; ++ allow $1 sandbox_x_domain:process dyntransition; + dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; + allow sandbox_x_domain $1:process { sigchld signull }; + allow { sandbox_x_domain sandbox_xserver_t } $1:fd use; @@ -92214,7 +92217,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') 
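Review bot: The two new calls `mta_filetrans_home_content(logwatch_mail_t)` and `mta_filetrans_admin_home_content(logwatch_mail_t)` in the logwatch.te hunk reference interfaces whose definitions are not part of this diff; unless mta.if as carried in policy-f20-contrib.patch already defines both, the module build fails on an undefined interface, so that should be confirmed (the same applies to the `spamassassin_filetrans_*` calls added to spamassassin.te further down). Neither this logwatch change nor the spamassassin changes are mentioned in the commit subject or the spec %changelog entry, which only names the sandbox_x_domain dyntransition; listing them keeps the policy change traceable. The grant lets the mail domain create mail-content-labelled files under user and admin home directories, so a one-line rationale above the calls, e.g. `# label what logwatch_mail_t creates under home dirs as mta home content`, would document why logwatch's mail domain needs it. The logwatch_mail_t policy block these lines belong to starts before the hunk and continues after it.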
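Review bot: The added `allow $1 sandbox_x_domain:process dyntransition;` in the sandboxX.if hunk lets a $1 process change its own context with setcon(3) without an exec; unlike the `transition` permission on the line above it, nothing replaces the process image, so the caller's open file descriptors, mappings and environment are carried into the sandbox domain. The rule carries no comment, and because sandbox_x_domain is an attribute the grant covers every sandbox X domain at once, so it is worth recording which launcher path relies on setcon rather than exec and keeping the caller set $1 narrow. Suggested comment above the line: `# launcher may enter the sandbox domain via setcon(3) (no exec), hence dyntransition in addition to transition`. The interface definition starts before this hunk and continues after it, so its summary block, which should mention the setcon path, is outside the visible lines.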
diff --git a/spamassassin.te b/spamassassin.te -index 4faa7e0..32f670e 100644 +index 4faa7e0..e8531d9 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -1,4 +1,4 @@ @@ -92524,7 +92527,7 @@ index 4faa7e0..32f670e 100644 ') ######################################## -@@ -167,72 +248,85 @@ optional_policy(` +@@ -167,72 +248,90 @@ optional_policy(` # Client local policy # @@ -92564,6 +92567,8 @@ index 4faa7e0..32f670e 100644 +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +userdom_append_user_home_content_files(spamc_t) ++spamassassin_filetrans_home_content(spamc_t) ++spamassassin_filetrans_admin_home_content(spamc_t) +# for /root/.pyzor +allow spamc_t self:capability dac_override; @@ -92571,6 +92576,9 @@ index 4faa7e0..32f670e 100644 read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) -stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t) ++read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t) ++list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t) ++ +# Allow connecting to a local spamd +allow spamc_t spamd_t:unix_stream_socket connectto; +allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; @@ -92641,7 +92649,7 @@ index 4faa7e0..32f670e 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +337,7 @@ optional_policy(` +@@ -243,6 +342,7 @@ optional_policy(` ') optional_policy(` @@ -92649,7 +92657,7 @@ index 4faa7e0..32f670e 100644 evolution_stream_connect(spamc_t) ') -@@ -251,52 +346,55 @@ optional_policy(` +@@ -251,52 +351,55 @@ optional_policy(` ') optional_policy(` 
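Review bot: The new `read_files_pattern(spamc_t, spamd_spool_t, spamd_spool_t)` and `list_dirs_pattern(spamc_t, spamd_spool_t, spamd_spool_t)` in the spamassassin.te hunk at `@@ -92571,6 +92576,9 @@` carry no comment, although the nearby `# for /root/.pyzor` shows the file's convention of justifying unusual grants. spamc_t is the client domain, which the surrounding `spamc_home_t` and `userdom_append_user_home_content_files(spamc_t)` rules suggest runs on behalf of ordinary users, so this rule opens spamd_spool_t content to every such user at the SELinux layer and leaves DAC on the spool as the only remaining restriction; that trade-off should be stated, e.g. `# client reads spamd's spool; DAC on the spool remains the effective restriction`. The `spamassassin_filetrans_home_content(spamc_t)` and `spamassassin_filetrans_admin_home_content(spamc_t)` calls in the preceding hunk reference interfaces not defined in this diff; confirm spamassassin.if in the same patch provides them, since an undefined interface breaks the module build. The spamc_t client policy block these hunks belong to starts before them and continues after.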
@@ -92701,17 +92709,17 @@ index 4faa7e0..32f670e 100644 allow spamd_t self:unix_dgram_socket sendto; -allow spamd_t self:unix_stream_socket { accept connectto listen }; -allow spamd_t self:tcp_socket { accept listen }; -- ++allow spamd_t self:unix_stream_socket connectto; ++allow spamd_t self:tcp_socket create_stream_socket_perms; ++allow spamd_t self:udp_socket create_socket_perms; + -manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t) -userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd") -+allow spamd_t self:unix_stream_socket connectto; -+allow spamd_t self:tcp_socket create_stream_socket_perms; -+allow spamd_t self:udp_socket create_socket_perms; - +- -manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) @@ -92730,7 +92738,7 @@ index 4faa7e0..32f670e 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +406,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +411,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) 
@@ -92740,7 +92748,7 @@ index 4faa7e0..32f670e 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +416,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +421,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -92756,7 +92764,7 @@ index 4faa7e0..32f670e 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +431,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +436,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -92860,7 +92868,7 @@ index 4faa7e0..32f670e 100644 ') optional_policy(` -@@ -421,21 +502,13 @@ optional_policy(` +@@ -421,21 +507,13 @@ optional_policy(` ') optional_policy(` @@ -92884,7 +92892,7 @@ index 4faa7e0..32f670e 100644 ') optional_policy(` -@@ -443,8 +516,8 @@ optional_policy(` +@@ -443,8 +521,8 @@ optional_policy(` ') optional_policy(` @@ -92894,7 +92902,7 @@ index 4faa7e0..32f670e 100644 ') optional_policy(` -@@ -455,7 +528,12 @@ optional_policy(` +@@ -455,7 +533,12 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -92908,7 +92916,7 @@ index 4faa7e0..32f670e 100644 ') optional_policy(` -@@ -463,9 +541,9 @@ optional_policy(` +@@ -463,9 +546,9 @@ optional_policy(` ') optional_policy(` @@ -92919,7 +92927,7 @@ index 4faa7e0..32f670e 100644 ') optional_policy(` -@@ -474,32 +552,32 @@ optional_policy(` +@@ -474,32 +557,32 @@ optional_policy(` ######################################## # 
@@ -92962,7 +92970,7 @@ index 4faa7e0..32f670e 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +591,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 4091b31..d69cf88 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 162%{?dist} +Release: 163%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue May 13 2014 Miroslav Grepl 3.12.1-163 +- Add missing dyntransition for sandbox_x_domain + * Mon May 12 2014 Lukas Vrabec 3.12.1-162 - More rules needed for openshift/gear in rhel7 - svirt sandbox domains to read gear content in /run. Allow gear_t to manage openshift files