From f78292e7808cfe16f4b2dc1bfce34cd165df65a4 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Mar 10 2014 10:17:24 +0000
Subject: - Allow numad to write scan_sleep_millisecs
- Turn on entropyd_use_audio boolean by default
- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
- Fix label on irclogs in the homedir
- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix
- Allow postgresql to use ldap
- Add missing syslog-conn port
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 5a37828..883486b 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -5596,7 +5596,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..3173c7b 100644
+index 4edc40d..28e68c5 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5852,7 +5852,7 @@ index 4edc40d..3173c7b 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +266,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,51 +266,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5905,7 +5905,12 @@ index 4edc40d..3173c7b 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +316,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+ network_port(svrloc, tcp,427,s0, udp,427,s0)
+ network_port(swat, tcp,901,s0)
+ network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
+-network_port(syslogd, udp,514,s0)
++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)
+ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
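Review bot: Folding 601/tcp and 601/udp into the existing syslogd port type at `++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)` silently widens every domain that already holds a corenet_*_syslogd_port grant, and it puts the first TCP port on a type that was UDP-only, so any tcp bind/connect rule on syslogd_port_t that was previously inert now takes effect; that set of callers should be checked before this lands. The subject calls this the syslog-conn port but the rule itself does not say so. A trailing comment such as `# 601/tcp,udp: syslog-conn (RFC 3195 reliable syslog), kept on syslogd rather than a separate port type` would record the decision. The corenetwork declarations continue outside the hunk.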
@@ -22845,7 +22850,7 @@ index 9d2f311..9e87525 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 346d011..3e23acb 100644
+index 346d011..e73a293 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -22937,15 +22942,19 @@ index 346d011..3e23acb 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
-@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t)
+@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)
-miscfiles_read_localization(postgresql_t)
-
+-
seutil_libselinux_linked(postgresql_t)
seutil_read_default_contexts(postgresql_t)
-@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t)
+
++sysnet_use_ldap(postgresql_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+ userdom_dontaudit_search_user_home_dirs(postgresql_t)
userdom_dontaudit_use_user_terminals(postgresql_t)
optional_policy(`
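Review bot: `++sysnet_use_ldap(postgresql_t)` is granted unconditionally, although LDAP is only one optional pg_hba authentication method, so every postgresql_t instance gains outbound LDAP reach (and, if I read sysnet_use_ldap correctly, reads of the LDAP client configuration) whether or not it is configured for it. The module already gates optional behaviour behind tunables (postgresql_can_rsync, if I remember Fedora's postgresql.te correctly), so a boolean of the same shape would keep the default footprint unchanged. At minimum a why-comment `# pg_hba "ldap" auth method` above the call would document the need. The surrounding userdom_* block continues outside the hunk.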
@@ -22965,7 +22974,7 @@ index 346d011..3e23acb 100644
allow postgresql_t self:process execmem;
')
-@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
# It is always allowed to operate temporary objects for any database client.
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
@@ -23022,7 +23031,7 @@ index 346d011..3e23acb 100644
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')
-@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@@ -23031,7 +23040,7 @@ index 346d011..3e23acb 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 2d08b5b..d9019a5 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -11065,7 +11065,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index fdee107..9bb9ad1 100644
+index fdee107..1910951 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -11093,7 +11093,7 @@ index fdee107..9bb9ad1 100644
domain_setpriority_all_domains(cgclear_t)
fs_manage_cgroup_dirs(cgclear_t)
-@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
+@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
kernel_list_unlabeled(cgconfig_t)
kernel_read_system_state(cgconfig_t)
@@ -11118,7 +11118,11 @@ index fdee107..9bb9ad1 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-@@ -99,10 +102,11 @@ domain_setpriority_all_domains(cgred_t)
++allow cgred_t cgconfig_t:file read_file_perms;
+ allow cgred_t cgrules_etc_t:file read_file_perms;
+
+ allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
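Review bot: The added rule `++allow cgred_t cgconfig_t:file read_file_perms;` names the cgconfig process domain as the file type, not the type of /etc/cgconfig.conf: elsewhere in this patch that file is cgconfig_etc_t (`admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })`, `allow cgconfig_t cgconfig_etc_t:file read_file_perms;`), and the parallel rule on the very next line uses cgrules_etc_t. As written it grants cgred read on files labeled with a domain type (in practice the /proc entries of a running cgconfig) and presumably leaves the config file as denied as before, so the behaviour the commit message describes would not be fixed. It should read `allow cgred_t cgconfig_etc_t:file read_file_perms;`.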
@@ -24807,9 +24811,18 @@ index 266cb8f..b619351 100644
+ procmail_domtrans(dspam_t)
+')
diff --git a/entropyd.te b/entropyd.te
-index a0da189..d8bc9d5 100644
+index a0da189..dc22b89 100644
--- a/entropyd.te
+++ b/entropyd.te
+@@ -12,7 +12,7 @@ policy_module(entropyd, 1.7.2)
+ ## the entropy feeds.
+ ##
+ ##
+-gen_tunable(entropyd_use_audio, false)
++gen_tunable(entropyd_use_audio, true)
+
+ type entropyd_t;
+ type entropyd_exec_t;
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
dev_read_rand(entropyd_t)
dev_write_rand(entropyd_t)
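Review bot: Flipping the default at `++gen_tunable(entropyd_use_audio, true)` means whatever the tunable_policy block guards (audio device access, going by the name) is held by entropyd_t on every fresh install, while the `##` tunable description whose tail is visible just above still reads as if the access were opt-in. Please extend that description to state the new default and why, e.g. add `## Enabled by default: the sound card is the daemon's primary entropy feed.` so administrators reading the booleans listing understand what is granted out of the box. Existing installs that set the boolean persistently should keep their own value, if I recall the policy-store semantics correctly, but that is worth confirming.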
@@ -32777,14 +32790,14 @@ index 0000000..0fd2678
+ kerberos_use(ipa_otpd_t)
+')
diff --git a/irc.fc b/irc.fc
-index 48e7739..c3285c2 100644
+index 48e7739..1bf0326 100644
--- a/irc.fc
+++ b/irc.fc
@@ -1,6 +1,6 @@
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
-+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)
++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
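Review bot: The corrected line `++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0)` removes the undefined issi_home_t type, but the regex matches only a directory named exactly `irclog`; the upstream line it replaces and the subject ("Fix label on irclogs") both refer to `irclogs`, which as far as I recall is also the directory irssi writes its autologs to. If `irclogs` is the intended target the pattern should be `HOME_DIR/irclogs?(/.*)?` (or simply `HOME_DIR/irclogs(/.*)?`); otherwise restorecon will not touch those logs and they stay labeled as generic home content. A short comment naming the client that creates the path would help the next reader.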
@@ -36040,7 +36053,7 @@ index f9de9fc..11504e6 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..c37f70b 100644
+index 3465a9a..31ad037 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -1,4 +1,4 @@
@@ -36371,7 +36384,7 @@ index 3465a9a..c37f70b 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -303,28 +343,34 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,28 +343,37 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -36408,6 +36421,9 @@ index 3465a9a..c37f70b 100644
+# kerberos keytab domain local policy
+#
+
++#until we get sssd fix
++allow kerberos_keytab_domain kerberos_keytab_domain:key manage_key_perms;
++
+userdom_manage_all_users_keys(kerberos_keytab_domain)
+
+optional_policy(`
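Review bot: `++allow kerberos_keytab_domain kerberos_keytab_domain:key manage_key_perms;` is an attribute-to-attribute rule, so every domain carrying kerberos_keytab_domain may search, read, write, link and set permissions on the keyrings of every other such domain, not just its own. If the sssd workaround only needs each domain to manage its own keys, `allow kerberos_keytab_domain self:key manage_key_perms;` expresses that without the cross-domain grant. The comment `#until we get sssd fix` should also carry a reference to the bug being waited on, e.g. `# TODO: drop once sssd <BUG-ID> is fixed`, so the temporary rule can be found and retired later. The kerberos_keytab_domain block continues outside the hunk.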
@@ -53957,7 +53973,7 @@ index 0d3c270..709dda1 100644
+ ')
')
diff --git a/numad.te b/numad.te
-index f5d145d..97e1148 100644
+index f5d145d..f050103 100644
--- a/numad.te
+++ b/numad.te
@@ -1,4 +1,4 @@
@@ -53966,7 +53982,7 @@ index f5d145d..97e1148 100644
########################################
#
-@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3)
+@@ -8,37 +8,44 @@ policy_module(numad, 1.0.3)
type numad_t;
type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t)
@@ -54005,15 +54021,17 @@ index f5d145d..97e1148 100644
manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
files_pid_filetrans(numad_t, numad_var_run_t, file)
-@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t)
- dev_read_sysfs(numad_t)
+ kernel_read_system_state(numad_t)
--files_read_etc_files(numad_t)
+-dev_read_sysfs(numad_t)
++dev_rw_sysfs(numad_t)
++
+domain_use_interactive_fds(numad_t)
+domain_read_all_domains_state(numad_t)
+domain_setpriority_all_domains(numad_t)
-+
+
+-files_read_etc_files(numad_t)
+fs_manage_cgroup_dirs(numad_t)
+fs_rw_cgroup_files(numad_t)
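Review bot: Replacing dev_read_sysfs with `++dev_rw_sysfs(numad_t)` grants write on the entire sysfs_t tree to satisfy a single tunable, scan_sleep_millisecs, so numad may now modify any writable sysfs attribute rather than only the one the subject names. If this policy has no finer-grained type for that part of /sys, a why-comment `# writes scan_sleep_millisecs under /sys; sysfs_t has no finer type, so rw is granted tree-wide` beside the call would at least record the trade-off for whoever next audits numad's write reach. The numad_t rules continue outside the hunk.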
@@ -78024,7 +78042,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..b23c97a 100644
+index 1cedd70..d193f7a 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -78045,13 +78063,15 @@ index 1cedd70..b23c97a 100644
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,21 +51,45 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -51,22 +50,47 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
-
++kernel_read_sysctl(rhsmcertd_t)
++
+corenet_tcp_connect_http_port(rhsmcertd_t)
+corenet_tcp_connect_squid_port(rhsmcertd_t)
-+
+
corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t)
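Review bot: `++kernel_read_sysctl(rhsmcertd_t)` is a broad grant (read across everything labeled sysctl_t, i.e. /proc/sys) whose connection to the stated goal, lscpu reading /proc/sysinfo, is not visible from the rule; presumably /proc/sysinfo picks up sysctl_t through the /proc/sys genfscon prefix, and that reasoning should be written down so the call is not later removed as unrelated. A comment such as `# lscpu (run by rhsmcertd) reads /proc/sysinfo, which is labeled sysctl_t` would do, and if a narrower kernel_* interface covers that file it should be preferred. The rhsmcertd_t rules continue outside the hunk.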
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f70a229..b1e1c56 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 132%{?dist}
+Release: 133%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 10 2014 Miroslav Grepl 3.12.1-133
+- Allow numad to write scan_sleep_millisecs
+- Turn on entropyd_use_audio boolean by default
+- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf.
+- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo
+- Fix label on irclogs in the homedir
+- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix
+- Allow postgresql to use ldap
+- Add missing syslog-conn port
+
* Fri Mar 7 2014 Miroslav Grepl 3.12.1-132
- Modify xdm_write_home to allow create files/links in /root with xdm_home_
- Allow virt domains to read network state