diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index e670e6d..fd42ade 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -31636,7 +31636,7 @@ index 3c7b1e8..1e155f5 100644 + +/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/logwatch.te b/logwatch.te -index 75ce30f..9279c2d 100644 +index 75ce30f..061b725 100644 --- a/logwatch.te +++ b/logwatch.te @@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0) @@ -31680,7 +31680,11 @@ index 75ce30f..9279c2d 100644 files_read_usr_files(logwatch_t) files_search_spool(logwatch_t) files_search_mnt(logwatch_t) -@@ -70,6 +80,10 @@ fs_getattr_all_fs(logwatch_t) +@@ -67,9 +77,14 @@ files_dontaudit_search_boot(logwatch_t) + files_dontaudit_search_all_dirs(logwatch_t) + + fs_getattr_all_fs(logwatch_t) ++fs_getattr_all_dirs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) @@ -31691,7 +31695,7 @@ index 75ce30f..9279c2d 100644 term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) -@@ -84,19 +98,19 @@ libs_read_lib_files(logwatch_t) +@@ -84,19 +99,19 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -31715,7 +31719,7 @@ index 75ce30f..9279c2d 100644 files_getattr_all_file_type_fs(logwatch_t) ') -@@ -145,3 +159,24 @@ optional_policy(` +@@ -145,3 +160,24 @@ optional_policy(` samba_read_log(logwatch_t) samba_read_share_files(logwatch_t) ') @@ -36874,7 +36878,7 @@ index c358d8f..1cc176c 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..dd96224 100644 +index f17583b..de08ab6 100644 --- a/munin.te +++ b/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) 
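Review bot: The added `fs_getattr_all_dirs(logwatch_t)` in the logwatch.te section (outer hunk at -31680) has no comment saying which denial it answers, and the changelog's "all directories" reads broader than the interface probably is. As I read reference policy, this interface covers only directories labelled with a filesystem type (mount points and similar). A one-line comment above it such as `# getattr on filesystem-typed dirs (mount points); see <BUG-ID placeholder>` would let a later auditor confirm the grant is still needed. The same applies to the `fs_getattr_all_fs`/`fs_getattr_all_dirs` pair added for `disk_munin_plugin_t` in the munin.te hunk at -37001. Because `files_dontaudit_search_all_dirs(logwatch_t)` just above silences search denials, AVCs from this domain should be reviewed with dontaudit rules disabled before the domain is widened further.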
@@ -36987,7 +36991,7 @@ index f17583b..dd96224 100644 allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -190,15 +205,15 @@ corecmd_exec_shell(disk_munin_plugin_t) +@@ -190,15 +205,18 @@ corecmd_exec_shell(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) @@ -37001,13 +37005,16 @@ index f17583b..dd96224 100644 dev_read_sysfs(disk_munin_plugin_t) dev_read_urand(disk_munin_plugin_t) +dev_read_all_blk_files(munin_disk_plugin_t) ++ ++fs_getattr_all_fs(disk_munin_plugin_t) ++fs_getattr_all_dirs(disk_munin_plugin_t) -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) +storage_raw_read_fixed_disk(disk_munin_plugin_t) sysnet_read_config(disk_munin_plugin_t) -@@ -221,30 +236,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,30 +239,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) @@ -37061,7 +37068,7 @@ index f17583b..dd96224 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +287,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +290,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -37076,7 +37083,7 @@ index f17583b..dd96224 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +308,10 @@ optional_policy(` +@@ -279,6 +311,10 @@ optional_policy(` ') optional_policy(` @@ -37087,7 +37094,7 @@ index f17583b..dd96224 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +319,18 @@ optional_policy(` +@@ -286,6 +322,18 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') 
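Review bot: In the disk plugin block of munin.te (outer hunk at -37001), the retained line `dev_read_all_blk_files(munin_disk_plugin_t)` names a type that every other rule in the block spells `disk_munin_plugin_t`, including the two `fs_getattr_*` lines added right below it. Unless `munin_disk_plugin_t` is declared or aliased elsewhere in the policy, that rule either fails to build or never reaches the disk plugin domain; it should probably read `dev_read_all_blk_files(disk_munin_plugin_t)`. Separately, the block pairs `dev_read_all_blk_files` with `storage_raw_read_fixed_disk`, which lets the plugin read disk contents beneath the file-label layer. It is worth confirming that raw read is really required rather than the replaced `storage_getattr_fixed_disk_dev`. The block begins and ends outside this hunk.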
@@ -37106,7 +37113,7 @@ index f17583b..dd96224 100644 ################################## # # local policy for system plugins -@@ -295,12 +340,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,12 +343,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -37122,7 +37129,7 @@ index f17583b..dd96224 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +356,47 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +359,47 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -38404,7 +38411,7 @@ index 386543b..8fe1d63 100644 /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 2324d9e..7c9fca9 100644 +index 2324d9e..96dbf6f 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',` @@ -38570,10 +38577,10 @@ index 2324d9e..7c9fca9 100644 +# +interface(`networkmanager_manage_lib',` + gen_require(` -+ type NetworkManager_log_t; ++ type NetworkManager_var_lib_t; + ') + -+ manage_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) ++ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +') + + diff --git a/selinux-policy.spec b/selinux-policy.spec index 131a886..bcfcfed 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 65%{?dist} +Release: 66%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
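Review bot: `networkmanager_manage_lib()` (outer hunk at -38570) grants only `manage_files_pattern` on `NetworkManager_var_lib_t` and nothing to reach the directory, so a caller that does not get var_lib search from another interface will still be denied. Comparable lib-file interfaces in reference policy normally add `files_search_var_lib($1)` before the pattern, and adding that line here would match them. The name also suggests directory management while only files are covered, which is worth stating in the interface's summary comment, whose start lies outside this hunk. Because the earlier body handed callers manage rights over `NetworkManager_log_t`, it would be prudent to list the domains that call this interface and confirm none of them came to depend on writing NetworkManager logs.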
@@ -524,6 +524,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Dec 17 2012 Miroslav Grepl 3.11.1-66 +- Allow munin disk plugins to get attributes of all directories +- Allow munin disk plugins to get attributes of all directorie +- Allow logwatch to get attributes of all directories +- Fix networkmanager_manage_lib() interface +- Fix gnome_manage_config() to allow to manage sock_file +- Fix virtual_domain_context +- Add support for dynamic DNS for DHCPv6 + * Sat Dec 15 2012 Miroslav Grepl 3.11.1-65 - Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch - Add additional labeling for /var/www/openshift/broker