diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 9fdd91f..f12084f 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -2981,10 +2981,10 @@ index 0000000..a2cafbc + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..0dfadc0 100644 +index 550a69e..0bbc8f5 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,161 +1,197 @@ +@@ -1,161 +1,198 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3227,6 +3227,7 @@ index 550a69e..0dfadc0 100644 /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -23365,7 +23366,7 @@ index 6041113..ef3b449 100644 role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; diff --git a/exim.te b/exim.te -index 19325ce..b5c157f 100644 +index 19325ce..3e86b12 100644 --- a/exim.te +++ b/exim.te @@ -49,7 +49,7 @@ type exim_log_t; 
@@ -23422,18 +23423,19 @@ index 19325ce..b5c157f 100644 ') optional_policy(` -@@ -192,8 +190,9 @@ optional_policy(` +@@ -192,11 +190,6 @@ optional_policy(` ') optional_policy(` - mailman_read_data_files(exim_t) -+ mailman_manage_data_files(exim_t) - mailman_domtrans(exim_t) -+ mailman_read_log(exim_t) +- mailman_domtrans(exim_t) +-') +- +-optional_policy(` + nagios_search_spool(exim_t) ') - optional_policy(` -@@ -218,6 +217,7 @@ optional_policy(` +@@ -218,6 +211,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -38048,10 +38050,10 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 92508b2..2213a03 100644 +index 92508b2..9c51c34 100644 --- a/milter.te +++ b/milter.te -@@ -1,77 +1,117 @@ +@@ -1,77 +1,121 @@ -policy_module(milter, 1.4.2) +policy_module(milter, 1.4.0) @@ -38098,6 +38100,8 @@ index 92508b2..2213a03 100644 allow milter_domains self:fifo_file rw_fifo_file_perms; -allow milter_domains self:tcp_socket { accept listen }; + ++allow milter_domains self:process signull; ++ +# Allow communication with MTA over a TCP socket +allow milter_domains self:tcp_socket create_stream_socket_perms; @@ -38139,6 +38143,8 @@ index 92508b2..2213a03 100644 + +kernel_read_kernel_sysctls(dkim_milter_t) + ++corenet_udp_bind_all_ports(dkim_milter_t) ++ +auth_use_nsswitch(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) @@ -38197,7 +38203,7 @@ index 92508b2..2213a03 100644 optional_policy(` mysql_stream_connect(greylist_milter_t) -@@ -79,30 +119,45 @@ optional_policy(` +@@ -79,30 +123,45 @@ optional_policy(` ######################################## # @@ -42818,7 +42824,7 @@ index ed81cac..566684a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..4ab8177 100644 +index afd2fad..09ebbbe 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ 
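Review bot: `corenet_udp_bind_all_ports(dkim_milter_t)` in the milter.te hunk lets dkim_milter_t bind any UDP port, reserved ports included, which is far wider than the changelog entry "Allow dkim-milter to bind udp ports" suggests is needed. If the underlying denial was an ephemeral source port for DNS lookups, the narrower `corenet_udp_bind_generic_port(dkim_milter_t)` or `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` covers it; if a specific well-known port is really required, a comment naming that port above the line would make the grant reviewable. `sysnet_dns_name_resolve(dkim_milter_t)` already sits in the same block, so the denial that motivated this should be cross-checked against what that interface already permits. The dkim_milter_t block continues outside the hunk.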
@@ -43025,11 +43031,11 @@ index afd2fad..4ab8177 100644 + +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) - --userdom_use_user_terminals(system_mail_t) + -+logging_append_all_logs(system_mail_t) + ++logging_append_all_logs(system_mail_t) + +-userdom_use_user_terminals(system_mail_t) +logging_send_syslog_msg(system_mail_t) optional_policy(` @@ -43235,7 +43241,7 @@ index afd2fad..4ab8177 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -387,24 +277,165 @@ optional_policy(` +@@ -387,24 +277,173 @@ optional_policy(` ######################################## # @@ -43408,6 +43414,14 @@ index afd2fad..4ab8177 100644 + antivirus_stream_connect(user_mail_domain) + antivirus_stream_connect(mta_user_agent) +') ++ ++optional_policy(` ++ mailman_manage_data_files(mailserver_domain) ++ mailman_domtrans(mailserver_domain) ++ mailman_append_log(mailserver_domain) ++ mailman_read_log(mailserver_domain) ++') ++ diff --git a/munin.fc b/munin.fc index eb4b72a..4968324 100644 --- a/munin.fc @@ -66847,10 +66861,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..801835e 100644 +index 769d1fd..0a85601 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,109 @@ +@@ -1,96 +1,113 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) 
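Review bot: The new optional_policy block at the end of mta.te grants `mailman_manage_data_files(mailserver_domain)` to every domain carrying the mailserver_domain attribute, whereas the access it replaces was read-only in upstream (`mailman_read_data_files(exim_t)`) and, in the previous revision of this patch, manage for exim_t alone. Since manage includes create and delete of mailman data from any MTA domain, a one-line comment stating why every mailserver needs write access, e.g. `# mailman list data must be writable by the delivering MTA`, or scoping the call to the domain that actually needs it, would keep the widening deliberate. The matching removal in the exim.te `@@ -192` hunk earlier in this diff assumes exim_t is a mailserver_domain; that is not visible here and should be confirmed, or exim loses `mailman_domtrans`. The hunk also appends a blank line after the closing `')` at end of file, which should be dropped.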
@@ -66988,31 +67002,35 @@ index 769d1fd..801835e 100644 optional_policy(` - brctl_domtrans(quantum_t) -+ mysql_stream_connect(neutron_t) -+ mysql_read_config(neutron_t) -+ -+ mysql_tcp_connect(neutron_t) ++ iptables_domtrans(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ postgresql_stream_connect(neutron_t) -+ postgresql_unpriv_client(neutron_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_config(neutron_t) - mysql_tcp_connect(quantum_t) -+ postgresql_tcp_connect(neutron_t) ++ mysql_tcp_connect(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) -+ openvswitch_domtrans(neutron_t) -+ openvswitch_stream_connect(neutron_t) ++ postgresql_stream_connect(neutron_t) ++ postgresql_unpriv_client(neutron_t) ++ ++ postgresql_tcp_connect(neutron_t) +') - postgresql_tcp_connect(quantum_t) +optional_policy(` ++ openvswitch_domtrans(neutron_t) ++ openvswitch_stream_connect(neutron_t) ++') ++ ++optional_policy(` + sudo_exec(neutron_t) ') diff --git a/quota.fc b/quota.fc @@ -70569,7 +70587,7 @@ index 56bc01f..b8d154e 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..a499664 100644 +index 2c2de9a..983d2dc 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -70939,7 +70957,15 @@ index 2c2de9a..a499664 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +429,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -140,6 +421,7 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) + + corenet_sendrecv_zented_server_packets(fenced_t) + corenet_tcp_bind_zented_port(fenced_t) ++corenet_udp_bind_zented_port(fenced_t) + corenet_tcp_sendrecv_zented_port(fenced_t) + + corenet_sendrecv_http_client_packets(fenced_t) +@@ -148,9 +430,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) 
@@ -70950,7 +70976,7 @@ index 2c2de9a..a499664 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +439,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +440,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -70959,7 +70985,7 @@ index 2c2de9a..a499664 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +461,8 @@ optional_policy(` +@@ -182,7 +462,8 @@ optional_policy(` ') optional_policy(` @@ -70969,7 +70995,7 @@ index 2c2de9a..a499664 100644 ') optional_policy(` -@@ -190,12 +470,12 @@ optional_policy(` +@@ -190,12 +471,12 @@ optional_policy(` ') optional_policy(` @@ -70985,7 +71011,7 @@ index 2c2de9a..a499664 100644 ') optional_policy(` -@@ -203,6 +483,13 @@ optional_policy(` +@@ -203,6 +484,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -70999,7 +71025,7 @@ index 2c2de9a..a499664 100644 ####################################### # # foghorn local policy -@@ -221,16 +508,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +509,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -71020,7 +71046,7 @@ index 2c2de9a..a499664 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +546,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +547,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -71029,7 +71055,7 @@ index 2c2de9a..a499664 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +566,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +567,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) 
@@ -71071,7 +71097,7 @@ index 2c2de9a..a499664 100644 ###################################### # # qdiskd local policy -@@ -321,6 +641,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +642,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 31a2015..8d1929d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.17%{?dist} +Release: 74.18%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -542,6 +542,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Feb 11 2014 Lukas Vrabec 3.12.1-74.18 +- Allow mailserver_domains to manage and transition to mailman data +- Fixed broken interface in milter policy +- Allow dkim-milter to bind udp ports +- Allow milter domains to send signull itself +- Add labeling for /var/log/php_errors.log +- Allow neutron domtrans to iptables +- Allow fenced_t to bind on zented udp port + * Fri Jan 10 2014 Lukas Vrabec 3.12.1-74.17 - Allow polipo to connect to http_cache_ports - Add new access for mythtv