diff --git a/policy-F13.patch b/policy-F13.patch index 6c6ff05..cd3c7b6 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -18902,17 +18902,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.19/policy/modules/services/cgroup.fc --- nsaserefpolicy/policy/modules/services/cgroup.fc 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.fc 2010-08-10 14:13:34.000000000 +0000 -@@ -0,0 +1,10 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.fc 2011-02-07 14:04:08.475796001 +0000 +@@ -0,0 +1,15 @@ +/etc/cgconfig.conf -- gen_context(system_u:object_r:cgconfig_etc_t,s0) +/etc/cgrules.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) + ++/etc/sysconfig/cgconfig -- gen_context(system_u:object_r:cgconfig_etc_t,s0) ++/etc/sysconfig/cgred.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0) ++ +/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t,s0) +/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t,s0) + +/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0) +/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0) ++/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0) + ++/var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0) +/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.19/policy/modules/services/cgroup.if --- nsaserefpolicy/policy/modules/services/cgroup.if 1970-01-01 00:00:00.000000000 +0000 
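Review bot: The new `/etc/sysconfig/cgred.conf` entry leaves the dot unescaped; the path column of an .fc file is a regular expression, so `.` matches any character, and the `/var/log/cgrulesengd\.log` entry added in the same hunk already shows the intended form — `/etc/sysconfig/cgred\.conf -- gen_context(system_u:object_r:cgrules_etc_t,s0)`. The pre-existing `/etc/cgconfig.conf` and `/etc/cgrules.conf` entries have the same pattern if you want to tidy them while here. Labeling the sysconfig file as cgrules_etc_t means cgred_t reads it through the existing `cgrules_etc_t:file read_file_perms` rule, which looks right for a daemon-specific config.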
@@ -19067,8 +19072,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.19/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2010-08-10 14:14:55.000000000 +0000 -@@ -0,0 +1,79 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2011-02-07 14:09:12.598796002 +0000 +@@ -0,0 +1,104 @@ +policy_module(cgroup, 1.0.0) + +######################################## @@ -19076,6 +19081,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +# Declarations +# + ++type cgclear_t; ++type cgclear_exec_t; ++init_daemon_domain(cgclear_t, cgclear_exec_t) ++ +type cgred_t; +type cgred_exec_t; +init_daemon_domain(cgred_t, cgred_exec_t) @@ -19083,6 +19092,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +type cgred_initrc_exec_t; +init_script_file(cgred_initrc_exec_t) + ++type cgred_log_t; ++logging_log_file(cgred_log_t) ++ +type cgred_var_run_t; +files_pid_file(cgred_var_run_t) + 
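Review bot: `init_daemon_domain(cgclear_t, cgclear_exec_t)` declares cgclear as a long-running daemon, but if cgclear is, as its name suggests, a one-shot tool that tears the cgroup hierarchy down (the .fc hunk labels only `/sbin/cgclear` and gives it no init script of its own), refpolicy's convention for short-running processes started from init scripts is `init_system_domain(cgclear_t, cgclear_exec_t)`. Either way only init/initrc will transition into cgclear_t: no hunk in this diff touches the body of cgroup.if, so no domtrans interface is provided and an administrator running cgclear by hand stays in their own domain — worth a comment on the declaration if that is intended.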
@@ -19099,12 +19111,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro +type cgconfig_etc_t; +files_config_file(cgconfig_etc_t) + ++####################################### ++# ++# cgclear personal policy. ++# ++allow cgclear_t self:capability { dac_read_search dac_override sys_admin }; ++ ++kernel_read_system_state(cgclear_t) ++ ++domain_setpriority_all_domains(cgclear_t) ++ ++fs_manage_cgroup_dirs(cgclear_t) ++fs_manage_cgroup_files(cgclear_t) ++fs_unmount_cgroup(cgclear_t) ++ +######################################## +# +# cgconfig personal policy. +# + -+allow cgconfig_t self:capability { dac_override fowner chown sys_admin }; ++allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin }; + +allow cgconfig_t cgconfig_etc_t:file read_file_perms; + @@ -19130,8 +19156,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro + +allow cgred_t cgrules_etc_t:file read_file_perms; + ++manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t) ++logging_log_filetrans(cgred_t, cgred_log_t, file) ++ ++manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) +manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) -+files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file) ++files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file }) + +kernel_read_system_state(cgred_t) + @@ -23428,7 +23458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2011-01-14 13:46:52.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2011-02-07 13:53:03.122796000 +0000 
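Review bot: `domain_setpriority_all_domains(cgclear_t)` in the new cgclear block reaches every domain on the system and nothing in the block says why; a why-comment would keep the next reader from treating it as an over-grant, e.g. `# cgclear moves every task back to the root cgroup; presumably the attach is checked as setsched on the target — confirm against the denials that motivated this`. In the capability line, `dac_override` already permits everything `dac_read_search` does, so if cgclear only needs to traverse hierarchies that cgconfig handed to other owners, `{ dac_read_search sys_admin }` is the smaller grant; keep `dac_override` only if a denial shows writes to non-root-owned cgroup files. Style: the banner above the block is one `#` short of the 40 used by the cgconfig banner below it and is not followed by the usual blank line.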
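Review bot: `manage_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` lets cgrulesengd truncate, rename and unlink its own log, which is more than an append-only logger needs and means a compromised daemon can erase its own trail. Unless cgrulesengd rotates the file itself, `create_files_pattern(cgred_t, cgred_log_t, cgred_log_t)`, `append_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` and `setattr_files_pattern(cgred_t, cgred_log_t, cgred_log_t)` cover creating and writing it while `logging_log_filetrans` stays as is. The widening of `files_pid_filetrans` to `{ file sock_file }` with the new `manage_files_pattern` on cgred_var_run_t reads as a pid file next to the existing socket, which looks fine.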
@@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) @@ -23458,7 +23488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove type dovecot_etc_t; files_config_file(dovecot_etc_t) -@@ -54,15 +60,16 @@ +@@ -54,33 +60,50 @@ # dovecot local policy # @@ -23477,7 +23507,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_t dovecot_cert_t:dir list_dir_perms; read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) -@@ -73,14 +80,26 @@ + read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) + + allow dovecot_t dovecot_etc_t:file read_file_perms; ++read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t) ++read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t) ++read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) ++ + files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) @@ -23505,7 +23542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) -@@ -93,16 +112,20 @@ +@@ -93,16 +116,20 @@ corenet_tcp_sendrecv_generic_node(dovecot_t) corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) @@ -23526,7 +23563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove fs_search_auto_mountpoints(dovecot_t) fs_list_inotifyfs(dovecot_t) -@@ -142,6 +165,16 @@ +@@ -142,6 +169,16 @@ ') optional_policy(` @@ -23543,7 +23580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -166,17 +199,14 @@ +@@ -166,17 +203,14 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; 
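Review bot: The `read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)` and `read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)` lines are added under the `# dovecot local policy` section (which begins before this hunk) instead of in the dovecot_auth and dovecot_deliver sections further down where the rest of those domains' rules live; moving them keeps each domain's grants reviewable in one place. A symlink read is only useful if the target is readable too, so confirm both domains already hold `dovecot_etc_t:file read_file_perms` — only the dovecot_t rule is visible here. If the symlink that prompted this points outside dovecot_etc_t, the target's type needs its own rule, which the changelog entry does not mention.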
@@ -23563,7 +23600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) -@@ -197,11 +227,13 @@ +@@ -197,11 +231,13 @@ files_search_pids(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) @@ -23578,7 +23615,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t) -@@ -225,6 +257,7 @@ +@@ -218,6 +254,9 @@ + optional_policy(` + mysql_search_db(dovecot_auth_t) + mysql_stream_connect(dovecot_auth_t) ++ mysql_read_config(dovecot_auth_t) ++ mysql_tcp_connect(dovecot_auth_t) ++ + ') + + optional_policy(` +@@ -225,6 +264,7 @@ ') optional_policy(` @@ -23586,7 +23633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,18 +267,35 @@ +@@ -234,18 +274,35 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; @@ -23622,7 +23669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -263,15 +313,30 @@ +@@ -263,15 +320,30 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` diff --git a/selinux-policy.spec b/selinux-policy.spec index 005d181..a329e6c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 89%{?dist} +Release: 90%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
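Review bot: `mysql_tcp_connect(dovecot_auth_t)` gives the auth worker — the process that parses untrusted client credentials — unconditional network access to the MySQL port, whereas the existing `mysql_stream_connect` line only reached the local socket; other service modules gate this step behind a boolean (compare `httpd_can_network_connect_db`) so local-only deployments keep the tighter policy. Declare such a tunable with `gen_tunable` and its `## <desc>` block in the declarations section and wrap only the `mysql_tcp_connect` call in a `tunable_policy` block keyed on it, leaving `mysql_read_config` unconditional. The inner diff also adds an empty line right before the closing `')` of the optional_policy block; refpolicy style has no trailing blank inside the block.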
@@ -471,6 +471,12 @@ exit 0 %endif %changelog +* Mon Feb 7 2011 Miroslav Grepl 3.7.19-90 +- shutdown is passed stdout to a xdm_log_t file +- dovecot_etc_t contains a lnk_file that domains need to read +- dovecot-auth needs to be able to connect to mysqld via the network as well as locally +- Fixes for cgroup policy + * Fri Feb 4 2011 Miroslav Grepl 3.7.19-89 - dirsrv needs to be able to create /var/lib/snmp - Fix labeling for dirsrv