diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9f673ed..ac008ee 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -689,7 +689,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 28802c5..ee01d6e 100644 +index 28802c5..88519a9 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -728,7 +728,16 @@ index 28802c5..ee01d6e 100644 } # -@@ -827,6 +837,9 @@ class kernel_service +@@ -690,6 +700,8 @@ class nscd + shmemhost + getserv + shmemserv ++ getnetgrp ++ shmemnetgrp + } + + # Define the access vector interpretation for controlling +@@ -827,6 +839,9 @@ class kernel_service class tun_socket inherits socket @@ -738,7 +747,7 @@ index 28802c5..ee01d6e 100644 class x_pointer inherits x_device -@@ -862,3 +875,20 @@ inherits database +@@ -862,3 +877,20 @@ inherits database implement execute } @@ -28008,7 +28017,7 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..e9ab9ba 100644 +index dd3be8d..d145ffc 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -28196,7 +28205,7 @@ index dd3be8d..e9ab9ba 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +230,51 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -28224,6 +28233,7 @@ index dd3be8d..e9ab9ba 100644 +term_use_unallocated_ttys(init_t) +term_use_console(init_t) +term_use_all_inherited_terms(init_t) ++term_use_generic_ptys(init_t) # Run init scripts. init_domtrans_script(init_t) @@ -28251,7 +28261,7 @@ index dd3be8d..e9ab9ba 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +283,204 @@ ifdef(`distro_gentoo',` +@@ -186,29 +284,204 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28281,19 +28291,19 @@ index dd3be8d..e9ab9ba 100644 + +optional_policy(` + chronyd_read_keys(init_t) ++') ++ ++optional_policy(` ++ kdump_read_crash(init_t) ') optional_policy(` - auth_rw_login_records(init_t) -+ kdump_read_crash(init_t) ++ gnome_filetrans_home_content(init_t) ++ gnome_manage_data(init_t) ') optional_policy(` -+ gnome_filetrans_home_content(init_t) -+ gnome_manage_data(init_t) -+') -+ -+optional_policy(` + iscsi_read_lib_files(init_t) +') + @@ -28464,7 +28474,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -216,7 +488,30 @@ optional_policy(` +@@ -216,7 +489,30 @@ optional_policy(` ') optional_policy(` @@ -28495,7 +28505,7 @@ index dd3be8d..e9ab9ba 100644 ') ######################################## -@@ -225,8 +520,9 @@ optional_policy(` +@@ -225,8 +521,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28507,7 +28517,7 @@ index dd3be8d..e9ab9ba 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +553,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +554,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28524,7 +28534,7 @@ index dd3be8d..e9ab9ba 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +578,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +579,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28567,7 +28577,7 @@ index dd3be8d..e9ab9ba 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +615,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +616,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28579,7 +28589,7 @@ index dd3be8d..e9ab9ba 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +627,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +628,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28590,7 +28600,7 @@ index dd3be8d..e9ab9ba 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +638,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +639,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28600,7 +28610,7 @@ index dd3be8d..e9ab9ba 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +647,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +648,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28608,7 +28618,7 @@ index dd3be8d..e9ab9ba 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +654,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +655,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28616,7 +28626,7 @@ index dd3be8d..e9ab9ba 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +662,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +663,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28634,7 +28644,7 @@ index dd3be8d..e9ab9ba 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +680,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +681,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28648,7 +28658,7 @@ index dd3be8d..e9ab9ba 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +695,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +696,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28662,7 +28672,7 @@ index dd3be8d..e9ab9ba 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +708,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +709,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -28670,7 +28680,7 @@ index dd3be8d..e9ab9ba 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +720,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +721,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28678,7 +28688,7 @@ index dd3be8d..e9ab9ba 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +739,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +740,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28702,7 +28712,7 @@ index dd3be8d..e9ab9ba 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +772,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +773,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28710,7 +28720,7 @@ index dd3be8d..e9ab9ba 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +806,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +807,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28721,7 +28731,7 @@ index dd3be8d..e9ab9ba 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +830,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +831,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28730,7 +28740,7 @@ index dd3be8d..e9ab9ba 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +845,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +846,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -28738,7 +28748,7 @@ index dd3be8d..e9ab9ba 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +866,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +867,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28746,7 +28756,7 @@ index dd3be8d..e9ab9ba 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +876,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +877,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28791,7 +28801,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -558,14 +921,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +922,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28823,7 +28833,7 @@ index dd3be8d..e9ab9ba 100644 ') ') -@@ -576,6 +956,39 @@ ifdef(`distro_suse',` +@@ -576,6 +957,39 @@ ifdef(`distro_suse',` ') ') @@ -28863,7 +28873,7 @@ index dd3be8d..e9ab9ba 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1001,8 @@ optional_policy(` +@@ -588,6 +1002,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28872,7 +28882,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -609,6 +1024,7 @@ optional_policy(` +@@ -609,6 +1025,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28880,7 +28890,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -625,6 +1041,17 @@ optional_policy(` +@@ -625,6 +1042,17 @@ optional_policy(` ') optional_policy(` @@ -28898,7 +28908,7 @@ index dd3be8d..e9ab9ba 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1068,13 @@ optional_policy(` +@@ -641,9 +1069,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -28912,7 +28922,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -656,15 +1087,11 @@ optional_policy(` +@@ -656,15 +1088,11 @@ optional_policy(` ') optional_policy(` @@ -28930,7 +28940,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -685,6 +1112,15 @@ optional_policy(` +@@ -685,6 +1113,15 @@ optional_policy(` ') optional_policy(` @@ -28946,7 +28956,7 @@ index dd3be8d..e9ab9ba 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1161,7 @@ optional_policy(` +@@ -725,6 +1162,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28954,7 +28964,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -742,7 +1179,13 @@ optional_policy(` +@@ -742,7 +1180,13 @@ optional_policy(` ') optional_policy(` @@ -28969,7 +28979,7 @@ index dd3be8d..e9ab9ba 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1208,10 @@ optional_policy(` +@@ -765,6 +1209,10 @@ optional_policy(` ') optional_policy(` @@ -28980,7 +28990,7 @@ index dd3be8d..e9ab9ba 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1221,20 @@ optional_policy(` +@@ -774,10 +1222,20 @@ optional_policy(` ') optional_policy(` @@ -29001,7 +29011,7 @@ index dd3be8d..e9ab9ba 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1243,10 @@ optional_policy(` +@@ -786,6 +1244,10 @@ optional_policy(` ') optional_policy(` @@ -29012,7 +29022,7 @@ index dd3be8d..e9ab9ba 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1268,6 @@ optional_policy(` +@@ -807,8 +1269,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29021,7 +29031,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -817,6 +1276,10 @@ optional_policy(` +@@ -817,6 +1277,10 @@ optional_policy(` ') optional_policy(` @@ -29032,7 +29042,7 @@ index dd3be8d..e9ab9ba 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1289,12 @@ optional_policy(` +@@ -826,10 +1290,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29045,10 +29055,15 @@ index dd3be8d..e9ab9ba 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1321,28 @@ optional_policy(` +@@ -856,12 +1322,33 @@ optional_policy(` ') optional_policy(` ++ virt_read_config(init_t) ++ virt_stream_connect(init_t) ++') ++ ++optional_policy(` + virt_manage_pid_dirs(initrc_t) + virt_manage_cache(initrc_t) + virt_manage_lib_files(initrc_t) @@ -29075,7 +29090,7 @@ index dd3be8d..e9ab9ba 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1352,18 @@ optional_policy(` +@@ -871,6 +1358,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29094,7 +29109,7 @@ index dd3be8d..e9ab9ba 100644 ') optional_policy(` -@@ -886,6 +1379,10 @@ optional_policy(` +@@ -886,6 +1385,10 @@ optional_policy(` ') optional_policy(` @@ -29105,7 +29120,7 @@ index dd3be8d..e9ab9ba 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1393,218 @@ optional_policy(` +@@ -896,3 +1399,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index a4ccbb8..4602c3a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 95%{?dist} +Release: 96%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -573,7 +573,19 @@ SELinux Reference policy mls base module. %endif %changelog -* Mon Oct 28 2013 Miroslav Grepl 3.12.1-95 +* Fri Nov 1 2013 Miroslav Grepl 3.12.1-96 +- Add missing permission checks for nscd + +* Wed Oct 30 2013 Miroslav Grepl 3.12.1-95 +- Fix alias decl in corenetwork.te.in +- Add support for fuse.glusterfs +- Add file transition rules for content created by f5link +- Rename quantum_port information to neutron +- Allow all antivirus domains to manage also own log dirs +- Rename quantum_port information to neutron +- Allow pegasus_openlmi_services_t to stream connect to sssd_t + +* Mon Oct 28 2013 Miroslav Grepl 3.12.1-94 - Allow sysadm_t to read login information - Allow systemd_tmpfiles to setattr on var_log_t directories - Udpdate Makefile to include systemd_contexts