From 1b634710d175d1b9538f5fb7774c8f9e03be6e25 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 18 May 2012 11:42:50 -0400
Subject: [PATCH] Allow stream sock_files to be stored in /tmp and etc_rw_t directories by sepolgen - Trigger on selinux-policy needs to change to selinux-policy-devel - Update translations - Fix semanage dontaudit off/on exception
---
 policycoreutils-rhat.patch | 60 +++++++++++++++++++++++++++++++++++---
 policycoreutils.spec | 7 ++---
 2 files changed, 59 insertions(+), 8 deletions(-)
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 0ec44a7..47bf144 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -12227,10 +12227,10 @@ index 0000000..f7af4d8
 +
 diff --git a/policycoreutils/gui/templates/etc_rw.py b/policycoreutils/gui/templates/etc_rw.py
 new file mode 100644
-index 0000000..0d3dbfe
+index 0000000..1cea8b1
 --- /dev/null
 +++ b/policycoreutils/gui/templates/etc_rw.py
-@@ -0,0 +1,112 @@
+@@ -0,0 +1,138 @@
 +# Copyright (C) 2007-2012 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
@@ -12265,6 +12265,11 @@ index 0000000..0d3dbfe
 +files_etc_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, { dir file })
 +"""
 +
++te_stream_rules="""
++allow TEMPLATETYPE_t TEMPLATETYPE_etc_rw_t:sock_file manage_sock_file_perms;
++files_pid_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, sock_file)
++"""
++
 +########################### Interface File #############################
 +if_rules="""
 +########################################
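Review bot: In the new `te_stream_rules` of etc_rw.py the transition is `files_pid_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, sock_file)`, which names the pid directories, while the context line just above uses `files_etc_filetrans` for the same type. This looks carried over from a pid-file template. As written, a socket the domain creates directly under /etc would presumably keep the parent directory's label, and one it creates under the pid directory would pick up the etc_rw type, so the new `allow ... :sock_file manage_sock_file_perms` rule and the labeling do not line up. I would use `files_etc_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, sock_file)` here. The `te_stream_rules` hunk for tmp.py (@@ -13256) has the same problem and would take `files_tmp_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, sock_file)`.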
@@ -12327,6 +12332,27 @@ index 0000000..0d3dbfe
 +
 +"""
 +
++if_stream_rules="""\
++########################################
++##
++## Connect to TEMPLATETYPE over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`TEMPLATETYPE_stream_connect',`
++ gen_require(`
++ type TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_t)
++')
++"""
++
 +if_admin_types="""
 + type TEMPLATETYPE_etc_rw_t;"""
 +
@@ -13218,10 +13244,10 @@ index 0000000..194fb2c
 +
 diff --git a/policycoreutils/gui/templates/tmp.py b/policycoreutils/gui/templates/tmp.py
 new file mode 100644
-index 0000000..d2adaa4
+index 0000000..33d4340
 --- /dev/null
 +++ b/policycoreutils/gui/templates/tmp.py
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,128 @@
 +# Copyright (C) 2007-2012 Red Hat
 +# see file 'COPYING' for use and warranty information
 +#
@@ -13256,6 +13282,11 @@ index 0000000..d2adaa4
 +files_tmp_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, { dir file })
 +"""
 +
++te_stream_rules="""
++allow TEMPLATETYPE_t TEMPLATETYPE_tmp_t:sock_file manage_sock_file_perms;
++files_pid_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, sock_file)
++"""
++
 +if_rules="""
 +########################################
 +##
@@ -13317,6 +13348,27 @@ index 0000000..d2adaa4
 +')
 +"""
 +
++if_stream_rules="""\
++########################################
++##
++## Connect to TEMPLATETYPE over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`TEMPLATETYPE_stream_connect',`
++ gen_require(`
++ type TEMPLATETYPE_t, TEMPLATETYPE_tmp_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t, TEMPLATETYPE_t)
++')
++"""
++
 +if_admin_types="""
 + type TEMPLATETYPE_tmp_t;"""
 +
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 713e202..90cbdfa 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
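Review bot: `files_search_pids($1)` in the new `TEMPLATETYPE_stream_connect` interface of etc_rw.py grants the caller search on the pid directories, although the socket this template describes is labeled with the etc_rw type. A client would therefore get a permission it does not need and probably still lack the one it does. `files_search_etc($1)` matches the type here, and the tmp.py copy of the interface (@@ -13317) would take `files_search_tmp($1)`. Both templates also emit an interface with the same name, `TEMPLATETYPE_stream_connect`; whether the generator can select more than one of them for a single module is not visible in these hunks, but if it can, the generated .if file would define the interface twice. A line in the summary such as `## Connect to TEMPLATETYPE over a unix stream socket stored in an etc_rw directory.` would make it clear which copy a reader is looking at.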
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.11 -Release: 14%{?dist} +Release: 15%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -340,10 +340,9 @@ fi %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog -* Fri May 18 2012 Dan Walsh - 2.1.11-14 +* Fri May 18 2012 Dan Walsh - 2.1.11-15 +- Allow stream sock_files to be stored in /tmp and etc_rw_t directories by sepolgen - Trigger on selinux-policy needs to change to selinux-policy-devel - -* Fri May 18 2012 Dan Walsh - 2.1.11-13 - Update translations - Fix semanage dontaudit off/on exception