* Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154

- Allow winbindd to send signull to kernel. BZ(#1269193) - Merge branch 'rawhide-contrib-chrony' into rawhide-contrib - Fixes for chrony version 2.2 BZ(#1259636) * Allow chrony chown capability * Allow sendto dgram_sockets to itself and to unconfined_t domains. - Merge branch 'rawhide-contrib-chrony' into rawhide-contrib - Add boolean allowing mysqld to connect to http port. #1262125 - Merge pull request #52 from 1dot75cm/rawhide-base - Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877) - Fix attribute in corenetwork.if.in
2015-10-20 15:11:36 +02:00 · 2015-10-20 15:11:36 +02:00 · 0bdc2482e7
commit 0bdc2482e7
parent 8c4eb92cbb
3 changed files with 64 additions and 35 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -4131,7 +4131,7 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 07126bd..015bd7a 100644
+index 07126bd..04cf2da 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
@@ -55,6 +55,7 @@ interface(`corenet_reserved_port',`
@ -4900,10 +4900,10 @@ index 07126bd..015bd7a 100644
 +#
 +interface(`corenet_tcp_bind_unreserved_ports',`
 +	gen_require(`
-+		attribute unreserved_port_t;
+		attribute unreserved_port_type;
 +	')
 +
-+	allow $1 unreserved_port_t:tcp_socket name_bind;
+	allow $1 unreserved_port_type:tcp_socket name_bind;
 +')
 +
 +########################################
@ -44936,10 +44936,10 @@ index 0000000..4f142e9
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..ad113b6
+index 0000000..bf0a5c8
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,782 @@
+@@ -0,0 +1,784 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -45567,6 +45567,8 @@ index 0000000..ad113b6
 +dev_write_kmsg(systemd_hostnamed_t)
 +dev_read_sysfs(systemd_hostnamed_t)
 +
+fs_read_xenfs_files(systemd_hostnamed_t)
+
 +init_status(systemd_hostnamed_t)
 +init_stream_connect(systemd_hostnamed_t)
 +
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -3430,10 +3430,10 @@ index 0000000..6183b21
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..77e26bf 100644
+index 7caefc3..b25689b 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,210 @@
+@@ -1,162 +1,211 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -3596,6 +3596,7 @@ index 7caefc3..77e26bf 100644
 +/usr/share/glpi(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/nginx/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@ -13058,10 +13059,10 @@ index 0000000..5955ff0
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
 +')
 diff --git a/chronyd.fc b/chronyd.fc
-index 4e4143e..36ee9e1 100644
+index 4e4143e..f03dba0 100644
 --- a/chronyd.fc
 +++ b/chronyd.fc
-@@ -1,13 +1,17 @@
+@@ -1,13 +1,18 @@
 -/etc/chrony\.keys	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
 +/etc/chrony\.keys.*	--	gen_context(system_u:object_r:chronyd_keys_t,s0)
 
@ -13077,6 +13078,7 @@ index 4e4143e..36ee9e1 100644
 /var/log/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_log_t,s0)
 
 -/var/run/chronyd(/.*)	gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chrony(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 +/var/run/chronyd(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 +/var/run/chrony-helper(/.*)?	gen_context(system_u:object_r:chronyd_var_run_t,s0)
 /var/run/chronyd\.pid	--	gen_context(system_u:object_r:chronyd_var_run_t,s0)
@ -13277,7 +13279,7 @@ index 32e8265..c5a2913 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
 ')
 diff --git a/chronyd.te b/chronyd.te
-index e5b621c..337110c 100644
+index e5b621c..135100a 100644
 --- a/chronyd.te
 +++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@ -13296,11 +13298,11 @@ index e5b621c..337110c 100644
 
 -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
 -allow chronyd_t self:process { getcap setcap setrlimit signal };
-+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time chown };
 +allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
 allow chronyd_t self:shm create_shm_perms;
 +allow chronyd_t self:udp_socket create_socket_perms;
-+allow chronyd_t self:unix_dgram_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow chronyd_t self:fifo_file rw_fifo_file_perms;
 
 +allow chronyd_t chronyd_keys_t:file append_file_perms;
@ -13308,7 +13310,7 @@ index e5b621c..337110c 100644
 allow chronyd_t chronyd_keys_t:file read_file_perms;
 
 manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
-@@ -76,18 +83,36 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+@@ -76,18 +83,38 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
 corenet_udp_bind_chronyd_port(chronyd_t)
 corenet_udp_sendrecv_chronyd_port(chronyd_t)
 
@ -13332,6 +13334,8 @@ index e5b621c..337110c 100644
 +sysnet_read_dhcpc_state(chronyd_t)
 +
 +systemd_exec_systemctl(chronyd_t)
+
+userdom_dgram_send(chronyd_t)
 
 optional_policy(`
 	gpsd_rw_shm(chronyd_t)
@ -54701,10 +54705,10 @@ index 687af38..5381f1b 100644
 +	mysql_stream_connect($1)
 ')
 diff --git a/mysql.te b/mysql.te
-index 7584bbe..c2babeb 100644
+index 7584bbe..dbbdb99 100644
 --- a/mysql.te
 +++ b/mysql.te
-@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
+@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
 #
 
 ## <desc>
@ -54719,7 +54723,13 @@ index 7584bbe..c2babeb 100644
 gen_tunable(mysql_connect_any, false)
 
 -attribute_role mysqld_roles;
-
+## <desc>
+## <p>
+## Allow mysqld to connect to http port
+## </p>
+## </desc>
+gen_tunable(mysql_connect_http, false)
+ 
 type mysqld_t;
 type mysqld_exec_t;
 init_daemon_domain(mysqld_t, mysqld_exec_t)
@ -54728,7 +54738,7 @@ index 7584bbe..c2babeb 100644
 
 type mysqld_safe_t;
 type mysqld_safe_exec_t;
-@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
+@@ -27,7 +29,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
 
 type mysqld_var_run_t;
 files_pid_file(mysqld_var_run_t)
@ -54736,7 +54746,7 @@ index 7584bbe..c2babeb 100644
 
 type mysqld_db_t;
 files_type(mysqld_db_t)
-@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t)
+@@ -38,6 +39,9 @@ files_config_file(mysqld_etc_t)
 type mysqld_home_t;
 userdom_user_home_content(mysqld_home_t)
 
@ -54746,7 +54756,7 @@ index 7584bbe..c2babeb 100644
 type mysqld_initrc_exec_t;
 init_script_file(mysqld_initrc_exec_t)
 
-@@ -62,28 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
+@@ -62,28 +66,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
 # Local policy
 #
 
@ -54783,7 +54793,7 @@ index 7584bbe..c2babeb 100644
 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -95,50 +93,60 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -95,50 +100,64 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
 files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
 
@ -54859,10 +54869,14 @@ index 7584bbe..c2babeb 100644
 	corenet_tcp_connect_all_ports(mysqld_t)
 -	corenet_tcp_sendrecv_all_ports(mysqld_t)
 +	corenet_sendrecv_all_client_packets(mysqld_t)
+')
+
+tunable_policy(`mysql_connect_http',`
+	corenet_tcp_connect_http_port(mysqld_t)
 ')
 
 optional_policy(`
-@@ -146,6 +154,10 @@ optional_policy(`
+@@ -146,6 +165,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -54873,7 +54887,7 @@ index 7584bbe..c2babeb 100644
 	seutil_sigchld_newrole(mysqld_t)
 ')
 
-@@ -155,21 +167,18 @@ optional_policy(`
+@@ -155,21 +178,18 @@ optional_policy(`
 
 #######################################
 #
@ -54900,7 +54914,7 @@ index 7584bbe..c2babeb 100644
 
 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-@@ -177,9 +186,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +197,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 
 manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
@ -54911,7 +54925,7 @@ index 7584bbe..c2babeb 100644
 
 kernel_read_system_state(mysqld_safe_t)
 kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,21 +194,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +205,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
 
@ -54927,9 +54941,9 @@ index 7584bbe..c2babeb 100644
 +files_dontaudit_access_check_root(mysqld_safe_t)
 files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 +files_dontaudit_getattr_all_dirs(mysqld_safe_t)
- 
-+files_write_root_dirs(mysqld_safe_t)
 +
+files_write_root_dirs(mysqld_safe_t)
+ 
 +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
 logging_send_syslog_msg(mysqld_safe_t)
 
@ -54947,7 +54961,7 @@ index 7584bbe..c2babeb 100644
 
 optional_policy(`
 	hostname_exec(mysqld_safe_t)
-@@ -209,7 +224,7 @@ optional_policy(`
+@@ -209,7 +235,7 @@ optional_policy(`
 
 ########################################
 #
@ -54956,7 +54970,7 @@ index 7584bbe..c2babeb 100644
 #
 
 allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -218,11 +233,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +244,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
 allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
 allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
 
@ -54974,7 +54988,7 @@ index 7584bbe..c2babeb 100644
 
 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
 
-@@ -230,31 +246,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +257,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
 filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
 
@ -91644,7 +91658,7 @@ index 50d07fb..e9569d2 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..bf7a710 100644
+index 2b7c441..0232e85 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@ -92769,7 +92783,7 @@ index 2b7c441..bf7a710 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +962,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +962,42 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 
 rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
 
@ -92802,6 +92816,7 @@ index 2b7c441..bf7a710 100644
 kernel_read_kernel_sysctls(winbind_t)
 kernel_read_system_state(winbind_t)
 +kernel_read_usermodehelper_state(winbind_t)
+kernel_signull(winbind_t)
 
 corecmd_exec_bin(winbind_t)
 
@ -92822,7 +92837,7 @@ index 2b7c441..bf7a710 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1004,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1005,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
 
@ -92881,7 +92896,7 @@ index 2b7c441..bf7a710 100644
 ')
 
 optional_policy(`
-@@ -959,31 +1065,36 @@ optional_policy(`
+@@ -959,31 +1066,36 @@ optional_policy(`
 # Winbind helper local policy
 #
 
@ -92925,7 +92940,7 @@ index 2b7c441..bf7a710 100644
 
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1108,38 @@ optional_policy(`
+@@ -997,25 +1109,38 @@ optional_policy(`
 
 ########################################
 #
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 153%{?dist}
+Release: 154%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -656,6 +656,18 @@ exit 0
 %endif

 %changelog
+* Tue Oct 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-154
+- Allow winbindd to send signull to kernel. BZ(#1269193)
+- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
+- Fixes for chrony version 2.2 BZ(#1259636)
+  * Allow chrony chown capability
+  * Allow sendto dgram_sockets to itself and to unconfined_t domains.
+- Merge branch 'rawhide-contrib-chrony' into rawhide-contrib
+- Add boolean allowing mysqld to connect to http port. #1262125
+- Merge pull request #52 from 1dot75cm/rawhide-base
+- Allow systemd_hostnamed to read xenfs_t files. BZ(#1233877)
+- Fix attribute in corenetwork.if.in
+
 * Tue Oct 13 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-153
 - Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
 - Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib