* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8

- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.
- Add labeling for all tomcat6 dirs
- Add support for tomcat6
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and and execute binaries with bin_t
- Allow thum to use user terminals
- Allow cgclear to read cgconfig config files
- Fix bcf2g.fc
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other
- Allow dbomatic to execute ruby
- abrt_watch_log should be abrt_domain
- Allow mozilla_plugin to connect to gatekeeper port
This commit is contained in:
Miroslav Grepl 2012-07-03 23:11:32 +02:00
parent 1de5de6450
commit 0f07ba7f55
3 changed files with 392 additions and 316 deletions

View File

@ -60457,7 +60457,7 @@ index db981df..b77f19f 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..ba59ffd 100644 index 9e9263a..c4dc1b6 100644
--- a/policy/modules/kernel/corecommands.if --- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if
@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',` @@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
@ -60534,7 +60534,18 @@ index 9e9263a..ba59ffd 100644
read_sock_files_pattern($1, bin_t, bin_t) read_sock_files_pattern($1, bin_t, bin_t)
') ')
@@ -362,6 +385,7 @@ interface(`corecmd_manage_bin_files',` @@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',`
read_lnk_files_pattern($1, bin_t, bin_t)
list_dirs_pattern($1, bin_t, bin_t)
can_exec($1, bin_t)
+ #ifdef(`enable_mls',`',`
+ # files_exec_usr_files($1)
+ # libs_exec_lib_files($1)
+ #')
')
########################################
@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
type bin_t; type bin_t;
') ')
@ -60542,7 +60553,7 @@ index 9e9263a..ba59ffd 100644
manage_files_pattern($1, bin_t, bin_t) manage_files_pattern($1, bin_t, bin_t)
') ')
@@ -398,6 +422,7 @@ interface(`corecmd_mmap_bin_files',` @@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',`
type bin_t; type bin_t;
') ')
@ -60550,7 +60561,7 @@ index 9e9263a..ba59ffd 100644
mmap_files_pattern($1, bin_t, bin_t) mmap_files_pattern($1, bin_t, bin_t)
') ')
@@ -954,6 +979,24 @@ interface(`corecmd_exec_chroot',` @@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',`
######################################## ########################################
## <summary> ## <summary>
@ -60575,7 +60586,7 @@ index 9e9263a..ba59ffd 100644
## Get the attributes of all executable files. ## Get the attributes of all executable files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1049,6 +1092,7 @@ interface(`corecmd_manage_all_executables',` @@ -1049,6 +1096,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t; type bin_t;
') ')
@ -76848,7 +76859,7 @@ index 6ce867a..ee79c5a 100644
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
') ')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index f12b8ff..2293c1b 100644 index f12b8ff..3b80e52 100644
--- a/policy/modules/system/authlogin.te --- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te
@@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1) @@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
@ -76957,7 +76968,7 @@ index f12b8ff..2293c1b 100644
# Allow utemper to write to /tmp/.xses-* # Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t) userdom_write_user_tmp_files(utempter_t)
@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',` @@ -388,10 +416,79 @@ ifdef(`distro_ubuntu',`
') ')
optional_policy(` optional_policy(`
@ -76978,6 +76989,11 @@ index f12b8ff..2293c1b 100644
+ ') + ')
+') +')
+ +
+######################################
+#
+# nsswitch_domain local policy
+#
+
+auth_read_passwd(nsswitch_domain) +auth_read_passwd(nsswitch_domain)
+ +
+# read /etc/nsswitch.conf +# read /etc/nsswitch.conf
@ -78579,7 +78595,7 @@ index d26fe81..3ff8fef 100644
+ allow $1 init_t:system undefined; + allow $1 init_t:system undefined;
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5fb9683..0721079 100644 index 5fb9683..a2c2556 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(` @@ -16,6 +16,34 @@ gen_require(`
@ -79001,7 +79017,7 @@ index 5fb9683..0721079 100644
init_write_initctl(initrc_t) init_write_initctl(initrc_t)
@@ -265,20 +494,34 @@ kernel_change_ring_buffer_level(initrc_t) @@ -265,20 +494,35 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t) kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t) kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t) kernel_read_all_sysctls(initrc_t)
@ -79024,6 +79040,7 @@ index 5fb9683..0721079 100644
+fs_manage_tmpfs_symlinks(initrc_t) +fs_manage_tmpfs_symlinks(initrc_t)
+fs_delete_tmpfs_files(initrc_t) +fs_delete_tmpfs_files(initrc_t)
+fs_tmpfs_filetrans(initrc_t, initrc_state_t, file) +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
+fs_read_nfsd_files(initrc_t)
corecmd_exec_all_executables(initrc_t) corecmd_exec_all_executables(initrc_t)
@ -79040,7 +79057,7 @@ index 5fb9683..0721079 100644
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -286,6 +529,7 @@ corenet_sendrecv_all_client_packets(initrc_t) @@ -286,6 +530,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)
@ -79048,7 +79065,7 @@ index 5fb9683..0721079 100644
dev_write_kmsg(initrc_t) dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t) dev_write_rand(initrc_t)
dev_write_urand(initrc_t) dev_write_urand(initrc_t)
@@ -296,8 +540,10 @@ dev_write_framebuffer(initrc_t) @@ -296,8 +541,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t) dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t) dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
@ -79059,7 +79076,7 @@ index 5fb9683..0721079 100644
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
@@ -305,17 +551,16 @@ dev_manage_generic_files(initrc_t) @@ -305,17 +552,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
@ -79079,7 +79096,7 @@ index 5fb9683..0721079 100644
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -323,6 +568,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -323,6 +569,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t)
@ -79087,7 +79104,7 @@ index 5fb9683..0721079 100644
files_getattr_all_dirs(initrc_t) files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
@@ -330,8 +576,10 @@ files_getattr_all_symlinks(initrc_t) @@ -330,8 +577,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -79099,7 +79116,7 @@ index 5fb9683..0721079 100644
files_delete_all_pids(initrc_t) files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t) files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t) files_read_etc_files(initrc_t)
@@ -347,8 +595,12 @@ files_list_isid_type_dirs(initrc_t) @@ -347,8 +596,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
@ -79113,7 +79130,7 @@ index 5fb9683..0721079 100644
fs_list_inotifyfs(initrc_t) fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -358,9 +610,12 @@ fs_mount_all_fs(initrc_t) @@ -358,9 +611,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t) fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t) fs_getattr_all_fs(initrc_t)
@ -79127,7 +79144,7 @@ index 5fb9683..0721079 100644
mcs_killall(initrc_t) mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t) mcs_process_set_categories(initrc_t)
@@ -370,6 +625,7 @@ mls_process_read_up(initrc_t) @@ -370,6 +626,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t) mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t) mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t) mls_fd_share_all_levels(initrc_t)
@ -79135,7 +79152,7 @@ index 5fb9683..0721079 100644
selinux_get_enforce_mode(initrc_t) selinux_get_enforce_mode(initrc_t)
@@ -381,6 +637,7 @@ term_use_all_terms(initrc_t) @@ -381,6 +638,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t) auth_rw_login_records(initrc_t)
@ -79143,7 +79160,7 @@ index 5fb9683..0721079 100644
auth_setattr_login_records(initrc_t) auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t) auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t) auth_read_pam_pid(initrc_t)
@@ -401,18 +658,17 @@ logging_read_audit_config(initrc_t) @@ -401,18 +659,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t) miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript # slapd needs to read cert files from its initscript
@ -79165,7 +79182,7 @@ index 5fb9683..0721079 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t)
@@ -465,6 +721,10 @@ ifdef(`distro_gentoo',` @@ -465,6 +722,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t) sysnet_setattr_config(initrc_t)
optional_policy(` optional_policy(`
@ -79176,7 +79193,7 @@ index 5fb9683..0721079 100644
alsa_read_lib(initrc_t) alsa_read_lib(initrc_t)
') ')
@@ -485,7 +745,7 @@ ifdef(`distro_redhat',` @@ -485,7 +746,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -79185,7 +79202,7 @@ index 5fb9683..0721079 100644
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd # These seem to be from the initrd
@@ -500,6 +760,7 @@ ifdef(`distro_redhat',` @@ -500,6 +761,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t) files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
@ -79193,7 +79210,7 @@ index 5fb9683..0721079 100644
# wants to read /.fonts directory # wants to read /.fonts directory
files_read_default_files(initrc_t) files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t) files_mountpoint(initrc_tmp_t)
@@ -520,6 +781,7 @@ ifdef(`distro_redhat',` @@ -520,6 +782,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t) miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t) miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t) miscfiles_relabel_localization(initrc_t)
@ -79201,7 +79218,7 @@ index 5fb9683..0721079 100644
miscfiles_read_fonts(initrc_t) miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t) miscfiles_read_hwdata(initrc_t)
@@ -529,8 +791,35 @@ ifdef(`distro_redhat',` @@ -529,8 +792,35 @@ ifdef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -79237,7 +79254,7 @@ index 5fb9683..0721079 100644
') ')
optional_policy(` optional_policy(`
@@ -538,14 +827,27 @@ ifdef(`distro_redhat',` @@ -538,14 +828,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t) rpc_manage_nfs_state_data(initrc_t)
') ')
@ -79265,7 +79282,7 @@ index 5fb9683..0721079 100644
') ')
') ')
@@ -556,6 +858,39 @@ ifdef(`distro_suse',` @@ -556,6 +859,39 @@ ifdef(`distro_suse',`
') ')
') ')
@ -79305,7 +79322,7 @@ index 5fb9683..0721079 100644
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -568,6 +903,8 @@ optional_policy(` @@ -568,6 +904,8 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(initrc_t) apache_read_config(initrc_t)
apache_list_modules(initrc_t) apache_list_modules(initrc_t)
@ -79314,7 +79331,7 @@ index 5fb9683..0721079 100644
') ')
optional_policy(` optional_policy(`
@@ -589,6 +926,7 @@ optional_policy(` @@ -589,6 +927,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cgroup_stream_connect_cgred(initrc_t) cgroup_stream_connect_cgred(initrc_t)
@ -79322,7 +79339,7 @@ index 5fb9683..0721079 100644
') ')
optional_policy(` optional_policy(`
@@ -601,6 +939,17 @@ optional_policy(` @@ -601,6 +940,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79340,7 +79357,7 @@ index 5fb9683..0721079 100644
dev_getattr_printer_dev(initrc_t) dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t) cups_read_log(initrc_t)
@@ -617,9 +966,13 @@ optional_policy(` @@ -617,9 +967,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -79354,7 +79371,7 @@ index 5fb9683..0721079 100644
') ')
optional_policy(` optional_policy(`
@@ -644,6 +997,10 @@ optional_policy(` @@ -644,6 +998,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79365,7 +79382,7 @@ index 5fb9683..0721079 100644
gpm_setattr_gpmctl(initrc_t) gpm_setattr_gpmctl(initrc_t)
') ')
@@ -661,6 +1018,15 @@ optional_policy(` @@ -661,6 +1019,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79381,7 +79398,7 @@ index 5fb9683..0721079 100644
inn_exec_config(initrc_t) inn_exec_config(initrc_t)
') ')
@@ -701,6 +1067,7 @@ optional_policy(` @@ -701,6 +1068,7 @@ optional_policy(`
lpd_list_spool(initrc_t) lpd_list_spool(initrc_t)
lpd_read_config(initrc_t) lpd_read_config(initrc_t)
@ -79389,7 +79406,7 @@ index 5fb9683..0721079 100644
') ')
optional_policy(` optional_policy(`
@@ -718,7 +1085,13 @@ optional_policy(` @@ -718,7 +1086,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79403,7 +79420,7 @@ index 5fb9683..0721079 100644
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@@ -741,6 +1114,10 @@ optional_policy(` @@ -741,6 +1115,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79414,7 +79431,7 @@ index 5fb9683..0721079 100644
postgresql_manage_db(initrc_t) postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t) postgresql_read_config(initrc_t)
') ')
@@ -750,10 +1127,20 @@ optional_policy(` @@ -750,10 +1128,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79435,7 +79452,7 @@ index 5fb9683..0721079 100644
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')
@@ -762,6 +1149,10 @@ optional_policy(` @@ -762,6 +1150,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79446,7 +79463,7 @@ index 5fb9683..0721079 100644
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -783,8 +1174,6 @@ optional_policy(` @@ -783,8 +1175,6 @@ optional_policy(`
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -79455,7 +79472,7 @@ index 5fb9683..0721079 100644
') ')
optional_policy(` optional_policy(`
@@ -793,6 +1182,10 @@ optional_policy(` @@ -793,6 +1183,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79466,7 +79483,7 @@ index 5fb9683..0721079 100644
# shorewall-init script run /var/lib/shorewall/firewall # shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t) shorewall_lib_domtrans(initrc_t)
') ')
@@ -802,10 +1195,12 @@ optional_policy(` @@ -802,10 +1196,12 @@ optional_policy(`
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -79479,7 +79496,7 @@ index 5fb9683..0721079 100644
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -817,7 +1212,6 @@ optional_policy(` @@ -817,7 +1213,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79487,7 +79504,7 @@ index 5fb9683..0721079 100644
udev_manage_pid_files(initrc_t) udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t) udev_manage_rules_files(initrc_t)
') ')
@@ -827,12 +1221,30 @@ optional_policy(` @@ -827,12 +1222,30 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79520,7 +79537,7 @@ index 5fb9683..0721079 100644
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited # system-config-services causes avc messages that should be dontaudited
@@ -842,6 +1254,18 @@ optional_policy(` @@ -842,6 +1255,18 @@ optional_policy(`
optional_policy(` optional_policy(`
mono_domtrans(initrc_t) mono_domtrans(initrc_t)
') ')
@ -79539,7 +79556,7 @@ index 5fb9683..0721079 100644
') ')
optional_policy(` optional_policy(`
@@ -857,6 +1281,10 @@ optional_policy(` @@ -857,6 +1282,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -79550,7 +79567,7 @@ index 5fb9683..0721079 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -867,3 +1295,165 @@ optional_policy(` @@ -867,3 +1296,165 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')

File diff suppressed because it is too large Load Diff

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.11.0 Version: 3.11.0
Release: 7%{?dist} Release: 8%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -491,6 +491,21 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
- Fixes for passenger running within openshift.
- Add labeling for all tomcat6 dirs
- Add support for tomcat6
- Allow cobblerd to read /etc/passwd
- Allow jockey to read sysfs and and execute binaries with bin_t
- Allow thum to use user terminals
- Allow cgclear to read cgconfig config files
- Fix bcf2g.fc
- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains
- Allow dbomatic to execute ruby
- abrt_watch_log should be abrt_domain
- Allow mozilla_plugin to connect to gatekeeper port
* Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7 * Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7
- add ptrace_child access to process - add ptrace_child access to process
- remove files_read_etc_files() calling from all policies which have auth_use_nsswith() - remove files_read_etc_files() calling from all policies which have auth_use_nsswith()