rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7 

- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing a access check
- Allow obex-data-server to request the kernel to load a modul
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissiv
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolea
- Add interface to thumb_t dbus_chat to allow it to read remot
- ALlow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
This commit is contained in:
Miroslav Grepl 2013-01-25 14:24:33 +01:00
parent 4c3676d47a
commit 1802bef984
3 changed files with 779 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
policy-rawhide-base.patch
View File

@ -232022,7 +232022,7 @@ index 4584457..300c3f7 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 6a50270..1e98d92 100644
index 6a50270..b78f6a9 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@ -232290,7 +232290,7 @@ index 6a50270..1e98d92 100644
')
optional_policy(`
@@ -186,6 +259,28 @@ optional_policy(`
@@ -186,6 +259,32 @@ optional_policy(`
')
optional_policy(`
@ -232302,6 +232302,10 @@ index 6a50270..1e98d92 100644
+')
+
+optional_policy(`
+ glusterd_domtrans(mount_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mount_t)
+
+ optional_policy(`
@ -232319,7 +232323,7 @@ index 6a50270..1e98d92 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -194,24 +289,124 @@ optional_policy(`
@@ -194,24 +293,124 @@ optional_policy(`
')
optional_policy(`
@ -232375,12 +232379,10 @@ index 6a50270..1e98d92 100644
+optional_policy(`
+ ssh_exec(mount_t)
+')
optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
+
+optional_policy(`
+ usbmuxd_stream_connect(mount_t)
')
+')
+
+optional_policy(`
+ userhelper_exec_console(mount_t)
@ -232389,10 +232391,12 @@ index 6a50270..1e98d92 100644
+optional_policy(`
+ virt_read_blk_images(mount_t)
+')
+
+optional_policy(`
optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
+ vmware_exec_host(mount_t)
+')
')
+
+######################################
+#
@ -235682,10 +235686,10 @@ index 0000000..a4b0917
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..42af592
index 0000000..26a2c8a
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,589 @@
@@ -0,0 +1,590 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -236186,6 +236190,7 @@ index 0000000..42af592
+
+init_status(systemd_hostnamed_t)
+init_read_state(systemd_hostnamed_t)
+init_stream_connect(systemd_hostnamed_t)
+
+logging_stream_connect_syslog(systemd_hostnamed_t)
+
@ -237646,7 +237651,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3c5dba7..f3ab128 100644
index 3c5dba7..0bb7b4d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -237759,7 +237764,7 @@ index 3c5dba7..f3ab128 100644
+ files_list_mnt($1_usertype)
+ files_list_var($1_usertype)
+ files_read_mnt_files($1_usertype)
+ files_dontaudit_access_check_mnt($1_usertype)
+ files_dontaudit_all_access_check($1_usertype)
+ files_read_etc_runtime_files($1_usertype)
+ files_read_usr_files($1_usertype)
+ files_read_usr_src_files($1_usertype)

874
policy-rawhide-contrib.patch
View File

File diff suppressed because it is too large Load Diff

19
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 6%{?dist}
Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -524,6 +524,23 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7
- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing a access check
- Allow obex-data-server to request the kernel to load a module
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info)
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolean
- Add interface to thumb_t dbus_chat to allow it to read remote process state
- ALlow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
* Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
- kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde