* Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7

- mount.glusterfs executes glusterfsd binary - Allow systemd_hostnamed_t to stream connect to systemd - Dontaudit any user doing a access check - Allow obex-data-server to request the kernel to load a modul - Allow gpg-agent to manage gnome content (~/.cache/gpg-agent- - Allow gpg-agent to read /proc/sys/crypto/fips_enabled - Add new types for antivirus.pp policy module - Allow gnomesystemmm_t caps because of ioprio_set - Make sure if mozilla_plugin creates files while in permissiv - Allow gnomesystemmm_t caps because of ioprio_set - Allow NM rawip socket - files_relabel_non_security_files can not be used with boolea - Add interface to thumb_t dbus_chat to allow it to read remot - ALlow logrotate to domtrans to mdadm_t - kde gnomeclock wants to write content to /tmp
2013-01-25 14:24:33 +01:00 · 2013-01-25 14:24:33 +01:00 · 1802bef984
commit 1802bef984
parent 4c3676d47a
3 changed files with 779 additions and 149 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -232022,7 +232022,7 @@ index 4584457..300c3f7 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
 ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..1e98d92 100644
+index 6a50270..b78f6a9 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@ -232290,7 +232290,7 @@ index 6a50270..1e98d92 100644
 ')
 
 optional_policy(`
-@@ -186,6 +259,28 @@ optional_policy(`
+@@ -186,6 +259,32 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -232302,6 +232302,10 @@ index 6a50270..1e98d92 100644
 +')
 +
 +optional_policy(`
+	glusterd_domtrans(mount_t)
+')
+
+optional_policy(`
 +	dbus_system_bus_client(mount_t)
 +
 +	optional_policy(`
@ -232319,7 +232323,7 @@ index 6a50270..1e98d92 100644
 	ifdef(`hide_broken_symptoms',`
 		# for a bug in the X server
 		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +289,124 @@ optional_policy(`
+@@ -194,24 +293,124 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -232375,12 +232379,10 @@ index 6a50270..1e98d92 100644
 +optional_policy(`
 +	ssh_exec(mount_t)
 +')
- 
- optional_policy(`
-	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-	unconfined_domain(unconfined_mount_t)
+
+optional_policy(`
 +	usbmuxd_stream_connect(mount_t)
- ')
+')
 +
 +optional_policy(`
 +	userhelper_exec_console(mount_t)
@ -232389,10 +232391,12 @@ index 6a50270..1e98d92 100644
 +optional_policy(`
 +	virt_read_blk_images(mount_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+-	unconfined_domain(unconfined_mount_t)
 +	vmware_exec_host(mount_t)
-+')
+ ')
 +
 +######################################
 +#
@ -235682,10 +235686,10 @@ index 0000000..a4b0917
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..42af592
+index 0000000..26a2c8a
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,589 @@
+@@ -0,0 +1,590 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -236186,6 +236190,7 @@ index 0000000..42af592
 +
 +init_status(systemd_hostnamed_t)
 +init_read_state(systemd_hostnamed_t)
+init_stream_connect(systemd_hostnamed_t)
 +
 +logging_stream_connect_syslog(systemd_hostnamed_t)
 +
@ -237646,7 +237651,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..f3ab128 100644
+index 3c5dba7..0bb7b4d 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -237759,7 +237764,7 @@ index 3c5dba7..f3ab128 100644
 +	files_list_mnt($1_usertype)
 +	files_list_var($1_usertype)
 +	files_read_mnt_files($1_usertype)
-+	files_dontaudit_access_check_mnt($1_usertype)
+	files_dontaudit_all_access_check($1_usertype)
 +	files_read_etc_runtime_files($1_usertype)
 +	files_read_usr_files($1_usertype)
 +	files_read_usr_src_files($1_usertype)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -524,6 +524,23 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7
+- mount.glusterfs executes glusterfsd binary
+- Allow systemd_hostnamed_t to stream connect to systemd
+- Dontaudit any user doing a access check
+- Allow obex-data-server to request the kernel to load a module
+- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info)
+- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
+- Add new types for antivirus.pp policy module
+- Allow gnomesystemmm_t caps because of ioprio_set
+- Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t
+- Allow gnomesystemmm_t caps because of ioprio_set
+- Allow NM rawip socket
+- files_relabel_non_security_files can not be used with boolean
+- Add interface to thumb_t dbus_chat to allow it to read remote process state
+- ALlow logrotate to domtrans to mdadm_t
+- kde gnomeclock wants to write content to /tmp
+
 * Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
 - kde gnomeclock wants to write content to /tmp
 - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde