* Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7

- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing an access check
- Allow obex-data-server to request the kernel to load a modul
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissiv
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolea
- Add interface to thumb_t dbus_chat to allow it to read remot
- Allow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
Miroslav Grepl 2013-01-25 14:24:33 +01:00
parent 4c3676d47a
commit 1802bef984
3 changed files with 779 additions and 149 deletions


@ -232022,7 +232022,7 @@ index 4584457..300c3f7 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
') ')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 6a50270..1e98d92 100644 index 6a50270..b78f6a9 100644
--- a/policy/modules/system/mount.te --- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@ -232290,7 +232290,7 @@ index 6a50270..1e98d92 100644
') ')
optional_policy(` optional_policy(`
@@ -186,6 +259,28 @@ optional_policy(` @@ -186,6 +259,32 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -232302,6 +232302,10 @@ index 6a50270..1e98d92 100644
+') +')
+ +
+optional_policy(` +optional_policy(`
+ glusterd_domtrans(mount_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(mount_t) + dbus_system_bus_client(mount_t)
+ +
+ optional_policy(` + optional_policy(`
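Review bot: the new `glusterd_domtrans(mount_t)` block calls an interface that this hunk does not define; confirm `glusterd_domtrans` is provided by the gluster module's interface file in the same patch, since an undefined interface name is not expanded by m4 and breaks the policy build rather than being skipped. A short comment above the block (e.g. "mount.glusterfs executes glusterfsd", as the changelog puts it) would also record why mount_t needs a transition into the gluster daemon domain.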
@ -232319,7 +232323,7 @@ index 6a50270..1e98d92 100644
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
# for a bug in the X server # for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t) rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -194,24 +289,124 @@ optional_policy(` @@ -194,24 +293,124 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -232375,12 +232379,10 @@ index 6a50270..1e98d92 100644
+optional_policy(` +optional_policy(`
+ ssh_exec(mount_t) + ssh_exec(mount_t)
+') +')
+
optional_policy(` +optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
+ usbmuxd_stream_connect(mount_t) + usbmuxd_stream_connect(mount_t)
') +')
+ +
+optional_policy(` +optional_policy(`
+ userhelper_exec_console(mount_t) + userhelper_exec_console(mount_t)
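Review bot: the new side drops the blank line that separated the `ssh_exec(mount_t)` block from the block that follows it (the `+` empty line after `+')` exists only on the old side), so the `ssh_exec` and `usbmuxd_stream_connect` optional_policy blocks now run together; every other block in this region of mount.te is separated by one blank line, so keep one here as well.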
@ -232389,10 +232391,12 @@ index 6a50270..1e98d92 100644
+optional_policy(` +optional_policy(`
+ virt_read_blk_images(mount_t) + virt_read_blk_images(mount_t)
+') +')
+
+optional_policy(` optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
+ vmware_exec_host(mount_t) + vmware_exec_host(mount_t)
+') ')
+ +
+###################################### +######################################
+# +#
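Review bot: the upstream context lines `files_etc_filetrans_etc_runtime(unconfined_mount_t, file)` / `unconfined_domain(unconfined_mount_t)` have been moved from the usbmuxd block (previous hunk) to this vmware block; that is only a re-anchoring of where the embedded patch deletes unconfined_mount_t's rules, but please check it was regenerated against mount.te at 6a50270 so the patch still applies without fuzz, since a mis-anchored `-` line would be rejected at build time.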
@ -235682,10 +235686,10 @@ index 0000000..a4b0917
+ +
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..42af592 index 0000000..26a2c8a
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,589 @@ @@ -0,0 +1,590 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -236186,6 +236190,7 @@ index 0000000..42af592
+ +
+init_status(systemd_hostnamed_t) +init_status(systemd_hostnamed_t)
+init_read_state(systemd_hostnamed_t) +init_read_state(systemd_hostnamed_t)
+init_stream_connect(systemd_hostnamed_t)
+ +
+logging_stream_connect_syslog(systemd_hostnamed_t) +logging_stream_connect_syslog(systemd_hostnamed_t)
+ +
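Review bot: `init_stream_connect(systemd_hostnamed_t)` adds a new allow rule without saying what hostnamed connects to init for; the changelog only repeats the rule. A one-line comment above it naming the denial it resolves would make the grant auditable later, and it is worth confirming that `init_stream_connect` is the intended interface rather than a narrower one, since it grants connection to init's stream sockets generally.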
@ -237646,7 +237651,7 @@ index db75976..65191bd 100644
+ +
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3c5dba7..f3ab128 100644 index 3c5dba7..0bb7b4d 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -237759,7 +237764,7 @@ index 3c5dba7..f3ab128 100644
+ files_list_mnt($1_usertype) + files_list_mnt($1_usertype)
+ files_list_var($1_usertype) + files_list_var($1_usertype)
+ files_read_mnt_files($1_usertype) + files_read_mnt_files($1_usertype)
+ files_dontaudit_access_check_mnt($1_usertype) + files_dontaudit_all_access_check($1_usertype)
+ files_read_etc_runtime_files($1_usertype) + files_read_etc_runtime_files($1_usertype)
+ files_read_usr_files($1_usertype) + files_read_usr_files($1_usertype)
+ files_read_usr_src_files($1_usertype) + files_read_usr_src_files($1_usertype)
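Review bot: replacing `files_dontaudit_access_check_mnt($1_usertype)` with `files_dontaudit_all_access_check($1_usertype)` widens a dontaudit that covered only /mnt into one covering every file type, for every user domain built from this template. Access-check denials (`access()`/`faccessat()` style probes) from user programs will no longer appear in the audit log, which silences harmless noise but also hides the evidence normally used to diagnose a mislabeled file or a missing rule; please confirm the interface exists in files.if in this patch set and consider noting the trade-off in a comment above the call.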

File diff suppressed because it is too large

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 6%{?dist} Release: 7%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -524,6 +524,23 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Fri Jan 25 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-7
- mount.glusterfs executes glusterfsd binary
- Allow systemd_hostnamed_t to stream connect to systemd
- Dontaudit any user doing a access check
- Allow obex-data-server to request the kernel to load a module
- Allow gpg-agent to manage gnome content (~/.cache/gpg-agent-info)
- Allow gpg-agent to read /proc/sys/crypto/fips_enabled
- Add new types for antivirus.pp policy module
- Allow gnomesystemmm_t caps because of ioprio_set
- Make sure if mozilla_plugin creates files while in permissive mode, they get created with the correct label, user_home_t
- Allow gnomesystemmm_t caps because of ioprio_set
- Allow NM rawip socket
- files_relabel_non_security_files can not be used with boolean
- Add interface to thumb_t dbus_chat to allow it to read remote process state
- ALlow logrotate to domtrans to mdadm_t
- kde gnomeclock wants to write content to /tmp
* Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6 * Wed Jan 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-6
- kde gnomeclock wants to write content to /tmp - kde gnomeclock wants to write content to /tmp
- /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde - /usr/libexec/kde4/kcmdatetimehelper attempts to create /root/.kde
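Review bot: the 3.12.1-7 changelog entry lists "Allow gnomesystemmm_t caps because of ioprio_set" twice and repeats "kde gnomeclock wants to write content to /tmp", which is already the first item of the 3.12.1-6 entry directly below; drop the duplicates and fix the "ALlow logrotate" capitalisation so the changelog reflects what this release actually adds.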