* Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126

- Allow httpd_t to read nagios lib_var_lib_t so that rrdtool can generate graphs which will be shown by httpd.
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
Lukas Vrabec 2015-04-30 20:10:17 +02:00
parent c4df3c09b1
commit 229bf3d017
3 changed files with 181 additions and 96 deletions


@ -17591,7 +17591,7 @@ index e100d88..991e1a5 100644
+') +')
+ +
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..15c063c 100644 index 8dbab4c..46d7f18 100644
--- a/policy/modules/kernel/kernel.te --- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -17612,15 +17612,16 @@ index 8dbab4c..15c063c 100644
role system_r types kernel_t; role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
type debugfs_t; type debugfs_t;
files_mountpoint(debugfs_t) files_mountpoint(debugfs_t)
fs_type(debugfs_t) fs_type(debugfs_t)
+dev_associate_sysfs(debugfs_t)
+ +
allow debugfs_t self:filesystem associate; allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) @@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type; type proc_mdstat_t, proc_type;
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
@ -17653,7 +17654,7 @@ index 8dbab4c..15c063c 100644
type proc_xen_t, proc_type; type proc_xen_t, proc_type;
files_mountpoint(proc_xen_t) files_mountpoint(proc_xen_t)
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) @@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
type sysctl_kernel_t, sysctl_type; type sysctl_kernel_t, sysctl_type;
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
@ -17668,7 +17669,7 @@ index 8dbab4c..15c063c 100644
# /proc/sys/net directory and files # /proc/sys/net directory and files
type sysctl_net_t, sysctl_type; type sysctl_net_t, sysctl_type;
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) @@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
type sysctl_vm_t, sysctl_type; type sysctl_vm_t, sysctl_type;
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
@ -17679,7 +17680,7 @@ index 8dbab4c..15c063c 100644
# /proc/sys/dev directory and files # /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type; type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) @@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t; type unlabeled_t;
fs_associate(unlabeled_t) fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@ -17694,7 +17695,7 @@ index 8dbab4c..15c063c 100644
# These initial sids are no longer used, and can be removed: # These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -189,6 +221,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -189,6 +222,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy # kernel local policy
# #
@ -17702,7 +17703,7 @@ index 8dbab4c..15c063c 100644
allow kernel_t self:capability ~sys_module; allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms; allow kernel_t self:shm create_shm_perms;
@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; @@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t) corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t) corenet_in_generic_node(unlabeled_t)
@ -17710,7 +17711,7 @@ index 8dbab4c..15c063c 100644
corenet_all_recvfrom_netlabel(kernel_t) corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies: # Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t) corenet_raw_sendrecv_all_if(kernel_t)
@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) @@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t) corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t) corenet_send_all_packets(kernel_t)
@ -17736,7 +17737,7 @@ index 8dbab4c..15c063c 100644
# Mount root file system. Used when loading a policy # Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem # from initrd, then mounting the root filesystem
@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t) @@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t) selinux_load_policy(kernel_t)
@ -17746,7 +17747,7 @@ index 8dbab4c..15c063c 100644
corecmd_exec_shell(kernel_t) corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t) corecmd_list_bin(kernel_t)
@@ -277,25 +314,53 @@ files_list_root(kernel_t) @@ -277,25 +315,53 @@ files_list_root(kernel_t)
files_list_etc(kernel_t) files_list_etc(kernel_t)
files_list_home(kernel_t) files_list_home(kernel_t)
files_read_usr_files(kernel_t) files_read_usr_files(kernel_t)
@ -17800,7 +17801,7 @@ index 8dbab4c..15c063c 100644
') ')
optional_policy(` optional_policy(`
@@ -305,6 +370,19 @@ optional_policy(` @@ -305,6 +371,19 @@ optional_policy(`
optional_policy(` optional_policy(`
logging_send_syslog_msg(kernel_t) logging_send_syslog_msg(kernel_t)
@ -17820,7 +17821,7 @@ index 8dbab4c..15c063c 100644
') ')
optional_policy(` optional_policy(`
@@ -312,6 +390,11 @@ optional_policy(` @@ -312,6 +391,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -17832,7 +17833,7 @@ index 8dbab4c..15c063c 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful # nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything. # to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms; allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -332,9 +415,6 @@ optional_policy(` @@ -332,9 +416,6 @@ optional_policy(`
sysnet_read_config(kernel_t) sysnet_read_config(kernel_t)
@ -17842,7 +17843,7 @@ index 8dbab4c..15c063c 100644
rpc_udp_rw_nfs_sockets(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',` tunable_policy(`nfs_export_all_ro',`
@@ -343,9 +423,7 @@ optional_policy(` @@ -343,9 +424,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t)
@ -17853,7 +17854,7 @@ index 8dbab4c..15c063c 100644
') ')
tunable_policy(`nfs_export_all_rw',` tunable_policy(`nfs_export_all_rw',`
@@ -354,7 +432,7 @@ optional_policy(` @@ -354,7 +433,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t)
@ -17862,7 +17863,7 @@ index 8dbab4c..15c063c 100644
') ')
') ')
@@ -367,6 +445,15 @@ optional_policy(` @@ -367,6 +446,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t) unconfined_domain_noaudit(kernel_t)
') ')
@ -17878,7 +17879,7 @@ index 8dbab4c..15c063c 100644
######################################## ########################################
# #
# Unlabeled process local policy # Unlabeled process local policy
@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) { @@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module # Rules for unconfined acccess to this module
# #
@ -36486,7 +36487,7 @@ index 79048c4..c3a255a 100644
udev_read_pid_files(lvm_t) udev_read_pid_files(lvm_t)
') ')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9fe8e01..3d71062 100644 index 9fe8e01..ce00ccb 100644
--- a/policy/modules/system/miscfiles.fc --- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',` @@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
@ -36497,7 +36498,7 @@ index 9fe8e01..3d71062 100644
-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/localtime gen_context(system_u:object_r:locale_t,s0) +/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)
+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0) +/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
@ -42364,10 +42365,10 @@ index 0000000..d2a8fc7
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..f3a8fe7 index 0000000..c19260b
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,713 @@ @@ -0,0 +1,714 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -42626,6 +42627,7 @@ index 0000000..f3a8fe7
+ +
+kernel_dgram_send(systemd_networkd_t) +kernel_dgram_send(systemd_networkd_t)
+kernel_request_load_module(systemd_networkd_t) +kernel_request_load_module(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+ +
+dev_read_sysfs(systemd_networkd_t) +dev_read_sysfs(systemd_networkd_t)
+ +
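Review bot: In the miscfiles.fc hunk of this section, the new `/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)` entry matches symbolic links only, while the same hunk still drops the upstream `/etc/localtime --` regular-file entry, so a host where /etc/localtime is a plain file (copied rather than linked) appears to be left with no locale_t specification for it. On such a host a relabel would presumably fall back to the generic /etc context, and domains that rely only on localization read access could start logging denials. If both layouts are meant to be supported, keep a regular-file entry next to the symlink one, e.g. `/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)`; otherwise the commit message should say that only the symlink layout is labelled. Only part of miscfiles.fc is visible here, so another entry outside the hunk may already cover this.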


@ -5157,7 +5157,7 @@ index f6eb485..164501c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
') ')
diff --git a/apache.te b/apache.te diff --git a/apache.te b/apache.te
index 6649962..9c06038 100644 index 6649962..d671bf8 100644
--- a/apache.te --- a/apache.te
+++ b/apache.te +++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2) @@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@ -6477,15 +6477,16 @@ index 6649962..9c06038 100644
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t) mysql_tcp_connect(httpd_t)
@@ -832,6 +1029,7 @@ optional_policy(` @@ -832,6 +1029,8 @@ optional_policy(`
optional_policy(` optional_policy(`
nagios_read_config(httpd_t) nagios_read_config(httpd_t)
+ nagios_read_lib(httpd_t)
+ nagios_read_log(httpd_t) + nagios_read_log(httpd_t)
') ')
optional_policy(` optional_policy(`
@@ -842,20 +1040,40 @@ optional_policy(` @@ -842,20 +1041,40 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6532,7 +6533,7 @@ index 6649962..9c06038 100644
') ')
optional_policy(` optional_policy(`
@@ -863,19 +1081,35 @@ optional_policy(` @@ -863,19 +1082,35 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -6568,7 +6569,7 @@ index 6649962..9c06038 100644
udev_read_db(httpd_t) udev_read_db(httpd_t)
') ')
@@ -883,65 +1117,189 @@ optional_policy(` @@ -883,65 +1118,189 @@ optional_policy(`
yam_read_content(httpd_t) yam_read_content(httpd_t)
') ')
@ -6780,7 +6781,7 @@ index 6649962..9c06038 100644
files_dontaudit_search_pids(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t) files_search_home(httpd_suexec_t)
@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t) @@ -950,123 +1309,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t) logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t)
@ -6935,7 +6936,7 @@ index 6649962..9c06038 100644
mysql_read_config(httpd_suexec_t) mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',` tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1392,107 @@ optional_policy(` @@ -1083,172 +1393,107 @@ optional_policy(`
') ')
') ')
@ -7173,7 +7174,7 @@ index 6649962..9c06038 100644
') ')
tunable_policy(`httpd_read_user_content',` tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',` @@ -1256,64 +1501,74 @@ tunable_policy(`httpd_read_user_content',`
') ')
tunable_policy(`httpd_use_cifs',` tunable_policy(`httpd_use_cifs',`
@ -7270,7 +7271,7 @@ index 6649962..9c06038 100644
######################################## ########################################
# #
@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) @@ -1321,8 +1576,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
# #
optional_policy(` optional_policy(`
@ -7287,7 +7288,7 @@ index 6649962..9c06038 100644
') ')
######################################## ########################################
@@ -1330,49 +1591,38 @@ optional_policy(` @@ -1330,49 +1592,38 @@ optional_policy(`
# User content local policy # User content local policy
# #
@ -7352,7 +7353,7 @@ index 6649962..9c06038 100644
kernel_read_system_state(httpd_passwd_t) kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1632,101 @@ dev_read_urand(httpd_passwd_t) @@ -1382,38 +1633,101 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t)
@ -24751,11 +24752,14 @@ index 37a3b7b..921056a 100644
+') +')
diff --git a/dnssec.fc b/dnssec.fc diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644 new file mode 100644
index 0000000..9e231a8 index 0000000..1714fa6
--- /dev/null --- /dev/null
+++ b/dnssec.fc +++ b/dnssec.fc
@@ -0,0 +1,3 @@ @@ -0,0 +1,6 @@
+/usr/lib/systemd/system/dnssec-triggerd.* -- gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
+
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0) +/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+/usr/libexec/dnssec-trigger-script -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+ +
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0) +/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if diff --git a/dnssec.if b/dnssec.if
@ -24851,10 +24855,10 @@ index 0000000..457d4dd
+') +')
diff --git a/dnssec.te b/dnssec.te diff --git a/dnssec.te b/dnssec.te
new file mode 100644 new file mode 100644
index 0000000..46f4d2c index 0000000..64f1a64
--- /dev/null --- /dev/null
+++ b/dnssec.te +++ b/dnssec.te
@@ -0,0 +1,63 @@ @@ -0,0 +1,68 @@
+policy_module(dnssec, 1.0.0) +policy_module(dnssec, 1.0.0)
+ +
+######################################## +########################################
@ -24866,6 +24870,9 @@ index 0000000..46f4d2c
+type dnssec_trigger_exec_t; +type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t) +init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+ +
+type dnssec_trigger_unit_file_t;
+systemd_unit_file(dnssec_trigger_unit_file_t)
+
+type dnssec_trigger_var_run_t; +type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t) +files_pid_file(dnssec_trigger_var_run_t)
+ +
@ -24917,6 +24924,8 @@ index 0000000..46f4d2c
+ +
+optional_policy(` +optional_policy(`
+ networkmanager_stream_connect(dnssec_trigger_t) + networkmanager_stream_connect(dnssec_trigger_t)
+ networkmanager_sigchld(dnssec_trigger_t)
+
+') +')
diff --git a/dnssectrigger.te b/dnssectrigger.te diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644 index c7bb4e7..e6fe2f40 100644
@ -46851,16 +46860,22 @@ index 0000000..e7220a5
+logging_send_syslog_msg(mon_procd_t) +logging_send_syslog_msg(mon_procd_t)
+ +
diff --git a/mongodb.fc b/mongodb.fc diff --git a/mongodb.fc b/mongodb.fc
index 6fcfc31..91adcaf 100644 index 6fcfc31..e9e6bc5 100644
--- a/mongodb.fc --- a/mongodb.fc
+++ b/mongodb.fc +++ b/mongodb.fc
@@ -1,9 +1,13 @@ @@ -1,9 +1,19 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) /etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) -/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) /var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
@ -46872,10 +46887,20 @@ index 6fcfc31..91adcaf 100644
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te diff --git a/mongodb.te b/mongodb.te
index 169f236..571da1a 100644 index 169f236..608c584 100644
--- a/mongodb.te --- a/mongodb.te
+++ b/mongodb.te +++ b/mongodb.te
@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t) @@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
type mongod_initrc_exec_t;
init_script_file(mongod_initrc_exec_t)
+type mongod_unit_file_t;
+systemd_unit_file(mongod_unit_file_t)
+
type mongod_log_t;
logging_log_file(mongod_log_t)
@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t)
type mongod_var_run_t; type mongod_var_run_t;
files_pid_file(mongod_var_run_t) files_pid_file(mongod_var_run_t)
@ -46907,7 +46932,7 @@ index 169f236..571da1a 100644
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
@@ -41,21 +47,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) @@ -41,21 +50,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
@ -51970,10 +51995,10 @@ index b708708..dd6e04b 100644
+ apache_search_sys_content(munin_t) + apache_search_sys_content(munin_t)
+') +')
diff --git a/mysql.fc b/mysql.fc diff --git a/mysql.fc b/mysql.fc
index 06f8666..d813d8a 100644 index 06f8666..c2c13aa 100644
--- a/mysql.fc --- a/mysql.fc
+++ b/mysql.fc +++ b/mysql.fc
@@ -1,12 +1,26 @@ @@ -1,27 +1,46 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) -HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
- -
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
@ -52009,7 +52034,9 @@ index 06f8666..d813d8a 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
@@ -14,14 +28,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@ -53678,7 +53705,7 @@ index d78dfc3..40e1c77 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if diff --git a/nagios.if b/nagios.if
index 0641e97..cad402c 100644 index 0641e97..ed3394e 100644
--- a/nagios.if --- a/nagios.if
+++ b/nagios.if +++ b/nagios.if
@@ -1,12 +1,13 @@ @@ -1,12 +1,13 @@
@ -53755,7 +53782,7 @@ index 0641e97..cad402c 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -73,15 +68,14 @@ interface(`nagios_read_config',` @@ -73,15 +68,33 @@ interface(`nagios_read_config',`
type nagios_etc_t; type nagios_etc_t;
') ')
@ -53764,6 +53791,25 @@ index 0641e97..cad402c 100644
allow $1 nagios_etc_t:file read_file_perms; allow $1 nagios_etc_t:file read_file_perms;
- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms; - allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1) + files_search_etc($1)
+')
+######################################
+## <summary>
+## Read nagios lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_lib',`
+ gen_require(`
+ type nagios_var_lib_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
+ read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
') ')
###################################### ######################################
@ -53773,7 +53819,7 @@ index 0641e97..cad402c 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -100,8 +94,7 @@ interface(`nagios_read_log',` @@ -100,8 +113,7 @@ interface(`nagios_read_log',`
######################################## ########################################
## <summary> ## <summary>
@ -53783,17 +53829,18 @@ index 0641e97..cad402c 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -132,13 +125,33 @@ interface(`nagios_search_spool',` @@ -132,13 +144,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t; type nagios_spool_t;
') ')
- files_search_spool($1) - files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms; allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1) + files_search_spool($1)
+') ')
+
+######################################## ########################################
+## <summary> ## <summary>
-## Read nagios temporary files.
+## Append nagios spool files. +## Append nagios spool files.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -53809,17 +53856,16 @@ index 0641e97..cad402c 100644
+ +
+ allow $1 nagios_spool_t:file append_file_perms; + allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1) + files_search_spool($1)
') +')
+
######################################## +########################################
## <summary> +## <summary>
-## Read nagios temporary files.
+## Allow the specified domain to read +## Allow the specified domain to read
+## nagios temporary files. +## nagios temporary files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',` @@ -151,13 +183,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t; type nagios_tmp_t;
') ')
@ -53856,7 +53902,7 @@ index 0641e97..cad402c 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',` @@ -170,14 +223,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t; type nrpe_t, nrpe_exec_t;
') ')
@ -53873,7 +53919,7 @@ index 0641e97..cad402c 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',` @@ -186,44 +238,43 @@ interface(`nagios_domtrans_nrpe',`
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -54558,7 +54604,7 @@ index 94b9734..448a7e8 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if diff --git a/networkmanager.if b/networkmanager.if
index 86dc29d..219892b 100644 index 86dc29d..0c72c4d 100644
--- a/networkmanager.if --- a/networkmanager.if
+++ b/networkmanager.if +++ b/networkmanager.if
@@ -2,7 +2,7 @@ @@ -2,7 +2,7 @@
@ -54789,12 +54835,11 @@ index 86dc29d..219892b 100644
# #
-interface(`networkmanager_read_pid_files',` -interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',` +interface(`networkmanager_manage_pid_files',`
gen_require(` + gen_require(`
type NetworkManager_var_run_t; + type NetworkManager_var_run_t;
') + ')
+
files_search_pids($1) + files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+') +')
+ +
@ -54809,11 +54854,12 @@ index 86dc29d..219892b 100644
+## </param> +## </param>
+# +#
+interface(`networkmanager_manage_pid_sock_files',` +interface(`networkmanager_manage_pid_sock_files',`
+ gen_require(` gen_require(`
+ type NetworkManager_var_run_t; type NetworkManager_var_run_t;
+ ') ')
+
+ files_search_pids($1) files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+') +')
+ +
@ -54888,7 +54934,7 @@ index 86dc29d..219892b 100644
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
## Role allowed access. ## Role allowed access.
@@ -287,33 +425,132 @@ interface(`networkmanager_stream_connect',` @@ -287,33 +425,150 @@ interface(`networkmanager_stream_connect',`
## </param> ## </param>
## <rolecap/> ## <rolecap/>
# #
@ -54999,6 +55045,24 @@ index 86dc29d..219892b 100644
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Send sigchld to networkmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`networkmanager_sigchld',`
+ gen_require(`
+ type networkmanager_t;
+ ')
+
+ allow $1 networkmanager_t:process sigchld;
+')
+########################################
+## <summary>
+## Transition to networkmanager named content +## Transition to networkmanager named content
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -91721,7 +91785,7 @@ index 98c9e0a..562666e 100644
files_search_pids($1) files_search_pids($1)
admin_pattern($1, sblim_var_run_t) admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te diff --git a/sblim.te b/sblim.te
index 299756b..8ce51cb 100644 index 299756b..7d15afd 100644
--- a/sblim.te --- a/sblim.te
+++ b/sblim.te +++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0) @@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -91803,7 +91867,7 @@ index 299756b..8ce51cb 100644
-allow sblim_gatherd_t self:capability dac_override; -allow sblim_gatherd_t self:capability dac_override;
-allow sblim_gatherd_t self:process signal; -allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:capability { dac_override sys_nice }; +allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };
+allow sblim_gatherd_t self:process { setsched signal }; +allow sblim_gatherd_t self:process { setsched signal };
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen }; allow sblim_gatherd_t self:unix_stream_socket { accept listen };
@ -104221,7 +104285,7 @@ index a4f20bc..b3bd64f 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if diff --git a/virt.if b/virt.if
index facdee8..c930866 100644 index facdee8..814626a 100644
--- a/virt.if --- a/virt.if
+++ b/virt.if +++ b/virt.if
@@ -1,318 +1,226 @@ @@ -1,318 +1,226 @@
@ -104822,7 +104886,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -495,53 +398,37 @@ interface(`virt_manage_virt_content',` @@ -495,53 +398,38 @@ interface(`virt_manage_virt_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -104876,6 +104940,7 @@ index facdee8..c930866 100644
- virt_home_filetrans($1, virt_content_t, $2, $3) - virt_home_filetrans($1, virt_content_t, $2, $3)
+ files_search_pids($1) + files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
') ')
######################################## ########################################
@ -104886,7 +104951,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -549,34 +436,21 @@ interface(`virt_home_filetrans_virt_content',` @@ -549,34 +437,21 @@ interface(`virt_home_filetrans_virt_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -104929,7 +104994,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -584,32 +458,36 @@ interface(`virt_manage_svirt_home_content',` @@ -584,32 +459,36 @@ interface(`virt_manage_svirt_home_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -104978,7 +105043,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## </param> ## </param>
## <param name="name" optional="true"> ## <param name="name" optional="true">
@@ -618,54 +496,36 @@ interface(`virt_relabel_svirt_home_content',` @@ -618,54 +497,36 @@ interface(`virt_relabel_svirt_home_content',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105042,7 +105107,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -673,107 +533,136 @@ interface(`virt_home_filetrans',` @@ -673,107 +534,136 @@ interface(`virt_home_filetrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105223,7 +105288,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -781,19 +670,18 @@ interface(`virt_home_filetrans_virt_home',` @@ -781,19 +671,18 @@ interface(`virt_home_filetrans_virt_home',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105248,7 +105313,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -801,18 +689,36 @@ interface(`virt_read_pid_files',` @@ -801,18 +690,36 @@ interface(`virt_read_pid_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105290,7 +105355,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -820,18 +726,17 @@ interface(`virt_manage_pid_files',` @@ -820,18 +727,17 @@ interface(`virt_manage_pid_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105313,7 +105378,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -839,20 +744,18 @@ interface(`virt_search_lib',` @@ -839,20 +745,18 @@ interface(`virt_search_lib',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105338,7 +105403,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -860,94 +763,267 @@ interface(`virt_read_lib_files',` @@ -860,94 +764,267 @@ interface(`virt_read_lib_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105635,7 +105700,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -955,20 +1031,17 @@ interface(`virt_append_log',` @@ -955,20 +1032,17 @@ interface(`virt_append_log',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105660,7 +105725,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -976,18 +1049,17 @@ interface(`virt_manage_log',` @@ -976,18 +1050,17 @@ interface(`virt_manage_log',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105683,7 +105748,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -995,36 +1067,35 @@ interface(`virt_search_images',` @@ -995,36 +1068,35 @@ interface(`virt_search_images',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105739,7 +105804,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1032,20 +1103,17 @@ interface(`virt_read_images',` @@ -1032,20 +1104,17 @@ interface(`virt_read_images',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105764,7 +105829,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1053,15 +1121,57 @@ interface(`virt_rw_all_image_chr_files',` @@ -1053,15 +1122,57 @@ interface(`virt_rw_all_image_chr_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105827,7 +105892,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1069,21 +1179,28 @@ interface(`virt_manage_svirt_cache',` @@ -1069,21 +1180,28 @@ interface(`virt_manage_svirt_cache',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -105864,7 +105929,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1091,36 +1208,188 @@ interface(`virt_manage_virt_cache',` @@ -1091,36 +1209,188 @@ interface(`virt_manage_virt_cache',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -106071,7 +106136,7 @@ index facdee8..c930866 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1136,50 +1405,53 @@ interface(`virt_manage_images',` @@ -1136,50 +1406,53 @@ interface(`virt_manage_images',`
# #
interface(`virt_admin',` interface(`virt_admin',`
gen_require(` gen_require(`


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 125%{?dist} Release: 126%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -602,6 +602,24 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
* Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125 * Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
- Define ipa_var_run_t type - Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256) - Allow certmonger to manage renewal.lock. BZ(1213256)