* Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126

- allow httpd_t to read nagios_var_lib_t so that rrdtool can generate graphs which will be shown by httpd.
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate  specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
Lukas Vrabec 2015-04-30 20:10:17 +02:00
parent c4df3c09b1
commit 229bf3d017
3 changed files with 181 additions and 96 deletions


@ -17591,7 +17591,7 @@ index e100d88..991e1a5 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..15c063c 100644
index 8dbab4c..46d7f18 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -17612,15 +17612,16 @@ index 8dbab4c..15c063c 100644
role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
type debugfs_t;
files_mountpoint(debugfs_t)
fs_type(debugfs_t)
+dev_associate_sysfs(debugfs_t)
+
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
@@ -95,9 +101,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type;
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
@ -17653,7 +17654,7 @@ index 8dbab4c..15c063c 100644
type proc_xen_t, proc_type;
files_mountpoint(proc_xen_t)
genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0)
@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
@@ -133,14 +162,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
type sysctl_kernel_t, sysctl_type;
genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
@ -17668,7 +17669,7 @@ index 8dbab4c..15c063c 100644
# /proc/sys/net directory and files
type sysctl_net_t, sysctl_type;
genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
@@ -153,6 +174,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
type sysctl_vm_t, sysctl_type;
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
@ -17679,7 +17680,7 @@ index 8dbab4c..15c063c 100644
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -165,6 +190,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@ -17694,7 +17695,7 @@ index 8dbab4c..15c063c 100644
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -189,6 +221,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -189,6 +222,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
@ -17702,7 +17703,7 @@ index 8dbab4c..15c063c 100644
allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
@@ -233,7 +267,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
@ -17710,7 +17711,7 @@ index 8dbab4c..15c063c 100644
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
@@ -244,17 +277,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
@ -17736,7 +17737,7 @@ index 8dbab4c..15c063c 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t)
@@ -263,7 +300,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@ -17746,7 +17747,7 @@ index 8dbab4c..15c063c 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
@@ -277,25 +314,53 @@ files_list_root(kernel_t)
@@ -277,25 +315,53 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@ -17800,7 +17801,7 @@ index 8dbab4c..15c063c 100644
')
optional_policy(`
@@ -305,6 +370,19 @@ optional_policy(`
@@ -305,6 +371,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@ -17820,7 +17821,7 @@ index 8dbab4c..15c063c 100644
')
optional_policy(`
@@ -312,6 +390,11 @@ optional_policy(`
@@ -312,6 +391,11 @@ optional_policy(`
')
optional_policy(`
@ -17832,7 +17833,7 @@ index 8dbab4c..15c063c 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -332,9 +415,6 @@ optional_policy(`
@@ -332,9 +416,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@ -17842,7 +17843,7 @@ index 8dbab4c..15c063c 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
@@ -343,9 +423,7 @@ optional_policy(`
@@ -343,9 +424,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -17853,7 +17854,7 @@ index 8dbab4c..15c063c 100644
')
tunable_policy(`nfs_export_all_rw',`
@@ -354,7 +432,7 @@ optional_policy(`
@@ -354,7 +433,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -17862,7 +17863,7 @@ index 8dbab4c..15c063c 100644
')
')
@@ -367,6 +445,15 @@ optional_policy(`
@@ -367,6 +446,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@ -17878,7 +17879,7 @@ index 8dbab4c..15c063c 100644
########################################
#
# Unlabeled process local policy
@@ -399,14 +486,39 @@ if( ! secure_mode_insmod ) {
@@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) {
# Rules for unconfined acccess to this module
#
@ -36486,7 +36487,7 @@ index 79048c4..c3a255a 100644
udev_read_pid_files(lvm_t)
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9fe8e01..3d71062 100644
index 9fe8e01..ce00ccb 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,14 @@ ifdef(`distro_gentoo',`
@ -36497,7 +36498,7 @@ index 9fe8e01..3d71062 100644
-/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/docker/certs\.d(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/localtime gen_context(system_u:object_r:locale_t,s0)
+/etc/localtime -l gen_context(system_u:object_r:locale_t,s0)
+/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
@ -42364,10 +42365,10 @@ index 0000000..d2a8fc7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..f3a8fe7
index 0000000..c19260b
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,713 @@
@@ -0,0 +1,714 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -42626,6 +42627,7 @@ index 0000000..f3a8fe7
+
+kernel_dgram_send(systemd_networkd_t)
+kernel_request_load_module(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+dev_read_sysfs(systemd_networkd_t)
+
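Review bot: The `kernel_rw_net_sysctls(systemd_networkd_t)` line in the systemd.te hunk appears to be the one new line (the inner hunk header grows from 713 to 714 lines), yet nothing in the commit message mentions systemd-networkd, so a write grant on /proc/sys/net ships undocumented. Write access to net sysctls lets the domain change forwarding, redirect and rp_filter behaviour system-wide, so the rule deserves a changelog entry and a why-comment in the policy, e.g. `# networkd presumably writes per-link sysctls — TODO: list the keys it actually needs`. If networkd only reads these keys, `kernel_read_net_sysctls(systemd_networkd_t)` is the narrower rule. The systemd_networkd_t block continues outside the hunk.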


@ -5157,7 +5157,7 @@ index f6eb485..164501c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
index 6649962..9c06038 100644
index 6649962..d671bf8 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,339 @@ policy_module(apache, 2.7.2)
@ -6477,15 +6477,16 @@ index 6649962..9c06038 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
@@ -832,6 +1029,7 @@ optional_policy(`
@@ -832,6 +1029,8 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
+ nagios_read_lib(httpd_t)
+ nagios_read_log(httpd_t)
')
optional_policy(`
@@ -842,20 +1040,40 @@ optional_policy(`
@@ -842,20 +1041,40 @@ optional_policy(`
')
optional_policy(`
@ -6532,7 +6533,7 @@ index 6649962..9c06038 100644
')
optional_policy(`
@@ -863,19 +1081,35 @@ optional_policy(`
@@ -863,19 +1082,35 @@ optional_policy(`
')
optional_policy(`
@ -6568,7 +6569,7 @@ index 6649962..9c06038 100644
udev_read_db(httpd_t)
')
@@ -883,65 +1117,189 @@ optional_policy(`
@@ -883,65 +1118,189 @@ optional_policy(`
yam_read_content(httpd_t)
')
@ -6780,7 +6781,7 @@ index 6649962..9c06038 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
@@ -950,123 +1308,74 @@ auth_use_nsswitch(httpd_suexec_t)
@@ -950,123 +1309,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@ -6935,7 +6936,7 @@ index 6649962..9c06038 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -1083,172 +1392,107 @@ optional_policy(`
@@ -1083,172 +1393,107 @@ optional_policy(`
')
')
@ -7173,7 +7174,7 @@ index 6649962..9c06038 100644
')
tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1500,74 @@ tunable_policy(`httpd_read_user_content',`
@@ -1256,64 +1501,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@ -7270,7 +7271,7 @@ index 6649962..9c06038 100644
########################################
#
@@ -1321,8 +1575,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
@@ -1321,8 +1576,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@ -7287,7 +7288,7 @@ index 6649962..9c06038 100644
')
########################################
@@ -1330,49 +1591,38 @@ optional_policy(`
@@ -1330,49 +1592,38 @@ optional_policy(`
# User content local policy
#
@ -7352,7 +7353,7 @@ index 6649962..9c06038 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
@@ -1382,38 +1632,101 @@ dev_read_urand(httpd_passwd_t)
@@ -1382,38 +1633,101 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@ -24751,11 +24752,14 @@ index 37a3b7b..921056a 100644
+')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..9e231a8
index 0000000..1714fa6
--- /dev/null
+++ b/dnssec.fc
@@ -0,0 +1,3 @@
@@ -0,0 +1,6 @@
+/usr/lib/systemd/system/dnssec-triggerd.* -- gen_context(system_u:object_r:dnssec_trigger_unit_file_t,s0)
+
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+/usr/libexec/dnssec-trigger-script -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
+
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
@ -24851,10 +24855,10 @@ index 0000000..457d4dd
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 0000000..46f4d2c
index 0000000..64f1a64
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,63 @@
@@ -0,0 +1,68 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@ -24866,6 +24870,9 @@ index 0000000..46f4d2c
+type dnssec_trigger_exec_t;
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
+
+type dnssec_trigger_unit_file_t;
+systemd_unit_file(dnssec_trigger_unit_file_t)
+
+type dnssec_trigger_var_run_t;
+files_pid_file(dnssec_trigger_var_run_t)
+
@ -24917,6 +24924,8 @@ index 0000000..46f4d2c
+
+optional_policy(`
+ networkmanager_stream_connect(dnssec_trigger_t)
+ networkmanager_sigchld(dnssec_trigger_t)
+
+')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644
@ -46851,16 +46860,22 @@ index 0000000..e7220a5
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
index 6fcfc31..91adcaf 100644
index 6fcfc31..e9e6bc5 100644
--- a/mongodb.fc
+++ b/mongodb.fc
@@ -1,9 +1,13 @@
@@ -1,9 +1,19 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongos -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/lib/systemd/system/mongod.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+/usr/lib/systemd/system/mongos.* -- gen_context(system_u:object_r:mongod_unit_file_t,s0)
+
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
@ -46872,10 +46887,20 @@ index 6fcfc31..91adcaf 100644
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
diff --git a/mongodb.te b/mongodb.te
index 169f236..571da1a 100644
index 169f236..608c584 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
@@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t)
type mongod_initrc_exec_t;
init_script_file(mongod_initrc_exec_t)
+type mongod_unit_file_t;
+systemd_unit_file(mongod_unit_file_t)
+
type mongod_log_t;
logging_log_file(mongod_log_t)
@@ -21,19 +24,25 @@ files_type(mongod_var_lib_t)
type mongod_var_run_t;
files_pid_file(mongod_var_run_t)
@ -46907,7 +46932,7 @@ index 169f236..571da1a 100644
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
@@ -41,21 +47,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
@@ -41,21 +50,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir)
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
@ -51970,10 +51995,10 @@ index b708708..dd6e04b 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
index 06f8666..d813d8a 100644
index 06f8666..c2c13aa 100644
--- a/mysql.fc
+++ b/mysql.fc
@@ -1,12 +1,26 @@
@@ -1,27 +1,46 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
@ -52009,7 +52034,9 @@ index 06f8666..d813d8a 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
@@ -14,14 +28,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/libexec/mysqld_safe-scl-helper -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@ -53678,7 +53705,7 @@ index d78dfc3..40e1c77 100644
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
index 0641e97..cad402c 100644
index 0641e97..ed3394e 100644
--- a/nagios.if
+++ b/nagios.if
@@ -1,12 +1,13 @@
@ -53755,7 +53782,7 @@ index 0641e97..cad402c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -73,15 +68,14 @@ interface(`nagios_read_config',`
@@ -73,15 +68,33 @@ interface(`nagios_read_config',`
type nagios_etc_t;
')
@ -53764,6 +53791,25 @@ index 0641e97..cad402c 100644
allow $1 nagios_etc_t:file read_file_perms;
- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
+')
+######################################
+## <summary>
+## Read nagios lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nagios_read_lib',`
+ gen_require(`
+ type nagios_var_lib_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
+ read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t)
')
######################################
@ -53773,7 +53819,7 @@ index 0641e97..cad402c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -100,8 +94,7 @@ interface(`nagios_read_log',`
@@ -100,8 +113,7 @@ interface(`nagios_read_log',`
########################################
## <summary>
@ -53783,17 +53829,18 @@ index 0641e97..cad402c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -132,13 +125,33 @@ interface(`nagios_search_spool',`
@@ -132,13 +144,33 @@ interface(`nagios_search_spool',`
type nagios_spool_t;
')
- files_search_spool($1)
allow $1 nagios_spool_t:dir search_dir_perms;
+ files_search_spool($1)
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Read nagios temporary files.
+## Append nagios spool files.
+## </summary>
+## <param name="domain">
@ -53809,17 +53856,16 @@ index 0641e97..cad402c 100644
+
+ allow $1 nagios_spool_t:file append_file_perms;
+ files_search_spool($1)
')
########################################
## <summary>
-## Read nagios temporary files.
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## nagios temporary files.
## </summary>
## <param name="domain">
## <summary>
@@ -151,13 +164,34 @@ interface(`nagios_read_tmp_files',`
@@ -151,13 +183,34 @@ interface(`nagios_read_tmp_files',`
type nagios_tmp_t;
')
@ -53856,7 +53902,7 @@ index 0641e97..cad402c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -170,14 +204,13 @@ interface(`nagios_domtrans_nrpe',`
@@ -170,14 +223,13 @@ interface(`nagios_domtrans_nrpe',`
type nrpe_t, nrpe_exec_t;
')
@ -53873,7 +53919,7 @@ index 0641e97..cad402c 100644
## </summary>
## <param name="domain">
## <summary>
@@ -186,44 +219,43 @@ interface(`nagios_domtrans_nrpe',`
@@ -186,44 +238,43 @@ interface(`nagios_domtrans_nrpe',`
## </param>
## <param name="role">
## <summary>
@ -54558,7 +54604,7 @@ index 94b9734..448a7e8 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
index 86dc29d..219892b 100644
index 86dc29d..0c72c4d 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@ -54789,12 +54835,11 @@ index 86dc29d..219892b 100644
#
-interface(`networkmanager_read_pid_files',`
+interface(`networkmanager_manage_pid_files',`
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
@ -54809,11 +54854,12 @@ index 86dc29d..219892b 100644
+## </param>
+#
+interface(`networkmanager_manage_pid_sock_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
gen_require(`
type NetworkManager_var_run_t;
')
files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
@ -54888,7 +54934,7 @@ index 86dc29d..219892b 100644
## <param name="role">
## <summary>
## Role allowed access.
@@ -287,33 +425,132 @@ interface(`networkmanager_stream_connect',`
@@ -287,33 +425,150 @@ interface(`networkmanager_stream_connect',`
## </param>
## <rolecap/>
#
@ -54999,6 +55045,24 @@ index 86dc29d..219892b 100644
+
+########################################
+## <summary>
+## Send sigchld to networkmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`networkmanager_sigchld',`
+ gen_require(`
+ type networkmanager_t;
+ ')
+
+ allow $1 networkmanager_t:process sigchld;
+')
+########################################
+## <summary>
+## Transition to networkmanager named content
+## </summary>
+## <param name="domain">
@ -91721,7 +91785,7 @@ index 98c9e0a..562666e 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
index 299756b..8ce51cb 100644
index 299756b..7d15afd 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@ -91803,7 +91867,7 @@ index 299756b..8ce51cb 100644
-allow sblim_gatherd_t self:capability dac_override;
-allow sblim_gatherd_t self:process signal;
+allow sblim_gatherd_t self:capability { dac_override sys_nice };
+allow sblim_gatherd_t self:capability { dac_override sys_nice sys_ptrace };
+allow sblim_gatherd_t self:process { setsched signal };
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
@ -104221,7 +104285,7 @@ index a4f20bc..b3bd64f 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
index facdee8..c930866 100644
index facdee8..814626a 100644
--- a/virt.if
+++ b/virt.if
@@ -1,318 +1,226 @@
@ -104822,7 +104886,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -495,53 +398,37 @@ interface(`virt_manage_virt_content',`
@@ -495,53 +398,38 @@ interface(`virt_manage_virt_content',`
## </summary>
## </param>
#
@ -104876,6 +104940,7 @@ index facdee8..c930866 100644
- virt_home_filetrans($1, virt_content_t, $2, $3)
+ files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
@ -104886,7 +104951,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -549,34 +436,21 @@ interface(`virt_home_filetrans_virt_content',`
@@ -549,34 +437,21 @@ interface(`virt_home_filetrans_virt_content',`
## </summary>
## </param>
#
@ -104929,7 +104994,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -584,32 +458,36 @@ interface(`virt_manage_svirt_home_content',`
@@ -584,32 +459,36 @@ interface(`virt_manage_svirt_home_content',`
## </summary>
## </param>
#
@ -104978,7 +105043,7 @@ index facdee8..c930866 100644
## </summary>
## </param>
## <param name="name" optional="true">
@@ -618,54 +496,36 @@ interface(`virt_relabel_svirt_home_content',`
@@ -618,54 +497,36 @@ interface(`virt_relabel_svirt_home_content',`
## </summary>
## </param>
#
@ -105042,7 +105107,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -673,107 +533,136 @@ interface(`virt_home_filetrans',`
@@ -673,107 +534,136 @@ interface(`virt_home_filetrans',`
## </summary>
## </param>
#
@ -105223,7 +105288,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -781,19 +670,18 @@ interface(`virt_home_filetrans_virt_home',`
@@ -781,19 +671,18 @@ interface(`virt_home_filetrans_virt_home',`
## </summary>
## </param>
#
@ -105248,7 +105313,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -801,18 +689,36 @@ interface(`virt_read_pid_files',`
@@ -801,18 +690,36 @@ interface(`virt_read_pid_files',`
## </summary>
## </param>
#
@ -105290,7 +105355,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -820,18 +726,17 @@ interface(`virt_manage_pid_files',`
@@ -820,18 +727,17 @@ interface(`virt_manage_pid_files',`
## </summary>
## </param>
#
@ -105313,7 +105378,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -839,20 +744,18 @@ interface(`virt_search_lib',`
@@ -839,20 +745,18 @@ interface(`virt_search_lib',`
## </summary>
## </param>
#
@ -105338,7 +105403,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -860,94 +763,267 @@ interface(`virt_read_lib_files',`
@@ -860,94 +764,267 @@ interface(`virt_read_lib_files',`
## </summary>
## </param>
#
@ -105635,7 +105700,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -955,20 +1031,17 @@ interface(`virt_append_log',`
@@ -955,20 +1032,17 @@ interface(`virt_append_log',`
## </summary>
## </param>
#
@ -105660,7 +105725,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -976,18 +1049,17 @@ interface(`virt_manage_log',`
@@ -976,18 +1050,17 @@ interface(`virt_manage_log',`
## </summary>
## </param>
#
@ -105683,7 +105748,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -995,36 +1067,35 @@ interface(`virt_search_images',`
@@ -995,36 +1068,35 @@ interface(`virt_search_images',`
## </summary>
## </param>
#
@ -105739,7 +105804,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1032,20 +1103,17 @@ interface(`virt_read_images',`
@@ -1032,20 +1104,17 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@ -105764,7 +105829,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1053,15 +1121,57 @@ interface(`virt_rw_all_image_chr_files',`
@@ -1053,15 +1122,57 @@ interface(`virt_rw_all_image_chr_files',`
## </summary>
## </param>
#
@ -105827,7 +105892,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1069,21 +1179,28 @@ interface(`virt_manage_svirt_cache',`
@@ -1069,21 +1180,28 @@ interface(`virt_manage_svirt_cache',`
## </summary>
## </param>
#
@ -105864,7 +105929,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1091,36 +1208,188 @@ interface(`virt_manage_virt_cache',`
@@ -1091,36 +1209,188 @@ interface(`virt_manage_virt_cache',`
## </summary>
## </param>
#
@ -106071,7 +106136,7 @@ index facdee8..c930866 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1136,50 +1405,53 @@ interface(`virt_manage_images',`
@@ -1136,50 +1406,53 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
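Review bot: The new `networkmanager_sigchld` interface in networkmanager.if requires `type networkmanager_t;`, but the domain is spelled with the `NetworkManager_` prefix everywhere else visible here (the same file's other interfaces use `NetworkManager_var_run_t`), so unless a lowercase alias is declared outside this view the gen_require will fail when the module is built and the `networkmanager_sigchld(dnssec_trigger_t)` call added to dnssec.te will not resolve. The two lines should read `type NetworkManager_t;` and `allow $1 NetworkManager_t:process sigchld;`, and the doubled `#` line above `interface(` should be a single `#` like the neighbouring interfaces. Separately, the sblim.te hunk widens sblim_gatherd_t to `sys_ptrace` apparently only because `ps` tripped a denial; if gatherd works without it, the usual least-privilege form is `dontaudit sblim_gatherd_t self:capability sys_ptrace;` rather than an allow, since that capability also permits reading other processes' /proc state.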


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 125%{?dist}
Release: 126%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,24 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Apr 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-126
- allow httpd_t to read nagios lib_var_lib_t to allow rddtool generate graphs which will be shown by httpd .
- Add nagios_read_lib() interface.
- Additional fix for mongod_unit_file_t in mongodb.te.
- Fix decl of mongod_unit_file to mongod_unit_file_t.
- Fix mongodb unit file declaration.
- Update virt_read_pid_files() interface to allow read also symlinks with virt_var_run_t type.
- Fix labeling for /usr/libexec/mysqld_safe-scl-helper.
- Add support for mysqld_safe-scl-helper which is needed for RHSCL daemons.
- Allow sys_ptrace cap for sblim-gatherd caused by ps.
- Add support for /usr/libexec/mongodb-scl-helper RHSCL helper script.
- Add support for mongod/mongos systemd unit files.
- Allow dnssec-trigger to send sigchld to networkmanager
- add interface networkmanager_sigchld
- Add dnssec-trigger unit file Label dnssec-trigger script in libexec
- Remove duplicate specification for /etc/localtime.
- Add default labeling for /etc/localtime symlink.
* Mon Apr 20 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-125
- Define ipa_var_run_t type
- Allow certmonger to manage renewal.lock. BZ(1213256)