* Tue Sep 30 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-84

- Allow all domains to read fonts
- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
- Allow pki-tomcat to change SELinux object identity.
- Allow radius to connect to apache ports to do OCSP check
- Allow git cgi scripts to create content in /tmp
- Allow cockpit-session to do GSSAPI logins.
This commit is contained in:
Lukas Vrabec 2014-09-30 09:38:06 +02:00
parent 3430335564
commit 245c83ebf9
3 changed files with 60 additions and 32 deletions


@ -8827,7 +8827,7 @@ index 6a1e4d1..1b9b0b5 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..8fd98fc 100644
index cf04cb5..16c88de 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@ -8926,7 +8926,7 @@ index cf04cb5..8fd98fc 100644
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
@@ -121,8 +173,18 @@ tunable_policy(`global_ssp',`
@@ -121,8 +173,19 @@ tunable_policy(`global_ssp',`
')
optional_policy(`
@ -8942,10 +8942,11 @@ index cf04cb5..8fd98fc 100644
+optional_policy(`
+ miscfiles_read_localization(domain)
+ miscfiles_read_man_pages(domain)
+ miscfiles_read_fonts(domain)
')
optional_policy(`
@@ -133,6 +195,9 @@ optional_policy(`
@@ -133,6 +196,9 @@ optional_policy(`
optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)
xserver_dontaudit_rw_xdm_pipes(domain)
@ -8955,7 +8956,7 @@ index cf04cb5..8fd98fc 100644
')
########################################
@@ -147,12 +212,18 @@ optional_policy(`
@@ -147,12 +213,18 @@ optional_policy(`
# Use/sendto/connectto sockets created by any domain.
allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
@ -8975,7 +8976,7 @@ index cf04cb5..8fd98fc 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +237,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
@@ -166,5 +238,348 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
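Review bot: `miscfiles_read_fonts(domain)` hands every domain read access to the font file types unconditionally (it sits in an optional_policy block, not behind a tunable), and neither the new line nor the 3.13.1-84 changelog entry records why the whole `domain` attribute needs it, unlike the rabbitmq entry which cites its bug. A short why-comment above the line, e.g. `# every domain may read fonts: <bug or rationale placeholder>`, or a BZ reference in the changelog, would make the widening auditable later. Read-only access to fonts is low risk, but attribute-wide rules are the hardest to narrow afterwards, so the justification is worth capturing now. The patched-file path of this section is not shown on the page; from the inner headers the hunk appears to be in the base policy patch touching policy/modules/kernel/domain.te.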


@ -3623,7 +3623,7 @@ index 7caefc3..7e70f67 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
index f6eb485..918ae86 100644
index f6eb485..f6d065e 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@ -3772,7 +3772,7 @@ index f6eb485..918ae86 100644
+ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
+
+ allow $1_script_t httpd_t:unix_stream_socket { accept getattr read write };
+ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };
+
+ # Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
@ -13887,10 +13887,10 @@ index 0000000..573dcae
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
index 0000000..2b8cac8
index 0000000..4d89495
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,91 @@
@@ -0,0 +1,98 @@
+policy_module(cockpit, 1.0.0)
+
+########################################
@ -13946,6 +13946,8 @@ index 0000000..2b8cac8
+
+auth_use_nsswitch(cockpit_ws_t)
+
+init_stream_connect(cockpit_ws_t)
+
+logging_send_syslog_msg(cockpit_ws_t)
+
+# cockpit-ws launches cockpit-session
@ -13956,6 +13958,11 @@ index 0000000..2b8cac8
+allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms;
+
+optional_policy(`
+ kerberos_use(cockpit_ws_t)
+ kerberos_etc_filetrans_keytab(cockpit_ws_t)
+')
+
+optional_policy(`
+ ssh_read_user_home_files(cockpit_ws_t)
+')
+
@ -29646,7 +29653,7 @@ index 1e29af1..6c64f55 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
index dc49c71..3ef1e93 100644
index dc49c71..54df5e3 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@ -29672,7 +29679,7 @@ index dc49c71..3ef1e93 100644
type git_system_t, git_daemon;
type gitd_exec_t;
@@ -93,10 +86,10 @@ type git_session_t, git_daemon;
@@ -93,12 +86,15 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
@ -29684,8 +29691,13 @@ index dc49c71..3ef1e93 100644
+type git_user_content_t alias git_session_content_t;
userdom_user_home_content(git_user_content_t)
+type git_script_tmp_t;
+files_tmp_file(git_script_tmp_t)
+
########################################
@@ -110,6 +103,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
#
# Session policy
@@ -110,6 +106,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
@ -29694,7 +29706,7 @@ index dc49c71..3ef1e93 100644
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
@@ -130,9 +125,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
@@ -130,9 +128,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
@ -29705,7 +29717,7 @@ index dc49c71..3ef1e93 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
@@ -158,6 +151,9 @@ tunable_policy(`use_samba_home_dirs',`
@@ -158,6 +154,9 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
@ -29715,31 +29727,34 @@ index dc49c71..3ef1e93 100644
corenet_all_recvfrom_unlabeled(git_system_t)
corenet_all_recvfrom_netlabel(git_system_t)
corenet_tcp_sendrecv_generic_if(git_system_t)
@@ -176,6 +172,10 @@ logging_send_syslog_msg(git_system_t)
@@ -176,6 +175,10 @@ logging_send_syslog_msg(git_system_t)
tunable_policy(`git_system_enable_homedirs',`
userdom_search_user_home_dirs(git_system_t)
+ list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)
+ list_dirs_pattern(git_script_t, git_user_content_t, git_user_content_t)
+ list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t)
+ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t)
+
')
tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
@@ -215,48 +215,48 @@ tunable_policy(`git_system_use_nfs',`
@@ -215,48 +218,52 @@ tunable_policy(`git_system_use_nfs',`
# CGI policy
#
-list_dirs_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-read_files_pattern(httpd_git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
-files_search_var_lib(httpd_git_script_t)
+manage_dirs_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+manage_lnk_files_pattern(git_script_t, git_script_tmp_t, git_script_tmp_t)
+files_tmp_filetrans(git_script_t, git_script_tmp_t, { file dir })
-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+list_dirs_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
+files_search_var_lib(git_script_t)
-files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+files_dontaudit_getattr_tmp_dirs(git_script_t)
-auth_use_nsswitch(httpd_git_script_t)
+auth_use_nsswitch(git_script_t)
@ -29748,6 +29763,7 @@ index dc49c71..3ef1e93 100644
+ userdom_search_user_home_dirs(git_script_t)
')
+fs_getattr_tmpfs(git_script_t)
tunable_policy(`git_cgi_enable_homedirs && use_nfs_home_dirs',`
- fs_getattr_nfs(httpd_git_script_t)
- fs_list_nfs(httpd_git_script_t)
@ -29797,7 +29813,7 @@ index dc49c71..3ef1e93 100644
')
########################################
@@ -266,12 +266,9 @@ tunable_policy(`git_cgi_use_nfs',`
@@ -266,12 +273,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@ -65027,10 +65043,10 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
index 0000000..0cb8f0a
index 0000000..995cc23
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,280 @@
@@ -0,0 +1,281 @@
+policy_module(pki,10.0.11)
+
+########################################
@ -65063,6 +65079,7 @@ index 0000000..0cb8f0a
+miscfiles_cert_type(pki_tomcat_cert_t)
+
+tomcat_domain_template(pki_tomcat)
+domain_obj_id_change_exemption(pki_tomcat_t)
+
+type pki_tomcat_unit_file_t;
+systemd_unit_file(pki_tomcat_unit_file_t)
@ -76560,7 +76577,7 @@ index 2c3d338..7d49554 100644
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
index dc3b0ed..8c4255e 100644
index dc3b0ed..42203ed 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.2)
@ -76594,7 +76611,7 @@ index dc3b0ed..8c4255e 100644
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
@@ -27,98 +31,81 @@ files_pid_file(rabbitmq_var_run_t)
@@ -27,98 +31,82 @@ files_pid_file(rabbitmq_var_run_t)
######################################
#
@ -76700,6 +76717,7 @@ index dc3b0ed..8c4255e 100644
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
+
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@ -76845,7 +76863,7 @@ index 4460582..60cf556 100644
+
')
diff --git a/radius.te b/radius.te
index 403a4fe..de6f803 100644
index 403a4fe..8fc3712 100644
--- a/radius.te
+++ b/radius.te
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@ -76871,16 +76889,17 @@ index 403a4fe..de6f803 100644
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
@@ -74,6 +77,9 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
corenet_udp_sendrecv_all_ports(radiusd_t)
corenet_udp_bind_generic_node(radiusd_t)
+corenet_tcp_connect_postgresql_port(radiusd_t)
+corenet_tcp_connect_http_port(radiusd_t)
+
corenet_sendrecv_radacct_server_packets(radiusd_t)
corenet_udp_bind_radacct_port(radiusd_t)
@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
@@ -97,7 +103,6 @@ domain_use_interactive_fds(radiusd_t)
fs_getattr_all_fs(radiusd_t)
fs_search_auto_mountpoints(radiusd_t)
@ -76888,7 +76907,7 @@ index 403a4fe..de6f803 100644
files_read_etc_runtime_files(radiusd_t)
files_dontaudit_list_tmp(radiusd_t)
@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
@@ -109,7 +114,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
@ -76896,7 +76915,7 @@ index 403a4fe..de6f803 100644
miscfiles_read_generic_certs(radiusd_t)
sysnet_use_ldap(radiusd_t)
@@ -122,6 +125,11 @@ optional_policy(`
@@ -122,6 +126,11 @@ optional_policy(`
')
optional_policy(`
@ -76908,7 +76927,7 @@ index 403a4fe..de6f803 100644
logrotate_exec(radiusd_t)
')
@@ -140,5 +148,10 @@ optional_policy(`
@@ -140,5 +149,10 @@ optional_policy(`
')
optional_policy(`
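Review bot: The new cockpit.te rules grant access to cockpit_ws_t, the network-facing web daemon, while the changelog entry says the change is for cockpit-session GSSAPI logins; either the changelog or the target domain looks wrong, and `ssh_read_user_home_files(cockpit_ws_t)` in particular lets the daemon read users' ssh home content (in refpolicy that type covers ~/.ssh, private keys included) without the commit saying why. If cockpit-ws only needs one file there, a narrower interface or a comment naming it would make the grant reviewable, e.g. `# cockpit-ws reads <file in ~/.ssh, TODO confirm>; full ssh_home_t read is wider than needed`. `kerberos_etc_filetrans_keytab(cockpit_ws_t)` likewise lets the daemon create keytab files under /etc, and a one-line comment stating the workflow that requires it would help a later audit. The cockpit.te hunk is a new-file hunk (`@@ -0,0 +1,98 @@`) and only part of it is shown here.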


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 83%{?dist}
Release: 84%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Sep 30 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-84
- Allow all domains to read fonts
- Allow rabbitmq_t read rabbitmq_var_lib_t lnk files. BZ (#1147028)
- Allow pki-tomcat to change SELinux object identity.
- Allow radious to connect to apache ports to do OCSP check
- Allow git cgi scripts to create content in /tmp
- Allow cockpit-session to do GSSAPI logins.
* Mon Sep 22 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-83
- Make sure /run/systemd/generator and system is labeled correctly on creation.
- Additional access required by usbmuxd