From 24a25f20cc8ca48a39d8811aa4cd263d00c0c231 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 10 Mar 2014 11:51:20 +0100 Subject: [PATCH] - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default - Allow cgred to read /etc/cgconfig.conf because it contains templates used togeth - Allow lscpu running as rhsmcertd_t to read /proc/sysinfo - Fix label on irclogs in the homedir --- policy-rawhide-base.patch | 131 ++++++++++++++++++++--------------- policy-rawhide-contrib.patch | 48 ++++++++----- selinux-policy.spec | 13 +++- 3 files changed, 118 insertions(+), 74 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 77cec624..3f61fe12 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..aa16691 100644 +index b191055..136b78e 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5667,7 +5667,7 @@ index b191055..aa16691 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -215,39 +267,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -215,52 +267,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) 
@@ -5720,7 +5720,12 @@ index b191055..aa16691 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -259,8 +317,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) + network_port(svrloc, tcp,427,s0, udp,427,s0) + network_port(swat, tcp,901,s0) + network_port(sype_transport, tcp,9911,s0, udp,9911,s0) +-network_port(syslogd, udp,514,s0) ++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) + network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -20975,7 +20980,7 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 0306134..bf53ec7 100644 +index 0306134..68598c7 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -21067,15 +21072,19 @@ index 0306134..bf53ec7 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t) +@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) -miscfiles_read_localization(postgresql_t) - +- seutil_libselinux_linked(postgresql_t) seutil_read_default_contexts(postgresql_t) -@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t) + ++sysnet_use_ldap(postgresql_t) ++ + userdom_dontaudit_use_unpriv_user_fds(postgresql_t) + userdom_dontaudit_search_user_home_dirs(postgresql_t) userdom_dontaudit_use_user_terminals(postgresql_t) optional_policy(` 
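Review bot: The new `network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0)` line labels tcp/601 and udp/601 as the syslogd port, but neither the commit message nor the spec changelog hunk mentions a syslogd port change, so the reason for 601 is not recorded anywhere. A one-line comment above it would do, e.g. `# 601/tcp and 601/udp: IANA syslog-conn (RFC 3195)`. If tcp/601 or udp/601 is already assigned to another port type elsewhere in corenetwork.te.in, the duplicate portcon will fail the policy build; that cannot be checked from this hunk.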
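Review bot: `sysnet_use_ldap(postgresql_t)` is added unconditionally to postgresql.te, and neither the commit message nor the spec changelog records why the database daemon now needs LDAP client access. This gives postgresql_t network reach it did not have before; if it is only needed for LDAP-backed name or authentication lookups, a comment above the line such as `# LDAP client access: <reason> — TODO record the use case` and a changelog entry would document the decision, and an optional_policy or tunable block may be the narrower place for it.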
@@ -21095,7 +21104,7 @@ index 0306134..bf53ec7 100644 allow postgresql_t self:process execmem; ') -@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -21152,7 +21161,7 @@ index 0306134..bf53ec7 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -21161,7 +21170,7 @@ index 0306134..bf53ec7 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) @@ -29510,7 +29519,7 @@ index 79a45f6..89b43aa 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..e8e4114 100644 +index 17eda24..9f7264a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -29612,7 +29621,15 @@ index 17eda24..e8e4114 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -98,7 +144,9 @@ ifdef(`enable_mls',` +@@ -66,6 +112,7 @@ role system_r types initrc_t; + # of the below init_upstart tunable + # but this has a typeattribute in it + corecmd_shell_entry_type(initrc_t) ++corecmd_bin_entry_type(initrc_t) + + type initrc_devpts_t; + term_pty(initrc_devpts_t) +@@ -98,7 +145,9 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -29623,7 +29640,7 @@ index 17eda24..e8e4114 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +156,42 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +157,42 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; @@ -29672,7 +29689,7 @@ index 17eda24..e8e4114 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +202,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -29692,7 +29709,7 @@ index 17eda24..e8e4114 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t) +@@ -139,14 +221,22 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -29715,7 +29732,7 @@ index 17eda24..e8e4114 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +245,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +246,52 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) 
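Review bot: `corecmd_bin_entry_type(initrc_t)` makes every bin_t executable a valid entrypoint for initrc_t, next to the shell entry type already there, which widens how the initrc_t domain can be entered; neither the commit message nor the spec changelog says why this is needed. The comment just above explains why corecmd_shell_entry_type sits outside the init_upstart tunable; the new line deserves a matching note, e.g. `# bin_t entrypoint needed for <tool> — TODO name it`. If a single helper needs it, an entrypoint rule on that helper's own executable type would be the narrower option.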
@@ -29771,7 +29788,7 @@ index 17eda24..e8e4114 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +299,229 @@ ifdef(`distro_gentoo',` +@@ -186,29 +300,229 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -30009,7 +30026,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -216,7 +529,31 @@ optional_policy(` +@@ -216,7 +530,31 @@ optional_policy(` ') optional_policy(` @@ -30041,7 +30058,7 @@ index 17eda24..e8e4114 100644 ') ######################################## -@@ -225,9 +562,9 @@ optional_policy(` +@@ -225,9 +563,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -30053,7 +30070,7 @@ index 17eda24..e8e4114 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +595,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +596,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -30070,7 +30087,7 @@ index 17eda24..e8e4114 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +620,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +621,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30113,7 +30130,7 @@ index 17eda24..e8e4114 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +657,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +658,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -30125,7 +30142,7 @@ index 17eda24..e8e4114 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +669,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +670,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -30136,7 +30153,7 @@ index 17eda24..e8e4114 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +680,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +681,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -30146,7 +30163,7 @@ index 17eda24..e8e4114 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +689,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +690,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -30154,7 +30171,7 @@ index 17eda24..e8e4114 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +696,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +697,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -30162,7 +30179,7 @@ index 17eda24..e8e4114 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +704,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +705,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -30180,7 +30197,7 @@ index 17eda24..e8e4114 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +722,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +723,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30194,7 +30211,7 @@ index 17eda24..e8e4114 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +737,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +738,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -30208,7 +30225,7 @@ index 17eda24..e8e4114 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +750,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +751,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30219,7 +30236,7 @@ index 17eda24..e8e4114 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +763,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +764,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -30227,7 +30244,7 @@ index 17eda24..e8e4114 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +782,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +783,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30251,7 +30268,7 @@ index 17eda24..e8e4114 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +815,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +816,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -30259,7 +30276,7 @@ index 17eda24..e8e4114 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +849,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +850,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -30270,7 +30287,7 @@ index 17eda24..e8e4114 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +873,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +874,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -30279,7 +30296,7 @@ index 17eda24..e8e4114 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +888,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +889,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -30287,7 +30304,7 @@ index 17eda24..e8e4114 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +909,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +910,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30295,7 +30312,7 @@ index 17eda24..e8e4114 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +919,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +920,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30340,7 +30357,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -559,14 +964,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +965,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30372,7 +30389,7 @@ index 17eda24..e8e4114 100644 ') ') -@@ -577,6 +999,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1000,39 @@ ifdef(`distro_suse',` ') ') 
@@ -30412,7 +30429,7 @@ index 17eda24..e8e4114 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1044,8 @@ optional_policy(` +@@ -589,6 +1045,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30421,7 +30438,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -610,6 +1067,7 @@ optional_policy(` +@@ -610,6 +1068,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30429,7 +30446,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -626,6 +1084,17 @@ optional_policy(` +@@ -626,6 +1085,17 @@ optional_policy(` ') optional_policy(` @@ -30447,7 +30464,7 @@ index 17eda24..e8e4114 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1111,13 @@ optional_policy(` +@@ -642,9 +1112,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30461,7 +30478,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -657,15 +1130,11 @@ optional_policy(` +@@ -657,15 +1131,11 @@ optional_policy(` ') optional_policy(` @@ -30479,7 +30496,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -686,6 +1155,15 @@ optional_policy(` +@@ -686,6 +1156,15 @@ optional_policy(` ') optional_policy(` @@ -30495,7 +30512,7 @@ index 17eda24..e8e4114 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1204,7 @@ optional_policy(` +@@ -726,6 +1205,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30503,7 +30520,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -743,7 +1222,13 @@ optional_policy(` +@@ -743,7 +1223,13 @@ optional_policy(` ') optional_policy(` @@ -30518,7 +30535,7 @@ index 17eda24..e8e4114 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1251,10 @@ optional_policy(` +@@ -766,6 +1252,10 @@ optional_policy(` ') optional_policy(` 
@@ -30529,7 +30546,7 @@ index 17eda24..e8e4114 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1264,20 @@ optional_policy(` +@@ -775,10 +1265,20 @@ optional_policy(` ') optional_policy(` @@ -30550,7 +30567,7 @@ index 17eda24..e8e4114 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1286,10 @@ optional_policy(` +@@ -787,6 +1287,10 @@ optional_policy(` ') optional_policy(` @@ -30561,7 +30578,7 @@ index 17eda24..e8e4114 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1311,6 @@ optional_policy(` +@@ -808,8 +1312,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30570,7 +30587,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -818,6 +1319,10 @@ optional_policy(` +@@ -818,6 +1320,10 @@ optional_policy(` ') optional_policy(` @@ -30581,7 +30598,7 @@ index 17eda24..e8e4114 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1332,12 @@ optional_policy(` +@@ -827,10 +1333,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -30594,7 +30611,7 @@ index 17eda24..e8e4114 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1364,60 @@ optional_policy(` +@@ -857,21 +1365,60 @@ optional_policy(` ') optional_policy(` @@ -30656,7 +30673,7 @@ index 17eda24..e8e4114 100644 ') optional_policy(` -@@ -887,6 +1433,10 @@ optional_policy(` +@@ -887,6 +1434,10 @@ optional_policy(` ') optional_policy(` @@ -30667,7 +30684,7 @@ index 17eda24..e8e4114 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1447,218 @@ optional_policy(` +@@ -897,3 +1448,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e13a95b5..68db24dd 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
@@ -11109,7 +11109,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 80a88a2..f947039 100644 +index 80a88a2..7cebead 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -11137,7 +11137,7 @@ index 80a88a2..f947039 100644 domain_setpriority_all_domains(cgclear_t) fs_manage_cgroup_dirs(cgclear_t) -@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; +@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) @@ -11162,7 +11162,11 @@ index 80a88a2..f947039 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -99,10 +102,11 @@ domain_setpriority_all_domains(cgred_t) ++allow cgred_t cgconfig_t:file read_file_perms; + allow cgred_t cgrules_etc_t:file read_file_perms; + + allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) @@ -24972,9 +24976,18 @@ index ef62363..1ec4d89 100644 + procmail_domtrans(dspam_t) +') diff --git a/entropyd.te b/entropyd.te -index b8b8328..4608c0c 100644 +index b8b8328..111084c 100644 --- a/entropyd.te +++ b/entropyd.te +@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0) + ## the entropy feeds. + ##
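Review bot: `allow cgred_t cgconfig_t:file read_file_perms;` names the cgconfig daemon domain, not the type of /etc/cgconfig.conf: the hunk's own context uses `cgconfig_etc_t` for that file (`allow cgconfig_t cgconfig_etc_t:file read_file_perms;` in the hunk header, `admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })` earlier in the patch). As written the rule does not grant what the changelog entry describes; a process domain type labels that process's /proc entries rather than its config file, so this presumably only lets cgred read cgconfig's proc files. Change it to `allow cgred_t cgconfig_etc_t:file read_file_perms;` (or the equivalent cgroup interface if one exists).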

+ ## +-gen_tunable(entropyd_use_audio, false) ++gen_tunable(entropyd_use_audio, true) + + type entropyd_t; + type entropyd_exec_t; @@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) @@ -33211,14 +33224,14 @@ index 0000000..0fd2678 + kerberos_use(ipa_otpd_t) +') diff --git a/irc.fc b/irc.fc -index 48e7739..c3285c2 100644 +index 48e7739..1bf0326 100644 --- a/irc.fc +++ b/irc.fc @@ -1,6 +1,6 @@ HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) -HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) -+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0) ++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0) /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) @@ -54147,10 +54160,10 @@ index 0d3c270..709dda1 100644 + ') ') diff --git a/numad.te b/numad.te -index b0a1be4..239f27a 100644 +index b0a1be4..303a927 100644 --- a/numad.te +++ b/numad.te -@@ -8,29 +8,29 @@ policy_module(numad, 1.1.0) +@@ -8,37 +8,44 @@ policy_module(numad, 1.1.0) type numad_t; type numad_exec_t; init_daemon_domain(numad_t, numad_exec_t) @@ -54189,15 +54202,17 @@ index b0a1be4..239f27a 100644 manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) files_pid_filetrans(numad_t, numad_var_run_t, file) -@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t) - dev_read_sysfs(numad_t) + kernel_read_system_state(numad_t) --files_read_etc_files(numad_t) +-dev_read_sysfs(numad_t) ++dev_rw_sysfs(numad_t) ++ +domain_use_interactive_fds(numad_t) +domain_read_all_domains_state(numad_t) +domain_setpriority_all_domains(numad_t) -+ + +-files_read_etc_files(numad_t) +fs_manage_cgroup_dirs(numad_t) +fs_rw_cgroup_files(numad_t) @@ -77725,7 +77740,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..c4cf8a7 100644 +index d32e1a2..c820b6f 100644 
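Review bot: Flipping `gen_tunable(entropyd_use_audio, true)` widens entropyd_t's default access to sound devices on every install, but the tunable's `##` description above it still reads as an opt-in and does not state the new default. Add a line to the description such as `## Enabled by default; set to false to deny entropyd access to audio devices.` so `semanage boolean -l` users see the intent. Presumably hosts that have pinned the boolean locally keep their value, so only fresh installs change behaviour; worth confirming and mentioning in the changelog.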
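Review bot: The corrected line `HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0)` fixes the `issi_home_t` typo but still matches only `~/irclog`, not `~/irclogs`: file-context regexes are anchored, and the upstream line this patch replaces is `HOME_DIR/irclogs(/.*)?`. The changelog entry says "Fix label on irclogs in the homedir", so unless the directory really is `irclog`, the pattern should read `HOME_DIR/irclogs(/.*)?`. The type also moves from irc_log_home_t to irc_home_t; if irc_log_home_t is still declared in irc.te, this drops its only file context, which is worth confirming.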
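Review bot: `dev_rw_sysfs(numad_t)` replaces `dev_read_sysfs(numad_t)` and grants write access to the whole sysfs_t tree, while the changelog only calls for writing scan_sleep_millisecs, a single tunable file. If the reference policy has no narrower interface or dedicated label for that file this is the available option, but the breadth should be recorded next to the rule, e.g. `# dev_rw_sysfs: only scan_sleep_millisecs needs write; no narrower sysfs type available — TODO revisit`. The daemon also gains `domain_setpriority_all_domains` and cgroup management in the same hunk, so its effective privilege is now well beyond read-only tuning.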
--- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) @@ -77746,16 +77761,17 @@ index d32e1a2..c4cf8a7 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -50,25 +49,48 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +49,49 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) +kernel_read_sysctl(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) - ++kernel_read_sysctl(rhsmcertd_t) ++ +corenet_tcp_connect_http_port(rhsmcertd_t) +corenet_tcp_connect_squid_port(rhsmcertd_t) -+ + corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 3953ed2a..2315ee83 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 30%{?dist} +Release: 31%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
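Review bot: `kernel_read_sysctl(rhsmcertd_t)` is added after `kernel_read_system_state(rhsmcertd_t)` although, as far as the collapsed hunk can be read, the existing patch already carries `+kernel_read_sysctl(rhsmcertd_t)` two lines earlier, right after `kernel_read_network_state`, so the rule now appears twice. Duplicate rules are harmless to the compiler but the second copy should be dropped to keep the patch readable. If the added line is meant for the changelog item "Allow lscpu running as rhsmcertd_t to read /proc/sysinfo", note that /proc/sysinfo is not under /proc/sys, so kernel_read_sysctl presumably does not cover it; check the type that file carries before relying on this rule.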
@@ -580,6 +580,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 10 2014 Miroslav Grepl 3.13.1-32 +- Allow numad to write scan_sleep_millisecs +- Turn on entropyd_use_audio boolean by default +- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. +- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo +- Allow numad to write scan_sleep_millisecs +- Turn on entropyd_use_audio boolean by default +- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. +- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo +- Fix label on irclogs in the homedir + * Fri Mar 7 2014 Miroslav Grepl 3.13.1-31 - Modify xdm_write_home to allow create files/links in /root with xdm_home_t - Add more fixes for https://fedoraproject.org/wiki/Changes/XorgWithoutRootRights