* Fri Nov 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-93

- Allow bumblebee to use nsswitch. BZ(1155339) - Allow openvpn to stream connect to networkmanager. BZ(1164182) - Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS. - Allow cpuplug rw virtual memory sysctl. BZ (1077831) - Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
2014-11-14 16:06:50 +01:00 · 2014-11-14 16:06:50 +01:00 · 24d43eb10d
commit 24d43eb10d
parent b6161d4177
2 changed files with 66 additions and 41 deletions
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -10820,7 +10820,7 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..cccf2f7
+index 0000000..23a4606
 --- /dev/null
 +++ b/bumblebee.te
@@ -0,0 +1,61 @@
@ -10867,7 +10867,7 @@ index 0000000..cccf2f7
 +
 +dev_read_sysfs(bumblebee_t)
 +
-+auth_read_passwd(bumblebee_t)
+auth_use_nsswitch(bumblebee_t)
 +
 +logging_send_syslog_msg(bumblebee_t)
 +
@ -16738,10 +16738,10 @@ index 0000000..c68d1d3
 +')
 diff --git a/cpuplug.te b/cpuplug.te
 new file mode 100644
-index 0000000..11361fc
+index 0000000..074f3e0
 --- /dev/null
 +++ b/cpuplug.te
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,40 @@
 +policy_module(cpuplug, 1.0.0)
 +
 +########################################
@ -16776,6 +16776,7 @@ index 0000000..11361fc
 +files_pid_filetrans(cpuplug_t, cpuplug_var_run_t, { file })
 +
 +kernel_read_system_state(cpuplug_t)
 +kernel_rw_vm_sysctls(cpuplug_t)
 +
 +dev_rw_sysfs(cpuplug_t)
 +
@ -25061,7 +25062,7 @@ index 0000000..2a614ed
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..a1ed007
+index 0000000..17a2829
 --- /dev/null
 +++ b/docker.te
@@ -0,0 +1,285 @@
@ -25269,7 +25270,7 @@ index 0000000..a1ed007
 +dev_getattr_sysfs_fs(docker_t)
 +dev_read_urand(docker_t)
 +dev_read_lvm_control(docker_t)
-+dev_read_sysfs(docker_t)
+dev_rw_sysfs(docker_t)
 +dev_rw_loop_control(docker_t)
 +dev_rw_lvm_control(docker_t)
 +
@ -61914,7 +61915,7 @@ index 6837e9a..21e6dae 100644
 	domain_system_change_exemption($1)
 	role_transition $2 openvpn_initrc_exec_t system_r;
 diff --git a/openvpn.te b/openvpn.te
-index 63957a3..e059df5 100644
+index 63957a3..3eb9dc1 100644
 --- a/openvpn.te
 +++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@ -62050,8 +62051,11 @@ index 63957a3..e059df5 100644
 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
 ')
-@@ -175,3 +203,27 @@ optional_policy(`
+@@ -173,5 +201,30 @@ optional_policy(`
 	optional_policy(`
 		networkmanager_dbus_chat(openvpn_t)
 +        networkmanager_stream_connect(openvpn_t)
 	')
 ')
 +
@ -88291,7 +88295,7 @@ index 50d07fb..bada62f 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
 ')
 diff --git a/samba.te b/samba.te
-index 2b7c441..fdfd40f 100644
+index 2b7c441..3fb8192 100644
 --- a/samba.te
 +++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@ -88863,7 +88867,21 @@ index 2b7c441..fdfd40f 100644
 ')
 optional_policy(`
-@@ -479,6 +484,11 @@ optional_policy(`
+@@ -474,11 +479,25 @@ optional_policy(`
 ')
 optional_policy(`
 +    dbus_system_bus_client(smbd_t)
 +
 +    optional_policy(`
 +        oddjob_dbus_chat(smbd_t)
 +        oddjob_domtrans_mkhomedir(smbd_t)
 +    ')
 +')
 +
 +optional_policy(`
 	kerberos_read_keytab(smbd_t)
 	kerberos_use(smbd_t)
 ')
 optional_policy(`
@ -88875,7 +88893,7 @@ index 2b7c441..fdfd40f 100644
 	lpd_exec_lpr(smbd_t)
 ')
-@@ -488,6 +498,10 @@ optional_policy(`
+@@ -488,6 +507,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -88886,7 +88904,7 @@ index 2b7c441..fdfd40f 100644
 	rpc_search_nfs_state_data(smbd_t)
 ')
-@@ -499,9 +513,44 @@ optional_policy(`
+@@ -499,9 +522,44 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
@ -88932,7 +88950,7 @@ index 2b7c441..fdfd40f 100644
 #
 dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +561,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +570,11 @@ allow nmbd_t self:msg { send receive };
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
@ -88947,7 +88965,7 @@ index 2b7c441..fdfd40f 100644
 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
 manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +577,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +586,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -88971,7 +88989,7 @@ index 2b7c441..fdfd40f 100644
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +593,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +602,44 @@ kernel_read_kernel_sysctls(nmbd_t)
 kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
@ -89022,14 +89040,14 @@ index 2b7c441..fdfd40f 100644
 -
 userdom_use_unpriv_users_fds(nmbd_t)
 -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-+userdom_dontaudit_search_user_home_dirs(nmbd_t)
+-
 -tunable_policy(`samba_export_all_ro',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_list_non_auth_dirs(nmbd_t)
 -	files_read_non_auth_files(nmbd_t)
 -')
-
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
 -tunable_policy(`samba_export_all_rw',`
 -	fs_read_noxattr_fs_files(nmbd_t)
 -	files_manage_non_auth_files(nmbd_t)
@ -89040,7 +89058,7 @@ index 2b7c441..fdfd40f 100644
 ')
 optional_policy(`
-@@ -606,16 +643,22 @@ optional_policy(`
+@@ -606,16 +652,22 @@ optional_policy(`
 ########################################
 #
@ -89067,7 +89085,7 @@ index 2b7c441..fdfd40f 100644
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -627,16 +670,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +679,11 @@ domain_use_interactive_fds(smbcontrol_t)
 dev_read_urand(smbcontrol_t)
@ -89085,7 +89103,7 @@ index 2b7c441..fdfd40f 100644
 optional_policy(`
 	ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +682,23 @@ optional_policy(`
+@@ -644,22 +691,23 @@ optional_policy(`
 ########################################
 #
@ -89117,7 +89135,7 @@ index 2b7c441..fdfd40f 100644
 allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +707,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +716,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@ -89153,19 +89171,19 @@ index 2b7c441..fdfd40f 100644
 fs_getattr_cifs(smbmount_t)
 fs_mount_cifs(smbmount_t)
-@@ -699,58 +734,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +743,77 @@ fs_read_cifs_files(smbmount_t)
 storage_raw_read_fixed_disk(smbmount_t)
 storage_raw_write_fixed_disk(smbmount_t)
 -auth_use_nsswitch(smbmount_t)
 +corecmd_list_bin(smbmount_t)
- 
+
 -miscfiles_read_localization(smbmount_t)
 +files_list_mnt(smbmount_t)
 +files_mounton_mnt(smbmount_t)
 +files_manage_etc_runtime_files(smbmount_t)
 +files_etc_filetrans_etc_runtime(smbmount_t, file)
-+
+ 
 -miscfiles_read_localization(smbmount_t)
 +auth_use_nsswitch(smbmount_t)
 -mount_use_fds(smbmount_t)
@ -89205,13 +89223,13 @@ index 2b7c441..fdfd40f 100644
 -allow swat_t { nmbd_t smbd_t }:process { signal signull };
 +samba_domtrans_smbd(swat_t)
 +allow swat_t smbd_t:process { signal signull };
 +
 +samba_domtrans_nmbd(swat_t)
 +allow swat_t nmbd_t:process { signal signull };
 +allow nmbd_t swat_t:process signal;
 -allow swat_t smbd_var_run_t:file read_file_perms;
 -allow swat_t smbd_var_run_t:file { lock delete_file_perms };
 +samba_domtrans_nmbd(swat_t)
 +allow swat_t nmbd_t:process { signal signull };
 +allow nmbd_t swat_t:process signal;
 +
 +read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
 +stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
 +
@ -89245,7 +89263,7 @@ index 2b7c441..fdfd40f 100644
 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
 manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +813,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +822,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
 manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
 files_pid_filetrans(swat_t, swat_var_run_t, file)
@ -89269,7 +89287,7 @@ index 2b7c441..fdfd40f 100644
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -777,36 +827,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +836,25 @@ kernel_read_network_state(swat_t)
 corecmd_search_bin(swat_t)
@ -89312,7 +89330,7 @@ index 2b7c441..fdfd40f 100644
 auth_domtrans_chk_passwd(swat_t)
 auth_use_nsswitch(swat_t)
-@@ -818,10 +857,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +866,11 @@ logging_send_syslog_msg(swat_t)
 logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
@ -89326,7 +89344,7 @@ index 2b7c441..fdfd40f 100644
 optional_policy(`
 	cups_read_rw_config(swat_t)
 	cups_stream_connect(swat_t)
-@@ -840,17 +880,20 @@ optional_policy(`
+@@ -840,17 +889,20 @@ optional_policy(`
 # Winbind local policy
 #
@ -89352,7 +89370,7 @@ index 2b7c441..fdfd40f 100644
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +903,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +912,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
 manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@ -89363,7 +89381,7 @@ index 2b7c441..fdfd40f 100644
 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
 manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,38 +914,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,38 +923,41 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
 rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@ -89416,7 +89434,7 @@ index 2b7c441..fdfd40f 100644
 corenet_tcp_connect_smbd_port(winbind_t)
 corenet_tcp_connect_epmap_port(winbind_t)
 corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +956,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +965,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
 dev_read_sysfs(winbind_t)
 dev_read_urand(winbind_t)
@ -89475,7 +89493,7 @@ index 2b7c441..fdfd40f 100644
 ')
 optional_policy(`
-@@ -959,31 +1017,35 @@ optional_policy(`
+@@ -959,31 +1026,35 @@ optional_policy(`
 # Winbind helper local policy
 #
@ -89518,7 +89536,7 @@ index 2b7c441..fdfd40f 100644
 optional_policy(`
 	apache_append_log(winbind_helper_t)
-@@ -997,25 +1059,38 @@ optional_policy(`
+@@ -997,25 +1068,38 @@ optional_policy(`
 ########################################
 #
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 92%{?dist}
+Release: 93%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -604,7 +604,14 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
-* Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.12.1-92
+* Fri Nov 14 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-93
 - Allow bumblebee to use nsswitch. BZ(1155339)
 - Allow openvpn to stream connect to networkmanager. BZ(1164182)
 - Allow smbd to create HOMEDIRS is pam_oddjob_mkhomedir in MLS.
 - Allow cpuplug rw virtual memory sysctl. BZ (1077831)
 - Docker needs to write to sysfs, needs back port to F20,F21, RHEL7
 * Mon Nov 10 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-92
 - Add kdump_rw_inherited_kdumpctl_tmp_pipes()
 - Added fixes related to linuxptp. BZ (1149693)
 - Label keystone cgi files as keystone_cgi_script_exec_t. BZ(1138424