* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193

- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
- Allow ipa_dnskey_t search httpd config files.
- Dontaudit certmonger to write to etc_runtime_t
- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
- Add interface ipa_delete_tmp()
- Allow systemd_hostnamed_t to read /proc/sysinfo labeled as sysctl_t.
- Allow systemd to remove ipa temp files during uninstalling ipa. BZ(1333106)
Lukas Vrabec 2016-05-30 22:14:40 +02:00
parent 3289d158c4
commit 2506c08574
4 changed files with 342 additions and 219 deletions

Binary file not shown.

File diff suppressed because it is too large Load Diff


@ -12236,7 +12236,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t) admin_pattern($1, certmonger_var_run_t)
') ')
diff --git a/certmonger.te b/certmonger.te diff --git a/certmonger.te b/certmonger.te
index 550b287..943af3b 100644 index 550b287..ea704c2 100644
--- a/certmonger.te --- a/certmonger.te
+++ b/certmonger.te +++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@ -12273,7 +12273,7 @@ index 550b287..943af3b 100644
corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_unlabeled(certmonger_t)
corenet_all_recvfrom_netlabel(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t)
@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) @@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t)
@ -12297,10 +12297,11 @@ index 550b287..943af3b 100644
-files_read_usr_files(certmonger_t) -files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t) files_list_tmp(certmonger_t)
+files_list_home(certmonger_t) +files_list_home(certmonger_t)
+files_dontaudit_write_etc_runtime_files(certmonger_t)
fs_search_cgroup_dirs(certmonger_t) fs_search_cgroup_dirs(certmonger_t)
@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t) @@ -68,18 +83,21 @@ auth_rw_cache(certmonger_t)
init_getattr_all_script_files(certmonger_t) init_getattr_all_script_files(certmonger_t)
@ -12325,7 +12326,7 @@ index 550b287..943af3b 100644
') ')
optional_policy(` optional_policy(`
@@ -92,11 +109,58 @@ optional_policy(` @@ -92,11 +110,58 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -25086,10 +25087,10 @@ index 0000000..b214253
+') +')
diff --git a/dirsrv.te b/dirsrv.te diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644 new file mode 100644
index 0000000..73d1b46 index 0000000..aa290b1
--- /dev/null --- /dev/null
+++ b/dirsrv.te +++ b/dirsrv.te
@@ -0,0 +1,196 @@ @@ -0,0 +1,200 @@
+policy_module(dirsrv,1.0.0) +policy_module(dirsrv,1.0.0)
+ +
+######################################## +########################################
@ -25243,6 +25244,10 @@ index 0000000..73d1b46
+ uuidd_stream_connect_manager(dirsrv_t) + uuidd_stream_connect_manager(dirsrv_t)
+') +')
+ +
+optional_policy(`
+ systemd_manage_passwd_run(dirsrv_t)
+')
+
+######################################## +########################################
+# +#
+# dirsrv-snmp local policy +# dirsrv-snmp local policy
@ -29623,7 +29628,7 @@ index 4498143..84a4858 100644
ftp_run_ftpdctl($1, $2) ftp_run_ftpdctl($1, $2)
') ')
diff --git a/ftp.te b/ftp.te diff --git a/ftp.te b/ftp.te
index 36838c2..2812a63 100644 index 36838c2..0a8b621 100644
--- a/ftp.te --- a/ftp.te
+++ b/ftp.te +++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@ -29669,10 +29674,12 @@ index 36838c2..2812a63 100644
## <desc> ## <desc>
## <p> ## <p>
@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false) @@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false)
## </desc>
gen_tunable(ftpd_connect_all_unreserved, false)
## <desc> -## <desc>
## <p> -## <p>
-## Determine whether ftpd can read and write -## Determine whether ftpd can read and write
-## files in user home directories. -## files in user home directories.
-## </p> -## </p>
@ -29681,10 +29688,43 @@ index 36838c2..2812a63 100644
- -
-## <desc> -## <desc>
-## <p> -## <p>
## Determine whether sftpd can modify -## Determine whether sftpd can modify
## public files used for public file -## public files used for public file
## transfer services. Directories/Files must -## transfer services. Directories/Files must
@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t) -## be labeled public_content_rw_t.
-## </p>
-## </desc>
-gen_tunable(sftpd_anon_write, false)
-
-## <desc>
-## <p>
-## Determine whether sftpd-can read and write
-## files in user home directories.
-## </p>
-## </desc>
-gen_tunable(sftpd_enable_homedirs, false)
-
-## <desc>
-## <p>
-## Determine whether sftpd-can login to
-## local users and read and write all
-## files on the system, governed by DAC.
-## </p>
-## </desc>
-gen_tunable(sftpd_full_access, false)
-
-## <desc>
-## <p>
-## Determine whether sftpd can read and write
-## files in user ssh home directories.
-## </p>
-## </desc>
-gen_tunable(sftpd_write_ssh_home, false)
-
attribute_role ftpdctl_roles;
type anon_sftpd_t;
@@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t; type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t) init_script_file(ftpd_initrc_exec_t)
@ -29694,7 +29734,7 @@ index 36838c2..2812a63 100644
type ftpd_keytab_t; type ftpd_keytab_t;
files_type(ftpd_keytab_t) files_type(ftpd_keytab_t)
@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; @@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file) files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@ -29704,7 +29744,7 @@ index 36838c2..2812a63 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) @@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
@ -29731,7 +29771,7 @@ index 36838c2..2812a63 100644
corenet_all_recvfrom_netlabel(ftpd_t) corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t)
@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) @@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t)
@ -29745,7 +29785,7 @@ index 36838c2..2812a63 100644
files_read_etc_runtime_files(ftpd_t) files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t) files_search_var_lib(ftpd_t)
@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t) @@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t) logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t) logging_set_loginuid(ftpd_t)
@ -29753,7 +29793,7 @@ index 36838c2..2812a63 100644
miscfiles_read_public_files(ftpd_t) miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t) seutil_dontaudit_search_config(ftpd_t)
@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t) @@ -259,32 +228,50 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t)
@ -29811,7 +29851,7 @@ index 36838c2..2812a63 100644
') ')
tunable_policy(`ftpd_use_passive_mode',` tunable_policy(`ftpd_use_passive_mode',`
@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',` @@ -304,44 +291,24 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t)
@ -29861,7 +29901,7 @@ index 36838c2..2812a63 100644
corecmd_exec_shell(ftpd_t) corecmd_exec_shell(ftpd_t)
files_read_usr_files(ftpd_t) files_read_usr_files(ftpd_t)
@@ -363,9 +365,8 @@ optional_policy(` @@ -363,9 +330,8 @@ optional_policy(`
optional_policy(` optional_policy(`
selinux_validate_context(ftpd_t) selinux_validate_context(ftpd_t)
@ -29872,7 +29912,7 @@ index 36838c2..2812a63 100644
kerberos_use(ftpd_t) kerberos_use(ftpd_t)
') ')
@@ -416,21 +417,20 @@ optional_policy(` @@ -416,86 +382,39 @@ optional_policy(`
# #
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -29893,10 +29933,15 @@ index 36838c2..2812a63 100644
# #
-files_read_etc_files(anon_sftpd_t) -files_read_etc_files(anon_sftpd_t)
-
miscfiles_read_public_files(anon_sftpd_t) miscfiles_read_public_files(anon_sftpd_t)
@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',` -tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(anon_sftpd_t)
-')
-
########################################
#
# Sftpd local policy # Sftpd local policy
# #
@ -29905,26 +29950,12 @@ index 36838c2..2812a63 100644
userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t)
+
+tunable_policy(`sftpd_full_access',` -tunable_policy(`sftpd_enable_homedirs',`
+ allow sftpd_t self:capability { dac_override dac_read_search }; - allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
+ files_manage_non_security_dirs(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
+')
+
+optional_policy(`
+ tunable_policy(`sftpd_write_ssh_home',`
+ ssh_manage_home_files(sftpd_t)
+ ')
+')
+
+userdom_filetrans_home_content(sftpd_t) +userdom_filetrans_home_content(sftpd_t)
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) +userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
tunable_policy(`sftpd_enable_homedirs',`
allow sftpd_t self:capability { dac_override dac_read_search };
userdom_manage_user_home_content_dirs(sftpd_t) userdom_manage_user_home_content_dirs(sftpd_t)
userdom_manage_user_home_content_files(sftpd_t) userdom_manage_user_home_content_files(sftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
@ -29934,22 +29965,35 @@ index 36838c2..2812a63 100644
-',` -',`
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) - userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
') -')
-
-tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
- fs_manage_nfs_dirs(sftpd_t)
- fs_manage_nfs_files(sftpd_t)
- fs_manage_nfs_symlinks(sftpd_t)
-')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',` - fs_manage_cifs_dirs(sftpd_t)
tunable_policy(`sftpd_full_access',` - fs_manage_cifs_files(sftpd_t)
allow sftpd_t self:capability { dac_override dac_read_search }; - fs_manage_cifs_symlinks(sftpd_t)
fs_read_noxattr_fs_files(sftpd_t)
- files_manage_non_auth_files(sftpd_t)
+ files_manage_non_security_files(sftpd_t)
')
-tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
-') -')
+userdom_home_reader(sftpd_t) +userdom_home_reader(sftpd_t)
-tunable_policy(`sftpd_anon_write',`
- miscfiles_manage_public_files(sftpd_t)
-')
-
-tunable_policy(`sftpd_full_access',`
- allow sftpd_t self:capability { dac_override dac_read_search };
- fs_read_noxattr_fs_files(sftpd_t)
- files_manage_non_auth_files(sftpd_t)
-')
-
-tunable_policy(`sftpd_write_ssh_home',`
- ssh_manage_home_files(sftpd_t)
-')
-
-tunable_policy(`use_samba_home_dirs',` -tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(sftpd_t) - fs_list_cifs(sftpd_t)
- fs_read_cifs_files(sftpd_t) - fs_read_cifs_files(sftpd_t)
@ -36215,10 +36259,10 @@ index 0000000..2277038
+') +')
diff --git a/gssproxy.te b/gssproxy.te diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644 new file mode 100644
index 0000000..bbd5979 index 0000000..dc1385d
--- /dev/null --- /dev/null
+++ b/gssproxy.te +++ b/gssproxy.te
@@ -0,0 +1,68 @@ @@ -0,0 +1,70 @@
+policy_module(gssproxy, 1.0.0) +policy_module(gssproxy, 1.0.0)
+ +
+######################################## +########################################
@ -36266,6 +36310,8 @@ index 0000000..bbd5979
+ +
+files_read_etc_files(gssproxy_t) +files_read_etc_files(gssproxy_t)
+ +
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t) +auth_use_nsswitch(gssproxy_t)
+ +
+dev_read_urand(gssproxy_t) +dev_read_urand(gssproxy_t)
@ -38026,10 +38072,10 @@ index 0000000..e1ddda0
+ +
diff --git a/ipa.if b/ipa.if diff --git a/ipa.if b/ipa.if
new file mode 100644 new file mode 100644
index 0000000..904782d index 0000000..ee3a606
--- /dev/null --- /dev/null
+++ b/ipa.if +++ b/ipa.if
@@ -0,0 +1,178 @@ @@ -0,0 +1,197 @@
+## <summary>Policy for IPA services.</summary> +## <summary>Policy for IPA services.</summary>
+ +
+######################################## +########################################
@ -38208,12 +38254,31 @@ index 0000000..904782d
+ +
+ files_pid_filetrans($1, ipa_var_run_t, file, $2) + files_pid_filetrans($1, ipa_var_run_t, file, $2)
+') +')
+
+########################################
+## <summary>
+## Allow domain to manage ipa tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_delete_tmp',`
+ gen_require(`
+ type ipa_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 ipa_tmp_t:file unlink;
+')
diff --git a/ipa.te b/ipa.te diff --git a/ipa.te b/ipa.te
new file mode 100644 new file mode 100644
index 0000000..5fad85e index 0000000..3ca42f7
--- /dev/null --- /dev/null
+++ b/ipa.te +++ b/ipa.te
@@ -0,0 +1,195 @@ @@ -0,0 +1,199 @@
+policy_module(ipa, 1.0.0) +policy_module(ipa, 1.0.0)
+ +
+######################################## +########################################
@ -38393,6 +38458,10 @@ index 0000000..5fad85e
+sysnet_read_config(ipa_dnskey_t) +sysnet_read_config(ipa_dnskey_t)
+ +
+optional_policy(` +optional_policy(`
+ apache_search_config(ipa_dnskey_t)
+')
+
+optional_policy(`
+ bind_domtrans_ndc(ipa_dnskey_t) + bind_domtrans_ndc(ipa_dnskey_t)
+ bind_read_dnssec_keys(ipa_dnskey_t) + bind_read_dnssec_keys(ipa_dnskey_t)
+ bind_manage_zone(ipa_dnskey_t) + bind_manage_zone(ipa_dnskey_t)
@ -63471,10 +63540,10 @@ index 0000000..08d0e79
+/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0) +/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0)
diff --git a/opendnssec.if b/opendnssec.if diff --git a/opendnssec.if b/opendnssec.if
new file mode 100644 new file mode 100644
index 0000000..fb0141d index 0000000..eac3932
--- /dev/null --- /dev/null
+++ b/opendnssec.if +++ b/opendnssec.if
@@ -0,0 +1,206 @@ @@ -0,0 +1,208 @@
+ +
+## <summary>policy for opendnssec</summary> +## <summary>policy for opendnssec</summary>
+ +
@ -63533,6 +63602,7 @@ index 0000000..fb0141d
+ ') + ')
+ +
+ files_search_etc($1) + files_search_etc($1)
+ allow $1 opendnssec_conf_t:dir list_dir_perms;
+ allow $1 opendnssec_conf_t:file read_file_perms; + allow $1 opendnssec_conf_t:file read_file_perms;
+') +')
+ +
@ -63553,6 +63623,7 @@ index 0000000..fb0141d
+ ') + ')
+ +
+ files_search_etc($1) + files_search_etc($1)
+ allow $1 opendnssec_conf_t:dir manage_dir_perms;
+ allow $1 opendnssec_conf_t:file manage_file_perms; + allow $1 opendnssec_conf_t:file manage_file_perms;
+') +')
+ +
@ -96494,7 +96565,7 @@ index cd6c213..372c7bb 100644
+ ') + ')
') ')
diff --git a/sanlock.te b/sanlock.te diff --git a/sanlock.te b/sanlock.te
index 0045465..7afb413 100644 index 0045465..5080a66 100644
--- a/sanlock.te --- a/sanlock.te
+++ b/sanlock.te +++ b/sanlock.te
@@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0) @@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0)
@ -96581,7 +96652,7 @@ index 0045465..7afb413 100644
logging_log_filetrans(sanlock_t, sanlock_log_t, file) logging_log_filetrans(sanlock_t, sanlock_log_t, file)
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
@@ -65,13 +84,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) @@ -65,13 +84,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t) kernel_read_system_state(sanlock_t)
kernel_read_kernel_sysctls(sanlock_t) kernel_read_kernel_sysctls(sanlock_t)
@ -96591,6 +96662,8 @@ index 0045465..7afb413 100644
domain_use_interactive_fds(sanlock_t) domain_use_interactive_fds(sanlock_t)
+files_read_mnt_symlinks(sanlock_t) +files_read_mnt_symlinks(sanlock_t)
+
+fs_rw_cephfs_files(sanlock_t)
+ +
storage_raw_rw_fixed_disk(sanlock_t) storage_raw_rw_fixed_disk(sanlock_t)
@ -96601,7 +96674,7 @@ index 0045465..7afb413 100644
auth_use_nsswitch(sanlock_t) auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t) init_read_utmp(sanlock_t)
@@ -79,20 +101,29 @@ init_dontaudit_write_utmp(sanlock_t) @@ -79,20 +103,29 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t) logging_send_syslog_msg(sanlock_t)
@ -96640,7 +96713,7 @@ index 0045465..7afb413 100644
') ')
optional_policy(` optional_policy(`
@@ -100,7 +131,34 @@ optional_policy(` @@ -100,7 +133,34 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
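Review bot: Two access changes in this patch refresh have no changelog entry: the sanlock.te hunk gains `fs_rw_cephfs_files(sanlock_t)`, and the ftp.te hunks now delete the `sftpd_anon_write`, `sftpd_enable_homedirs`, `sftpd_full_access` and `sftpd_write_ssh_home` booleans together with their tunable_policy blocks. In the Sftpd local policy hunk, `userdom_manage_user_home_content_dirs(sftpd_t)` and `userdom_manage_user_home_content_files(sftpd_t)` stay as context while the sftpd_enable_homedirs opener and its closing line are removed. That suggests sftpd_t's write access to user home content is no longer gated by a boolean, but the page elides lines between hunks, so this should be confirmed against the full ftp.te. Each change should get its own %changelog line, for example `- Allow sanlock to read and write cephfs files` and `- Remove sftpd booleans from ftp policy`, so administrators who rely on those booleans can see that the policy changed.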


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 192%{?dist} Release: 193%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -647,6 +647,17 @@ exit 0
%endif %endif
%changelog %changelog
* Mon May 30 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-193
- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te
- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778)
- Allow ipa_dnskey_t search httpd config files.
- Dontaudit certmonger to write to etc_runtime_t
- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs.
- Add interface ipa_delete_tmp()
- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t.
- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106)
* Wed May 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-192 * Wed May 25 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-192
- Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106) - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106)
- Add SELinux policy for opendnssec service. BZ(1333106) - Add SELinux policy for opendnssec service. BZ(1333106)