- Make unconfined_service_t valid in enforcing

- Remove transition for temp dirs created by init_t - gdm-simple-slave uses use setsockopt - Treat usermodehelper_t as a sysctl_type - xdm communicates with geo - Add lvm_read_metadata() - Allow rabbitmq_beam to connect to jabber_interserver_port - Allow logwatch_mail_t to transition to qmail_inject and queueu - Added new rules to pcp policy - Allow vmtools_helper_t to change role to system_r - Allow NM to dbus chat with vmtools
2014-02-24 20:13:11 +01:00 · 2014-02-24 20:13:11 +01:00 · 3e0039f065
parent 74ec503d1c
commit 3e0039f065
3 changed files with 315 additions and 269 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -2335,10 +2335,10 @@ index aa44abf..16a6342 100644
 	rpm_domtrans(anaconda_t)
 diff --git a/antivirus.fc b/antivirus.fc
 new file mode 100644
-index 0000000..9d5214b
+index 0000000..219f32d
 --- /dev/null
 +++ b/antivirus.fc
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,44 @@
 +/etc/amavis(d)?\.conf			--	gen_context(system_u:object_r:antivirus_conf_t,s0)
 +/etc/amavisd(/.*)?					gen_context(system_u:object_r:antivirus_conf_t,s0)
 +
@ -2350,6 +2350,7 @@ index 0000000..9d5214b
 +
 +/usr/lib/AntiVir/antivir		--	gen_context(system_u:object_r:antivirus_exec_t,s0)
 +
+/usr/sbin/amavi 				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
 +/usr/sbin/amavisd.*				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
 +/usr/bin/clamscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
 +/usr/bin/clamdscan				--	gen_context(system_u:object_r:antivirus_exec_t,s0)
@ -14439,10 +14440,10 @@ index 5b830ec..0647a3b 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/consolekit.te b/consolekit.te
-index bd18063..0957efc 100644
+index bd18063..47c8fd0 100644
 --- a/consolekit.te
 +++ b/consolekit.te
-@@ -19,12 +19,16 @@ type consolekit_var_run_t;
+@@ -19,21 +19,23 @@ type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
 init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
 
@ -14459,16 +14460,19 @@ index bd18063..0957efc 100644
 allow consolekit_t self:process { getsched signal };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -33,7 +37,7 @@ create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
- setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ 
+-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
 -logging_log_filetrans(consolekit_t, consolekit_log_t, file)
+manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
 +logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
 
 manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
-@@ -54,38 +58,37 @@ dev_read_sysfs(consolekit_t)
+@@ -54,38 +56,37 @@ dev_read_sysfs(consolekit_t)
 
 domain_read_all_domains_state(consolekit_t)
 domain_use_interactive_fds(consolekit_t)
@ -14517,7 +14521,7 @@ index bd18063..0957efc 100644
 ')
 
 optional_policy(`
-@@ -109,13 +112,6 @@ optional_policy(`
+@@ -109,13 +110,6 @@ optional_policy(`
 	')
 ')
 
@ -14747,7 +14751,7 @@ index c086302..4f33119 100644
 
 /etc/rc\.d/init\.d/couchdb	--	gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
 diff --git a/couchdb.if b/couchdb.if
-index 715a826..36d5a7d 100644
+index 715a826..3f0c0dc 100644
 --- a/couchdb.if
 +++ b/couchdb.if
@@ -2,7 +2,7 @@
@ -14848,7 +14852,7 @@ index 715a826..36d5a7d 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -73,19 +112,85 @@ interface(`couchdb_read_pid_files',`
+@@ -73,19 +112,87 @@ interface(`couchdb_read_pid_files',`
 	')
 
 	files_search_pids($1)
@ -14890,11 +14894,13 @@ index 715a826..36d5a7d 100644
 +                type couchdb_var_run_t;
 +                type couchdb_log_t;
 +                type couchdb_var_lib_t;
+                type couchdb_conf_t;
 +        ')
 +
 +    manage_files_pattern($1, couchdb_log_t, couchdb_log_t)
 +    manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
 +    manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+    manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
 ')
 
 ########################################
@ -14938,7 +14944,7 @@ index 715a826..36d5a7d 100644
 ## <param name="role">
 ##	<summary>
 ##	Role allowed access.
-@@ -95,14 +200,19 @@ interface(`couchdb_read_pid_files',`
+@@ -95,14 +202,19 @@ interface(`couchdb_read_pid_files',`
 #
 interface(`couchdb_admin',`
 	gen_require(`
@ -14959,7 +14965,7 @@ index 715a826..36d5a7d 100644
 	init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -122,4 +232,13 @@ interface(`couchdb_admin',`
+@@ -122,4 +234,13 @@ interface(`couchdb_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, couchdb_var_run_t)
@ -31415,7 +31421,7 @@ index 180f1b7..3c8757e 100644
 +	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
 +')
 diff --git a/gpg.te b/gpg.te
-index 0e97e82..0a158ad 100644
+index 0e97e82..695e8fa 100644
 --- a/gpg.te
 +++ b/gpg.te
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
@ -31488,7 +31494,7 @@ index 0e97e82..0a158ad 100644
 +allow gpgdomain self:process { getsched setsched };
 +#at setrlimit is for ulimit -c 0
 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
-+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
+dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
 +
 +allow gpgdomain self:fifo_file rw_fifo_file_perms;
 +allow gpgdomain self:tcp_socket create_stream_socket_perms;
@ -39059,7 +39065,7 @@ index be0ab84..1859690 100644
 logging_read_all_logs(logrotate_mail_t)
 +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
 diff --git a/logwatch.te b/logwatch.te
-index ab65034..ed34956 100644
+index ab65034..c76dbda 100644
 --- a/logwatch.te
 +++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
@ -39144,7 +39150,7 @@ index ab65034..ed34956 100644
 	rpc_search_nfs_state_data(logwatch_t)
 ')
 
-@@ -187,6 +192,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +192,17 @@ dev_read_sysfs(logwatch_mail_t)
 
 logging_read_all_logs(logwatch_mail_t)
 
@ -39157,6 +39163,11 @@ index ab65034..ed34956 100644
 +optional_policy(`
 +	courier_stream_connect_authdaemon(logwatch_mail_t)
 +')
+
+optional_policy(`
+	qmail_domtrans_inject(logwatch_mail_t)
+	qmail_domtrans_queue(logwatch_mail_t)
+')
 diff --git a/lpd.fc b/lpd.fc
 index 2fb9b2e..08974e3 100644
 --- a/lpd.fc
@ -58980,10 +58991,10 @@ index 0000000..ba24b40
 +
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..d21c5d7
+index 0000000..3bd4aa3
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,196 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@ -59090,6 +59101,7 @@ index 0000000..d21c5d7
 +fs_getattr_all_fs(pcp_pmcd_t)
 +fs_getattr_all_dirs(pcp_pmcd_t)
 +fs_list_cgroup_dirs(pcp_pmcd_t)
+fs_read_cgroup_files(pcp_pmcd_t)
 +
 +logging_send_syslog_msg(pcp_pmcd_t)
 +
@ -59158,11 +59170,14 @@ index 0000000..d21c5d7
 +#
 +
 +allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
 +
 +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
 +
 +corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
 +
+logging_send_syslog_msg(pcp_pmie_t)
+
 +########################################
 +#
 +# pcp_pmlogger local  policy
@ -72386,7 +72401,7 @@ index 2c3d338..cf3e5ad 100644
 
 ########################################
 diff --git a/rabbitmq.te b/rabbitmq.te
-index dc3b0ed..0d48e31 100644
+index dc3b0ed..c77c09c 100644
 --- a/rabbitmq.te
 +++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@ -72429,7 +72444,7 @@ index dc3b0ed..0d48e31 100644
 can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
 
 domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -55,51 +64,67 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
+@@ -55,51 +64,63 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
 corecmd_exec_bin(rabbitmq_beam_t)
 corecmd_exec_shell(rabbitmq_beam_t)
 
@ -72443,25 +72458,28 @@ index dc3b0ed..0d48e31 100644
 +corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
 
 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
- corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-+corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
- corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
 
 corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
+corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
+corenet_tcp_connect_amqp_port(rabbitmq_beam_t)
+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
 corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
+corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t)
 corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
 
 -corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
- corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
+-corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
 -corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
+domain_read_all_domains_state(rabbitmq_beam_t)
 
 -dev_read_sysfs(rabbitmq_beam_t)
 -dev_read_urand(rabbitmq_beam_t)
-+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
-+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
-+
-+domain_read_all_domains_state(rabbitmq_beam_t)
-+
 +files_getattr_all_mountpoints(rabbitmq_beam_t)
 
 fs_getattr_all_fs(rabbitmq_beam_t)
@ -72470,8 +72488,6 @@ index dc3b0ed..0d48e31 100644
 fs_search_cgroup_dirs(rabbitmq_beam_t)
 
 -files_read_etc_files(rabbitmq_beam_t)
-+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
-+
 +dev_read_sysfs(rabbitmq_beam_t)
 +dev_read_urand(rabbitmq_beam_t)
 
@ -72493,8 +72509,6 @@ index dc3b0ed..0d48e31 100644
 +
 +optional_policy(`
 +    couchdb_manage_files(rabbitmq_beam_t)
-+    couchdb_manage_lib_files(rabbitmq_beam_t)
-+    couchdb_read_conf_files(rabbitmq_beam_t)
 +')
 +
 +optional_policy(`
@ -72510,7 +72524,7 @@ index dc3b0ed..0d48e31 100644
 allow rabbitmq_epmd_t self:process signal;
 allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
 allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -107,6 +132,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
+@@ -107,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
 
 allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
 
@ -72519,7 +72533,7 @@ index dc3b0ed..0d48e31 100644
 corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
 corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
 corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-@@ -117,8 +144,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -117,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
 corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
 corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
 
@ -101472,10 +101486,10 @@ index 0000000..7933d80
 +')
 diff --git a/vmtools.te b/vmtools.te
 new file mode 100644
-index 0000000..c47cb0e
+index 0000000..ab589a9
 --- /dev/null
 +++ b/vmtools.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,87 @@
 +policy_module(vmtools, 1.0.0)
 +
 +########################################
@ -101495,6 +101509,7 @@ index 0000000..c47cb0e
 +type vmtools_helper_t;
 +type vmtools_helper_exec_t;
 +application_domain(vmtools_helper_t, vmtools_helper_exec_t)
+domain_system_change_exemption(vmtools_helper_t)
 +role vmtools_helper_roles types vmtools_helper_t;
 +
 +type vmtools_unit_file_t;
@ -101546,6 +101561,10 @@ index 0000000..c47cb0e
 +xserver_stream_connect(vmtools_t)
 +
 +optional_policy(`
+    networkmanager_dbus_chat(vmtools_t)
+')
+
+optional_policy(`
 +    unconfined_domain(vmtools_t)
 +')
 +
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -580,6 +580,19 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Feb 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-27
+- Make unconfined_service_t valid in enforcing
+- Remove transition for temp dirs created by init_t
+- gdm-simple-slave uses use setsockopt
+- Treat usermodehelper_t as a sysctl_type
+- xdm communicates with geo
+- Add lvm_read_metadata()
+- Allow rabbitmq_beam to connect to jabber_interserver_port
+- Allow logwatch_mail_t to transition to qmail_inject and queueu
+- Added new rules to pcp policy
+- Allow vmtools_helper_t to change role to system_r
+- Allow NM to dbus chat with vmtools
+
 * Fri Feb 21 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-26
 - Add labeling for /usr/sbin/amavi
 - Colin asked for this program to be treated as cloud-init