Allow named to connect to dirsrv by default

add ldapmap1_0 as a krb5_host_rcache_t file
Google chrome developers asked me to add bootstrap policy for nacl stuff
Allow rhev_agentd_t to getattr on mountpoints
postfix_smtpd_t needs access to milters, and postfix_cleanup_t appears to read/write postfix_smtpd_t unix_stream_sockets
Dan Walsh 2011-10-25 09:12:49 -04:00
parent 3dcddab74d
commit 44066bd77a
2 changed files with 114 additions and 39 deletions


@ -4642,13 +4642,16 @@ index 46ea44f..f7183ef 100644
# Handle nfs home dirs # Handle nfs home dirs
diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
new file mode 100644 new file mode 100644
index 0000000..1f468aa index 0000000..4401c36
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/chrome.fc +++ b/policy/modules/apps/chrome.fc
@@ -0,0 +1,3 @@ @@ -0,0 +1,6 @@
+ /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+ +
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_bootstrap_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_bootstrap_exec_t,s0)
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
new file mode 100644 new file mode 100644
index 0000000..bacc639 index 0000000..bacc639
@ -4784,10 +4787,10 @@ index 0000000..bacc639
+') +')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644 new file mode 100644
index 0000000..df2b2a9 index 0000000..e4b3381
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/chrome.te +++ b/policy/modules/apps/chrome.te
@@ -0,0 +1,125 @@ @@ -0,0 +1,152 @@
+policy_module(chrome,1.0.0) +policy_module(chrome,1.0.0)
+ +
+######################################## +########################################
@ -4807,6 +4810,13 @@ index 0000000..df2b2a9
+files_tmpfs_file(chrome_sandbox_tmpfs_t) +files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t) +ubac_constrained(chrome_sandbox_tmpfs_t)
+ +
+type chrome_sandbox_bootstrap_t;
+type chrome_sandbox_bootstrap_exec_t;
+application_domain(chrome_sandbox_bootstrap_t, chrome_sandbox_bootstrap_exec_t)
+role system_r types chrome_sandbox_bootstrap_t;
+
+permissive chrome_sandbox_bootstrap_t;
+
+######################################## +########################################
+# +#
+# chrome_sandbox local policy +# chrome_sandbox local policy
@ -4819,6 +4829,7 @@ index 0000000..df2b2a9
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms; +allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms; +allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+ +
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
@ -4913,6 +4924,25 @@ index 0000000..df2b2a9
+optional_policy(` +optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t) + sandbox_use_ptys(chrome_sandbox_t)
+') +')
+
+
+########################################
+#
+# chrome_sandbox_bootstrap local policy
+#
+
+allow chrome_sandbox_bootstrap_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_bootstrap_t self:unix_stream_socket create_stream_socket_perms;
+domain_use_interactive_fds(chrome_sandbox_bootstrap_t)
+allow chrome_sandbox_t chrome_sandbox_bootstrap_t:process share;
+
+dontaudit chrome_sandbox_bootstrap_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_bootstrap_exec_t, chrome_sandbox_bootstrap_t)
+
+files_read_etc_files(chrome_sandbox_bootstrap_t)
+
+miscfiles_read_localization(chrome_sandbox_bootstrap_t)
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
index 37475dd..7db4a01 100644 index 37475dd..7db4a01 100644
--- a/policy/modules/apps/cpufreqselector.te --- a/policy/modules/apps/cpufreqselector.te
@ -23022,7 +23052,7 @@ index 1bd5812..0d7d8d1 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
index 0b827c5..46e3aa9 100644 index 0b827c5..6b739e6 100644
--- a/policy/modules/services/abrt.if --- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',` @@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@ -23043,7 +23073,7 @@ index 0b827c5..46e3aa9 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -169,7 +169,45 @@ interface(`abrt_run_helper',` @@ -169,12 +169,51 @@ interface(`abrt_run_helper',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -23090,7 +23120,13 @@ index 0b827c5..46e3aa9 100644
gen_require(` gen_require(`
type abrt_var_cache_t; type abrt_var_cache_t;
') ')
@@ -253,6 +291,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
')
####################################
@@ -253,6 +292,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
') ')
@ -23115,7 +23151,7 @@ index 0b827c5..46e3aa9 100644
##################################### #####################################
## <summary> ## <summary>
## All of the rules required to administrate ## All of the rules required to administrate
@@ -286,18 +342,116 @@ interface(`abrt_admin',` @@ -286,18 +343,116 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r; role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r; allow $2 system_r;
@ -26497,7 +26533,7 @@ index 44a1e3d..7802b7b 100644
+ named_systemctl($1) + named_systemctl($1)
') ')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 4deca04..8d81308 100644 index 4deca04..fc86505 100644
--- a/policy/modules/services/bind.te --- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0) @@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
@ -26571,7 +26607,18 @@ index 4deca04..8d81308 100644
tunable_policy(`named_write_master_zones',` tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t) manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t) manage_files_pattern(named_t, named_zone_t, named_zone_t)
@@ -198,18 +214,18 @@ allow ndc_t self:process { fork signal_perms }; @@ -154,6 +170,10 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
+ dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
init_dbus_chat_script(named_t)
sysnet_dbus_chat_dhcpc(named_t)
@@ -198,18 +218,18 @@ allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms; allow ndc_t self:tcp_socket create_socket_perms;
@ -26593,7 +26640,7 @@ index 4deca04..8d81308 100644
kernel_read_kernel_sysctls(ndc_t) kernel_read_kernel_sysctls(ndc_t)
corenet_all_recvfrom_unlabeled(ndc_t) corenet_all_recvfrom_unlabeled(ndc_t)
@@ -228,6 +244,8 @@ files_search_pids(ndc_t) @@ -228,6 +248,8 @@ files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t) fs_getattr_xattr_fs(ndc_t)
@ -26602,7 +26649,7 @@ index 4deca04..8d81308 100644
init_use_fds(ndc_t) init_use_fds(ndc_t)
init_use_script_ptys(ndc_t) init_use_script_ptys(ndc_t)
@@ -235,24 +253,13 @@ logging_send_syslog_msg(ndc_t) @@ -235,24 +257,13 @@ logging_send_syslog_msg(ndc_t)
miscfiles_read_localization(ndc_t) miscfiles_read_localization(ndc_t)
@ -40010,7 +40057,7 @@ index da2127e..a666df2 100644
+ +
+sysnet_read_config(jabberd_domain) +sysnet_read_config(jabberd_domain)
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
index 3525d24..e065744 100644 index 3525d24..033de90 100644
--- a/policy/modules/services/kerberos.fc --- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc
@@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) @@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
@ -40022,7 +40069,7 @@ index 3525d24..e065744 100644
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
@@ -30,4 +30,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) @@ -30,4 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
@ -40030,8 +40077,9 @@ index 3525d24..e065744 100644
+ +
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 604f67b..e515121 100644 index 604f67b..1b608a7 100644
--- a/policy/modules/services/kerberos.if --- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@ @@ -26,9 +26,9 @@
@ -40162,7 +40210,7 @@ index 604f67b..e515121 100644
') ')
allow $1 kadmind_t:process { ptrace signal_perms }; allow $1 kadmind_t:process { ptrace signal_perms };
@@ -378,3 +375,108 @@ interface(`kerberos_admin',` @@ -378,3 +375,109 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t) admin_pattern($1, krb5kdc_var_run_t)
') ')
@ -40270,6 +40318,7 @@ index 604f67b..e515121 100644
+ +
+ kerberos_tmp_filetrans_host_rcache($1, "host_0") + kerberos_tmp_filetrans_host_rcache($1, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
+') +')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 8edc29b..92dde2c 100644 index 8edc29b..92dde2c 100644
@ -49319,7 +49368,7 @@ index 46bee12..c22af86 100644
+ role $2 types postfix_postdrop_t; + role $2 types postfix_postdrop_t;
+') +')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index a32c4b3..318ef45 100644 index a32c4b3..3a59bac 100644
--- a/policy/modules/services/postfix.te --- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@ -49466,7 +49515,14 @@ index a32c4b3..318ef45 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
@@ -249,6 +274,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) @@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
@ -49477,7 +49533,7 @@ index a32c4b3..318ef45 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t) corecmd_exec_bin(postfix_cleanup_t)
@@ -264,8 +293,8 @@ optional_policy(` @@ -264,8 +294,8 @@ optional_policy(`
# Postfix local local policy # Postfix local local policy
# #
@ -49487,7 +49543,7 @@ index a32c4b3..318ef45 100644
# connect to master process # connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post @@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it? # for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@ -49496,7 +49552,7 @@ index a32c4b3..318ef45 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms; allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t) corecmd_exec_shell(postfix_local_t)
@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t) @@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t) mta_delete_spool(postfix_local_t)
# For reading spamassasin # For reading spamassasin
mta_read_config(postfix_local_t) mta_read_config(postfix_local_t)
@ -49515,7 +49571,7 @@ index a32c4b3..318ef45 100644
optional_policy(` optional_policy(`
clamav_search_lib(postfix_local_t) clamav_search_lib(postfix_local_t)
@@ -297,6 +333,10 @@ optional_policy(` @@ -297,6 +334,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -49526,7 +49582,7 @@ index a32c4b3..318ef45 100644
# for postalias # for postalias
mailman_manage_data_files(postfix_local_t) mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t) mailman_append_log(postfix_local_t)
@@ -304,9 +344,22 @@ optional_policy(` @@ -304,9 +345,22 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -49549,7 +49605,7 @@ index a32c4b3..318ef45 100644
######################################## ########################################
# #
# Postfix map local policy # Postfix map local policy
@@ -372,6 +425,7 @@ optional_policy(` @@ -372,6 +426,7 @@ optional_policy(`
# Postfix pickup local policy # Postfix pickup local policy
# #
@ -49557,7 +49613,7 @@ index a32c4b3..318ef45 100644
allow postfix_pickup_t self:tcp_socket create_socket_perms; allow postfix_pickup_t self:tcp_socket create_socket_perms;
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
@@ -379,19 +433,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p @@ -379,19 +434,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@ -49585,7 +49641,7 @@ index a32c4b3..318ef45 100644
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@ -49594,7 +49650,7 @@ index a32c4b3..318ef45 100644
optional_policy(` optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t) dovecot_domtrans_deliver(postfix_pipe_t)
') ')
@@ -420,6 +483,7 @@ optional_policy(` @@ -420,6 +484,7 @@ optional_policy(`
optional_policy(` optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t) spamassassin_domtrans_client(postfix_pipe_t)
@ -49602,7 +49658,7 @@ index a32c4b3..318ef45 100644
') ')
optional_policy(` optional_policy(`
@@ -436,11 +500,17 @@ allow postfix_postdrop_t self:capability sys_resource; @@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms; allow postfix_postdrop_t self:udp_socket create_socket_perms;
@ -49620,7 +49676,7 @@ index a32c4b3..318ef45 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
@@ -487,8 +557,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t @@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access! # to write the mailq output, it really should not need read access!
@ -49631,7 +49687,7 @@ index a32c4b3..318ef45 100644
init_sigchld_script(postfix_postqueue_t) init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t)
@@ -507,6 +577,8 @@ optional_policy(` @@ -507,6 +578,8 @@ optional_policy(`
# Postfix qmgr local policy # Postfix qmgr local policy
# #
@ -49640,7 +49696,7 @@ index a32c4b3..318ef45 100644
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) @@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@ -49653,7 +49709,7 @@ index a32c4b3..318ef45 100644
corecmd_exec_bin(postfix_qmgr_t) corecmd_exec_bin(postfix_qmgr_t)
@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t) @@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@ -49664,7 +49720,7 @@ index a32c4b3..318ef45 100644
# to write the mailq output, it really should not need read access! # to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t) term_use_all_ptys(postfix_showq_t)
@@ -565,6 +643,14 @@ optional_policy(` @@ -565,6 +644,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -49679,7 +49735,7 @@ index a32c4b3..318ef45 100644
milter_stream_connect_all(postfix_smtp_t) milter_stream_connect_all(postfix_smtp_t)
') ')
@@ -588,10 +674,16 @@ corecmd_exec_bin(postfix_smtpd_t) @@ -588,10 +675,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates # for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t) files_read_usr_files(postfix_smtpd_t)
@ -49696,7 +49752,18 @@ index a32c4b3..318ef45 100644
') ')
optional_policy(` optional_policy(`
@@ -611,8 +703,8 @@ optional_policy(` @@ -599,6 +692,10 @@ optional_policy(`
')
optional_policy(`
+ milter_stream_connect_all(postfix_smtpd_t)
+')
+
+optional_policy(`
postgrey_stream_connect(postfix_smtpd_t)
')
@@ -611,8 +708,8 @@ optional_policy(`
# Postfix virtual local policy # Postfix virtual local policy
# #
@ -49706,7 +49773,7 @@ index a32c4b3..318ef45 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms; allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
@@ -630,3 +722,8 @@ mta_delete_spool(postfix_virtual_t) @@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin # For reading spamassasin
mta_read_config(postfix_virtual_t) mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t) mta_manage_spool(postfix_virtual_t)
@ -53413,10 +53480,10 @@ index 0000000..bf11e25
+') +')
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644 new file mode 100644
index 0000000..23ba402 index 0000000..1ec5e7c
--- /dev/null --- /dev/null
+++ b/policy/modules/services/rhev.te +++ b/policy/modules/services/rhev.te
@@ -0,0 +1,82 @@ @@ -0,0 +1,83 @@
+policy_module(rhev,1.0) +policy_module(rhev,1.0)
+ +
+######################################## +########################################
@ -53466,6 +53533,7 @@ index 0000000..23ba402
+ +
+term_use_virtio_console(rhev_agentd_t) +term_use_virtio_console(rhev_agentd_t)
+ +
+files_getattr_all_mountpoints(rhev_agentd_t)
+files_read_usr_files(rhev_agentd_t) +files_read_usr_files(rhev_agentd_t)
+ +
+auth_use_nsswitch(rhev_agentd_t) +auth_use_nsswitch(rhev_agentd_t)
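Review bot: `permissive chrome_sandbox_bootstrap_t;` in the new chrome.te type block (hunk -4807) leaves the nacl bootstrap domain unenforced, so every access it makes is allowed and merely logged, even though the local-policy section below (hunk -4913) reads like a confined domain; if this is a bring-up measure it should be marked for removal, e.g. `# TODO: drop permissive once chrome_sandbox_bootstrap_t denials are collected and resolved` above the line. In the same block, `role system_r types chrome_sandbox_bootstrap_t;` authorizes only system_r, while `domtrans_pattern(chrome_sandbox_t, chrome_sandbox_bootstrap_exec_t, chrome_sandbox_bootstrap_t)` starts from chrome_sandbox_t, which is presumably run under user roles; unless the chrome role interface also grants those roles the bootstrap type, the transition would be refused as an invalid context, which a per-domain permissive declaration does not obviously cover. The chrome.if hunk (-4784) shows only its closing `')`, so that cannot be confirmed from this page. The pair of `dontaudit ... self:memprotect mmap_zero` lines only silence the denial; a one-line comment naming the nacl zero-page mapping as the reason would keep a later reader from mistaking them for an allow.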


@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.10.0 Version: 3.10.0
Release: 47.1%{?dist} Release: 48%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -480,6 +480,13 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Mon Oct 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-48
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
* Mon Oct 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-47 * Mon Oct 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports - Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label - Make sure if an admin creates modules content it creates them with the correct label