Sync master with F17
parent
05c3d969d7
commit
4a27edfbeb
@ -1,5 +1,5 @@
|
|||||||
# Turn off the ability for one process to read/modify another processes memory
|
# Turn off the ability for one process to read/modify another processes memory
|
||||||
deny_ptrace = true
|
deny_ptrace = false
|
||||||
|
|
||||||
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
|
||||||
deny_execmem = false
|
deny_execmem = false
|
||||||
@ -11,7 +11,7 @@ allow_execmod = true
|
|||||||
|
|
||||||
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
# Allow making the stack executable via mprotect.Also requires allow_execmem.
|
||||||
#
|
#
|
||||||
allow_execstack = false
|
allow_execstack = true
|
||||||
|
|
||||||
# Allow ftpd to read cifs directories.
|
# Allow ftpd to read cifs directories.
|
||||||
#
|
#
|
||||||
@ -33,6 +33,10 @@ allow_gssd_read_tmp = true
|
|||||||
#
|
#
|
||||||
allow_httpd_anon_write = false
|
allow_httpd_anon_write = false
|
||||||
|
|
||||||
|
# Allow Apache to connect to port 80 for graceful shutdown
|
||||||
|
#
|
||||||
|
httpd_graceful_shutdown = true
|
||||||
|
|
||||||
# Allow Apache to use mod_auth_pam module
|
# Allow Apache to use mod_auth_pam module
|
||||||
#
|
#
|
||||||
allow_httpd_mod_auth_pam = false
|
allow_httpd_mod_auth_pam = false
|
||||||
@ -232,7 +236,9 @@ allow_xserver_execmem = false
|
|||||||
# disallow guest accounts to execute files that they can create
|
# disallow guest accounts to execute files that they can create
|
||||||
#
|
#
|
||||||
allow_guest_exec_content = false
|
allow_guest_exec_content = false
|
||||||
allow_xguest_exec_content = false
|
|
||||||
|
# xguest now requires to execute content in homedir to allow gnome-shell to work# properly.
|
||||||
|
allow_xguest_exec_content = true
|
||||||
|
|
||||||
# Only allow browser to use the web
|
# Only allow browser to use the web
|
||||||
#
|
#
|
||||||
@ -264,7 +270,7 @@ unconfined_mozilla_plugin_transition=true
|
|||||||
|
|
||||||
# Allow unconfined domain to transition to confined domain
|
# Allow unconfined domain to transition to confined domain
|
||||||
#
|
#
|
||||||
unconfined_telepathy_transition=true
|
unconfined_telepathy_transition=false
|
||||||
|
|
||||||
# Allow unconfined domain to transition to chrome_sandbox confined domain
|
# Allow unconfined domain to transition to chrome_sandbox confined domain
|
||||||
#
|
#
|
||||||
|
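Review bot: The two defaults loosened in the first and second hunks, `deny_ptrace = false` and `allow_execstack = true`, carry no comment explaining the change, while the `allow_xguest_exec_content = true` flip in the fourth hunk does get one. Both booleans relax a restriction the file's own comments describe as security-relevant (cross-process memory access, executable stacks), so a later reader cannot tell a deliberate F17 sync from an accidental revert without a rationale next to the value. Add a one-line note above each, e.g. `# Relaxed to match F17 defaults: <reason — fill in from the F17 change>`, and the same for `unconfined_telepathy_transition=false` in the last hunk if that flip was also intentional. The commit title suggests these values track the F17 branch, but nothing on the page records why they were chosen there, and the file this section belongs to is not named on the page.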
BIN
config.tgz
BIN
config.tgz
74659
policy-F16.patch
74659
policy-F16.patch
@ -15,16 +15,15 @@
|
|||||||
%endif
|
%endif
|
||||||
%define POLICYVER 27
|
%define POLICYVER 27
|
||||||
%define POLICYCOREUTILSVER 2.1.9-4
|
%define POLICYCOREUTILSVER 2.1.9-4
|
||||||
%define CHECKPOLICYVER 2.1.7-3
|
%define CHECKPOLICYVER 2.1.9-4
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.10.0
|
Version: 3.10.0
|
||||||
Release: 85%{?dist}
|
Release: 128%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
patch: policy-F16.patch
|
patch: policy-F16.patch
|
||||||
patch1: unconfined_permissive.patch
|
|
||||||
Source1: modules-targeted.conf
|
Source1: modules-targeted.conf
|
||||||
Source2: booleans-targeted.conf
|
Source2: booleans-targeted.conf
|
||||||
Source3: Makefile.devel
|
Source3: Makefile.devel
|
||||||
@ -45,39 +44,46 @@ Source23: users-targeted
|
|||||||
Source25: users-minimum
|
Source25: users-minimum
|
||||||
Source26: file_contexts.subs_dist
|
Source26: file_contexts.subs_dist
|
||||||
Source27: selinux-policy.conf
|
Source27: selinux-policy.conf
|
||||||
|
Source28: permissivedomains.pp
|
||||||
|
|
||||||
Url: http://oss.tresys.com/repos/refpolicy/
|
Url: http://oss.tresys.com/repos/refpolicy/
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
|
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
|
||||||
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-6
|
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-6
|
||||||
Requires(post): /bin/awk /usr/bin/md5sum
|
Requires(post): /bin/awk /usr/bin/sha512sum
|
||||||
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
|
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
|
||||||
Obsoletes: selinux-policy-devel <= %{version}-%{release}
|
|
||||||
Provides: selinux-policy-devel = %{version}-%{release}
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
SELinux Base package
|
SELinux Base package
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%{_mandir}/man*/*
|
|
||||||
# policycoreutils owns these manpage directories, we only own the files within them
|
|
||||||
%{_mandir}/ru/*/*
|
|
||||||
%dir %{_usr}/share/selinux
|
%dir %{_usr}/share/selinux
|
||||||
%dir %{_usr}/share/selinux/devel
|
|
||||||
%dir %{_usr}/share/selinux/devel/include
|
|
||||||
%dir %{_usr}/share/selinux/packages
|
%dir %{_usr}/share/selinux/packages
|
||||||
%dir %{_sysconfdir}/selinux
|
%dir %{_sysconfdir}/selinux
|
||||||
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
||||||
%ghost %{_sysconfdir}/sysconfig/selinux
|
%ghost %{_sysconfdir}/sysconfig/selinux
|
||||||
|
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: SELinux policy devel
|
||||||
|
Group: System Environment/Base
|
||||||
|
Requires(pre): selinux-policy = %{version}-%{release}
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
SELinux policy development and man page package
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%{_mandir}/man*/*
|
||||||
|
%{_mandir}/ru/*/*
|
||||||
|
%dir %{_usr}/share/selinux/devel
|
||||||
|
%dir %{_usr}/share/selinux/devel/include
|
||||||
%{_usr}/share/selinux/devel/include/*
|
%{_usr}/share/selinux/devel/include/*
|
||||||
%{_usr}/share/selinux/devel/Makefile
|
%{_usr}/share/selinux/devel/Makefile
|
||||||
%{_usr}/share/selinux/devel/example.*
|
%{_usr}/share/selinux/devel/example.*
|
||||||
%{_usr}/share/selinux/devel/policy.*
|
|
||||||
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
|
||||||
|
|
||||||
%if %{BUILD_DOC}
|
|
||||||
%package doc
|
%package doc
|
||||||
Summary: SELinux policy documentation
|
Summary: SELinux policy documentation
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
@ -91,7 +97,7 @@ SELinux policy documentation package
|
|||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc %{_usr}/share/doc/%{name}-%{version}
|
%doc %{_usr}/share/doc/%{name}-%{version}
|
||||||
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
|
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
|
||||||
%endif
|
%{_usr}/share/selinux/devel/policy.*
|
||||||
|
|
||||||
%define makeCmds() \
|
%define makeCmds() \
|
||||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
|
||||||
@ -105,6 +111,7 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
|
|||||||
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
|
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
|
||||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
|
||||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||||
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
|
||||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
||||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
|
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
|
||||||
@ -127,8 +134,9 @@ rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
|
|||||||
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
|
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
|
||||||
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
|
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
|
||||||
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
|
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
|
||||||
/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policymd5; \
|
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
||||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
||||||
|
rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
|
||||||
%nil
|
%nil
|
||||||
|
|
||||||
%define fileList() \
|
%define fileList() \
|
||||||
@ -137,13 +145,14 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
|||||||
%dir %{_sysconfdir}/selinux/%1 \
|
%dir %{_sysconfdir}/selinux/%1 \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
||||||
|
%dir %{_sysconfdir}/selinux/%1/logins \
|
||||||
%dir %{_sysconfdir}/selinux/%1/modules \
|
%dir %{_sysconfdir}/selinux/%1/modules \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
||||||
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
|
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
|
||||||
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
|
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
||||||
%verify(not md5 size md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
|
||||||
@ -157,7 +166,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
|||||||
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
|
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
|
||||||
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
||||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
||||||
%{_sysconfdir}/selinux/%1/.policymd5 \
|
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
||||||
%dir %{_sysconfdir}/selinux/%1/contexts \
|
%dir %{_sysconfdir}/selinux/%1/contexts \
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||||
@ -166,6 +175,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
|||||||
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
||||||
|
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
|
||||||
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
||||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
||||||
@ -191,8 +201,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
|
|||||||
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
||||||
/usr/sbin/selinuxenabled; \
|
/usr/sbin/selinuxenabled; \
|
||||||
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
||||||
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore; \
|
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
|
||||||
/sbin/restorecon -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
|
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
|
||||||
rm -f ${FILE_CONTEXT}.pre; \
|
rm -f ${FILE_CONTEXT}.pre; \
|
||||||
fi;
|
fi;
|
||||||
|
|
||||||
@ -204,10 +214,10 @@ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
|
|||||||
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
||||||
fi; \
|
fi; \
|
||||||
touch /etc/selinux/%1/.rebuild; \
|
touch /etc/selinux/%1/.rebuild; \
|
||||||
if [ -e /etc/selinux/%1/.policymd5 ]; then \
|
if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
|
||||||
md5=`md5sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
|
sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
|
||||||
checkmd5=`cat /etc/selinux/%1/.policymd5`; \
|
checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
|
||||||
if [ "$md5" == "$checkmd5" ] ; then \
|
if [ "$sha512" == "$checksha512" ] ; then \
|
||||||
rm /etc/selinux/%1/.rebuild; \
|
rm /etc/selinux/%1/.rebuild; \
|
||||||
fi; \
|
fi; \
|
||||||
fi; \
|
fi; \
|
||||||
@ -218,7 +228,7 @@ fi;
|
|||||||
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
if [ -e /etc/selinux/%2/.rebuild ]; then \
|
||||||
rm /etc/selinux/%2/.rebuild; \
|
rm /etc/selinux/%2/.rebuild; \
|
||||||
if [ %1 -ne 1 ]; then \
|
if [ %1 -ne 1 ]; then \
|
||||||
/usr/sbin/semodule -n -s %2 -r kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
|
/usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
|
||||||
fi \
|
fi \
|
||||||
rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp \
|
rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp \
|
||||||
/usr/sbin/semodule -B -n -s %2; \
|
/usr/sbin/semodule -B -n -s %2; \
|
||||||
@ -242,7 +252,6 @@ Based off of reference policy: Checked out revision 2.20091117
|
|||||||
%prep
|
%prep
|
||||||
%setup -n serefpolicy-%{version} -q
|
%setup -n serefpolicy-%{version} -q
|
||||||
%patch -p1
|
%patch -p1
|
||||||
#%patch1 -p1 -b .unconfined
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
mkdir selinux_config
|
mkdir selinux_config
|
||||||
@ -252,8 +261,6 @@ done
|
|||||||
tar zxvf selinux_config/config.tgz
|
tar zxvf selinux_config/config.tgz
|
||||||
# Build targeted policy
|
# Build targeted policy
|
||||||
%{__rm} -fR %{buildroot}
|
%{__rm} -fR %{buildroot}
|
||||||
mkdir -p %{buildroot}%{_mandir}
|
|
||||||
cp -R man/* %{buildroot}%{_mandir}
|
|
||||||
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
||||||
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
||||||
touch %{buildroot}%{_sysconfdir}/selinux/config
|
touch %{buildroot}%{_sysconfdir}/selinux/config
|
||||||
@ -269,6 +276,8 @@ make clean
|
|||||||
%if %{BUILD_TARGETED}
|
%if %{BUILD_TARGETED}
|
||||||
# Build targeted policy
|
# Build targeted policy
|
||||||
# Commented out because only targeted ref policy currently builds
|
# Commented out because only targeted ref policy currently builds
|
||||||
|
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
|
||||||
|
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
|
||||||
%makeCmds targeted mcs n allow
|
%makeCmds targeted mcs n allow
|
||||||
%installCmds targeted mcs n allow
|
%installCmds targeted mcs n allow
|
||||||
%endif
|
%endif
|
||||||
@ -276,6 +285,8 @@ make clean
|
|||||||
%if %{BUILD_MINIMUM}
|
%if %{BUILD_MINIMUM}
|
||||||
# Build minimum policy
|
# Build minimum policy
|
||||||
# Commented out because only minimum ref policy currently builds
|
# Commented out because only minimum ref policy currently builds
|
||||||
|
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
|
||||||
|
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
|
||||||
%makeCmds minimum mcs n allow
|
%makeCmds minimum mcs n allow
|
||||||
%installCmds minimum mcs n allow
|
%installCmds minimum mcs n allow
|
||||||
%modulesList minimum
|
%modulesList minimum
|
||||||
@ -287,22 +298,20 @@ make clean
|
|||||||
%installCmds mls mls n deny
|
%installCmds mls mls n deny
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{BUILD_DOC}
|
mkdir -p %{buildroot}%{_mandir}
|
||||||
|
cp -R man/* %{buildroot}%{_mandir}
|
||||||
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
|
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
|
||||||
%endif
|
|
||||||
|
|
||||||
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
|
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
|
||||||
|
|
||||||
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
mkdir %{buildroot}%{_usr}/share/selinux/devel/
|
||||||
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
|
||||||
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
|
||||||
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
|
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
|
||||||
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
|
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||||
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
|
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
|
||||||
%if %{BUILD_DOC}
|
|
||||||
echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
||||||
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
|
||||||
%endif
|
|
||||||
|
mkdir %{buildroot}%{_usr}/share/selinux/packages/
|
||||||
|
|
||||||
rm -rf selinux_config
|
rm -rf selinux_config
|
||||||
%clean
|
%clean
|
||||||
%{__rm} -fR %{buildroot}
|
%{__rm} -fR %{buildroot}
|
||||||
@ -321,6 +330,7 @@ echo "
|
|||||||
SELINUX=enforcing
|
SELINUX=enforcing
|
||||||
# SELINUXTYPE= can take one of these two values:
|
# SELINUXTYPE= can take one of these two values:
|
||||||
# targeted - Targeted processes are protected,
|
# targeted - Targeted processes are protected,
|
||||||
|
# minimum - Modification of targeted policy. Only selected processes are protected.
|
||||||
# mls - Multi Level Security protection.
|
# mls - Multi Level Security protection.
|
||||||
SELINUXTYPE=targeted
|
SELINUXTYPE=targeted
|
||||||
|
|
||||||
@ -483,7 +493,470 @@ SELinux Reference policy mls base module.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
|
* Wed May 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-128
|
||||||
|
- Fix description of authlogin_nsswitch_use_ldap
|
||||||
|
- Fix transition rule for rhsmcertd_t needed for RHEL7
|
||||||
|
- Allow useradd to list nfs state data
|
||||||
|
- Allow openvpn to manage its log file and directory
|
||||||
|
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
|
||||||
|
- Allow thumb to use nvidia devices
|
||||||
|
- Allow local_login to create user_tmp_t files for kerberos
|
||||||
|
- Pulseaudio needs to read systemd_login /var/run content
|
||||||
|
- virt should only transition named system_conf_t config files
|
||||||
|
- Allow munin to execute its plugins
|
||||||
|
- Allow nagios system plugin to read /etc/passwd
|
||||||
|
- Allow plugin to connect to soundd port
|
||||||
|
- Fix httpd_passwd to be able to ask passwords
|
||||||
|
- Radius servers can use ldap for backing store
|
||||||
|
- Seems to need to mount on /var/lib for xguest polyinstatiation to work.
|
||||||
|
- Allow systemd_logind to list the contents of gnome keyring
|
||||||
|
- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
|
||||||
|
- Add policy for isns-utils
|
||||||
|
|
||||||
|
* Mon May 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-127
|
||||||
|
- Add policy for subversion daemon
|
||||||
|
- Allow boinc to read passwd
|
||||||
|
- Allow pads to read kernel network state
|
||||||
|
- Fix man2html interface for sepolgen-ifgen
|
||||||
|
- Remove extra /usr/lib/systemd/system/smb
|
||||||
|
- Remove all /lib/systemd and replace with /usr/lib/systemd
|
||||||
|
- Add policy for man2html
|
||||||
|
- Fix the label of kerberos_home_t to krb5_home_t
|
||||||
|
- Allow mozilla plugins to use Citrix
|
||||||
|
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
|
||||||
|
- Allow tune /sys options via systemd's tmpfiles.d "w" type
|
||||||
|
|
||||||
|
* Wed May 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-126
|
||||||
|
- Dontaudit lpr_t to read/write leaked mozilla tmp files
|
||||||
|
- Add file name transition for .grl-podcasts directory
|
||||||
|
- Allow corosync to read user tmp files
|
||||||
|
- Allow fenced to create snmp lib dirs/files
|
||||||
|
- More fixes for sge policy
|
||||||
|
- Allow mozilla_plugin_t to execute any application
|
||||||
|
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain
|
||||||
|
- Allow mongod to read system state information
|
||||||
|
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
|
||||||
|
- Allow polipo to manage polipo_cache dirs
|
||||||
|
- Add jabbar_client port to mozilla_plugin_t
|
||||||
|
- Cleanup procmail policy
|
||||||
|
- system bus will pass around open file descriptors on files that do not have labels on them
|
||||||
|
- Allow l2tpd_t to read system state
|
||||||
|
- Allow tuned to run ls /dev
|
||||||
|
- Allow sudo domains to read usr_t files
|
||||||
|
- Add label to machine-id
|
||||||
|
- Fix corecmd_read_bin_symlinks cut and paste error
|
||||||
|
|
||||||
|
* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125
|
||||||
|
- Fix pulseaudio port definition
|
||||||
|
- Add labeling for condor_starter
|
||||||
|
- Allow chfn_t to creat user_tmp_files
|
||||||
|
- Allow chfn_t to execute bin_t
|
||||||
|
- Allow prelink_cron_system_t to getpw calls
|
||||||
|
- Allow sudo domains to manage kerberos rcache files
|
||||||
|
- Allow user_mail_domains to work with courie
|
||||||
|
- Port definitions necessary for running jboss apps within openshift
|
||||||
|
- Add support for openstack-nova-metadata-api
|
||||||
|
- Add support for nova-console*
|
||||||
|
- Add support for openstack-nova-xvpvncproxy
|
||||||
|
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
|
||||||
|
- Fix auth_role() interface
|
||||||
|
- Allow numad to read sysfs
|
||||||
|
- Allow matahari-rpcd to execute shell
|
||||||
|
- Add label for ~/.spicec
|
||||||
|
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
|
||||||
|
- Devicekit_disk wants to read the logind sessions file when writing a cd
|
||||||
|
- Add fixes for condor to make condor jobs working correctly
|
||||||
|
- Change label of /var/log/rpmpkgs to cron_log_t
|
||||||
|
- Access requires to allow systemd-tmpfiles --create to work.
|
||||||
|
- Fix obex to be a user application started by the session bus.
|
||||||
|
- Add additional filename trans rules for kerberos
|
||||||
|
- Fix /var/run/heartbeat labeling
|
||||||
|
- Allow apps that are managing rcache to file trans correctly
|
||||||
|
- Allow openvpn to authenticate against ldap server
|
||||||
|
- Containers need to listen to network starting and stopping events
|
||||||
|
|
||||||
|
* Wed May 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-124
|
||||||
|
- Make systemd unit files less specific
|
||||||
|
|
||||||
|
* Tue May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-123
|
||||||
|
- Fix zarafa labeling
|
||||||
|
- Allow guest_t to fix labeling
|
||||||
|
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
|
||||||
|
- add lxc_contexts
|
||||||
|
- Allow accountsd to read /proc
|
||||||
|
- Allow restorecond to getattr on all file sytems
|
||||||
|
- tmpwatch now calls getpw
|
||||||
|
- Allow apache daemon to transition to pwauth domain
|
||||||
|
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
|
||||||
|
- The obex socket seems to be a stream socket
|
||||||
|
- dd label for /var/run/nologin
|
||||||
|
|
||||||
|
* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-122
|
||||||
|
- Allow jetty running as httpd_t to read hugetlbfs files
|
||||||
|
- Allow sys_nice and setsched for rhsmcertd
|
||||||
|
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
|
||||||
|
- Allow setfiles to append to xdm_tmp_t
|
||||||
|
- Add labeling for /export as a usr_t directory
|
||||||
|
- Add labels for .grl files created by gstreamer
|
||||||
|
|
||||||
|
* Fri May 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-121
|
||||||
|
- Add labeling for /usr/share/jetty/bin/jetty.sh
|
||||||
|
- Add jetty policy which contains file type definitios
|
||||||
|
- Allow jockey to use its own fifo_file and make this the default for all domains
|
||||||
|
- Allow mozilla_plugins to use spice (vnc_port/couchdb)
|
||||||
|
- asterisk wants to read the network state
|
||||||
|
- Blueman now uses /var/lib/blueman- Add label for nodejs_debug
|
||||||
|
- Allow mozilla_plugin_t to create ~/.pki directory and content
|
||||||
|
|
||||||
|
* Wed May 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-120
|
||||||
|
- Add clamscan_can_scan_system boolean
|
||||||
|
- Allow mysqld to read kernel network state
|
||||||
|
- Allow sshd to read/write condor lib files
|
||||||
|
- Allow sshd to read/write condor-startd tcp socket
|
||||||
|
- Fix description on httpd_graceful_shutdown
|
||||||
|
- Allow glance_registry to communicate with mysql
|
||||||
|
- dbus_system_domain is using systemd to lauch applications
|
||||||
|
- add interfaces to allow domains to send kill signals to user mail agents
|
||||||
|
- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
|
||||||
|
- Lots of new access required for secure containers
|
||||||
|
- Corosync needs sys_admin capability
|
||||||
|
- ALlow colord to create shm
|
||||||
|
- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
|
||||||
|
- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
|
||||||
|
- Add new interface to allow domains to list msyql_db directories, needed for libra
|
||||||
|
- shutdown has to be allowed to delete etc_runtime_t
|
||||||
|
- Fail2ban needs to read /etc/passwd
|
||||||
|
- Allow ldconfig to create /var/cache/ldconfig
|
||||||
|
- Allow tgtd to read hardware state information
|
||||||
|
- Allow collectd to create packet socket
|
||||||
|
- Allow chronyd to send signal to itself
|
||||||
|
- Allow collectd to read /dev/random
|
||||||
|
- Allow collectd to send signal to itself
|
||||||
|
- firewalld needs to execute restorecon
|
||||||
|
- Allow restorecon and other login domains to execute restorecon
|
||||||
|
|
||||||
|
* Tue Apr 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-119
|
||||||
|
- Allow logrotate to getattr on systemd unit files
|
||||||
|
- Add support for tor systemd unit file
|
||||||
|
- Allow apmd to create /var/run/pm-utils with the correct label
|
||||||
|
- Allow l2tpd to send sigkill to pppd
|
||||||
|
- Allow pppd to stream connect to l2tpd
|
||||||
|
- Add label for scripts in /etc/gdm/
|
||||||
|
- Allow systemd_logind_t to ignore mcs constraints on sigkill
|
||||||
|
- Fix files_filetrans_system_conf_named_files() interface
|
||||||
|
- Add labels for /usr/share/wordpress/wp-includes/*.php
|
||||||
|
- Allow cobbler to get SELinux mode and booleans
|
||||||
|
|
||||||
|
* Mon Apr 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-118
|
||||||
|
- Add unconfined_execmem_exec_t as an alias to bin_t
|
||||||
|
- Allow fenced to read snmp var lib files, also allow it to read usr_t
|
||||||
|
- ontaudit access checks on all executables from mozilla_plugin
|
||||||
|
- Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode
|
||||||
|
- Allow systemd_tmpfiles_t to getattr all pipes and sockets
|
||||||
|
- Allow glance-registry to send system log messages
|
||||||
|
- semanage needs to manage mock lib files/dirs
|
||||||
|
|
||||||
|
* Sun Apr 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-117
|
||||||
|
- Add policy for abrt-watch-log
|
||||||
|
- Add definitions for jboss_messaging ports
|
||||||
|
- Allow systemd_tmpfiles to manage printer devices
|
||||||
|
- Allow oddjob to use nsswitch
|
||||||
|
- Fix labeling of log files for postgresql
|
||||||
|
- Allow mozilla_plugin_t to execmem and execstack by default
|
||||||
|
- Allow firewalld to execute shell
|
||||||
|
- Fix /etc/wicd content files to get created with the correct label
|
||||||
|
- Allow mcelog to exec shell
|
||||||
|
- Add ~/.orc as a gstreamer_home_t
|
||||||
|
- /var/spool/postfix/lib64 should be labeled lib_t
|
||||||
|
- mpreaper should be able to list all file system labeled directories
|
||||||
|
- Add support for apache to use openstack
|
||||||
|
- Add labeling for /etc/zipl.conf and zipl binary
|
||||||
|
- Turn on allow_execstack and turn off telepathy transition for final release
|
||||||
|
|
||||||
|
* Mon Apr 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-116
|
||||||
|
- More access required for virt_qmf_t
|
||||||
|
- Additional assess required for systemd-logind to support multi-seat
|
||||||
|
- Allow mozilla_plugin to setrlimit
|
||||||
|
- Revert changes to fuse file system to stop deadlock
|
||||||
|
|
||||||
|
* Mon Apr 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-115
|
||||||
|
- Allow condor domains to connect to ephemeral ports
|
||||||
|
- More fixes for condor policy
|
||||||
|
- Allow keystone to stream connect to mysqld
|
||||||
|
- Allow mozilla_plugin_t to read generic USB device to support GPS devices
|
||||||
|
- Allow thum to file name transition gstreamer home content
|
||||||
|
- Allow thum to read all non security files
|
||||||
|
- Allow glance_api_t to connect to ephemeral ports
|
||||||
|
- Allow nagios plugins to read /dev/urandom
|
||||||
|
- Allow syslogd to search postfix spool to support postfix chroot env
|
||||||
|
- Fix labeling for /var/spool/postfix/dev
|
||||||
|
- Allow wdmd chown
|
||||||
|
- Label .esd_auth as pulseaudio_home_t
|
||||||
|
- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
|
||||||
|
|
||||||
|
* Fri Apr 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-114
|
||||||
|
- Add support for clamd+systemd
|
||||||
|
- Allow fresclam to execute systemctl to handle clamd
|
||||||
|
- Change labeling for /usr/sbin/rpc.ypasswd.env
|
||||||
|
- Allow yppaswd_t to execute yppaswd_exec_t
|
||||||
|
- Allow yppaswd_t to read /etc/passwd
|
||||||
|
- Gnomekeyring socket has been moved to /run/user/USER/
|
||||||
|
- Allow samba-net to connect to ldap port
|
||||||
|
- Allow signal for vhostmd
|
||||||
|
- allow mozilla_plugin_t to read user_home_t socket
|
||||||
|
- New access required for secure Linux Containers
|
||||||
|
- zfs now supports xattrs
|
||||||
|
- Allow quantum to execute sudo and list sysfs
|
||||||
|
- Allow init to dbus chat with the firewalld
|
||||||
|
- Allow zebra to read /etc/passwd
|
||||||
|
|
||||||
|
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-113
|
||||||
|
- Allow svirt_t to create content in the users homedir under ~/.libvirt
|
||||||
|
- Fix label on /var/lib/heartbeat
|
||||||
|
- Allow systemd_logind_t to send kill signals to all processes started by a user
|
||||||
|
- Fuse now supports Xattr Support
|
||||||
|
|
||||||
|
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-112
|
||||||
|
- upowered needs to setsched on the kernel
|
||||||
|
- Allow mpd_t to manage log files
|
||||||
|
- Allow xdm_t to create /var/run/systemd/multi-session-x
|
||||||
|
- Add rules for missedfont.log to be used by thumb.fc
|
||||||
|
- Additional access required for virt_qmf_t
|
||||||
|
- Allow dhclient to dbus chat with the firewalld
|
||||||
|
- Add label for lvmetad
|
||||||
|
- Allow systemd_logind_t to remove userdomain sock_files
|
||||||
|
- Allow cups to execute usr_t files
|
||||||
|
- Fix labeling on nvidia shared libraries
|
||||||
|
- wdmd_t needs access to sssd and /etc/passwd
|
||||||
|
- Add boolean to allow ftp servers to run in passive mode
|
||||||
|
- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
|
||||||
|
- Fix using httpd_use_fusefs
|
||||||
|
- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
|
||||||
|
|
||||||
|
* Fri Apr 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-111
|
||||||
|
- Rename rdate port to time port, and allow gnomeclock to connect to it
|
||||||
|
- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
|
||||||
|
- /etc/auto.* should be labeled bin_t
|
||||||
|
- Add httpd_use_fusefs boolean
|
||||||
|
- Add fixes for heartbeat
|
||||||
|
- Allow sshd_t to signal processes that it transitions to
|
||||||
|
- Add condor policy
|
||||||
|
- Allow svirt to create monitors in ~/.libvirt
|
||||||
|
- Allow dovecot to domtrans sendmail to handle sieve scripts
|
||||||
|
- Lot of fixes for cfengine
|
||||||
|
|
||||||
|
* Tue Apr 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-110
|
||||||
|
- /var/run/postmaster.* labeling is no longer needed
|
||||||
|
- Alllow drbdadmin to read /dev/urandom
|
||||||
|
- l2tpd_t seems to use ptmx
|
||||||
|
- group+ and passwd+ should be labeled as /etc/passwd
|
||||||
|
- Zarafa-indexer is a socket
|
||||||
|
|
||||||
|
* Fri Mar 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-109
|
||||||
|
- Ensure lastlog is labeled correctly
|
||||||
|
- Allow accountsd to read /proc data about gdm
|
||||||
|
- Add fixes for tuned
|
||||||
|
- Add bcfg2 fixes which were discovered during RHEL6 testing
|
||||||
|
- More fixes for gnome-keyring socket being moved
|
||||||
|
- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown
|
||||||
|
- Fix description for files_dontaudit_read_security_files() interface
|
||||||
|
|
||||||
|
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-108
|
||||||
|
- Add new policy and man page for bcfg2
|
||||||
|
- cgconfig needs to use getpw calls
|
||||||
|
- Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt
|
||||||
|
- gnome-keyring wants to create a directory in cache_home_t
|
||||||
|
- sanlock calls getpw
|
||||||
|
|
||||||
|
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-107
|
||||||
|
- Add numad policy and numad man page
|
||||||
|
- Add fixes for interface bugs discovered by SEWatch
|
||||||
|
- Add /tmp support for squid
|
||||||
|
- Add fix for #799102
|
||||||
|
* change default labeling for /var/run/slapd.* sockets
|
||||||
|
- Make thumb_t as userdom_home_reader
|
||||||
|
- label /var/lib/sss/mc same as pubconf, so getpw domains can read it
|
||||||
|
- Allow smbspool running as cups_t to stream connect to nmbd
|
||||||
|
- accounts needs to be able to execute passwd on behalf of users
|
||||||
|
- Allow systemd_tmpfiles_t to delete boot flags
|
||||||
|
- Allow dnssec_trigger to connect to apache ports
|
||||||
|
- Allow gnome keyring to create sock_files in ~/.cache
|
||||||
|
- google_authenticator is using .google_authenticator
|
||||||
|
- sandbox running from within firefox is exposing more leaks
|
||||||
|
- Dontaudit thumb to read/write /dev/card0
|
||||||
|
- Dontaudit getattr on init_exec_t for gnomeclock_t
|
||||||
|
- Allow certmonger to do a transition to certmonger_unconfined_t
|
||||||
|
- Allow dhcpc setsched which is caused by nmcli
|
||||||
|
- Add rpm_exec_t for /usr/sbin/bcfg2
|
||||||
|
- system cronjobs are sending dbus messages to systemd_logind
|
||||||
|
- Thumnailers read /dev/urand
|
||||||
|
|
||||||
|
* Thu Mar 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-106
|
||||||
|
- Allow auditctl getcap
|
||||||
|
- Allow vdagent to use libsystemd-login
|
||||||
|
- Allow abrt-dump-oops to search /etc/abrt
|
||||||
|
- Got these avc's while trying to print a boarding pass from firefox
|
||||||
|
- Devicekit is now putting the media directory under /run/media
|
||||||
|
- Allow thumbnailers to create content in ~/.thumbails directory
|
||||||
|
- Add support for proL2TPd by Dominick Grift
|
||||||
|
- Allow all domains to call getcap
|
||||||
|
- wdmd seems to get a random chown capability check that it does not need
|
||||||
|
- Allow vhostmd to read kernel sysctls
|
||||||
|
|
||||||
|
* Wed Mar 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-105
|
||||||
|
- Allow chronyd to read unix
|
||||||
|
- Allow hpfax to read /etc/passwd
|
||||||
|
- Add support matahari vios-proxy-* apps and add virtd_exec_t label for them
|
||||||
|
- Allow rpcd to read quota_db_t
|
||||||
|
- Update to man pages to match latest policy
|
||||||
|
- Fix bug in jockey interface for sepolgen-ifgen
|
||||||
|
- Add initial svirt_prot_exec_t policy
|
||||||
|
|
||||||
|
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-104
|
||||||
|
- More fixes for systemd from Dan Walsh
|
||||||
|
|
||||||
|
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-103
|
||||||
|
- Add a new type for /etc/firewalld and allow firewalld to write to this directory
|
||||||
|
- Add definition for ~/Maildir, and allow mail deliver domains to write there
|
||||||
|
- Allow polipo to run from a cron job
|
||||||
|
- Allow rtkit to schedule wine processes
|
||||||
|
- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label
|
||||||
|
- Allow users domains to send signals to consolehelper domains
|
||||||
|
|
||||||
|
* Fri Mar 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-102
|
||||||
|
- More fixes for boinc policy
|
||||||
|
- Allow polipo domain to create its own cache dir and pid file
|
||||||
|
- Add systemctl support to httpd domain
|
||||||
|
- Add systemctl support to polipo, allow NetworkManager to manage the service
|
||||||
|
- Add policy for jockey-backend
|
||||||
|
- Add support for motion daemon which is now covered by zoneminder policy
|
||||||
|
- Allow colord to read/write motion tmpfs
|
||||||
|
- Allow vnstat to search through var_lib_t directories
|
||||||
|
- Stop transitioning to quota_t, from init an sysadm_t
|
||||||
|
|
||||||
|
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-101
|
||||||
|
- Add svirt_lxc_file_t as a customizable type
|
||||||
|
|
||||||
|
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-100
|
||||||
|
- Add additional fixes for icmp nagios plugin
|
||||||
|
- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin
|
||||||
|
- Add certmonger_unconfined_exec_t
|
||||||
|
- Make sure tap22 device is created with the correct label
|
||||||
|
- Allow staff users to read systemd unit files
|
||||||
|
- Merge in previously built policy
|
||||||
|
- Arpwatch needs to be able to start netlink sockets in order to start
|
||||||
|
- Allow cgred_t to sys_ptrace to look at other DAC Processes
|
||||||
|
|
||||||
|
* Mon Mar 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-99
|
||||||
|
- Back port some of the access that was allowed in nsplugin_t
|
||||||
|
- Add definitiona for couchdb ports
|
||||||
|
- Allow nagios to use inherited users ttys
|
||||||
|
- Add git support for mock
|
||||||
|
- Allow inetd to use rdate port
|
||||||
|
- Add own type for rdate port
|
||||||
|
- Allow samba to act as a portmapper
|
||||||
|
- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev
|
||||||
|
- New fixes needed for samba4
|
||||||
|
- Allow apps that use lib_t to read lib_t symlinks
|
||||||
|
|
||||||
|
* Fri Mar 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-98
|
||||||
|
- Add policy for nove-cert
|
||||||
|
- Add labeling for nova-openstack systemd unit files
|
||||||
|
- Add policy for keystoke
|
||||||
|
|
||||||
|
* Thu Mar 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-97
|
||||||
|
- Fix man pages fro domains
|
||||||
|
- Add man pages for SELinux users and roles
|
||||||
|
- Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon
|
||||||
|
- Add policy for matahari-rpcd
|
||||||
|
- nfsd executes mount command on restart
|
||||||
|
- Matahari domains execute renice and setsched
|
||||||
|
- Dontaudit leaked tty in mozilla_plugin_config
|
||||||
|
- mailman is changing to a per instance naming
|
||||||
|
- Add 7600 and 4447 as jboss_management ports
|
||||||
|
- Add fixes for nagios event handlers
|
||||||
|
- Label httpd.event as httpd_exec_t, it is an apache daemon
|
||||||
|
|
||||||
|
* Mon Mar 5 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-96
|
||||||
|
- Add labeling for /var/spool/postfix/dev/log
|
||||||
|
- NM reads sysctl.conf
|
||||||
|
- Iscsi log file context specification fix
|
||||||
|
- Allow mozilla plugins to send dbus messages to user domains that transition to it
|
||||||
|
- Allow mysql to read the passwd file
|
||||||
|
- Allow mozilla_plugin_t to create mozilla home dirs in user homedir
|
||||||
|
- Allow deltacloud to read kernel sysctl
|
||||||
|
- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself
|
||||||
|
- Allow postgresql_t to connectto itself
|
||||||
|
- Add login_userdomain attribute for users which can log in using terminal
|
||||||
|
|
||||||
|
* Tue Feb 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-95
|
||||||
|
- Allow sysadm_u to reach system_r by default #784011
|
||||||
|
- Allow nagios plugins to use inherited user terminals
|
||||||
|
- Razor labeling is not used no longer
|
||||||
|
- Add systemd support for matahari
|
||||||
|
- Add port_types to man page, move booleans to the top, fix some english
|
||||||
|
- Add support for matahari-sysconfig-console
|
||||||
|
- Clean up matahari.fc
|
||||||
|
- Fix matahari_admin() interfac
|
||||||
|
- Add labels for/etc/ssh/ssh_host_*.pub keys
|
||||||
|
|
||||||
|
* Mon Feb 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-94
|
||||||
|
- Allow ksysguardproces to send system log msgs
|
||||||
|
- Allow boinc setpgid and signull
|
||||||
|
- Allow xdm_t to sys_ptrace to run pidof command
|
||||||
|
- Allow smtpd_t to manage spool files/directories and symbolic links
|
||||||
|
- Add labeling for jetty
|
||||||
|
- Needed changes to get unbound/dnssec to work with openswan
|
||||||
|
|
||||||
|
* Thu Feb 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-93
|
||||||
|
- Add user_fonts_t alias xfs_tmp_t
|
||||||
|
- Since depmod now runs as insmod_t we need to write to kernel_object_t
|
||||||
|
- Allow firewalld to dbus chat with networkmanager
|
||||||
|
- Allow qpidd to connect to matahari ports
|
||||||
|
- policykit needs to read /proc for uses not owned by it
|
||||||
|
- Allow systemctl apps to connecto the init stream
|
||||||
|
|
||||||
|
* Wed Feb 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-92
|
||||||
|
- Turn on deny_ptrace boolean
|
||||||
|
|
||||||
|
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-91
|
||||||
|
- Remove pam_selinux.8 man page. There was a conflict.
|
||||||
|
|
||||||
|
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-90
|
||||||
|
- Add proxy class and read access for gssd_proxy
|
||||||
|
- Separate out the sharing public content booleans
|
||||||
|
- Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate
|
||||||
|
- Add label transition for gstream-0.10 and 12
|
||||||
|
- Add booleans to allow rsync to share nfs and cifs file sytems
|
||||||
|
- chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it
|
||||||
|
- Fix filename transitions for cups files
|
||||||
|
- Allow denyhosts to read "unix"
|
||||||
|
- Add file name transition for locale.conf.new
|
||||||
|
- Allow boinc projects to gconf config files
|
||||||
|
- sssd needs to be able to increase the socket limit under certain loads
|
||||||
|
- sge_execd needs to read /etc/passwd
|
||||||
|
- Allow denyhost to check network state
|
||||||
|
- NetworkManager needs to read sessions data
|
||||||
|
- Allow denyhost to check network state
|
||||||
|
- Allow xen to search virt images directories
|
||||||
|
- Add label for /dev/megaraid_sas_ioctl_node
|
||||||
|
- Add autogenerated man pages
|
||||||
|
|
||||||
|
* Thu Feb 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-89
|
||||||
|
- Allow boinc project to getattr on fs
|
||||||
|
- Allow init to execute initrc_state_t
|
||||||
|
- rhev-agent package was rename to ovirt-guest-agent
|
||||||
|
- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
|
||||||
|
- sytemd writes content to /run/initramfs and executes it on shutdown
|
||||||
|
- kdump_t needs to read /etc/mtab, should be back ported to F16
|
||||||
|
- udev needs to load kernel modules in early system boot
|
||||||
|
|
||||||
|
* Tue Feb 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-88
|
||||||
|
- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses
|
||||||
|
- Add additional systemd interfaces which are needed fro *_admin interfaces
|
||||||
|
- Fix bind_admin() interface
|
||||||
|
|
||||||
|
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-87
|
||||||
- Allow firewalld to read urand
|
- Allow firewalld to read urand
|
||||||
- Alias java, execmem_mono to bin_t to allow third parties
|
- Alias java, execmem_mono to bin_t to allow third parties
|
||||||
- Add label for kmod
|
- Add label for kmod
|
||||||
@ -493,6 +966,31 @@ SELinux Reference policy mls base module.
|
|||||||
- Allow systemd_tmpfiles_t to delete all file types
|
- Allow systemd_tmpfiles_t to delete all file types
|
||||||
- Allow collectd to ipc_lock
|
- Allow collectd to ipc_lock
|
||||||
|
|
||||||
|
* Fri Feb 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-86
|
||||||
|
- make consoletype_exec optional, so we can remove consoletype policy
|
||||||
|
- remove unconfined_permisive.patch
|
||||||
|
- Allow openvpn_t to inherit user home content and tmp content
|
||||||
|
- Fix dnssec-trigger labeling
|
||||||
|
- Turn on obex policy for staff_t
|
||||||
|
- Pem files should not be secret
|
||||||
|
- Add lots of rules to fix AVC's when playing with containers
|
||||||
|
- Fix policy for dnssec
|
||||||
|
- Label ask-passwd directories correctly for systemd
|
||||||
|
|
||||||
|
* Thu Feb 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
|
||||||
|
- sshd fixes seem to be causing unconfined domains to dyntrans to themselves
|
||||||
|
- fuse file system is now being mounted in /run/user
|
||||||
|
- systemd_logind is sending signals to processes that are dbus messaging with it
|
||||||
|
- Add support for winshadow port and allow iscsid to connect to this port
|
||||||
|
- httpd should be allowed to bind to the http_port_t udp socket
|
||||||
|
- zarafa_var_lib_t can be a lnk_file
|
||||||
|
- A couple of new .xsession-errors files
|
||||||
|
- Seems like user space and login programs need to read logind_sessions_files
|
||||||
|
- Devicekit disk seems to be being launched by systemd
|
||||||
|
- Cleanup handling of setfiles so most of rules in te file
|
||||||
|
- Correct port number for dnssec
|
||||||
|
- logcheck has the home dir set to its cache
|
||||||
|
|
||||||
* Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84
|
* Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84
|
||||||
- Add policy for grindengine MPI jobs
|
- Add policy for grindengine MPI jobs
|
||||||
|
|
||||||
|