- Fix bogus line in logrotate.fc.

2015-06-23 15:44:47 +02:00 · 2015-06-23 15:44:47 +02:00 · 4e49e36893
commit 4e49e36893
parent 1bee2ddf1b
2 changed files with 87 additions and 20 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -8862,7 +8862,7 @@ index 0b1a871..f260e6f 100644
 +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint };
 +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint };
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..549967a 100644
+index 6a1e4d1..26e5558 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@ -8963,7 +8963,50 @@ index 6a1e4d1..549967a 100644
 ##	Search the process state directory (/proc/pid) of all domains.
 ## </summary>
 ## <param name="domain">
-@@ -631,7 +645,7 @@ interface(`domain_read_all_domains_state',`
+@@ -590,6 +604,42 @@ interface(`domain_search_all_domains_state',`
 ########################################
 ## <summary>
 +##	Dontaudit search of process kernel keyrings
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to dontaudit.
 +##	</summary>
 +## </param>
 +#
 +interface(`domain_dontaudit_search_all_domains_keyrings',`
 +	gen_require(`
 +		attribute domain;
 +	')
 +
 +	dontaudit $1 domain:key search;
 +')
 +
 +########################################
 +## <summary>
 +##	Dontaudit link of process kernel keyrings
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to dontaudit.
 +##	</summary>
 +## </param>
 +#
 +interface(`domain_dontaudit_link_all_domains_keyrings',`
 +	gen_require(`
 +		attribute domain;
 +	')
 +
 +	dontaudit $1 domain:key link;
 +')
 +
 +########################################
 +## <summary>
 ##	Do not audit attempts to search the process
 ##	state directory (/proc/pid) of all domains.
 ## </summary>
@@ -631,7 +681,7 @@ interface(`domain_read_all_domains_state',`
 ########################################
 ## <summary>
@ -8972,7 +9015,7 @@ index 6a1e4d1..549967a 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -655,7 +669,7 @@ interface(`domain_getattr_all_domains',`
+@@ -655,7 +705,7 @@ interface(`domain_getattr_all_domains',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -8981,7 +9024,7 @@ index 6a1e4d1..549967a 100644
 ##	</summary>
 ## </param>
 #
-@@ -1356,6 +1370,24 @@ interface(`domain_manage_all_entry_files',`
+@@ -1356,6 +1406,24 @@ interface(`domain_manage_all_entry_files',`
 ########################################
 ## <summary>
@ -9006,7 +9049,7 @@ index 6a1e4d1..549967a 100644
 ##	Relabel to and from all entry point
 ##	file types.
 ## </summary>
-@@ -1421,7 +1453,7 @@ interface(`domain_entry_file_spec_domtrans',`
+@@ -1421,7 +1489,7 @@ interface(`domain_entry_file_spec_domtrans',`
 ## <summary>
 ##	Ability to mmap a low area of the address
 ##	space conditionally, as configured by
@ -9015,7 +9058,7 @@ index 6a1e4d1..549967a 100644
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
-@@ -1448,7 +1480,7 @@ interface(`domain_mmap_low',`
+@@ -1448,7 +1516,7 @@ interface(`domain_mmap_low',`
 ## <summary>
 ##	Ability to mmap a low area of the address
 ##	space unconditionally, as configured
@ -9024,7 +9067,7 @@ index 6a1e4d1..549967a 100644
 ##	Preventing such mappings helps protect against
 ##	exploiting null deref bugs in the kernel.
 ## </summary>
-@@ -1508,6 +1540,40 @@ interface(`domain_unconfined_signal',`
+@@ -1508,6 +1576,40 @@ interface(`domain_unconfined_signal',`
 ########################################
 ## <summary>
@ -9065,7 +9108,7 @@ index 6a1e4d1..549967a 100644
 ##	Unconfined access to domains.
 ## </summary>
 ## <param name="domain">
-@@ -1530,4 +1596,63 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1632,63 @@ interface(`domain_unconfined',`
 	typeattribute $1 can_change_object_identity;
 	typeattribute $1 set_curr_context;
 	typeattribute $1 process_uncond_exempt;
@ -30058,7 +30101,7 @@ index 187f04f..cf0af09 100644
 interface(`hostname_exec',`
 	gen_require(`
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index 24a7889..d97f6d5 100644
+index 24a7889..a3d8f1a 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
@@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config;
@ -30101,10 +30144,14 @@ index 24a7889..d97f6d5 100644
 sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
 sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
-@@ -57,6 +60,10 @@ sysnet_read_config(hostname_t)
+@@ -57,6 +60,14 @@ sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 optional_policy(`
 +	kdump_dontaudit_inherited_kdumpctl_tmp_pipes(hostname_t)
 +')
 +
 +optional_policy(`
 +	mock_dontaudit_write_lib_chr_files(hostname_t)
 +')
 +
@ -37021,10 +37068,10 @@ index 1361961..be6b7fc 100644
 #
 # Base type for the tests directory.
 diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 9933677..ca14c17 100644
+index 9933677..0b9c20a 100644
 --- a/policy/modules/system/modutils.fc
 +++ b/policy/modules/system/modutils.fc
-@@ -23,3 +23,15 @@ ifdef(`distro_gentoo',`
+@@ -23,3 +23,17 @@ ifdef(`distro_gentoo',`
 /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 /usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
@ -37037,6 +37084,8 @@ index 9933677..ca14c17 100644
 +/usr/sbin/rmmod.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
 +/usr/sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 +
 +/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
 +
 +/usr/lib/modules/modprobe\.conf -- 	gen_context(system_u:object_r:modules_conf_t,s0)
 +
 +/var/run/tmpfiles.d/kmod.conf --	gen_context(system_u:object_r:insmod_var_run_t,s0)
@ -44727,7 +44776,7 @@ index db75976..c54480a 100644
 +/var/tmp/hsperfdata_root    gen_context(system_u:object_r:user_tmp_t,s0)
 +
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..f01932f 100644
+index 9dc60c6..769ce74 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -49209,8 +49258,8 @@ index 9dc60c6..f01932f 100644
 +## </param>
 +#
 +interface(`userdom_delete_user_tmpfs_files',`
-+    refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.')
+    refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmp_files instead.')
-+    userdom_delete_user_tmpfs_files($1)
+    userdom_delete_user_tmp_files($1)
 +')
 +
 +########################################
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -38243,7 +38243,7 @@ index a49ae4e..0c0e987 100644
 +
 +/var/lock/kdump(/.*)?   gen_context(system_u:object_r:kdump_lock_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..160c575 100644
+index 3a00b3a..92f125f 100644
 --- a/kdump.if
 +++ b/kdump.if
@@ -1,4 +1,4 @@
@ -38506,7 +38506,7 @@ index 3a00b3a..160c575 100644
 	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
 	domain_system_change_exemption($1)
-@@ -110,6 +295,10 @@ interface(`kdump_admin',`
+@@ -110,6 +295,29 @@ interface(`kdump_admin',`
 	files_search_etc($1)
 	admin_pattern($1, kdump_etc_t)
@ -38519,6 +38519,25 @@ index 3a00b3a..160c575 100644
 +	admin_pattern($1, kdump_unit_file_t)
 +	allow $1 kdump_unit_file_t:service all_service_perms;
 ')
 +
 +###################################
 +## <summary>
 +##     Dontaudit Read/write inherited kdump /var/tmp named pipes.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain to not audit
 +##      </summary>
 +## </param>
 +#
 +interface(`kdump_dontaudit_inherited_kdumpctl_tmp_pipes',`
 +        gen_require(`
 +                type kdumpctl_tmp_t;
 +        ')
 +
 +        dontaudit $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 diff --git a/kdump.te b/kdump.te
 index 715fc21..8bcd248 100644
 --- a/kdump.te
@ -42926,10 +42945,10 @@ index 61db5a0..9d5d255 100644
 +userdom_use_inherited_user_terminals(lockdev_t)
 +
 diff --git a/logrotate.fc b/logrotate.fc
-index a11d5be..5fc9001 100644
+index a11d5be..60f83c5 100644
 --- a/logrotate.fc
 +++ b/logrotate.fc
-@@ -1,6 +1,7 @@
+@@ -1,6 +1,6 @@
 -/etc/cron\.(daily|weekly)/sysklogd	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 +/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
@ -42938,7 +42957,6 @@ index a11d5be..5fc9001 100644
 /var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
 -/var/lib/logrotate\.status	--	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
 +/var/lib/logrotate\.status.* --	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
 +')
 diff --git a/logrotate.if b/logrotate.if
 index dd8e01a..9cd6b0b 100644
 --- a/logrotate.if