* Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123

- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Fix labeling for keystone CGI scripts.
Lukas Vrabec 2015-04-14 01:13:22 +02:00
parent b9a1c72d29
commit 578b67080c
3 changed files with 856 additions and 356 deletions



@ -6,21 +6,19 @@ index 0000000..bea5755
@@ -0,0 +1 @@
+TAGS
diff --git a/abrt.fc b/abrt.fc
index 1a93dc5..7a7d67e 100644
index 1a93dc5..f2b26f5 100644
--- a/abrt.fc
+++ b/abrt.fc
@@ -1,31 +1,48 @@
@@ -1,31 +1,46 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+HOME_DIR/\.config/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
@ -548,7 +546,7 @@ index 058d908..158acba 100644
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f07..ab4ab96 100644
index eb50f07..7f6a8b6 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -1008,7 +1006,7 @@ index eb50f07..ab4ab96 100644
#
-allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override };
+allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override };
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
@ -1051,7 +1049,7 @@ index eb50f07..ab4ab96 100644
#######################################
#
@@ -404,25 +512,54 @@ logging_read_generic_logs(abrt_dump_oops_t)
@@ -404,25 +512,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -1070,6 +1068,10 @@ index eb50f07..ab4ab96 100644
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
+optional_policy(`
+ gnome_list_home_config(abrt_watch_log_t)
+')
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
@ -1108,7 +1110,7 @@ index eb50f07..ab4ab96 100644
')
#######################################
@@ -430,10 +567,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
@@ -430,10 +571,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@ -24843,10 +24845,10 @@ index 0000000..457d4dd
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
index 0000000..7f0943f
index 0000000..46f4d2c
--- /dev/null
+++ b/dnssec.te
@@ -0,0 +1,59 @@
@@ -0,0 +1,63 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@ -24891,6 +24893,7 @@ index 0000000..7f0943f
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
+files_dontaudit_list_tmp(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
@ -24898,6 +24901,7 @@ index 0000000..7f0943f
+
+sysnet_dns_name_resolve(dnssec_trigger_t)
+sysnet_manage_config(dnssec_trigger_t)
+sysnet_filetrans_named_content(dnssec_trigger_t)
+
+optional_policy(`
+ bind_domtrans(dnssec_trigger_t)
@ -24905,7 +24909,9 @@ index 0000000..7f0943f
+ bind_read_dnssec_keys(dnssec_trigger_t)
+')
+
+
+optional_policy(`
+ networkmanager_stream_connect(dnssec_trigger_t)
+')
diff --git a/dnssectrigger.te b/dnssectrigger.te
index c7bb4e7..e6fe2f40 100644
--- a/dnssectrigger.te
@ -39792,7 +39798,7 @@ index 628b78b..fe65617 100644
-
-miscfiles_read_localization(keyboardd_t)
diff --git a/keystone.fc b/keystone.fc
index b273d80..9b6e9bd 100644
index b273d80..6b2b50d 100644
--- a/keystone.fc
+++ b/keystone.fc
@@ -1,7 +1,13 @@
@ -39802,7 +39808,7 @@ index b273d80..9b6e9bd 100644
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
+/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
+/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
+
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
@ -46189,10 +46195,10 @@ index 0000000..f5b98e6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
index 0000000..1bf717f
index 0000000..86766b0
--- /dev/null
+++ b/mock.te
@@ -0,0 +1,277 @@
@@ -0,0 +1,278 @@
+policy_module(mock,1.0.0)
+
+## <desc>
@ -46327,6 +46333,7 @@ index 0000000..1bf717f
+term_search_ptys(mock_t)
+term_mount_pty_fs(mock_t)
+term_unmount_pty_fs(mock_t)
+term_use_ptmx(mock_t)
+
+auth_use_nsswitch(mock_t)
+
@ -46809,17 +46816,16 @@ index 0000000..e7220a5
+logging_send_syslog_msg(mon_procd_t)
+
diff --git a/mongodb.fc b/mongodb.fc
index 6fcfc31..1719247 100644
index 6fcfc31..91adcaf 100644
--- a/mongodb.fc
+++ b/mongodb.fc
@@ -1,9 +1,14 @@
@@ -1,9 +1,13 @@
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
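Review bot: The new keystone.fc entry `/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)` labels everything under /usr/share/keystone, directories and non-script data included, with a `*_exec_t` type, which is broader than the "CGI scripts" the changelog describes. If only the script files need that label, a narrower pattern restricted to regular files (constructed example: `/usr/share/keystone/.*\.wsgi -- gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)`) keeps data files out of the entrypoint type; at minimum the `--` qualifier used on the `/usr/bin/keystone-all` line above it would exclude directories. The outer hunk shows only one context line on each side of the two `+` lines, so whether a narrower entry was replaced here cannot be confirmed from this view. Separately, the `gnome_list_home_config(abrt_watch_log_t)` call added in abrt.te grants to abrt_watch_log_t while the changelog names abrtd; worth confirming that is the intended domain.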


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 122%{?dist}
Release: 123%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658)
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
- Allow mock_t to use ptmx. BZ(1181333)
- Allow dnssec_trigger_t to stream connect to networkmanager.
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
- Fix labeling for keystone CGI scripts.
* Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)