* Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) - Allow mock_t to use ptmx. BZ(1181333) - Allow dnssec_trigger_t to stream connect to networkmanager. - Allow dnssec_trigger_t to create resolv files labeled as net_conf_t - Fix labeling for keystone CGI scripts.
parent
b9a1c72d29
commit
578b67080c
File diff suppressed because it is too large
|
@ -6,21 +6,19 @@ index 0000000..bea5755
|
|||
@@ -0,0 +1 @@
|
||||
+TAGS
|
||||
diff --git a/abrt.fc b/abrt.fc
|
||||
index 1a93dc5..7a7d67e 100644
|
||||
index 1a93dc5..f2b26f5 100644
|
||||
--- a/abrt.fc
|
||||
+++ b/abrt.fc
|
||||
@@ -1,31 +1,48 @@
|
||||
@@ -1,31 +1,46 @@
|
||||
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
||||
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
||||
+HOME_DIR/\.config/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
||||
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
||||
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
||||
|
||||
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
||||
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
||||
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
|
||||
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
||||
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
||||
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
||||
+
|
||||
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
|
||||
+
|
||||
+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
|
||||
|
@ -548,7 +546,7 @@ index 058d908..158acba 100644
|
|||
+')
|
||||
+
|
||||
diff --git a/abrt.te b/abrt.te
|
||||
index eb50f07..ab4ab96 100644
|
||||
index eb50f07..7f6a8b6 100644
|
||||
--- a/abrt.te
|
||||
+++ b/abrt.te
|
||||
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
||||
|
@ -1008,7 +1006,7 @@ index eb50f07..ab4ab96 100644
|
|||
#
|
||||
|
||||
-allow abrt_dump_oops_t self:capability dac_override;
|
||||
+allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override };
|
||||
+allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override };
|
||||
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
|
||||
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
@ -1051,7 +1049,7 @@ index eb50f07..ab4ab96 100644
|
|||
|
||||
#######################################
|
||||
#
|
||||
@@ -404,25 +512,54 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||
@@ -404,25 +512,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||
#
|
||||
|
||||
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
||||
|
@ -1070,6 +1068,10 @@ index eb50f07..ab4ab96 100644
|
|||
logging_read_all_logs(abrt_watch_log_t)
|
||||
+logging_send_syslog_msg(abrt_watch_log_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gnome_list_home_config(abrt_watch_log_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`abrt_upload_watch_anon_write',`
|
||||
+ miscfiles_manage_public_files(abrt_upload_watch_t)
|
||||
+')
|
||||
|
@ -1108,7 +1110,7 @@ index eb50f07..ab4ab96 100644
|
|||
')
|
||||
|
||||
#######################################
|
||||
@@ -430,10 +567,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||
@@ -430,10 +571,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||
# Global local policy
|
||||
#
|
||||
|
||||
|
@ -24843,10 +24845,10 @@ index 0000000..457d4dd
|
|||
+')
|
||||
diff --git a/dnssec.te b/dnssec.te
|
||||
new file mode 100644
|
||||
index 0000000..7f0943f
|
||||
index 0000000..46f4d2c
|
||||
--- /dev/null
|
||||
+++ b/dnssec.te
|
||||
@@ -0,0 +1,59 @@
|
||||
@@ -0,0 +1,63 @@
|
||||
+policy_module(dnssec, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
|
@ -24891,6 +24893,7 @@ index 0000000..7f0943f
|
|||
+domain_use_interactive_fds(dnssec_trigger_t)
|
||||
+
|
||||
+files_read_etc_runtime_files(dnssec_trigger_t)
|
||||
+files_dontaudit_list_tmp(dnssec_trigger_t)
|
||||
+
|
||||
+logging_send_syslog_msg(dnssec_trigger_t)
|
||||
+
|
||||
|
@ -24898,6 +24901,7 @@ index 0000000..7f0943f
|
|||
+
|
||||
+sysnet_dns_name_resolve(dnssec_trigger_t)
|
||||
+sysnet_manage_config(dnssec_trigger_t)
|
||||
+sysnet_filetrans_named_content(dnssec_trigger_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ bind_domtrans(dnssec_trigger_t)
|
||||
|
@ -24905,7 +24909,9 @@ index 0000000..7f0943f
|
|||
+ bind_read_dnssec_keys(dnssec_trigger_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ networkmanager_stream_connect(dnssec_trigger_t)
|
||||
+')
|
||||
diff --git a/dnssectrigger.te b/dnssectrigger.te
|
||||
index c7bb4e7..e6fe2f40 100644
|
||||
--- a/dnssectrigger.te
|
||||
|
@ -39792,7 +39798,7 @@ index 628b78b..fe65617 100644
|
|||
-
|
||||
-miscfiles_read_localization(keyboardd_t)
|
||||
diff --git a/keystone.fc b/keystone.fc
|
||||
index b273d80..9b6e9bd 100644
|
||||
index b273d80..6b2b50d 100644
|
||||
--- a/keystone.fc
|
||||
+++ b/keystone.fc
|
||||
@@ -1,7 +1,13 @@
|
||||
|
@ -39802,7 +39808,7 @@ index b273d80..9b6e9bd 100644
|
|||
|
||||
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
|
||||
|
||||
+/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
|
||||
+/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
|
||||
+
|
||||
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
|
||||
|
||||
|
@ -46189,10 +46195,10 @@ index 0000000..f5b98e6
|
|||
+')
|
||||
diff --git a/mock.te b/mock.te
|
||||
new file mode 100644
|
||||
index 0000000..1bf717f
|
||||
index 0000000..86766b0
|
||||
--- /dev/null
|
||||
+++ b/mock.te
|
||||
@@ -0,0 +1,277 @@
|
||||
@@ -0,0 +1,278 @@
|
||||
+policy_module(mock,1.0.0)
|
||||
+
|
||||
+## <desc>
|
||||
|
@ -46327,6 +46333,7 @@ index 0000000..1bf717f
|
|||
+term_search_ptys(mock_t)
|
||||
+term_mount_pty_fs(mock_t)
|
||||
+term_unmount_pty_fs(mock_t)
|
||||
+term_use_ptmx(mock_t)
|
||||
+
|
||||
+auth_use_nsswitch(mock_t)
|
||||
+
|
||||
|
@ -46809,17 +46816,16 @@ index 0000000..e7220a5
|
|||
+logging_send_syslog_msg(mon_procd_t)
|
||||
+
|
||||
diff --git a/mongodb.fc b/mongodb.fc
|
||||
index 6fcfc31..1719247 100644
|
||||
index 6fcfc31..91adcaf 100644
|
||||
--- a/mongodb.fc
|
||||
+++ b/mongodb.fc
|
||||
@@ -1,9 +1,14 @@
|
||||
@@ -1,9 +1,13 @@
|
||||
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
|
||||
|
||||
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||
|
||||
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
|
||||
|
||||
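Review bot: The `gnome_list_home_config(abrt_watch_log_t)` rule in the abrt.te hunk headed `-1070,6 +1068,10` gives the permission to `abrt_watch_log_t`, while the changelog entry reads "Allow abrtd to list home config. BZ(1199658)". If the denial in that bug was recorded for the abrtd domain, the rule sits on the wrong type and leaves a log-watching domain with a grant it never needed. If it was recorded for the log watcher, the changelog should name that domain so the grant can be audited later. The page has lost its added/removed markers, so reading this `optional_policy` block as new is inferred from the hunk counts (6 lines before, 10 after) and should be confirmed against the raw patch. A one-line justification above the rule would also help, for example `# BZ(1199658): abrt-watch-log needs to list the home config directory`.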
|
|
|
@ -19,7 +19,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 122%{?dist}
|
||||
Release: 123%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
@ -602,6 +602,15 @@ SELinux Reference policy mls base module.
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
|
||||
- Allow abrtd to list home config. BZ(1199658)
|
||||
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
|
||||
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
|
||||
- Allow mock_t to use ptmx. BZ(1181333)
|
||||
- Allow dnssec_trigger_t to stream connect to networkmanager.
|
||||
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
|
||||
- Fix labeling for keystone CGI scripts.
|
||||
|
||||
* Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
|
||||
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
|
||||
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
|
||||
|
|