* Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
- Allow abrtd to list home config. BZ(1199658) - Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250) - Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481) - Allow mock_t to use ptmx. BZ(1181333) - Allow dnssec_trigger_t to stream connect to networkmanager. - Allow dnssec_trigger_t to create resolv files labeled as net_conf_t - Fix labeling for keystone CGI scripts.
parent
b9a1c72d29
commit
578b67080c
|
@ -6,21 +6,19 @@ index 0000000..bea5755
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+TAGS
|
+TAGS
|
||||||
diff --git a/abrt.fc b/abrt.fc
|
diff --git a/abrt.fc b/abrt.fc
|
||||||
index 1a93dc5..7a7d67e 100644
|
index 1a93dc5..f2b26f5 100644
|
||||||
--- a/abrt.fc
|
--- a/abrt.fc
|
||||||
+++ b/abrt.fc
|
+++ b/abrt.fc
|
||||||
@@ -1,31 +1,48 @@
|
@@ -1,31 +1,46 @@
|
||||||
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
||||||
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
||||||
+HOME_DIR/\.config/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
||||||
|
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
||||||
|
|
||||||
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
||||||
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
||||||
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
|
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
|
||||||
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
||||||
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
|
||||||
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
|
||||||
+
|
|
||||||
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
|
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
|
||||||
+
|
+
|
||||||
+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
|
+/usr/bin/abrt-dump-.* -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
|
||||||
|
@ -548,7 +546,7 @@ index 058d908..158acba 100644
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
diff --git a/abrt.te b/abrt.te
|
diff --git a/abrt.te b/abrt.te
|
||||||
index eb50f07..ab4ab96 100644
|
index eb50f07..7f6a8b6 100644
|
||||||
--- a/abrt.te
|
--- a/abrt.te
|
||||||
+++ b/abrt.te
|
+++ b/abrt.te
|
||||||
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
||||||
|
@ -1008,7 +1006,7 @@ index eb50f07..ab4ab96 100644
|
||||||
#
|
#
|
||||||
|
|
||||||
-allow abrt_dump_oops_t self:capability dac_override;
|
-allow abrt_dump_oops_t self:capability dac_override;
|
||||||
+allow abrt_dump_oops_t self:capability { fowner chown fsetid dac_override };
|
+allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override };
|
||||||
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
|
||||||
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
|
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
|
||||||
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
|
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
@ -1051,7 +1049,7 @@ index eb50f07..ab4ab96 100644
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
@@ -404,25 +512,54 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
@@ -404,25 +512,58 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
||||||
#
|
#
|
||||||
|
|
||||||
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
@ -1070,6 +1068,10 @@ index eb50f07..ab4ab96 100644
|
||||||
logging_read_all_logs(abrt_watch_log_t)
|
logging_read_all_logs(abrt_watch_log_t)
|
||||||
+logging_send_syslog_msg(abrt_watch_log_t)
|
+logging_send_syslog_msg(abrt_watch_log_t)
|
||||||
+
|
+
|
||||||
|
+optional_policy(`
|
||||||
|
+ gnome_list_home_config(abrt_watch_log_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
+tunable_policy(`abrt_upload_watch_anon_write',`
|
+tunable_policy(`abrt_upload_watch_anon_write',`
|
||||||
+ miscfiles_manage_public_files(abrt_upload_watch_t)
|
+ miscfiles_manage_public_files(abrt_upload_watch_t)
|
||||||
+')
|
+')
|
||||||
|
@ -1108,7 +1110,7 @@ index eb50f07..ab4ab96 100644
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
@@ -430,10 +567,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
@@ -430,10 +571,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
||||||
# Global local policy
|
# Global local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -24843,10 +24845,10 @@ index 0000000..457d4dd
|
||||||
+')
|
+')
|
||||||
diff --git a/dnssec.te b/dnssec.te
|
diff --git a/dnssec.te b/dnssec.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..7f0943f
|
index 0000000..46f4d2c
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/dnssec.te
|
+++ b/dnssec.te
|
||||||
@@ -0,0 +1,59 @@
|
@@ -0,0 +1,63 @@
|
||||||
+policy_module(dnssec, 1.0.0)
|
+policy_module(dnssec, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
|
@ -24891,6 +24893,7 @@ index 0000000..7f0943f
|
||||||
+domain_use_interactive_fds(dnssec_trigger_t)
|
+domain_use_interactive_fds(dnssec_trigger_t)
|
||||||
+
|
+
|
||||||
+files_read_etc_runtime_files(dnssec_trigger_t)
|
+files_read_etc_runtime_files(dnssec_trigger_t)
|
||||||
|
+files_dontaudit_list_tmp(dnssec_trigger_t)
|
||||||
+
|
+
|
||||||
+logging_send_syslog_msg(dnssec_trigger_t)
|
+logging_send_syslog_msg(dnssec_trigger_t)
|
||||||
+
|
+
|
||||||
|
@ -24898,6 +24901,7 @@ index 0000000..7f0943f
|
||||||
+
|
+
|
||||||
+sysnet_dns_name_resolve(dnssec_trigger_t)
|
+sysnet_dns_name_resolve(dnssec_trigger_t)
|
||||||
+sysnet_manage_config(dnssec_trigger_t)
|
+sysnet_manage_config(dnssec_trigger_t)
|
||||||
|
+sysnet_filetrans_named_content(dnssec_trigger_t)
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ bind_domtrans(dnssec_trigger_t)
|
+ bind_domtrans(dnssec_trigger_t)
|
||||||
|
@ -24905,7 +24909,9 @@ index 0000000..7f0943f
|
||||||
+ bind_read_dnssec_keys(dnssec_trigger_t)
|
+ bind_read_dnssec_keys(dnssec_trigger_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+
|
+optional_policy(`
|
||||||
|
+ networkmanager_stream_connect(dnssec_trigger_t)
|
||||||
|
+')
|
||||||
diff --git a/dnssectrigger.te b/dnssectrigger.te
|
diff --git a/dnssectrigger.te b/dnssectrigger.te
|
||||||
index c7bb4e7..e6fe2f40 100644
|
index c7bb4e7..e6fe2f40 100644
|
||||||
--- a/dnssectrigger.te
|
--- a/dnssectrigger.te
|
||||||
|
@ -39792,7 +39798,7 @@ index 628b78b..fe65617 100644
|
||||||
-
|
-
|
||||||
-miscfiles_read_localization(keyboardd_t)
|
-miscfiles_read_localization(keyboardd_t)
|
||||||
diff --git a/keystone.fc b/keystone.fc
|
diff --git a/keystone.fc b/keystone.fc
|
||||||
index b273d80..9b6e9bd 100644
|
index b273d80..6b2b50d 100644
|
||||||
--- a/keystone.fc
|
--- a/keystone.fc
|
||||||
+++ b/keystone.fc
|
+++ b/keystone.fc
|
||||||
@@ -1,7 +1,13 @@
|
@@ -1,7 +1,13 @@
|
||||||
|
@ -39802,7 +39808,7 @@ index b273d80..9b6e9bd 100644
|
||||||
|
|
||||||
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
|
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
|
||||||
|
|
||||||
+/usr/share/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
|
+/var/www/cgi-bin/keystone(/.*)? gen_context(system_u:object_r:keystone_cgi_script_exec_t,s0)
|
||||||
+
|
+
|
||||||
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
|
/var/lib/keystone(/.*)? gen_context(system_u:object_r:keystone_var_lib_t,s0)
|
||||||
|
|
||||||
|
@ -46189,10 +46195,10 @@ index 0000000..f5b98e6
|
||||||
+')
|
+')
|
||||||
diff --git a/mock.te b/mock.te
|
diff --git a/mock.te b/mock.te
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..1bf717f
|
index 0000000..86766b0
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/mock.te
|
+++ b/mock.te
|
||||||
@@ -0,0 +1,277 @@
|
@@ -0,0 +1,278 @@
|
||||||
+policy_module(mock,1.0.0)
|
+policy_module(mock,1.0.0)
|
||||||
+
|
+
|
||||||
+## <desc>
|
+## <desc>
|
||||||
|
@ -46327,6 +46333,7 @@ index 0000000..1bf717f
|
||||||
+term_search_ptys(mock_t)
|
+term_search_ptys(mock_t)
|
||||||
+term_mount_pty_fs(mock_t)
|
+term_mount_pty_fs(mock_t)
|
||||||
+term_unmount_pty_fs(mock_t)
|
+term_unmount_pty_fs(mock_t)
|
||||||
|
+term_use_ptmx(mock_t)
|
||||||
+
|
+
|
||||||
+auth_use_nsswitch(mock_t)
|
+auth_use_nsswitch(mock_t)
|
||||||
+
|
+
|
||||||
|
@ -46809,17 +46816,16 @@ index 0000000..e7220a5
|
||||||
+logging_send_syslog_msg(mon_procd_t)
|
+logging_send_syslog_msg(mon_procd_t)
|
||||||
+
|
+
|
||||||
diff --git a/mongodb.fc b/mongodb.fc
|
diff --git a/mongodb.fc b/mongodb.fc
|
||||||
index 6fcfc31..1719247 100644
|
index 6fcfc31..91adcaf 100644
|
||||||
--- a/mongodb.fc
|
--- a/mongodb.fc
|
||||||
+++ b/mongodb.fc
|
+++ b/mongodb.fc
|
||||||
@@ -1,9 +1,14 @@
|
@@ -1,9 +1,13 @@
|
||||||
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
|
||||||
|
|
||||||
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
-/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||||
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||||
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
+/usr/bin/mongos -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||||
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
||||||
+/usr/libexec/mongodb-scl-helper -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
|
||||||
|
|
||||||
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
|
/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
|
||||||
|
|
||||||
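Review bot: Two file-context entries disappear on the new side without a matching changelog line: `HOME_DIR/\.config/abrt(/.*)?` (abrt_etc_t) in the abrt.fc hunk, and `/usr/libexec/mongodb-scl-helper` (mongod_exec_t) in the mongodb.fc hunk, whose new-side count drops from 14 to 13. Dropping an .fc entry does not by itself relabel files already on disk, and after a relabel those paths take whatever the remaining rules assign, so the helper's and the per-user abrt config's effective type can change without anyone having decided it. Both hunks are only partly visible here, so a replacement entry may exist outside the shown lines; the 3.13.1-122 changelog names mongod_initrc_exec_t for the helper, which suggests one was intended. If there is none, I would keep the entry or record the removal in the spec changelog, e.g. `- Remove mongod_exec_t labeling for /usr/libexec/mongodb-scl-helper.`, and confirm the resulting label with `matchpathcon /usr/libexec/mongodb-scl-helper` on an updated system.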
|
|
|
@ -19,7 +19,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.13.1
|
Version: 3.13.1
|
||||||
Release: 122%{?dist}
|
Release: 123%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -602,6 +602,15 @@ SELinux Reference policy mls base module.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Apr 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-123
|
||||||
|
- Allow abrtd to list home config. BZ(1199658)
|
||||||
|
- Dontaudit dnssec_trigger_t to read /tmp. BZ(1210250)
|
||||||
|
- Allow abrt_dump_oops_t to IPC_LOCK. BZ(1205481)
|
||||||
|
- Allow mock_t to use ptmx. BZ(1181333)
|
||||||
|
- Allow dnssec_trigger_t to stream connect to networkmanager.
|
||||||
|
- Allow dnssec_trigger_t to create resolv files labeled as net_conf_t
|
||||||
|
- Fix labeling for keystone CGI scripts.
|
||||||
|
|
||||||
* Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
|
* Tue Apr 07 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-122
|
||||||
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
|
- Label /usr/libexec/mongodb-scl-helper as mongod_initrc_exec_t. BZ(1202013)
|
||||||
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
|
- Add mongodb port to httpd_can_network_connect_db interface. BZ(1209180)
|
||||||
|
|