* Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121

- Allow kmscon to read system state. BZ (1206871) - Label ~/.abrt/ as abrt_etc_t. BZ(1199658) - Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
2015-03-30 20:13:54 +02:00 · 2015-03-30 20:13:54 +02:00 · 5852f33770
commit 5852f33770
parent 734dd8ae6f
3 changed files with 169 additions and 150 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -6,19 +6,21 @@ index 0000000..bea5755
@@ -0,0 +1 @@
 +TAGS
 diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..f2b26f5 100644
+index 1a93dc5..7a7d67e 100644
 --- a/abrt.fc
 +++ b/abrt.fc
-@@ -1,31 +1,46 @@
+@@ -1,31 +1,48 @@
 -/etc/abrt(/.*)?	gen_context(system_u:object_r:abrt_etc_t,s0)
 -/etc/rc\.d/init\.d/abrt	--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-+/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
+HOME_DIR/\.config/abrt(/.*)?   	gen_context(system_u:object_r:abrt_etc_t,s0)
 +/etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 -/usr/bin/abrt-pyhook-helper	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
 -/usr/bin/abrt-retrace-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
 -/usr/bin/coredump2packages	--	gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
 -/usr/bin/retrace-server-worker	--	gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
 +/etc/abrt(/.*)?				gen_context(system_u:object_r:abrt_etc_t,s0)
 +/etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
 +
 +/usr/lib/systemd/system/abrt.*	--	gen_context(system_u:object_r:abrt_unit_file_t,s0)
 +
 +/usr/bin/abrt-dump-.* 	    --	gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
@ -7809,7 +7811,7 @@ index 1a7a97e..2c7252a 100644
 	domain_system_change_exemption($1)
 	role_transition $2 apmd_initrc_exec_t system_r;
 diff --git a/apm.te b/apm.te
-index 7fd431b..5ce1846 100644
+index 7fd431b..e9c4c5a 100644
 --- a/apm.te
 +++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@ -7838,11 +7840,13 @@ index 7fd431b..5ce1846 100644
 domain_use_interactive_fds(apm_t)
-@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
+@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t)
 # Server local policy
 #
- allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
 -dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
 +allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
 +dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
 allow apmd_t self:process { signal_perms getsession };
 allow apmd_t self:fifo_file rw_fifo_file_perms;
@ -40233,10 +40237,10 @@ index 0000000..b9347fa
 +')
 diff --git a/kmscon.te b/kmscon.te
 new file mode 100644
-index 0000000..be3d5d6
+index 0000000..32a9e13
 --- /dev/null
 +++ b/kmscon.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,88 @@
 +# KMSCon SELinux policy module
 +# Contributed by Lubomir Rintel <lkundrak@v3.sk>
 +
@ -40280,6 +40284,8 @@ index 0000000..be3d5d6
 +list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
 +read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
 +
 +kernel_read_system_state(kmscon_t)
 +
 +auth_read_passwd(kmscon_t)
 +
 +dev_rw_dri(kmscon_t)
@ -66883,7 +66889,7 @@ index 30e751f..61feb3a 100644
 	admin_pattern($1, plymouthd_var_run_t)
 ')
 diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce9..18872dc 100644
+index 3078ce9..c57d1cf 100644
 --- a/plymouthd.te
 +++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
@ -66923,7 +66929,7 @@ index 3078ce9..18872dc 100644
 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t)
 fs_getattr_all_fs(plymouthd_t)
@ -66933,15 +66939,16 @@ index 3078ce9..18872dc 100644
 term_getattr_pty_fs(plymouthd_t)
 term_use_all_terms(plymouthd_t)
 term_use_ptmx(plymouthd_t)
- 
+term_use_usb_ttys(plymouthd_t)
-miscfiles_read_localization(plymouthd_t)
+
 +init_signal(plymouthd_t)
 +
 +logging_link_generic_logs(plymouthd_t)
 +logging_delete_generic_logs(plymouthd_t)
 +
 +auth_use_nsswitch(plymouthd_t)
-+
+ 
 -miscfiles_read_localization(plymouthd_t)
 miscfiles_read_fonts(plymouthd_t)
 miscfiles_manage_fonts_cache(plymouthd_t)
@ -66955,7 +66962,7 @@ index 3078ce9..18872dc 100644
 ')
 optional_policy(`
-@@ -90,35 +96,37 @@ optional_policy(`
+@@ -90,35 +97,37 @@ optional_policy(`
 ')
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 120%{?dist}
+Release: 121%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -602,6 +602,11 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Mon Mar 30 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-121
 - Allow kmscon to read system state. BZ (1206871)
 - Label ~/.abrt/ as abrt_etc_t. BZ(1199658)
 - Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
 * Mon Mar 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-120
 - Allow mysqld_t to use pam. BZ(1196104)
 - Added label mysqld_etc_t for /etc/my.cnf.d/ dir. BZ(1203989)