* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190

- Label /var/log/ganesha.log as glusterd_log_t. Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as glusterd_var_run_t.
- Allow zabbix to connect to postgresql port
- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
- Allow systemd to read efivarfs. Resolve: #121
Lukas Vrabec 2016-05-16 17:29:54 +02:00
parent a2f43d9c50
commit 5e78b00393
4 changed files with 108 additions and 70 deletions



@ -27728,10 +27728,10 @@ index 0306134..bb5f3dd 100644
+ ') + ')
+') +')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..5c271ce 100644 index 76d9f66..7528851 100644
--- a/policy/modules/services/ssh.fc --- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc
@@ -1,16 +1,41 @@ @@ -1,16 +1,42 @@
HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0)
+HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
@ -27765,6 +27765,7 @@ index 76d9f66..5c271ce 100644
+/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) +/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/libexec/openssh/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
+/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) +/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0)
@ -36657,7 +36658,7 @@ index 79a45f6..e69fa39 100644
+ allow $1 init_var_lib_t:dir search_dir_perms; + allow $1 init_var_lib_t:dir search_dir_perms;
+') +')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..1522b3c 100644 index 17eda24..09abd53 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te +++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(` @@ -11,10 +11,31 @@ gen_require(`
@ -36882,9 +36883,12 @@ index 17eda24..1522b3c 100644
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t) files_dontaudit_rw_root_chr_files(init_t)
@@ -156,28 +257,64 @@ fs_list_inotifyfs(init_t) @@ -155,29 +256,67 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t) fs_write_ramfs_sockets(init_t)
+fs_read_efivarfs_files(init_t)
+
mcs_process_set_categories(init_t) mcs_process_set_categories(init_t)
-mcs_killall(init_t) -mcs_killall(init_t)
@ -36952,7 +36956,7 @@ index 17eda24..1522b3c 100644
ifdef(`distro_gentoo',` ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap }; allow init_t self:process { getcap setcap };
@@ -186,29 +323,252 @@ ifdef(`distro_gentoo',` @@ -186,29 +325,252 @@ ifdef(`distro_gentoo',`
') ')
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@ -37214,7 +37218,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -216,7 +576,30 @@ optional_policy(` @@ -216,7 +578,30 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37246,7 +37250,7 @@ index 17eda24..1522b3c 100644
') ')
######################################## ########################################
@@ -225,9 +608,9 @@ optional_policy(` @@ -225,9 +610,9 @@ optional_policy(`
# #
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -37258,7 +37262,7 @@ index 17eda24..1522b3c 100644
allow initrc_t self:passwd rootok; allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms; allow initrc_t self:key manage_key_perms;
@@ -258,12 +641,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) @@ -258,12 +643,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms; allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file) files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -37275,7 +37279,7 @@ index 17eda24..1522b3c 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
@@ -279,23 +666,36 @@ kernel_change_ring_buffer_level(initrc_t) @@ -279,23 +668,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t) kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t) kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t) kernel_read_all_sysctls(initrc_t)
@ -37318,7 +37322,7 @@ index 17eda24..1522b3c 100644
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
@@ -303,9 +703,11 @@ corenet_sendrecv_all_client_packets(initrc_t) @@ -303,9 +705,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)
@ -37330,7 +37334,7 @@ index 17eda24..1522b3c 100644
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t) dev_read_framebuffer(initrc_t)
@@ -313,8 +715,10 @@ dev_write_framebuffer(initrc_t) @@ -313,8 +717,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t) dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t) dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
@ -37341,7 +37345,7 @@ index 17eda24..1522b3c 100644
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
@@ -322,8 +726,7 @@ dev_manage_generic_files(initrc_t) @@ -322,8 +728,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
@ -37351,7 +37355,7 @@ index 17eda24..1522b3c 100644
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)
@@ -332,7 +735,6 @@ domain_sigstop_all_domains(initrc_t) @@ -332,7 +737,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t) domain_getattr_all_domains(initrc_t)
@ -37359,7 +37363,7 @@ index 17eda24..1522b3c 100644
domain_getsession_all_domains(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t) domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
@@ -340,6 +742,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) @@ -340,6 +744,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t)
@ -37367,7 +37371,7 @@ index 17eda24..1522b3c 100644
files_getattr_all_dirs(initrc_t) files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t) files_getattr_all_files(initrc_t)
@@ -347,14 +750,15 @@ files_getattr_all_symlinks(initrc_t) @@ -347,14 +752,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t) files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t) files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t) files_purge_tmp(initrc_t)
@ -37385,7 +37389,7 @@ index 17eda24..1522b3c 100644
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t) files_manage_generic_spool(initrc_t)
@@ -364,8 +768,12 @@ files_list_isid_type_dirs(initrc_t) @@ -364,8 +770,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
@ -37399,7 +37403,7 @@ index 17eda24..1522b3c 100644
fs_list_inotifyfs(initrc_t) fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t) fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs # rhgb-console writes to ramfs
@@ -375,10 +783,11 @@ fs_mount_all_fs(initrc_t) @@ -375,10 +785,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t) fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t) fs_getattr_all_fs(initrc_t)
@ -37413,7 +37417,7 @@ index 17eda24..1522b3c 100644
mcs_process_set_categories(initrc_t) mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t) mls_file_read_all_levels(initrc_t)
@@ -387,8 +796,10 @@ mls_process_read_up(initrc_t) @@ -387,8 +798,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t) mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t) mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t) mls_fd_share_all_levels(initrc_t)
@ -37424,7 +37428,7 @@ index 17eda24..1522b3c 100644
storage_getattr_fixed_disk_dev(initrc_t) storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t)
@@ -398,6 +809,7 @@ term_use_all_terms(initrc_t) @@ -398,6 +811,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t) auth_rw_login_records(initrc_t)
@ -37432,7 +37436,7 @@ index 17eda24..1522b3c 100644
auth_setattr_login_records(initrc_t) auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t) auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t) auth_read_pam_pid(initrc_t)
@@ -416,20 +828,18 @@ logging_read_all_logs(initrc_t) @@ -416,20 +830,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t) logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t) logging_read_audit_config(initrc_t)
@ -37456,7 +37460,7 @@ index 17eda24..1522b3c 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t) dev_setattr_generic_dirs(initrc_t)
@@ -451,7 +861,6 @@ ifdef(`distro_gentoo',` @@ -451,7 +863,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate; allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t) dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t) dev_create_zero_dev(initrc_t)
@ -37464,7 +37468,7 @@ index 17eda24..1522b3c 100644
term_create_console_dev(initrc_t) term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks # unfortunately /sbin/rc does stupid tricks
@@ -486,6 +895,10 @@ ifdef(`distro_gentoo',` @@ -486,6 +897,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t) sysnet_setattr_config(initrc_t)
optional_policy(` optional_policy(`
@ -37475,7 +37479,7 @@ index 17eda24..1522b3c 100644
alsa_read_lib(initrc_t) alsa_read_lib(initrc_t)
') ')
@@ -506,7 +919,7 @@ ifdef(`distro_redhat',` @@ -506,7 +921,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -37484,7 +37488,7 @@ index 17eda24..1522b3c 100644
files_dontaudit_read_root_files(initrc_t) files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd # These seem to be from the initrd
@@ -521,6 +934,7 @@ ifdef(`distro_redhat',` @@ -521,6 +936,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t) files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
@ -37492,7 +37496,7 @@ index 17eda24..1522b3c 100644
# wants to read /.fonts directory # wants to read /.fonts directory
files_read_default_files(initrc_t) files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t) files_mountpoint(initrc_tmp_t)
@@ -541,6 +955,7 @@ ifdef(`distro_redhat',` @@ -541,6 +957,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t) miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t) miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t) miscfiles_relabel_localization(initrc_t)
@ -37500,7 +37504,7 @@ index 17eda24..1522b3c 100644
miscfiles_read_fonts(initrc_t) miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t) miscfiles_read_hwdata(initrc_t)
@@ -550,8 +965,44 @@ ifdef(`distro_redhat',` @@ -550,8 +967,44 @@ ifdef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -37545,7 +37549,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -559,14 +1010,31 @@ ifdef(`distro_redhat',` @@ -559,14 +1012,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t) rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t) rpc_manage_nfs_state_data(initrc_t)
') ')
@ -37577,7 +37581,7 @@ index 17eda24..1522b3c 100644
') ')
') ')
@@ -577,6 +1045,39 @@ ifdef(`distro_suse',` @@ -577,6 +1047,39 @@ ifdef(`distro_suse',`
') ')
') ')
@ -37617,7 +37621,7 @@ index 17eda24..1522b3c 100644
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -589,6 +1090,8 @@ optional_policy(` @@ -589,6 +1092,8 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(initrc_t) apache_read_config(initrc_t)
apache_list_modules(initrc_t) apache_list_modules(initrc_t)
@ -37626,7 +37630,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -610,6 +1113,7 @@ optional_policy(` @@ -610,6 +1115,7 @@ optional_policy(`
optional_policy(` optional_policy(`
cgroup_stream_connect_cgred(initrc_t) cgroup_stream_connect_cgred(initrc_t)
@ -37634,7 +37638,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -626,6 +1130,17 @@ optional_policy(` @@ -626,6 +1132,17 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37652,7 +37656,7 @@ index 17eda24..1522b3c 100644
dev_getattr_printer_dev(initrc_t) dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t) cups_read_log(initrc_t)
@@ -642,9 +1157,13 @@ optional_policy(` @@ -642,9 +1159,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -37666,7 +37670,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -657,15 +1176,11 @@ optional_policy(` @@ -657,15 +1178,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37684,7 +37688,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -686,6 +1201,15 @@ optional_policy(` @@ -686,6 +1203,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37700,7 +37704,7 @@ index 17eda24..1522b3c 100644
inn_exec_config(initrc_t) inn_exec_config(initrc_t)
') ')
@@ -726,6 +1250,7 @@ optional_policy(` @@ -726,6 +1252,7 @@ optional_policy(`
lpd_list_spool(initrc_t) lpd_list_spool(initrc_t)
lpd_read_config(initrc_t) lpd_read_config(initrc_t)
@ -37708,7 +37712,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -743,7 +1268,13 @@ optional_policy(` @@ -743,7 +1270,13 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37723,7 +37727,7 @@ index 17eda24..1522b3c 100644
mta_dontaudit_read_spool_symlinks(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t)
') ')
@@ -766,6 +1297,10 @@ optional_policy(` @@ -766,6 +1299,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37734,7 +37738,7 @@ index 17eda24..1522b3c 100644
postgresql_manage_db(initrc_t) postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t) postgresql_read_config(initrc_t)
') ')
@@ -775,10 +1310,20 @@ optional_policy(` @@ -775,10 +1312,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37755,7 +37759,7 @@ index 17eda24..1522b3c 100644
quota_manage_flags(initrc_t) quota_manage_flags(initrc_t)
') ')
@@ -787,6 +1332,10 @@ optional_policy(` @@ -787,6 +1334,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37766,7 +37770,7 @@ index 17eda24..1522b3c 100644
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -808,8 +1357,6 @@ optional_policy(` @@ -808,8 +1359,6 @@ optional_policy(`
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -37775,7 +37779,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -818,6 +1365,10 @@ optional_policy(` @@ -818,6 +1367,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37786,7 +37790,7 @@ index 17eda24..1522b3c 100644
# shorewall-init script run /var/lib/shorewall/firewall # shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t) shorewall_lib_domtrans(initrc_t)
') ')
@@ -827,10 +1378,12 @@ optional_policy(` @@ -827,10 +1380,12 @@ optional_policy(`
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -37799,7 +37803,7 @@ index 17eda24..1522b3c 100644
optional_policy(` optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t) ssh_dontaudit_read_server_keys(initrc_t)
@@ -857,21 +1410,62 @@ optional_policy(` @@ -857,21 +1412,62 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37863,7 +37867,7 @@ index 17eda24..1522b3c 100644
') ')
optional_policy(` optional_policy(`
@@ -887,6 +1481,10 @@ optional_policy(` @@ -887,6 +1483,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -37874,7 +37878,7 @@ index 17eda24..1522b3c 100644
# Set device ownerships/modes. # Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t) xserver_setattr_console_pipes(initrc_t)
@@ -897,3 +1495,218 @@ optional_policy(` @@ -897,3 +1497,218 @@ optional_policy(`
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -39558,7 +39562,7 @@ index 808ba93..57a68da 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+') +')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 54f8fa5..1584203 100644 index 54f8fa5..544b8e3 100644
--- a/policy/modules/system/libraries.te --- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@ -39652,10 +39656,14 @@ index 54f8fa5..1584203 100644
optional_policy(` optional_policy(`
unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
') ')
@@ -131,6 +150,14 @@ optional_policy(` @@ -131,6 +150,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
+ glusterd_dontaudit_read_lib_dirs(ldconfig_t)
+')
+
+optional_policy(`
+ gnome_append_generic_cache_files(ldconfig_t) + gnome_append_generic_cache_files(ldconfig_t)
+') +')
+ +
@ -39667,7 +39675,7 @@ index 54f8fa5..1584203 100644
puppet_rw_tmp(ldconfig_t) puppet_rw_tmp(ldconfig_t)
') ')
@@ -141,6 +168,3 @@ optional_policy(` @@ -141,6 +172,3 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t) rpm_manage_script_tmp_files(ldconfig_t)
') ')
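Review bot: The new `fs_read_efivarfs_files(init_t)` rule in init.te carries no comment explaining why init_t needs it, whereas the surrounding rules in this file annotate anything non-obvious (`# cjp: this may be related to /dev/log`, `# Red Hat systems seem to have a stray`). A one-line note such as `# systemd reads EFI variables under /sys/firmware/efi/efivars; see issue #121` above the rule would keep the grant auditable when the policy is reviewed later. The rule is read-only and unconditional, which is presumably harmless on non-EFI hosts where efivarfs is not mounted, but that reasoning belongs in the comment too. The libraries.te call to `glusterd_dontaudit_read_lib_dirs(ldconfig_t)` is correctly wrapped in `optional_policy` since the interface is defined in the contrib glusterd module.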


@ -31640,10 +31640,10 @@ index 5cd0909..bd3c3d2 100644
+corenet_tcp_connect_glance_registry_port(glance_scrubber_t) +corenet_tcp_connect_glance_registry_port(glance_scrubber_t)
diff --git a/glusterd.fc b/glusterd.fc diff --git a/glusterd.fc b/glusterd.fc
new file mode 100644 new file mode 100644
index 0000000..cbd6aa4 index 0000000..52b4110
--- /dev/null --- /dev/null
+++ b/glusterd.fc +++ b/glusterd.fc
@@ -0,0 +1,20 @@ @@ -0,0 +1,22 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+ +
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
@ -31659,17 +31659,19 @@ index 0000000..cbd6aa4
+/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) +/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+ +
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0)
+ +
+/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterd.if b/glusterd.if diff --git a/glusterd.if b/glusterd.if
new file mode 100644 new file mode 100644
index 0000000..fc9bf19 index 0000000..764ae00
--- /dev/null --- /dev/null
+++ b/glusterd.if +++ b/glusterd.if
@@ -0,0 +1,243 @@ @@ -0,0 +1,261 @@
+ +
+## <summary>policy for glusterd</summary> +## <summary>policy for glusterd</summary>
+ +
@ -31830,6 +31832,24 @@ index 0000000..fc9bf19
+ +
+###################################### +######################################
+## <summary> +## <summary>
+## Dontaudit Read /var/lib/glusterd files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterd_dontaudit_read_lib_dirs',`
+ gen_require(`
+ type glusterd_var_lib_t;
+ ')
+
+ dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;
+')
+
+######################################
+## <summary>
+## Read and write /var/lib/glusterd files. +## Read and write /var/lib/glusterd files.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -31915,10 +31935,10 @@ index 0000000..fc9bf19
+ +
diff --git a/glusterd.te b/glusterd.te diff --git a/glusterd.te b/glusterd.te
new file mode 100644 new file mode 100644
index 0000000..afabf8c index 0000000..59e84ca
--- /dev/null --- /dev/null
+++ b/glusterd.te +++ b/glusterd.te
@@ -0,0 +1,297 @@ @@ -0,0 +1,295 @@
+policy_module(glusterd, 1.1.3) +policy_module(glusterd, 1.1.3)
+ +
+## <desc> +## <desc>
@ -32002,10 +32022,8 @@ index 0000000..afabf8c
+allow glusterd_t glusterd_tmp_t:dir mounton; +allow glusterd_t glusterd_tmp_t:dir mounton;
+ +
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) +logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+ +
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
@ -45368,7 +45386,7 @@ index dd8e01a..9cd6b0b 100644
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
diff --git a/logrotate.te b/logrotate.te diff --git a/logrotate.te b/logrotate.te
index be0ab84..3c99496 100644 index be0ab84..688605e 100644
--- a/logrotate.te --- a/logrotate.te
+++ b/logrotate.te +++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@ -45493,7 +45511,7 @@ index be0ab84..3c99496 100644
files_manage_generic_spool(logrotate_t) files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t) files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t) files_getattr_generic_locks(logrotate_t)
@@ -95,32 +126,52 @@ mls_process_write_to_clearance(logrotate_t) @@ -95,32 +126,54 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t) selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t) selinux_get_enforce_mode(logrotate_t)
@ -45524,6 +45542,8 @@ index be0ab84..3c99496 100644
+miscfiles_read_hwdata(logrotate_t) +miscfiles_read_hwdata(logrotate_t)
-userdom_use_user_terminals(logrotate_t) -userdom_use_user_terminals(logrotate_t)
+term_dontaudit_use_unallocated_ttys(logrotate_t)
+
+userdom_use_inherited_user_terminals(logrotate_t) +userdom_use_inherited_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t) userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t)
@ -45552,7 +45572,7 @@ index be0ab84..3c99496 100644
') ')
optional_policy(` optional_policy(`
@@ -135,16 +186,17 @@ optional_policy(` @@ -135,16 +188,17 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_read_config(logrotate_t) apache_read_config(logrotate_t)
@ -45572,7 +45592,7 @@ index be0ab84..3c99496 100644
') ')
optional_policy(` optional_policy(`
@@ -170,6 +222,11 @@ optional_policy(` @@ -170,6 +224,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -45584,7 +45604,7 @@ index be0ab84..3c99496 100644
fail2ban_stream_connect(logrotate_t) fail2ban_stream_connect(logrotate_t)
') ')
@@ -178,7 +235,7 @@ optional_policy(` @@ -178,7 +237,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -45593,7 +45613,7 @@ index be0ab84..3c99496 100644
') ')
optional_policy(` optional_policy(`
@@ -198,17 +255,18 @@ optional_policy(` @@ -198,17 +257,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -45615,7 +45635,7 @@ index be0ab84..3c99496 100644
') ')
optional_policy(` optional_policy(`
@@ -216,6 +274,14 @@ optional_policy(` @@ -216,6 +276,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -45630,7 +45650,7 @@ index be0ab84..3c99496 100644
samba_exec_log(logrotate_t) samba_exec_log(logrotate_t)
') ')
@@ -228,26 +294,43 @@ optional_policy(` @@ -228,26 +296,43 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -117642,7 +117662,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t) - admin_pattern($1, zabbix_tmpfs_t)
') ')
diff --git a/zabbix.te b/zabbix.te diff --git a/zabbix.te b/zabbix.te
index 7f496c6..b23f29d 100644 index 7f496c6..fccb7b1 100644
--- a/zabbix.te --- a/zabbix.te
+++ b/zabbix.te +++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@ -117860,7 +117880,7 @@ index 7f496c6..b23f29d 100644
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
@@ -170,6 +185,26 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) @@ -170,6 +185,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t)
corenet_tcp_connect_ssh_port(zabbix_agent_t) corenet_tcp_connect_ssh_port(zabbix_agent_t)
corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) corenet_tcp_sendrecv_ssh_port(zabbix_agent_t)
@ -117880,6 +117900,10 @@ index 7f496c6..b23f29d 100644
+corenet_tcp_connect_pop_port(zabbix_agent_t) +corenet_tcp_connect_pop_port(zabbix_agent_t)
+corenet_tcp_sendrecv_pop_port(zabbix_agent_t) +corenet_tcp_sendrecv_pop_port(zabbix_agent_t)
+ +
+corenet_sendrecv_postgresql_client_packets(zabbix_agent_t)
+corenet_tcp_connect_postgresql_port(zabbix_agent_t)
+corenet_tcp_sendrecv_postgresql_port(zabbix_agent_t)
+
+corenet_sendrecv_smtp_client_packets(zabbix_agent_t) +corenet_sendrecv_smtp_client_packets(zabbix_agent_t)
+corenet_tcp_connect_smtp_port(zabbix_agent_t) +corenet_tcp_connect_smtp_port(zabbix_agent_t)
+corenet_tcp_sendrecv_smtp_port(zabbix_agent_t) +corenet_tcp_sendrecv_smtp_port(zabbix_agent_t)
@ -117887,7 +117911,7 @@ index 7f496c6..b23f29d 100644
corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) corenet_sendrecv_zabbix_client_packets(zabbix_agent_t)
corenet_tcp_connect_zabbix_port(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t)
corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
@@ -177,21 +212,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) @@ -177,21 +216,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t)
dev_getattr_all_chr_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t)
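Review bot: The glusterd.te hunk replaces `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on glusterd_log_t with `manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)`, which additionally grants write, unlink, rename and link on the daemon's own log files; the commit message only claims "create", which was already granted, so the append-only property of the log (a compromised glusterd cannot truncate or remove its own audit trail) is given up without a stated reason. If the actual need is the file transition for /var/log/ganesha.log, keeping the three original patterns and only widening the transition to `logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir })` covers it, and if full manage is genuinely required a comment above the rule should say which operation fails without it. The new glusterd.fc entry `/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0)` is broader than the `/var/run/ganesha.pid` named in the commit message, since the unescaped `.` and `.*` match any file whose name starts with `ganesha`; `/var/run/ganesha\.pid` would be the precise form if that is all that is wanted, though the wider pattern does mirror the existing `/var/run/glusterd.*` entries. Separately, the new interface `glusterd_dontaudit_read_lib_dirs` is documented as "Dontaudit Read /var/lib/glusterd files" but its body dontaudits `dir list_dir_perms`, so the summary should read `Do not audit attempts to list /var/lib/glusterd directories.` to match what it grants.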


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 189%{?dist} Release: 190%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -647,6 +647,12 @@ exit 0
%endif %endif
%changelog %changelog
* Mon May 16 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-190
- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t.
- Allow zabbix to connect to postgresql port
- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149)
- Allow systemd to read efivarfs. Resolve: #121
* Tue May 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-189 * Tue May 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-189
- Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed - Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed