Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

Conflicts:
	config.tgz
This commit is contained in:
Dan Walsh 2012-06-07 10:14:02 -04:00
commit 5f75e360e4
14 changed files with 223111 additions and 3712 deletions


@ -1,5 +1,5 @@
# Turn off the ability for one process to read/modify another processes memory
deny_ptrace = true
deny_ptrace = false
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
deny_execmem = false
@ -11,7 +11,7 @@ allow_execmod = true
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = false
allow_execstack = true
# Allow ftpd to read cifs directories.
#
@ -33,6 +33,10 @@ allow_gssd_read_tmp = true
#
allow_httpd_anon_write = false
# Allow Apache to connect to port 80 for graceful shutdown
#
httpd_graceful_shutdown = true
# Allow Apache to use mod_auth_pam module
#
allow_httpd_mod_auth_pam = false
@ -232,7 +236,9 @@ allow_xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
allow_guest_exec_content = false
allow_xguest_exec_content = false
# xguest now requires to execute content in homedir to allow gnome-shell to work# properly.
allow_xguest_exec_content = true
# Only allow browser to use the web
#
@ -264,7 +270,7 @@ unconfined_mozilla_plugin_transition=true
# Allow unconfined domain to transition to confined domain
#
unconfined_telepathy_transition=true
unconfined_telepathy_transition=false
# Allow unconfined domain to transition to chrome_sandbox confined domain
#
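Review bot: `deny_ptrace` is flipped to `false` and `allow_execstack` to `true` in the first two hunks with no comment explaining why, while the `allow_xguest_exec_content` change in the same file does carry one (`# xguest now requires to execute content in homedir to allow gnome-shell to work properly`). Assuming the second of each doubled line is the new value, these two re-enable cross-process memory access and executable stacks for the whole targeted policy, which is a system-wide hardening rollback rather than a fix for one application, so a one-line justification in the same style as the xguest one (for example `# deny_ptrace left off by default: <reason/reference>`) would let the next reader know whether it is meant to stay. The same applies to `unconfined_telepathy_transition=false`, which keeps telepathy unconfined for unconfined users. The xguest comment itself has a missing line break before `# properly.` that should be repaired so the second half is not read as part of the first sentence.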



@ -67,6 +67,13 @@ collectd = module
#
colord = module
# Layer: services
# Module: couchdb
#
# Apache CouchDB database server
#
couchdb = module
# Layer: apps
# Module: cpufreqselector
#
@ -194,6 +201,13 @@ automount = module
#
avahi = module
# Layer: services
# Module: bcfg2
#
# Configuration management server
#
bcfg2 = module
# Layer: services
# Module: boinc
#
@ -723,13 +737,6 @@ hddtemp = module
#
passenger = module
# Layer: admin
# Module: permissivedomains
#
# Contains all permissivedomains shipped by distribution
#
permissivedomains = module
# Layer: services
# Module: policykit
#
@ -758,6 +765,20 @@ ptchown = module
#
psad = module
# Layer: apps
# Module: pwauth
#
# External plugin for mod_authnz_external authenticator
#
pwauth = module
# Layer: services
# Module: quantum
#
# Quantum is a virtual network service for Openstack
#
quantum = module
# Layer: system
# Module: hostname
#
@ -835,7 +856,6 @@ icecast = module
#
i18n_input = off
# Layer: services
# Module: jabber
#
@ -843,6 +863,13 @@ i18n_input = off
#
jabber = module
# Layer: services
# Module: jetty
#
# Java based http server
#
jetty = module
# Layer: admin
# Module: kdump
#
@ -2369,6 +2396,13 @@ milter = module
#
keyboardd = module
# Layer: services
# Module: keystone
#
# openstack-keystone
#
keystone = module
# Layer: services
# Module: firewalld
#
@ -2439,6 +2473,13 @@ sblim = module
#
cfengine = module
# Layer: services
# Module: pacemaker
#
# pacemaker
#
pacemaker = module
# Layer: services
# Module: polipo
#
@ -2480,3 +2521,38 @@ obex = module
# policy for grindengine MPI jobs
#
sge = module
# Layer: apps
# Module: jockey
#
# policy for jockey-backend
#
jockey = module
# Layer: services
# Module: numad
#
# numad - user-level daemon that provides advice and managment for optimum use of CPUs and memory on systems with NUMA topology
#
numad = module
# Layer: services
# Module: condor
#
# policy for condor
#
condor = module
# Layer: services
# Module: svnserve
#
# policy for subversion service
#
svnserve = module
# Layer: apps
# Module: man2html
#
# policy for man2html apps
#
man2html = module
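Review bot: The `permissivedomains = module` entry (with its `# Layer: admin` header) is dropped from the module list, yet this same commit adds permissivedomains.te and a pre-built permissivedomains.pp binary, and the spec lists that binary as `Source28: permissivedomains.pp`. If the intent is that the .pp is shipped as a separate source instead of being compiled here, the module is no longer built from its .te at package-build time and a stale binary can silently diverge from the text; a comment in place of the removed entry such as `# permissivedomains is built separately and shipped as Source28; regenerate the .pp whenever permissivedomains.te changes` would make that explicit. Note also that almost every module added in this section (couchdb, bcfg2, pwauth, quantum, keystone, pacemaker, jockey, numad, condor, svnserve, man2html) is marked `permissive` in permissivedomains.te, so enabling them here produces AVC logging but no enforcement until they are removed from that list.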

1
permissivedomains.fc Normal file

@ -0,0 +1 @@
# No file contexts

1
permissivedomains.if Normal file

@ -0,0 +1 @@
## <summary>No Interfaces</summary>

BIN
permissivedomains.pp Normal file


162
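--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -0,0 +1,162 @@
+policy_module(permissivedomains,17)
+optional_policy(`
+gen_require(`
+type bcfg2_t;
+')
+permissive bcfg2_t;
+')
+optional_policy(`
+gen_require(`
+type couchdb_t;
+')
+permissive couchdb_t;
+')
+optional_policy(`
+gen_require(`
+type blueman_t;
+')
+permissive blueman_t;
+')
+optional_policy(`
+gen_require(`
+type httpd_zoneminder_script_t, zoneminder_t;
+')
+permissive httpd_zoneminder_script_t;
+permissive zoneminder_t;
+')
+optional_policy(`
+gen_require(`
+type selinux_munin_plugin_t;
+')
+permissive selinux_munin_plugin_t;
+')
+optional_policy(`
+gen_require(`
+type dnssec_trigger_t;
+')
+permissive dnssec_trigger_t;
+')
+optional_policy(`
+gen_require(`
+type obex_t;
+')
+permissive obex_t;
+')
+optional_policy(`
+gen_require(`
+type sge_shepherd_t;
+type sge_execd_t;
+type sge_job_t;
+')
+permissive sge_shepherd_t;
+permissive sge_execd_t;
+permissive sge_job_t;
+')
+optional_policy(`
+gen_require(`
+type matahari_rpcd_t;
+')
+permissive matahari_rpcd_t;
+')
+optional_policy(`
+gen_require(`
+type keystone_t;
+')
+permissive keystone_t;
+')
+optional_policy(`
+gen_require(`
+type pacemaker_t;
+')
+permissive pacemaker_t;
+')
+optional_policy(`
+gen_require(`
+type jockey_t;
+')
+permissive jockey_t;
+')
+optional_policy(`
+gen_require(`
+type quantum_t;
+')
+permissive quantum_t;
+')
+optional_policy(`
+gen_require(`
+type numad_t;
+')
+permissive numad_t;
+')
+optional_policy(`
+gen_require(`
+type pwauth_t;
+')
+permissive pwauth_t;
+')
+optional_policy(`
+gen_require(`
+type man2html_t;
+')
+permissive man2html_t;
+')
+optional_policy(`
+gen_require(`
+type svnserve_t;
+')
+permissive svnserve_t;
+')
+optional_policy(`
+gen_require(`
+type condor_collector_t;
+type condor_negotiator_t;
+type condor_startd_t;
+type condor_schedd_t;
+type condor_procd_t;
+type condor_master_t;
+')
+permissive condor_collector_t;
+permissive condor_negotiator_t;
+permissive condor_schedd_t;
+permissive condor_startd_t;
+permissive condor_procd_t;
+permissive condor_master_t;
+')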
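Review bot: Nothing in this new module says why each domain is permissive or when it is expected to leave the list, and that matters because a permissive domain is allowed every access and only logs what enforcing mode would have denied — keystone_t (an identity service) and pacemaker_t (cluster control), both enabled as modules in this same commit, are effectively unconfined here. A short header after `policy_module(permissivedomains,17)` stating that every entry is a temporary, logging-only exemption for a policy that is not yet stable, plus a one-line `# why permissive / where it is tracked` comment above each `permissive` statement, would document that intent; the gap is most visible for blueman_t, obex_t, matahari_rpcd_t and the munin plugin, which are not touched anywhere else in this commit. A smaller point of style: the zoneminder block declares both types on one `type a, b;` line while the sge and condor blocks use one `type` line each, and the condor `permissive` lines are in a different order from its gen_require (schedd/startd swapped) — one consistent form makes the list easier to diff when entries are removed.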



90452
policy-rawhide.patch Normal file



@ -0,0 +1,854 @@
commit f53f820fe366940d4fdecaef80de4e5b1178fac6
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 01:38:59 2012 +0200
roleattribute patch
diff --git a/livecd.if b/livecd.if
index bfbf676..fb7869e 100644
--- a/livecd.if
+++ b/livecd.if
@@ -38,12 +38,19 @@ interface(`livecd_run',`
gen_require(`
type livecd_t;
type livecd_exec_t;
- attribute_role livecd_roles;
+ #attribute_role livecd_roles;
')
livecd_domtrans($1)
- roleattribute $2 livecd_roles;
+ #roleattribute $2 livecd_roles;
+ role $2 types livecd_t;
role_transition $2 livecd_exec_t system_r;
+
+ seutil_run_setfiles_mac(livecd_t, system_r)
+
+ optional_policy(`
+ mount_run(livecd_t, $2)
+ ')
')
########################################
diff --git a/livecd.te b/livecd.te
index 65efdae..7a944b5 100644
--- a/livecd.te
+++ b/livecd.te
@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0)
# Declarations
#
-attribute_role livecd_roles;
-roleattribute system_r livecd_roles;
+#attribute_role livecd_roles;
+#roleattribute system_r livecd_roles;
type livecd_t;
type livecd_exec_t;
application_domain(livecd_t, livecd_exec_t)
-role livecd_roles types livecd_t;
+role system_r types livecd_t;
+#role livecd_roles types livecd_t;
type livecd_tmp_t;
files_tmp_file(livecd_tmp_t)
@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t)
sysnet_filetrans_named_content(livecd_t)
-optional_policy(`
- mount_run(livecd_t, livecd_roles)
- seutil_run_setfiles_mac(livecd_t, livecd_roles)
-')
+#optional_policy(`
+# mount_run(livecd_t, livecd_roles)
+# seutil_run_setfiles_mac(livecd_t, livecd_roles)
+#')
optional_policy(`
ssh_filetrans_admin_home_content(livecd_t)
diff --git a/mozilla.if b/mozilla.if
index 30b0241..30bfefb 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -18,10 +18,11 @@
interface(`mozilla_role',`
gen_require(`
type mozilla_t, mozilla_exec_t, mozilla_home_t;
- attribute_role mozilla_roles;
+ #attribute_role mozilla_roles;
')
- roleattribute $1 mozilla_roles;
+ #roleattribute $1 mozilla_roles;
+ role $1 types mozilla_t;
domain_auto_trans($2, mozilla_exec_t, mozilla_t)
# Unrestricted inheritance from the caller.
@@ -47,6 +48,8 @@ interface(`mozilla_role',`
relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+ #should be remove then with adding of roleattribute
+ mozilla_run_plugin(mozilla_t, $1)
mozilla_dbus_chat($2)
userdom_manage_tmp_role($1, mozilla_t)
@@ -63,7 +66,6 @@ interface(`mozilla_role',`
mozilla_filetrans_home_content($2)
- mozilla_dbus_chat($2)
')
########################################
diff --git a/mozilla.te b/mozilla.te
index 7bf56bf..56700a4 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false)
## </desc>
gen_tunable(mozilla_plugin_enable_homedirs, false)
-attribute_role mozilla_roles;
+#attribute_role mozilla_roles;
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
-role mozilla_roles types mozilla_t;
+#role mozilla_roles types mozilla_t;
+role system_r types mozilla_t;
type mozilla_conf_t;
files_config_file(mozilla_conf_t)
@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
-role mozilla_roles types mozilla_plugin_t;
+#role mozilla_roles types mozilla_plugin_t;
+role system_r types mozilla_plugin_t;
type mozilla_plugin_tmp_t;
userdom_user_tmp_content(mozilla_plugin_tmp_t)
@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t)
type mozilla_plugin_config_t;
type mozilla_plugin_config_exec_t;
application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
-role mozilla_roles types mozilla_plugin_config_t;
+#role mozilla_roles types mozilla_plugin_config_t;
+role system_r types mozilla_plugin_config_t;
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t)
userdom_use_inherited_user_ptys(mozilla_t)
-mozilla_run_plugin(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
@@ -298,7 +301,8 @@ optional_policy(`
')
optional_policy(`
- pulseaudio_role(mozilla_roles, mozilla_t)
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
@@ -476,9 +480,9 @@ optional_policy(`
java_exec(mozilla_plugin_t)
')
-optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-')
+#optional_policy(`
+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
+#')
optional_policy(`
mplayer_exec(mozilla_plugin_t)
diff --git a/ncftool.if b/ncftool.if
index 1520b6c..3a4455f 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',`
#
interface(`ncftool_run',`
gen_require(`
- attribute_role ncftool_roles;
+ type ncftool_t;
+ #attribute_role ncftool_roles;
')
- ncftool_domtrans($1)
- roleattribute $2 ncftool_roles;
+ #ncftool_domtrans($1)
+ #roleattribute $2 ncftool_roles;
+
+ role $1 types ncftool_t;
+
+ ncftool_domtrans($2)
+
+ ps_process_pattern($2, ncftool_t)
+ allow $2 ncftool_t:process signal;
')
diff --git a/ncftool.te b/ncftool.te
index 91ab36d..8c48c33 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0)
# Declarations
#
-attribute_role ncftool_roles;
-roleattribute system_r ncftool_roles;
+#attribute_role ncftool_roles;
+#roleattribute system_r ncftool_roles;
type ncftool_t;
type ncftool_exec_t;
application_domain(ncftool_t, ncftool_exec_t)
domain_obj_id_change_exemption(ncftool_t)
domain_system_change_exemption(ncftool_t)
-role ncftool_roles types ncftool_t;
+#role ncftool_roles types ncftool_t;
+role system_r types ncftool_t;
########################################
#
@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t)
miscfiles_read_localization(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
-sysnet_run_dhcpc(ncftool_t, ncftool_roles)
-sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t)
userdom_use_user_terminals(ncftool_t)
userdom_read_user_tmp_files(ncftool_t)
-optional_policy(`
- brctl_run(ncftool_t, ncftool_roles)
-')
+#optional_policy(`
+# brctl_run(ncftool_t, ncftool_roles)
+#')
optional_policy(`
consoletype_exec(ncftool_t)
@@ -85,9 +88,12 @@ optional_policy(`
optional_policy(`
modutils_read_module_config(ncftool_t)
- modutils_run_insmod(ncftool_t, ncftool_roles)
+ modutils_domtrans_insmod(ncftool_t)
+ #modutils_run_insmod(ncftool_t, ncftool_roles)
+
')
optional_policy(`
- netutils_run(ncftool_t, ncftool_roles)
+ netutils_domtrans(ncftool_t)
+ #netutils_run(ncftool_t, ncftool_roles)
')
diff --git a/ppp.if b/ppp.if
index c174b05..a4cad0b 100644
--- a/ppp.if
+++ b/ppp.if
@@ -175,11 +175,18 @@ interface(`ppp_run_cond',`
#
interface(`ppp_run',`
gen_require(`
- attribute_role pppd_roles;
+ #attribute_role pppd_roles;
+ type pppd_t;
')
- ppp_domtrans($1)
- roleattribute $2 pppd_roles;
+ #ppp_domtrans($1)
+ #roleattribute $2 pppd_roles;
+
+ role $2 types pppd_t;
+
+ tunable_policy(`pppd_for_user',`
+ ppp_domtrans($1)
+ ')
')
########################################
diff --git a/ppp.te b/ppp.te
index 17e10a2..92cec2b 100644
--- a/ppp.te
+++ b/ppp.te
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
## </desc>
gen_tunable(pppd_for_user, false)
-attribute_role pppd_roles;
+#attribute_role pppd_roles;
# pppd_t is the domain for the pppd program.
# pppd_exec_t is the type of the pppd executable.
type pppd_t;
type pppd_exec_t;
init_daemon_domain(pppd_t, pppd_exec_t)
-role pppd_roles types pppd_t;
+#role pppd_roles types pppd_t;
+role system_r types pppd_t;
type pppd_devpts_t;
term_pty(pppd_devpts_t)
@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t)
type pptp_t;
type pptp_exec_t;
init_daemon_domain(pptp_t, pptp_exec_t)
-role pppd_roles types pptp_t;
+#role pppd_roles types pptp_t;
+role system_r types pptp_t;
type pptp_log_t;
logging_log_file(pptp_log_t)
@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
-auth_run_chk_passwd(pppd_t,pppd_roles)
+auth_domtrans_chk_passwd(pppd_t)
+#auth_run_chk_passwd(pppd_t,pppd_roles)
auth_write_login_records(pppd_t)
logging_send_syslog_msg(pppd_t)
@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t)
ppp_exec(pppd_t)
optional_policy(`
- ddclient_run(pppd_t, pppd_roles)
+ #ddclient_run(pppd_t, pppd_roles)
+ ddclient_domtrans(pppd_t)
')
optional_policy(`
diff --git a/usernetctl.if b/usernetctl.if
index d45c715..2d4f1ba 100644
--- a/usernetctl.if
+++ b/usernetctl.if
@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',`
#
interface(`usernetctl_run',`
gen_require(`
- attribute_role usernetctl_roles;
+ type usernetctl_t;
+ #attribute_role usernetctl_roles;
')
- usernetctl_domtrans($1)
- roleattribute $2 usernetctl_roles;
+ #usernetctl_domtrans($1)
+ #roleattribute $2 usernetctl_roles;
+
+ sysnet_run_ifconfig(usernetctl_t, $2)
+ sysnet_run_dhcpc(usernetctl_t, $2)
+
+ optional_policy(`
+ iptables_run(usernetctl_t, $2)
+ ')
+
+ optional_policy(`
+ modutils_run_insmod(usernetctl_t, $2)
+ ')
+
+ optional_policy(`
+ ppp_run(usernetctl_t, $2)
+ ')
+
')
diff --git a/usernetctl.te b/usernetctl.te
index 8604c1c..35b12a6 100644
--- a/usernetctl.te
+++ b/usernetctl.te
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
# Declarations
#
-attribute_role usernetctl_roles;
+#attribute_role usernetctl_roles;
type usernetctl_t;
type usernetctl_exec_t;
application_domain(usernetctl_t, usernetctl_exec_t)
domain_interactive_fd(usernetctl_t)
-role usernetctl_roles types usernetctl_t;
+#role usernetctl_roles types usernetctl_t;
+role system_r types usernetctl_t;
########################################
#
@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t)
userdom_use_inherited_user_terminals(usernetctl_t)
-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
optional_policy(`
- consoletype_run(usernetctl_t, usernetctl_roles)
+ #consoletype_run(usernetctl_t, usernetctl_roles)
+ consoletype_exec(usernetctl_t)
')
optional_policy(`
hostname_exec(usernetctl_t)
')
-optional_policy(`
- iptables_run(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+# iptables_run(usernetctl_t, usernetctl_roles)
+#')
-optional_policy(`
- modutils_run_insmod(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
+#')
optional_policy(`
nis_use_ypbind(usernetctl_t)
')
-optional_policy(`
- ppp_run(usernetctl_t, usernetctl_roles)
-')
+#optional_policy(`
+# ppp_run(usernetctl_t, usernetctl_roles)
+#')
diff --git a/vpn.if b/vpn.if
index 7b93e07..a4e2f60 100644
--- a/vpn.if
+++ b/vpn.if
@@ -37,11 +37,16 @@ interface(`vpn_domtrans',`
#
interface(`vpn_run',`
gen_require(`
- attribute_role vpnc_roles;
+ #attribute_role vpnc_roles;
+ type vpnc_t;
')
+ #vpn_domtrans($1)
+ #roleattribute $2 vpnc_roles;
+
vpn_domtrans($1)
- roleattribute $2 vpnc_roles;
+ role $2 types vpnc_t;
+ sysnet_run_ifconfig(vpnc_t, $2)
')
########################################
diff --git a/vpn.te b/vpn.te
index 99fd457..d2585bb 100644
--- a/vpn.te
+++ b/vpn.te
@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0)
# Declarations
#
-attribute_role vpnc_roles;
-roleattribute system_r vpnc_roles;
+#attribute_role vpnc_roles;
+#roleattribute system_r vpnc_roles;
type vpnc_t;
type vpnc_exec_t;
init_system_domain(vpnc_t, vpnc_exec_t)
application_domain(vpnc_t, vpnc_exec_t)
-role vpnc_roles types vpnc_t;
+#role vpnc_roles types vpnc_t;
+role system_r types vpnc_t;
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
-sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
commit 88b64bdd71ef734271b9370fc37e02785f354f7f
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 02:33:40 2012 +0200
Fix ncftool.if
diff --git a/ncftool.if b/ncftool.if
index 3a4455f..59f096b 100644
--- a/ncftool.if
+++ b/ncftool.if
@@ -43,11 +43,12 @@ interface(`ncftool_run',`
#ncftool_domtrans($1)
#roleattribute $2 ncftool_roles;
- role $1 types ncftool_t;
+ ncftool_domtrans($1)
+ role $2 types ncftool_t;
- ncftool_domtrans($2)
+ optional_policy(`
+ brctl_run(ncftool_t, $2)
+ ')
- ps_process_pattern($2, ncftool_t)
- allow $2 ncftool_t:process signal;
')
commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 10:47:57 2012 +0200
roleattriburte temp fixes for portage and dpkg
diff --git a/dpkg.if b/dpkg.if
index 4d32b42..d945bd0 100644
--- a/dpkg.if
+++ b/dpkg.if
@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',`
#
interface(`dpkg_run',`
gen_require(`
- attribute_role dpkg_roles;
+ #attribute_role dpkg_roles;
+ type dpkg_t, dpkg_script_t
')
+ #dpkg_domtrans($1)
+ #roleattribute $2 dpkg_roles;
+
dpkg_domtrans($1)
- roleattribute $2 dpkg_roles;
+ role $2 types dpkg_t;
+ role $2 types dpkg_script_t;
+ seutil_run_loadpolicy(dpkg_script_t, $2)
+
')
########################################
diff --git a/dpkg.te b/dpkg.te
index a1b8f92..9ac1b80 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
# Declarations
#
-attribute_role dpkg_roles;
-roleattribute system_r dpkg_roles;
+#attribute_role dpkg_roles;
+#roleattribute system_r dpkg_roles;
type dpkg_t;
type dpkg_exec_t;
@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
-role dpkg_roles types dpkg_t;
+#role dpkg_roles types dpkg_t;
+role system_r types dpkg_t;
# lockfile
type dpkg_lock_t;
@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
-role dpkg_roles types dpkg_script_t;
+#role dpkg_roles types dpkg_script_t;
+role system_r types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
init_use_script_ptys(dpkg_t)
+#libs_exec_ld_so(dpkg_t)
+#libs_exec_lib_files(dpkg_t)
+#libs_run_ldconfig(dpkg_t, dpkg_roles)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
-libs_run_ldconfig(dpkg_t, dpkg_roles)
+libs_domtrans_ldconfig(dpkg_t)
logging_send_syslog_msg(dpkg_t)
@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-seutil_run_setfiles(dpkg_t, dpkg_roles)
+#modutils_run_depmod(dpkg_t, dpkg_roles)
+#modutils_run_insmod(dpkg_t, dpkg_roles)
+#seutil_run_loadpolicy(dpkg_t, dpkg_roles)
+#seutil_run_setfiles(dpkg_t, dpkg_roles)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`
mta_send_mail(dpkg_t)
')
+
+
optional_policy(`
- usermanage_run_groupadd(dpkg_t, dpkg_roles)
- usermanage_run_useradd(dpkg_t, dpkg_roles)
+ modutils_domtrans_depmod(dpkg_t)
+ modutils_domtrans_insmod(dpkg_t)
+ seutil_domtrans_loadpolicy(dpkg_t)
+ seutil_domtrans_setfiles(dpkg_t)
+ usermanage_domtrans_groupadd(dpkg_t)
+ usermanage_domtrans_useradd(dpkg_t)
')
+#optional_policy(`
+# usermanage_run_groupadd(dpkg_t, dpkg_roles)
+# usermanage_run_useradd(dpkg_t, dpkg_roles)
+#')
+
########################################
#
# dpkg-script Local policy
@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t)
miscfiles_read_localization(dpkg_script_t)
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
+#modutils_run_depmod(dpkg_script_t, dpkg_roles)
+#modutils_run_insmod(dpkg_script_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
-seutil_run_setfiles(dpkg_script_t, dpkg_roles)
+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
+#seutil_run_setfiles(dpkg_script_t, dpkg_roles)
userdom_use_all_users_fds(dpkg_script_t)
@@ -319,9 +335,9 @@ optional_policy(`
apt_use_fds(dpkg_script_t)
')
-optional_policy(`
- bootloader_run(dpkg_script_t, dpkg_roles)
-')
+#optional_policy(`
+# bootloader_run(dpkg_script_t, dpkg_roles)
+#')
optional_policy(`
mta_send_mail(dpkg_script_t)
@@ -335,7 +351,7 @@ optional_policy(`
unconfined_domain(dpkg_script_t)
')
-optional_policy(`
- usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
- usermanage_run_useradd(dpkg_script_t, dpkg_roles)
-')
+#optional_policy(`
+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles)
+# usermanage_run_useradd(dpkg_script_t, dpkg_roles)
+#')
diff --git a/portage.if b/portage.if
index b4bb48a..e5e8f12 100644
--- a/portage.if
+++ b/portage.if
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
#
interface(`portage_run',`
gen_require(`
- attribute_role portage_roles;
+ type portage_t, portage_fetch_t, portage_sandbox_t;
+ #attribute_role portage_roles;
')
- portage_domtrans($1)
- roleattribute $2 portage_roles;
+ #portage_domtrans($1)
+ #roleattribute $2 portage_roles;
+ portage_domtrans($1)
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }
+
')
########################################
diff --git a/portage.te b/portage.te
index 22bdf7d..f726e1d 100644
--- a/portage.te
+++ b/portage.te
@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
## </desc>
gen_tunable(portage_use_nfs, false)
-attribute_role portage_roles;
+#attribute_role portage_roles;
type gcc_config_t;
type gcc_config_exec_t;
@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t)
domain_obj_id_change_exemption(portage_t)
rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)
-role portage_roles types portage_t;
+#role portage_roles types portage_t;
+role system_r types portage_t;
# portage compile sandbox domain
type portage_sandbox_t;
@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
-role portage_roles types portage_sandbox_t;
+#role portage_roles types portage_sandbox_t;
+role system_r types portage_sandbox_t;
# portage package fetching domain
type portage_fetch_t;
@@ -41,7 +43,8 @@ type portage_fetch_exec_t;
application_domain(portage_fetch_t, portage_fetch_exec_t)
corecmd_shell_entry_type(portage_fetch_t)
rsync_entry_type(portage_fetch_t)
-role portage_roles types portage_fetch_t;
+#role portage_roles types portage_fetch_t;
+role system_r types portage_fetch_t;
type portage_devpts_t;
term_pty(portage_devpts_t)
@@ -115,7 +118,8 @@ files_list_all(gcc_config_t)
init_dontaudit_read_script_status_files(gcc_config_t)
libs_read_lib_files(gcc_config_t)
-libs_run_ldconfig(gcc_config_t, portage_roles)
+#libs_run_ldconfig(gcc_config_t, portage_roles)
+libs_domtrans_ldconfig(gcc_config_t)
libs_manage_shared_libs(gcc_config_t)
# gcc-config creates a temp dir for the libs
libs_manage_lib_dirs(gcc_config_t)
@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t)
init_exec(portage_t)
# run setfiles -r
-seutil_run_setfiles(portage_t, portage_roles)
+#seutil_run_setfiles(portage_t, portage_roles)
# run semodule
-seutil_run_semanage(portage_t, portage_roles)
+#seutil_run_semanage(portage_t, portage_roles)
-portage_run_gcc_config(portage_t, portage_roles)
+#portage_run_gcc_config(portage_t, portage_roles)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t)
-optional_policy(`
- bootloader_run(portage_t, portage_roles)
-')
+#optional_policy(`
+# bootloader_run(portage_t, portage_roles)
+#')
optional_policy(`
cron_system_entry(portage_t, portage_exec_t)
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
')
-optional_policy(`
- modutils_run_depmod(portage_t, portage_roles)
- modutils_run_update_mods(portage_t, portage_roles)
+#optional_policy(`
+# modutils_run_depmod(portage_t, portage_roles)
+# modutils_run_update_mods(portage_t, portage_roles)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
-optional_policy(`
- usermanage_run_groupadd(portage_t, portage_roles)
- usermanage_run_useradd(portage_t, portage_roles)
-')
+#optional_policy(`
+# usermanage_run_groupadd(portage_t, portage_roles)
+# usermanage_run_useradd(portage_t, portage_roles)
+#')
+
+seutil_domtrans_setfiles(portage_t)
+seutil_domtrans_semanage(portage_t)
+bootloader_domtrans(portage_t)
+modutils_domtrans_depmod(portage_t)
+modutils_domtrans_update_mods(portage_t)
+usermanage_domtrans_groupadd(portage_t)
+usermanage_domtrans_useradd(portage_t)
ifdef(`TODO',`
# seems to work ok without these
commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 10:52:09 2012 +0200
Fix typo
diff --git a/portage.if b/portage.if
index e5e8f12..7098ded 100644
--- a/portage.if
+++ b/portage.if
@@ -50,7 +50,7 @@ interface(`portage_run',`
#portage_domtrans($1)
#roleattribute $2 portage_roles;
portage_domtrans($1)
- role $2 types { portage_t portage_fetch_t portage_sandbox_t }
+ role $2 types { portage_t portage_fetch_t portage_sandbox_t };
')
commit cf999ca29d2a4401c481e28c169e10d676d73526
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Jun 7 10:59:22 2012 +0200
One more typo
diff --git a/dpkg.if b/dpkg.if
index d945bd0..78736d8 100644
--- a/dpkg.if
+++ b/dpkg.if
@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',`
interface(`dpkg_run',`
gen_require(`
#attribute_role dpkg_roles;
- type dpkg_t, dpkg_script_t
+ type dpkg_t, dpkg_script_t;
')
#dpkg_domtrans($1)

58863
policy_contrib-rawhide.patch Normal file



@ -15,16 +15,18 @@
%endif
%define POLICYVER 27
%define POLICYCOREUTILSVER 2.1.9-4
%define CHECKPOLICYVER 2.1.7-3
%define CHECKPOLICYVER 2.1.9-4
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
Release: 85%{?dist}
Version: 3.11.0
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch: policy-F16.patch
patch1: unconfined_permissive.patch
patch: policy-rawhide.patch
patch1: policy_contrib-rawhide.patch
patch2: policy_contrib-rawhide-roleattribute.patch
patch3: policy-rawhide-roleattribute.patch
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
@ -45,39 +47,47 @@ Source23: users-targeted
Source25: users-minimum
Source26: file_contexts.subs_dist
Source27: selinux-policy.conf
Source28: permissivedomains.pp
Source29: serefpolicy-contrib-%{version}.tgz
Url: http://oss.tresys.com/repos/refpolicy/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-6
Requires(post): /bin/awk /usr/bin/md5sum
Requires(post): /bin/awk /usr/bin/sha512sum
Requires: checkpolicy >= %{CHECKPOLICYVER} m4
Obsoletes: selinux-policy-devel <= %{version}-%{release}
Provides: selinux-policy-devel = %{version}-%{release}
%description
SELinux Base package
%files
%defattr(-,root,root,-)
%{_mandir}/man*/*
# policycoreutils owns these manpage directories, we only own the files within them
%{_mandir}/ru/*/*
%dir %{_usr}/share/selinux
%dir %{_usr}/share/selinux/devel
%dir %{_usr}/share/selinux/devel/include
%dir %{_usr}/share/selinux/packages
%dir %{_sysconfdir}/selinux
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
%package devel
Summary: SELinux policy devel
Group: System Environment/Base
Requires(pre): selinux-policy = %{version}-%{release}
%description devel
SELinux policy development and man page package
%files devel
%defattr(-,root,root,-)
%{_mandir}/man*/*
%{_mandir}/ru/*/*
%dir %{_usr}/share/selinux/devel
%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
%{_usr}/share/selinux/devel/Makefile
%{_usr}/share/selinux/devel/example.*
%{_usr}/share/selinux/devel/policy.*
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
%if %{BUILD_DOC}
%package doc
Summary: SELinux policy documentation
Group: System Environment/Base
@ -91,7 +101,7 @@ SELinux policy documentation package
%defattr(-,root,root,-)
%doc %{_usr}/share/doc/%{name}-%{version}
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
%endif
%{_usr}/share/selinux/devel/policy.*
%define makeCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
@ -105,6 +115,7 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
@ -127,8 +138,9 @@ rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policymd5; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
%nil
%define fileList() \
@ -137,13 +149,14 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{_sysconfdir}/selinux/%1/modules \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
%verify(not md5 size md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
@ -157,7 +170,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%{_sysconfdir}/selinux/%1/.policymd5 \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
@ -166,6 +179,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
@ -191,8 +205,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
/usr/sbin/selinuxenabled; \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore; \
/sbin/restorecon -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi;
@ -204,10 +218,10 @@ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch /etc/selinux/%1/.rebuild; \
if [ -e /etc/selinux/%1/.policymd5 ]; then \
md5=`md5sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
checkmd5=`cat /etc/selinux/%1/.policymd5`; \
if [ "$md5" == "$checkmd5" ] ; then \
if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
if [ "$sha512" == "$checksha512" ] ; then \
rm /etc/selinux/%1/.rebuild; \
fi; \
fi; \
@ -218,7 +232,7 @@ fi;
if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \
if [ %1 -ne 1 ]; then \
/usr/sbin/semodule -n -s %2 -r kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
/usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
fi \
rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp \
/usr/sbin/semodule -B -n -s %2; \
@ -240,9 +254,15 @@ Based off of reference policy: Checked out revision 2.20091117
%build
%prep
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
%patch2 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
#%patch1 -p1 -b .unconfined
%patch3 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
%install
mkdir selinux_config
@ -252,8 +272,6 @@ done
tar zxvf selinux_config/config.tgz
# Build targeted policy
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_mandir}
cp -R man/* %{buildroot}%{_mandir}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
touch %{buildroot}%{_sysconfdir}/selinux/config
@ -269,6 +287,8 @@ make clean
%if %{BUILD_TARGETED}
# Build targeted policy
# Commented out because only targeted ref policy currently builds
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
%makeCmds targeted mcs n allow
%installCmds targeted mcs n allow
%endif
@ -276,6 +296,8 @@ make clean
%if %{BUILD_MINIMUM}
# Build minimum policy
# Commented out because only minimum ref policy currently builds
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
%installCmds minimum mcs n allow
%modulesList minimum
@ -287,22 +309,20 @@ make clean
%installCmds mls mls n deny
%endif
%if %{BUILD_DOC}
mkdir -p %{buildroot}%{_mandir}
cp -R man/* %{buildroot}%{_mandir}
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
%endif
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mkdir %{buildroot}%{_usr}/share/selinux/packages/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
%if %{BUILD_DOC}
echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
%endif
mkdir %{buildroot}%{_usr}/share/selinux/packages/
rm -rf selinux_config
%clean
%{__rm} -fR %{buildroot}
@ -321,6 +341,7 @@ echo "
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
@ -483,7 +504,475 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
* Thu Jun 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-1
- Mass merge with upstream
* new policy topology to include contrib policy modules
* we have now two base policy patches
* Wed May 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-128
- Fix description of authlogin_nsswitch_use_ldap
- Fix transition rule for rhsmcertd_t needed for RHEL7
- Allow useradd to list nfs state data
- Allow openvpn to manage its log file and directory
- We want vdsm to transition to mount_t when executing mount command to make sure /etc/mtab remains labeled correctly
- Allow thumb to use nvidia devices
- Allow local_login to create user_tmp_t files for kerberos
- Pulseaudio needs to read systemd_login /var/run content
- virt should only transition named system_conf_t config files
- Allow munin to execute its plugins
- Allow nagios system plugin to read /etc/passwd
- Allow plugin to connect to soundd port
- Fix httpd_passwd to be able to ask passwords
- Radius servers can use ldap for backing store
- Seems to need to mount on /var/lib for xguest polyinstatiation to work.
- Allow systemd_logind to list the contents of gnome keyring
- VirtualGL need xdm to be able to manage content in /etc/opt/VirtualGL
- Add policy for isns-utils
* Mon May 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-127
- Add policy for subversion daemon
- Allow boinc to read passwd
- Allow pads to read kernel network state
- Fix man2html interface for sepolgen-ifgen
- Remove extra /usr/lib/systemd/system/smb
- Remove all /lib/systemd and replace with /usr/lib/systemd
- Add policy for man2html
- Fix the label of kerberos_home_t to krb5_home_t
- Allow mozilla plugins to use Citrix
- Allow tuned to read /proc/sys/kernel/nmi_watchdog
- Allow tune /sys options via systemd's tmpfiles.d "w" type
* Wed May 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-126
- Dontaudit lpr_t to read/write leaked mozilla tmp files
- Add file name transition for .grl-podcasts directory
- Allow corosync to read user tmp files
- Allow fenced to create snmp lib dirs/files
- More fixes for sge policy
- Allow mozilla_plugin_t to execute any application
- Allow dbus to read/write any open file descriptors to any non security file on the system that it inherits to that it can pass them to another domain
- Allow mongod to read system state information
- Fix wrong type, we should dontaudit sys_admin for xdm_t not xserver_t
- Allow polipo to manage polipo_cache dirs
- Add jabbar_client port to mozilla_plugin_t
- Cleanup procmail policy
- system bus will pass around open file descriptors on files that do not have labels on them
- Allow l2tpd_t to read system state
- Allow tuned to run ls /dev
- Allow sudo domains to read usr_t files
- Add label to machine-id
- Fix corecmd_read_bin_symlinks cut and paste error
* Wed May 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-125
- Fix pulseaudio port definition
- Add labeling for condor_starter
- Allow chfn_t to creat user_tmp_files
- Allow chfn_t to execute bin_t
- Allow prelink_cron_system_t to getpw calls
- Allow sudo domains to manage kerberos rcache files
- Allow user_mail_domains to work with courie
- Port definitions necessary for running jboss apps within openshift
- Add support for openstack-nova-metadata-api
- Add support for nova-console*
- Add support for openstack-nova-xvpvncproxy
- Fixes to make privsep+SELinux working if we try to use chage to change passwd
- Fix auth_role() interface
- Allow numad to read sysfs
- Allow matahari-rpcd to execute shell
- Add label for ~/.spicec
- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it
- Devicekit_disk wants to read the logind sessions file when writing a cd
- Add fixes for condor to make condor jobs working correctly
- Change label of /var/log/rpmpkgs to cron_log_t
- Access requires to allow systemd-tmpfiles --create to work.
- Fix obex to be a user application started by the session bus.
- Add additional filename trans rules for kerberos
- Fix /var/run/heartbeat labeling
- Allow apps that are managing rcache to file trans correctly
- Allow openvpn to authenticate against ldap server
- Containers need to listen to network starting and stopping events
* Wed May 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-124
- Make systemd unit files less specific
* Tue May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-123
- Fix zarafa labeling
- Allow guest_t to fix labeling
- corenet_tcp_bind_all_unreserved_ports(ssh_t) should be called with the user_tcp_server boolean
- add lxc_contexts
- Allow accountsd to read /proc
- Allow restorecond to getattr on all file sytems
- tmpwatch now calls getpw
- Allow apache daemon to transition to pwauth domain
- Label content under /var/run/user/NAME/keyring* as gkeyringd_tmp_t
- The obex socket seems to be a stream socket
- dd label for /var/run/nologin
* Mon May 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-122
- Allow jetty running as httpd_t to read hugetlbfs files
- Allow sys_nice and setsched for rhsmcertd
- Dontaudit attempts by mozilla_plugin_t to bind to ssdp ports
- Allow setfiles to append to xdm_tmp_t
- Add labeling for /export as a usr_t directory
- Add labels for .grl files created by gstreamer
* Fri May 4 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-121
- Add labeling for /usr/share/jetty/bin/jetty.sh
- Add jetty policy which contains file type definitios
- Allow jockey to use its own fifo_file and make this the default for all domains
- Allow mozilla_plugins to use spice (vnc_port/couchdb)
- asterisk wants to read the network state
- Blueman now uses /var/lib/blueman- Add label for nodejs_debug
- Allow mozilla_plugin_t to create ~/.pki directory and content
* Wed May 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-120
- Add clamscan_can_scan_system boolean
- Allow mysqld to read kernel network state
- Allow sshd to read/write condor lib files
- Allow sshd to read/write condor-startd tcp socket
- Fix description on httpd_graceful_shutdown
- Allow glance_registry to communicate with mysql
- dbus_system_domain is using systemd to lauch applications
- add interfaces to allow domains to send kill signals to user mail agents
- Remove unnessary access for svirt_lxc domains, add privs for virtd_lxc_t
- Lots of new access required for secure containers
- Corosync needs sys_admin capability
- ALlow colord to create shm
- .orc should be allowed to be created by any app that can create gstream home content, thumb_t to be specific
- Add boolean to control whether or not mozilla plugins can create random content in the users homedir
- Add new interface to allow domains to list msyql_db directories, needed for libra
- shutdown has to be allowed to delete etc_runtime_t
- Fail2ban needs to read /etc/passwd
- Allow ldconfig to create /var/cache/ldconfig
- Allow tgtd to read hardware state information
- Allow collectd to create packet socket
- Allow chronyd to send signal to itself
- Allow collectd to read /dev/random
- Allow collectd to send signal to itself
- firewalld needs to execute restorecon
- Allow restorecon and other login domains to execute restorecon
* Tue Apr 26 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-119
- Allow logrotate to getattr on systemd unit files
- Add support for tor systemd unit file
- Allow apmd to create /var/run/pm-utils with the correct label
- Allow l2tpd to send sigkill to pppd
- Allow pppd to stream connect to l2tpd
- Add label for scripts in /etc/gdm/
- Allow systemd_logind_t to ignore mcs constraints on sigkill
- Fix files_filetrans_system_conf_named_files() interface
- Add labels for /usr/share/wordpress/wp-includes/*.php
- Allow cobbler to get SELinux mode and booleans
* Mon Apr 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-118
- Add unconfined_execmem_exec_t as an alias to bin_t
- Allow fenced to read snmp var lib files, also allow it to read usr_t
- ontaudit access checks on all executables from mozilla_plugin
- Allow all user domains to setexec, so that sshd will work properly if it call setexec(NULL) while running withing a user mode
- Allow systemd_tmpfiles_t to getattr all pipes and sockets
- Allow glance-registry to send system log messages
- semanage needs to manage mock lib files/dirs
* Sun Apr 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-117
- Add policy for abrt-watch-log
- Add definitions for jboss_messaging ports
- Allow systemd_tmpfiles to manage printer devices
- Allow oddjob to use nsswitch
- Fix labeling of log files for postgresql
- Allow mozilla_plugin_t to execmem and execstack by default
- Allow firewalld to execute shell
- Fix /etc/wicd content files to get created with the correct label
- Allow mcelog to exec shell
- Add ~/.orc as a gstreamer_home_t
- /var/spool/postfix/lib64 should be labeled lib_t
- mpreaper should be able to list all file system labeled directories
- Add support for apache to use openstack
- Add labeling for /etc/zipl.conf and zipl binary
- Turn on allow_execstack and turn off telepathy transition for final release
* Mon Apr 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-116
- More access required for virt_qmf_t
- Additional assess required for systemd-logind to support multi-seat
- Allow mozilla_plugin to setrlimit
- Revert changes to fuse file system to stop deadlock
* Mon Apr 15 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-115
- Allow condor domains to connect to ephemeral ports
- More fixes for condor policy
- Allow keystone to stream connect to mysqld
- Allow mozilla_plugin_t to read generic USB device to support GPS devices
- Allow thum to file name transition gstreamer home content
- Allow thum to read all non security files
- Allow glance_api_t to connect to ephemeral ports
- Allow nagios plugins to read /dev/urandom
- Allow syslogd to search postfix spool to support postfix chroot env
- Fix labeling for /var/spool/postfix/dev
- Allow wdmd chown
- Label .esd_auth as pulseaudio_home_t
- Have no idea why keyring tries to write to /run/user/dwalsh/dconf/user, but we can dontaudit for now
* Fri Apr 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-114
- Add support for clamd+systemd
- Allow fresclam to execute systemctl to handle clamd
- Change labeling for /usr/sbin/rpc.ypasswd.env
- Allow yppaswd_t to execute yppaswd_exec_t
- Allow yppaswd_t to read /etc/passwd
- Gnomekeyring socket has been moved to /run/user/USER/
- Allow samba-net to connect to ldap port
- Allow signal for vhostmd
- allow mozilla_plugin_t to read user_home_t socket
- New access required for secure Linux Containers
- zfs now supports xattrs
- Allow quantum to execute sudo and list sysfs
- Allow init to dbus chat with the firewalld
- Allow zebra to read /etc/passwd
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-113
- Allow svirt_t to create content in the users homedir under ~/.libvirt
- Fix label on /var/lib/heartbeat
- Allow systemd_logind_t to send kill signals to all processes started by a user
- Fuse now supports Xattr Support
* Tue Apr 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-112
- upowered needs to setsched on the kernel
- Allow mpd_t to manage log files
- Allow xdm_t to create /var/run/systemd/multi-session-x
- Add rules for missedfont.log to be used by thumb.fc
- Additional access required for virt_qmf_t
- Allow dhclient to dbus chat with the firewalld
- Add label for lvmetad
- Allow systemd_logind_t to remove userdomain sock_files
- Allow cups to execute usr_t files
- Fix labeling on nvidia shared libraries
- wdmd_t needs access to sssd and /etc/passwd
- Add boolean to allow ftp servers to run in passive mode
- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
- Fix using httpd_use_fusefs
- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
* Fri Apr 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-111
- Rename rdate port to time port, and allow gnomeclock to connect to it
- We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda
- /etc/auto.* should be labeled bin_t
- Add httpd_use_fusefs boolean
- Add fixes for heartbeat
- Allow sshd_t to signal processes that it transitions to
- Add condor policy
- Allow svirt to create monitors in ~/.libvirt
- Allow dovecot to domtrans sendmail to handle sieve scripts
- Lot of fixes for cfengine
* Tue Apr 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-110
- /var/run/postmaster.* labeling is no longer needed
- Alllow drbdadmin to read /dev/urandom
- l2tpd_t seems to use ptmx
- group+ and passwd+ should be labeled as /etc/passwd
- Zarafa-indexer is a socket
* Fri Mar 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-109
- Ensure lastlog is labeled correctly
- Allow accountsd to read /proc data about gdm
- Add fixes for tuned
- Add bcfg2 fixes which were discovered during RHEL6 testing
- More fixes for gnome-keyring socket being moved
- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown
- Fix description for files_dontaudit_read_security_files() interface
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-108
- Add new policy and man page for bcfg2
- cgconfig needs to use getpw calls
- Allow domains that communicate with the keyring to use cache_home_t instead of gkeyringd_tmpt
- gnome-keyring wants to create a directory in cache_home_t
- sanlock calls getpw
* Wed Mar 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-107
- Add numad policy and numad man page
- Add fixes for interface bugs discovered by SEWatch
- Add /tmp support for squid
- Add fix for #799102
* change default labeling for /var/run/slapd.* sockets
- Make thumb_t as userdom_home_reader
- label /var/lib/sss/mc same as pubconf, so getpw domains can read it
- Allow smbspool running as cups_t to stream connect to nmbd
- accounts needs to be able to execute passwd on behalf of users
- Allow systemd_tmpfiles_t to delete boot flags
- Allow dnssec_trigger to connect to apache ports
- Allow gnome keyring to create sock_files in ~/.cache
- google_authenticator is using .google_authenticator
- sandbox running from within firefox is exposing more leaks
- Dontaudit thumb to read/write /dev/card0
- Dontaudit getattr on init_exec_t for gnomeclock_t
- Allow certmonger to do a transition to certmonger_unconfined_t
- Allow dhcpc setsched which is caused by nmcli
- Add rpm_exec_t for /usr/sbin/bcfg2
- system cronjobs are sending dbus messages to systemd_logind
- Thumnailers read /dev/urand
* Thu Mar 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-106
- Allow auditctl getcap
- Allow vdagent to use libsystemd-login
- Allow abrt-dump-oops to search /etc/abrt
- Got these avc's while trying to print a boarding pass from firefox
- Devicekit is now putting the media directory under /run/media
- Allow thumbnailers to create content in ~/.thumbails directory
- Add support for proL2TPd by Dominick Grift
- Allow all domains to call getcap
- wdmd seems to get a random chown capability check that it does not need
- Allow vhostmd to read kernel sysctls
* Wed Mar 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-105
- Allow chronyd to read unix
- Allow hpfax to read /etc/passwd
- Add support matahari vios-proxy-* apps and add virtd_exec_t label for them
- Allow rpcd to read quota_db_t
- Update to man pages to match latest policy
- Fix bug in jockey interface for sepolgen-ifgen
- Add initial svirt_prot_exec_t policy
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-104
- More fixes for systemd from Dan Walsh
* Mon Mar 19 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-103
- Add a new type for /etc/firewalld and allow firewalld to write to this directory
- Add definition for ~/Maildir, and allow mail deliver domains to write there
- Allow polipo to run from a cron job
- Allow rtkit to schedule wine processes
- Allow mozilla_plugin_t to acquire a bug, and allow it to transition gnome content in the home dir to the proper label
- Allow users domains to send signals to consolehelper domains
* Fri Mar 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-102
- More fixes for boinc policy
- Allow polipo domain to create its own cache dir and pid file
- Add systemctl support to httpd domain
- Add systemctl support to polipo, allow NetworkManager to manage the service
- Add policy for jockey-backend
- Add support for motion daemon which is now covered by zoneminder policy
- Allow colord to read/write motion tmpfs
- Allow vnstat to search through var_lib_t directories
- Stop transitioning to quota_t, from init an sysadm_t
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-101
- Add svirt_lxc_file_t as a customizable type
* Wed Mar 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-100
- Add additional fixes for icmp nagios plugin
- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin
- Add certmonger_unconfined_exec_t
- Make sure tap22 device is created with the correct label
- Allow staff users to read systemd unit files
- Merge in previously built policy
- Arpwatch needs to be able to start netlink sockets in order to start
- Allow cgred_t to sys_ptrace to look at other DAC Processes
* Mon Mar 12 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-99
- Back port some of the access that was allowed in nsplugin_t
- Add definitiona for couchdb ports
- Allow nagios to use inherited users ttys
- Add git support for mock
- Allow inetd to use rdate port
- Add own type for rdate port
- Allow samba to act as a portmapper
- Dontaudit chrome_sandbox attempts to getattr on chr_files in /dev
- New fixes needed for samba4
- Allow apps that use lib_t to read lib_t symlinks
* Fri Mar 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-98
- Add policy for nove-cert
- Add labeling for nova-openstack systemd unit files
- Add policy for keystoke
* Thu Mar 8 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-97
- Fix man pages fro domains
- Add man pages for SELinux users and roles
- Add storage_dev_filetrans_named_fixed_disk() and use it for smartmon
- Add policy for matahari-rpcd
- nfsd executes mount command on restart
- Matahari domains execute renice and setsched
- Dontaudit leaked tty in mozilla_plugin_config
- mailman is changing to a per instance naming
- Add 7600 and 4447 as jboss_management ports
- Add fixes for nagios event handlers
- Label httpd.event as httpd_exec_t, it is an apache daemon
* Mon Mar 5 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-96
- Add labeling for /var/spool/postfix/dev/log
- NM reads sysctl.conf
- Iscsi log file context specification fix
- Allow mozilla plugins to send dbus messages to user domains that transition to it
- Allow mysql to read the passwd file
- Allow mozilla_plugin_t to create mozilla home dirs in user homedir
- Allow deltacloud to read kernel sysctl
- Allow postgresql_t to connectto itselfAllow postgresql_t to connectto itself
- Allow postgresql_t to connectto itself
- Add login_userdomain attribute for users which can log in using terminal
* Tue Feb 28 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-95
- Allow sysadm_u to reach system_r by default #784011
- Allow nagios plugins to use inherited user terminals
- Razor labeling is not used no longer
- Add systemd support for matahari
- Add port_types to man page, move booleans to the top, fix some english
- Add support for matahari-sysconfig-console
- Clean up matahari.fc
- Fix matahari_admin() interfac
- Add labels for/etc/ssh/ssh_host_*.pub keys
* Mon Feb 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-94
- Allow ksysguardproces to send system log msgs
- Allow boinc setpgid and signull
- Allow xdm_t to sys_ptrace to run pidof command
- Allow smtpd_t to manage spool files/directories and symbolic links
- Add labeling for jetty
- Needed changes to get unbound/dnssec to work with openswan
* Thu Feb 23 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-93
- Add user_fonts_t alias xfs_tmp_t
- Since depmod now runs as insmod_t we need to write to kernel_object_t
- Allow firewalld to dbus chat with networkmanager
- Allow qpidd to connect to matahari ports
- policykit needs to read /proc for uses not owned by it
- Allow systemctl apps to connecto the init stream
* Wed Feb 22 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-92
- Turn on deny_ptrace boolean
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-91
- Remove pam_selinux.8 man page. There was a conflict.
* Tue Feb 21 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-90
- Add proxy class and read access for gssd_proxy
- Separate out the sharing public content booleans
- Allow certmonger to execute a script and send signals to apache and dirsrv to reload the certificate
- Add label transition for gstream-0.10 and 12
- Add booleans to allow rsync to share nfs and cifs file sytems
- chrome_sandbox wants to read the /proc/PID/exe file of the program that executed it
- Fix filename transitions for cups files
- Allow denyhosts to read "unix"
- Add file name transition for locale.conf.new
- Allow boinc projects to gconf config files
- sssd needs to be able to increase the socket limit under certain loads
- sge_execd needs to read /etc/passwd
- Allow denyhost to check network state
- NetworkManager needs to read sessions data
- Allow denyhost to check network state
- Allow xen to search virt images directories
- Add label for /dev/megaraid_sas_ioctl_node
- Add autogenerated man pages
* Thu Feb 16 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-89
- Allow boinc project to getattr on fs
- Allow init to execute initrc_state_t
- rhev-agent package was rename to ovirt-guest-agent
- If initrc_t creates /etc/local.conf then we need to make sure it is labeled correctly
- sytemd writes content to /run/initramfs and executes it on shutdown
- kdump_t needs to read /etc/mtab, should be back ported to F16
- udev needs to load kernel modules in early system boot
* Tue Feb 14 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-88
- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses
- Add additional systemd interfaces which are needed fro *_admin interfaces
- Fix bind_admin() interface
* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-87
- Allow firewalld to read urand
- Alias java, execmem_mono to bin_t to allow third parties
- Add label for kmod
@ -493,6 +982,31 @@ SELinux Reference policy mls base module.
- Allow systemd_tmpfiles_t to delete all file types
- Allow collectd to ipc_lock
* Fri Feb 10 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-86
- make consoletype_exec optional, so we can remove consoletype policy
- remove unconfined_permisive.patch
- Allow openvpn_t to inherit user home content and tmp content
- Fix dnssec-trigger labeling
- Turn on obex policy for staff_t
- Pem files should not be secret
- Add lots of rules to fix AVC's when playing with containers
- Fix policy for dnssec
- Label ask-passwd directories correctly for systemd
* Thu Feb 9 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
- sshd fixes seem to be causing unconfined domains to dyntrans to themselves
- fuse file system is now being mounted in /run/user
- systemd_logind is sending signals to processes that are dbus messaging with it
- Add support for winshadow port and allow iscsid to connect to this port
- httpd should be allowed to bind to the http_port_t udp socket
- zarafa_var_lib_t can be a lnk_file
- A couple of new .xsession-errors files
- Seems like user space and login programs need to read logind_sessions_files
- Devicekit disk seems to be being launched by systemd
- Cleanup handling of setfiles so most of rules in te file
- Correct port number for dnssec
- logcheck has the home dir set to its cache
* Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84
- Add policy for grindengine MPI jobs


@ -1,2 +1,3 @@
409b40c8102b1617681ba17c31032e66 config.tgz
4fdbfc8caff5bccdb27a3d08bf8e384a serefpolicy-3.10.0.tgz
468f5688ae2b0c2c185d094c930957e0 serefpolicy-contrib-3.11.0.tgz
766a3bb5686bc8b585f73935a2e39b1e serefpolicy-3.11.0.tgz
dbea318af516689d48155ba4677b5303 config.tgz