* Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
- Allow NetworkManager to write to sysfs. BZ(1234086) - Fix bogus line in logrotate.fc. - Add dontaudit interface for kdumpctl_tmp_t - Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te - Add postgresql support for systemd unit files. - Fix missing bracket - Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18 - Fixed obsoleted userdom_delete_user_tmpfs_files() interface
This commit is contained in:
parent
4e49e36893
commit
7100c57b1f
@ -22567,10 +22567,10 @@ index 6d77e81..656a8c4 100644
|
||||
+ ')
|
||||
')
|
||||
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
|
||||
index a26f84f..59fe535 100644
|
||||
index a26f84f..f4a44eb 100644
|
||||
--- a/policy/modules/services/postgresql.fc
|
||||
+++ b/policy/modules/services/postgresql.fc
|
||||
@@ -10,6 +10,9 @@
|
||||
@@ -10,11 +10,16 @@
|
||||
#
|
||||
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
@ -22580,7 +22580,14 @@ index a26f84f..59fe535 100644
|
||||
|
||||
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
@@ -28,9 +31,10 @@ ifdef(`distro_redhat', `
|
||||
/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
|
||||
+/usr/lib/systemd/system/postgresql.* -- gen_context(system_u:object_r:postgresql_unit_file_t,s0)
|
||||
+
|
||||
ifdef(`distro_debian', `
|
||||
/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
')
|
||||
@@ -28,9 +33,10 @@ ifdef(`distro_redhat', `
|
||||
#
|
||||
/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||
|
||||
@ -22593,7 +22600,7 @@ index a26f84f..59fe535 100644
|
||||
|
||||
/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||
@@ -45,4 +49,4 @@ ifdef(`distro_redhat', `
|
||||
@@ -45,4 +51,4 @@ ifdef(`distro_redhat', `
|
||||
|
||||
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
|
||||
|
||||
@ -22933,7 +22940,7 @@ index 9d2f311..9e87525 100644
|
||||
+ postgresql_filetrans_named_content($1)
|
||||
')
|
||||
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
|
||||
index 0306134..ae0d841 100644
|
||||
index 0306134..bb5f3dd 100644
|
||||
--- a/policy/modules/services/postgresql.te
|
||||
+++ b/policy/modules/services/postgresql.te
|
||||
@@ -19,25 +19,32 @@ gen_require(`
|
||||
@ -22975,7 +22982,17 @@ index 0306134..ae0d841 100644
|
||||
|
||||
type postgresql_t;
|
||||
type postgresql_exec_t;
|
||||
@@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
|
||||
@@ -52,6 +59,9 @@ files_config_file(postgresql_etc_t)
|
||||
type postgresql_initrc_exec_t;
|
||||
init_script_file(postgresql_initrc_exec_t)
|
||||
|
||||
+type postgresql_unit_file_t;
|
||||
+systemd_unit_file(postgresql_unit_file_t)
|
||||
+
|
||||
type postgresql_lock_t;
|
||||
files_lock_file(postgresql_lock_t)
|
||||
|
||||
@@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
|
||||
allow postgresql_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow postgresql_t self:netlink_selinux_socket create_socket_perms;
|
||||
@ -22985,7 +23002,7 @@ index 0306134..ae0d841 100644
|
||||
allow postgresql_t self:process { setsockcreate };
|
||||
')
|
||||
|
||||
@@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
||||
@@ -270,18 +281,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
||||
manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
||||
manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
||||
manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
||||
@ -23007,7 +23024,7 @@ index 0306134..ae0d841 100644
|
||||
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
|
||||
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
|
||||
|
||||
@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
|
||||
@@ -299,12 +311,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
|
||||
files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
|
||||
|
||||
kernel_read_kernel_sysctls(postgresql_t)
|
||||
@ -23021,7 +23038,7 @@ index 0306134..ae0d841 100644
|
||||
corenet_all_recvfrom_netlabel(postgresql_t)
|
||||
corenet_tcp_sendrecv_generic_if(postgresql_t)
|
||||
corenet_udp_sendrecv_generic_if(postgresql_t)
|
||||
@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
|
||||
@@ -342,8 +354,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
|
||||
domain_use_interactive_fds(postgresql_t)
|
||||
|
||||
files_dontaudit_search_home(postgresql_t)
|
||||
@ -23031,7 +23048,7 @@ index 0306134..ae0d841 100644
|
||||
files_read_etc_runtime_files(postgresql_t)
|
||||
files_read_usr_files(postgresql_t)
|
||||
|
||||
@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t)
|
||||
@@ -354,20 +365,28 @@ init_read_utmp(postgresql_t)
|
||||
logging_send_syslog_msg(postgresql_t)
|
||||
logging_send_audit_msgs(postgresql_t)
|
||||
|
||||
@ -23063,7 +23080,7 @@ index 0306134..ae0d841 100644
|
||||
allow postgresql_t self:process execmem;
|
||||
')
|
||||
|
||||
@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
|
||||
@@ -485,10 +504,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
|
||||
# It is always allowed to operate temporary objects for any database client.
|
||||
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
|
||||
|
||||
@ -23120,7 +23137,7 @@ index 0306134..ae0d841 100644
|
||||
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
|
||||
')
|
||||
|
||||
@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
|
||||
@@ -536,7 +597,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
|
||||
|
||||
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
|
||||
|
||||
@ -23129,7 +23146,7 @@ index 0306134..ae0d841 100644
|
||||
allow sepgsql_admin_type sepgsql_database_type:db_database *;
|
||||
|
||||
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
|
||||
@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
||||
@@ -589,3 +650,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
||||
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
|
||||
|
||||
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
|
||||
|
@ -55734,7 +55734,7 @@ index 86dc29d..68f7cb1 100644
|
||||
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
||||
')
|
||||
diff --git a/networkmanager.te b/networkmanager.te
|
||||
index 55f2009..0d4e38a 100644
|
||||
index 55f2009..eab3fe0 100644
|
||||
--- a/networkmanager.te
|
||||
+++ b/networkmanager.te
|
||||
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
||||
@ -55852,7 +55852,7 @@ index 55f2009..0d4e38a 100644
|
||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
|
||||
corenet_udp_sendrecv_generic_if(NetworkManager_t)
|
||||
@@ -102,22 +134,16 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
|
||||
@@ -102,36 +134,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
|
||||
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
|
||||
corenet_udp_sendrecv_all_ports(NetworkManager_t)
|
||||
corenet_udp_bind_generic_node(NetworkManager_t)
|
||||
@ -55877,9 +55877,10 @@ index 55f2009..0d4e38a 100644
|
||||
-
|
||||
+dev_access_check_sysfs(NetworkManager_t)
|
||||
dev_rw_sysfs(NetworkManager_t)
|
||||
+dev_write_sysfs_dirs(NetworkManager_t)
|
||||
dev_read_rand(NetworkManager_t)
|
||||
dev_read_urand(NetworkManager_t)
|
||||
@@ -125,13 +151,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
|
||||
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
|
||||
dev_getattr_all_chr_files(NetworkManager_t)
|
||||
dev_rw_wireless(NetworkManager_t)
|
||||
|
||||
@ -55893,7 +55894,7 @@ index 55f2009..0d4e38a 100644
|
||||
fs_getattr_all_fs(NetworkManager_t)
|
||||
fs_search_auto_mountpoints(NetworkManager_t)
|
||||
fs_list_inotifyfs(NetworkManager_t)
|
||||
@@ -140,18 +159,35 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||
@@ -140,18 +160,35 @@ mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
selinux_dontaudit_search_fs(NetworkManager_t)
|
||||
|
||||
@ -55930,7 +55931,7 @@ index 55f2009..0d4e38a 100644
|
||||
|
||||
seutil_read_config(NetworkManager_t)
|
||||
|
||||
@@ -166,21 +202,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||
@@ -166,21 +203,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
||||
sysnet_read_dhcpc_state(NetworkManager_t)
|
||||
sysnet_delete_dhcpc_state(NetworkManager_t)
|
||||
sysnet_search_dhcp_state(NetworkManager_t)
|
||||
@ -55968,7 +55969,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -196,10 +243,6 @@ optional_policy(`
|
||||
@@ -196,10 +244,6 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -55979,7 +55980,7 @@ index 55f2009..0d4e38a 100644
|
||||
consoletype_exec(NetworkManager_t)
|
||||
')
|
||||
|
||||
@@ -210,17 +253,16 @@ optional_policy(`
|
||||
@@ -210,17 +254,16 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
||||
|
||||
@ -56002,7 +56003,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -231,10 +273,11 @@ optional_policy(`
|
||||
@@ -231,10 +274,11 @@ optional_policy(`
|
||||
dnsmasq_kill(NetworkManager_t)
|
||||
dnsmasq_signal(NetworkManager_t)
|
||||
dnsmasq_signull(NetworkManager_t)
|
||||
@ -56015,7 +56016,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -246,10 +289,26 @@ optional_policy(`
|
||||
@@ -246,10 +290,26 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -56042,7 +56043,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -257,15 +316,19 @@ optional_policy(`
|
||||
@@ -257,15 +317,19 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -56064,7 +56065,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -274,10 +337,17 @@ optional_policy(`
|
||||
@@ -274,10 +338,17 @@ optional_policy(`
|
||||
nscd_signull(NetworkManager_t)
|
||||
nscd_kill(NetworkManager_t)
|
||||
nscd_initrc_domtrans(NetworkManager_t)
|
||||
@ -56082,7 +56083,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -286,9 +356,12 @@ optional_policy(`
|
||||
@@ -286,9 +357,12 @@ optional_policy(`
|
||||
openvpn_kill(NetworkManager_t)
|
||||
openvpn_signal(NetworkManager_t)
|
||||
openvpn_signull(NetworkManager_t)
|
||||
@ -56095,7 +56096,7 @@ index 55f2009..0d4e38a 100644
|
||||
policykit_domtrans_auth(NetworkManager_t)
|
||||
policykit_read_lib(NetworkManager_t)
|
||||
policykit_read_reload(NetworkManager_t)
|
||||
@@ -296,7 +369,7 @@ optional_policy(`
|
||||
@@ -296,7 +370,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -56104,7 +56105,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -307,6 +380,7 @@ optional_policy(`
|
||||
@@ -307,6 +381,7 @@ optional_policy(`
|
||||
ppp_signal(NetworkManager_t)
|
||||
ppp_signull(NetworkManager_t)
|
||||
ppp_read_config(NetworkManager_t)
|
||||
@ -56112,7 +56113,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -320,14 +394,20 @@ optional_policy(`
|
||||
@@ -320,14 +395,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -56138,7 +56139,7 @@ index 55f2009..0d4e38a 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -357,6 +437,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
@@ -357,6 +438,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
||||
init_dontaudit_use_fds(wpa_cli_t)
|
||||
init_use_script_ptys(wpa_cli_t)
|
||||
|
||||
|
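Review bot: The new `dev_write_sysfs_dirs(NetworkManager_t)` line in the networkmanager.te hunk (the one headed `@ -55877,9 +55877,10 @@`) grants write access to every directory labelled sysfs_t, on top of the `dev_rw_sysfs(NetworkManager_t)` already present two lines above, and nothing on the page records which path under /sys actually needs it beyond the BZ(1234086) reference in the changelog. Please add a comment next to the added lines naming the subtree and the operation that was denied, e.g. `# BZ(1234086): NetworkManager creates directories under /sys/<path> (see the AVC in the bug)`, so a later audit can tell whether the broad rule is still required. If the denial is confined to a single subtree, a rule or interface scoped to that subtree, where one exists in the dev module, would be the least-privilege alternative to a blanket directory write on sysfs. The networkmanager.te block this hunk belongs to starts and ends outside the hunk, and the enclosing outer patch-file section has no visible file header on this page.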
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 130%{?dist}
|
||||
Release: 131%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -602,6 +602,16 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
|
||||
- Allow NetworkManager write to sysfs. BZ(1234086)
|
||||
- Fix bogus line in logrotate.fc.
|
||||
- Add dontaudit interface for kdumpctl_tmp_t
|
||||
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
|
||||
- Add postgresql support for systemd unit files.
|
||||
- Fix missing bracket
|
||||
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
|
||||
- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface
|
||||
|
||||
* Thu Jun 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-130
|
||||
- Allow glusterd to interact with gluster tools running in a user domain
|
||||
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.
|
||||
|