* Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131

- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
- Add postgresql support for systemd unit files.
- Fix missing bracket
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
- Fixed obsoleted userdom_delete_user_tmpfs_files() interface
This commit is contained in:
Lukas Vrabec 2015-06-23 18:07:14 +02:00
parent 4e49e36893
commit 7100c57b1f
3 changed files with 58 additions and 30 deletions


@ -22567,10 +22567,10 @@ index 6d77e81..656a8c4 100644
+ ')
')
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..59fe535 100644
index a26f84f..f4a44eb 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -10,6 +10,9 @@
@@ -10,11 +10,16 @@
#
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
@ -22580,7 +22580,14 @@ index a26f84f..59fe535 100644
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
@@ -28,9 +31,10 @@ ifdef(`distro_redhat', `
/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/systemd/system/postgresql.* -- gen_context(system_u:object_r:postgresql_unit_file_t,s0)
+
ifdef(`distro_debian', `
/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
')
@@ -28,9 +33,10 @@ ifdef(`distro_redhat', `
#
/var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
@ -22593,7 +22600,7 @@ index a26f84f..59fe535 100644
/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
@@ -45,4 +49,4 @@ ifdef(`distro_redhat', `
@@ -45,4 +51,4 @@ ifdef(`distro_redhat', `
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
@ -22933,7 +22940,7 @@ index 9d2f311..9e87525 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0306134..ae0d841 100644
index 0306134..bb5f3dd 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@ -22975,7 +22982,17 @@ index 0306134..ae0d841 100644
type postgresql_t;
type postgresql_exec_t;
@@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
@@ -52,6 +59,9 @@ files_config_file(postgresql_etc_t)
type postgresql_initrc_exec_t;
init_script_file(postgresql_initrc_exec_t)
+type postgresql_unit_file_t;
+systemd_unit_file(postgresql_unit_file_t)
+
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
@@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow postgresql_t self:netlink_selinux_socket create_socket_perms;
@ -22985,7 +23002,7 @@ index 0306134..ae0d841 100644
allow postgresql_t self:process { setsockcreate };
')
@@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
@@ -270,18 +281,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
@ -23007,7 +23024,7 @@ index 0306134..ae0d841 100644
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
@@ -299,12 +311,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
kernel_read_kernel_sysctls(postgresql_t)
@ -23021,7 +23038,7 @@ index 0306134..ae0d841 100644
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
@@ -342,8 +354,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@ -23031,7 +23048,7 @@ index 0306134..ae0d841 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t)
@@ -354,20 +365,28 @@ init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)
@ -23063,7 +23080,7 @@ index 0306134..ae0d841 100644
allow postgresql_t self:process execmem;
')
@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
@@ -485,10 +504,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
# It is always allowed to operate temporary objects for any database client.
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
@ -23120,7 +23137,7 @@ index 0306134..ae0d841 100644
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')
@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
@@ -536,7 +597,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@ -23129,7 +23146,7 @@ index 0306134..ae0d841 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
@@ -589,3 +650,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
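Review bot: The new type is declared in postgresql.te (`type postgresql_unit_file_t;` / `systemd_unit_file(postgresql_unit_file_t)`) and labelled in postgresql.fc, but nothing visible in this section grants any domain access to it; the only postgresql.if hunk shown ends at `postgresql_filetrans_named_content($1)` with no systemctl-style interface and no change to the admin interface. If that is not done elsewhere in the patch, an admin domain running `systemctl start postgresql` will now hit a specific type it has no rule for instead of the generic unit-file label, which is a regression rather than an enablement. I would add a `postgresql_systemctl()` interface in postgresql.if that calls `systemd_exec_systemctl($1)` and allows `$1` read on `postgresql_unit_file_t:file` and manage on `postgresql_unit_file_t:service`, and call it from `postgresql_admin()`. Separately, the file-context regex `/usr/lib/systemd/system/postgresql.*` has no suffix anchor, so it also claims any future file whose name merely starts with `postgresql`; `/usr/lib/systemd/system/postgresql.*\.service -- gen_context(system_u:object_r:postgresql_unit_file_t,s0)` is the tighter form.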


@ -55734,7 +55734,7 @@ index 86dc29d..68f7cb1 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
index 55f2009..0d4e38a 100644
index 55f2009..eab3fe0 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@ -55852,7 +55852,7 @@ index 55f2009..0d4e38a 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
@@ -102,22 +134,16 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
@@ -102,36 +134,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@ -55877,9 +55877,10 @@ index 55f2009..0d4e38a 100644
-
+dev_access_check_sysfs(NetworkManager_t)
dev_rw_sysfs(NetworkManager_t)
+dev_write_sysfs_dirs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
@@ -125,13 +151,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@ -55893,7 +55894,7 @@ index 55f2009..0d4e38a 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
@@ -140,18 +159,35 @@ mls_file_read_all_levels(NetworkManager_t)
@@ -140,18 +160,35 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@ -55930,7 +55931,7 @@ index 55f2009..0d4e38a 100644
seutil_read_config(NetworkManager_t)
@@ -166,21 +202,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
@@ -166,21 +203,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@ -55968,7 +55969,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -196,10 +243,6 @@ optional_policy(`
@@ -196,10 +244,6 @@ optional_policy(`
')
optional_policy(`
@ -55979,7 +55980,7 @@ index 55f2009..0d4e38a 100644
consoletype_exec(NetworkManager_t)
')
@@ -210,17 +253,16 @@ optional_policy(`
@@ -210,17 +254,16 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@ -56002,7 +56003,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -231,10 +273,11 @@ optional_policy(`
@@ -231,10 +274,11 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@ -56015,7 +56016,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -246,10 +289,26 @@ optional_policy(`
@@ -246,10 +290,26 @@ optional_policy(`
')
optional_policy(`
@ -56042,7 +56043,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -257,15 +316,19 @@ optional_policy(`
@@ -257,15 +317,19 @@ optional_policy(`
')
optional_policy(`
@ -56064,7 +56065,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -274,10 +337,17 @@ optional_policy(`
@@ -274,10 +338,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@ -56082,7 +56083,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -286,9 +356,12 @@ optional_policy(`
@@ -286,9 +357,12 @@ optional_policy(`
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
openvpn_signull(NetworkManager_t)
@ -56095,7 +56096,7 @@ index 55f2009..0d4e38a 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
@@ -296,7 +369,7 @@ optional_policy(`
@@ -296,7 +370,7 @@ optional_policy(`
')
optional_policy(`
@ -56104,7 +56105,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -307,6 +380,7 @@ optional_policy(`
@@ -307,6 +381,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@ -56112,7 +56113,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -320,14 +394,20 @@ optional_policy(`
@@ -320,14 +395,20 @@ optional_policy(`
')
optional_policy(`
@ -56138,7 +56139,7 @@ index 55f2009..0d4e38a 100644
')
optional_policy(`
@@ -357,6 +437,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
@@ -357,6 +438,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
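Review bot: `dev_write_sysfs_dirs(NetworkManager_t)` grants dir write on everything labelled sysfs_t, which is most of /sys, and the hunk gives no hint of which path NetworkManager actually needs beyond the BZ number. A write-on-dir denial under /sys is frequently a side effect of an `access(W_OK)` or `O_RDWR` open on a directory rather than a write the daemon depends on, since sysfs directories are not generally writable from userspace; if that is what BZ 1234086 reported, the narrower fix is `dev_dontaudit_write_sysfs_dirs(NetworkManager_t)` next to the existing `dev_rw_sysfs(NetworkManager_t)`. If the write is genuinely required, a comment above the rule naming the sysfs path and the bug, e.g. `# BZ 1234086: NM needs dir write on <path> under /sys`, would keep the grant auditable when the policy is next tightened.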


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 130%{?dist}
Release: 131%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Jun 23 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-131
- Allow NetworkManager write to sysfs. BZ(1234086)
- Fix bogus line in logrotate.fc.
- Add dontaudit interface for kdumpctl_tmp_t
- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te
- Add postgresql support for systemd unit files.
- Fix missing bracket
- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18
- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface
* Thu Jun 18 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-130
- Allow glusterd to interact with gluster tools running in a user domain
- rpm_transition_script() is called from rpm_run. Update cloud-init rules.