From 7100c57b1feb4cec44a5a433aca66f4b09e2488f Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Tue, 23 Jun 2015 18:07:14 +0200 Subject: [PATCH] * Tue Jun 23 2015 Lukas Vrabec 3.13.1-131 - Allow NetworkManager write to sysfs. BZ(1234086) - Fix bogus line in logrotate.fc. - Add dontaudit interface for kdumpctl_tmp_t - Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te - Add postgresql support for systemd unit files. - Fix missing bracket - Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18 - Fixed obsoleted userdom_delete_user_tmpfs_files() inteface --- policy-rawhide-base.patch | 43 +++++++++++++++++++++++++----------- policy-rawhide-contrib.patch | 33 +++++++++++++-------------- selinux-policy.spec | 12 +++++++++- 3 files changed, 58 insertions(+), 30 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2360fe05..8364df08 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -22567,10 +22567,10 @@ index 6d77e81..656a8c4 100644 + ') ') diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc -index a26f84f..59fe535 100644 +index a26f84f..f4a44eb 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc -@@ -10,6 +10,9 @@ +@@ -10,11 +10,16 @@ # /usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0) /usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) @@ -22580,7 +22580,14 @@ index a26f84f..59fe535 100644 /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) -@@ -28,9 +31,10 @@ ifdef(`distro_redhat', ` + /usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) + ++/usr/lib/systemd/system/postgresql.* -- gen_context(system_u:object_r:postgresql_unit_file_t,s0) ++ + ifdef(`distro_debian', ` + /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) + ') +@@ -28,9 +33,10 @@ ifdef(`distro_redhat', ` # /var/lib/postgres(ql)?(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) @@ -22593,7 +22600,7 @@ index a26f84f..59fe535 100644 /var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0) -@@ -45,4 +49,4 @@ ifdef(`distro_redhat', ` +@@ -45,4 +51,4 @@ ifdef(`distro_redhat', ` /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) @@ -22933,7 +22940,7 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 0306134..ae0d841 100644 +index 0306134..bb5f3dd 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -22975,7 +22982,17 @@ index 0306134..ae0d841 100644 type postgresql_t; type postgresql_exec_t; -@@ -236,7 +243,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; +@@ -52,6 +59,9 @@ files_config_file(postgresql_etc_t) + type postgresql_initrc_exec_t; + init_script_file(postgresql_initrc_exec_t) + ++type postgresql_unit_file_t; ++systemd_unit_file(postgresql_unit_file_t) ++ + type postgresql_lock_t; + files_lock_file(postgresql_lock_t) + +@@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow postgresql_t self:netlink_selinux_socket create_socket_perms; @@ -22985,7 +23002,7 @@ index 0306134..ae0d841 100644 allow postgresql_t self:process { setsockcreate }; ') -@@ -270,18 +278,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) +@@ -270,18 +281,19 @@ manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) @@ -23007,7 +23024,7 @@ index 0306134..ae0d841 100644 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) -@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run +@@ -299,12 +311,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) kernel_read_kernel_sysctls(postgresql_t) @@ -23021,7 +23038,7 @@ index 0306134..ae0d841 100644 corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -342,8 +354,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) @@ -23031,7 +23048,7 @@ index 0306134..ae0d841 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t) +@@ -354,20 +365,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) @@ -23063,7 +23080,7 @@ index 0306134..ae0d841 100644 allow postgresql_t self:process execmem; ') -@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +504,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -23120,7 +23137,7 @@ index 0306134..ae0d841 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +597,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -23129,7 +23146,7 @@ index 0306134..ae0d841 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +650,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index d3881d21..bb990ce1 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -55734,7 +55734,7 @@ index 86dc29d..68f7cb1 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..0d4e38a 100644 +index 55f2009..eab3fe0 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -55852,7 +55852,7 @@ index 55f2009..0d4e38a 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +134,16 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,36 +134,24 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -55877,9 +55877,10 @@ index 55f2009..0d4e38a 100644 - +dev_access_check_sysfs(NetworkManager_t) dev_rw_sysfs(NetworkManager_t) ++dev_write_sysfs_dirs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +151,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) + dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -55893,7 +55894,7 @@ index 55f2009..0d4e38a 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +159,35 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +160,35 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -55930,7 +55931,7 @@ index 55f2009..0d4e38a 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +202,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +203,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -55968,7 +55969,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -196,10 +243,6 @@ optional_policy(` +@@ -196,10 +244,6 @@ optional_policy(` ') optional_policy(` @@ -55979,7 +55980,7 @@ index 55f2009..0d4e38a 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,17 +253,16 @@ optional_policy(` +@@ -210,17 +254,16 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -56002,7 +56003,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -231,10 +273,11 @@ optional_policy(` +@@ -231,10 +274,11 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -56015,7 +56016,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -246,10 +289,26 @@ optional_policy(` +@@ -246,10 +290,26 @@ optional_policy(` ') optional_policy(` @@ -56042,7 +56043,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -257,15 +316,19 @@ optional_policy(` +@@ -257,15 +317,19 @@ optional_policy(` ') optional_policy(` @@ -56064,7 +56065,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -274,10 +337,17 @@ optional_policy(` +@@ -274,10 +338,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -56082,7 +56083,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -286,9 +356,12 @@ optional_policy(` +@@ -286,9 +357,12 @@ optional_policy(` openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) openvpn_signull(NetworkManager_t) @@ -56095,7 +56096,7 @@ index 55f2009..0d4e38a 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +369,7 @@ optional_policy(` +@@ -296,7 +370,7 @@ optional_policy(` ') optional_policy(` @@ -56104,7 +56105,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -307,6 +380,7 @@ optional_policy(` +@@ -307,6 +381,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -56112,7 +56113,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -320,14 +394,20 @@ optional_policy(` +@@ -320,14 +395,20 @@ optional_policy(` ') optional_policy(` @@ -56138,7 +56139,7 @@ index 55f2009..0d4e38a 100644 ') optional_policy(` -@@ -357,6 +437,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +438,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d096f2b4..50042c7a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 130%{?dist} +Release: 131%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -602,6 +602,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jun 23 2015 Lukas Vrabec 3.13.1-131 +- Allow NetworkManager write to sysfs. BZ(1234086) +- Fix bogus line in logrotate.fc. +- Add dontaudit interface for kdumpctl_tmp_t +- Use userdom_rw_user_tmp_files() instead of userdom_rw_user_tmpfs_files() in gluster.te +- Add postgresql support for systemd unit files. +- Fix missing bracket +- Pull request by ssekidde. https://github.com/fedora-selinux/selinux-policy/pull/18 +- Fixed obsoleted userdom_delete_user_tmpfs_files() inteface + * Thu Jun 18 2015 Miroslav Grepl 3.13.1-130 - Allow glusterd to interact with gluster tools running in a user domain - rpm_transition_script() is called from rpm_run. Update cloud-init rules.