* Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104

- remove duplicate filename transition rules. - Call proper interface in sosreport.te. - Allow fetchmail to manage its keyring - Allow mail munin to create udp_sockets - Allow couchdb to sendto kernel unix domain sockets
2015-01-15 14:22:27 +01:00 · 2015-01-15 14:22:27 +01:00 · 72c96b37c5
commit 72c96b37c5
parent 525ad6557a
3 changed files with 29 additions and 19 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -3222,7 +3222,7 @@ index 1dc7a85..c6f4da0 100644
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
 ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..85186a9 100644
+index 7590165..d81185e 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
@ -3240,7 +3240,7 @@ index 7590165..85186a9 100644
 # seunshare local policy
 #
 +allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
-+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
 
 -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
 -allow seunshare_t self:process { setexec signal getcap setcap };
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -16390,7 +16390,7 @@ index 715a826..a1cbdb2 100644
 +	')
 ')
 diff --git a/couchdb.te b/couchdb.te
-index ae1c1b1..6238c82 100644
+index ae1c1b1..a3af6c9 100644
 --- a/couchdb.te
 +++ b/couchdb.te
@@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t)
@ -16418,7 +16418,7 @@ index ae1c1b1..6238c82 100644
 
 manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
 append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-@@ -56,11 +59,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
+@@ -56,11 +59,13 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
 
 manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
 manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
@ -16429,10 +16429,11 @@ index ae1c1b1..6238c82 100644
 
 kernel_read_system_state(couchdb_t)
 +kernel_read_fs_sysctls(couchdb_t)
+kernel_dgram_send(couchdb_t)
 
 corecmd_exec_bin(couchdb_t)
 corecmd_exec_shell(couchdb_t)
-@@ -75,14 +79,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+@@ -75,14 +80,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
 corenet_tcp_bind_couchdb_port(couchdb_t)
 corenet_tcp_sendrecv_couchdb_port(couchdb_t)
 
@ -27906,10 +27907,10 @@ index c3f7916..cab3954 100644
 	admin_pattern($1, fetchmail_etc_t)
 
 diff --git a/fetchmail.te b/fetchmail.te
-index 742559a..a6c5c24 100644
+index 742559a..57711b3 100644
 --- a/fetchmail.te
 +++ b/fetchmail.te
-@@ -32,14 +32,17 @@ files_type(fetchmail_uidl_cache_t)
+@@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t)
 #
 # Local policy
 #
@ -27918,6 +27919,7 @@ index 742559a..a6c5c24 100644
 dontaudit fetchmail_t self:capability sys_tty_config;
 allow fetchmail_t self:process { signal_perms setrlimit };
 allow fetchmail_t self:unix_stream_socket { accept listen };
+allow fetchmail_t self:key manage_key_perms;
 
 allow fetchmail_t fetchmail_etc_t:file read_file_perms;
 
@ -27928,7 +27930,7 @@ index 742559a..a6c5c24 100644
 
 manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
+@@ -63,7 +67,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
 corecmd_exec_bin(fetchmail_t)
 corecmd_exec_shell(fetchmail_t)
 
@ -27936,7 +27938,7 @@ index 742559a..a6c5c24 100644
 corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
 corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +87,23 @@ fs_search_auto_mountpoints(fetchmail_t)
 
 domain_use_interactive_fds(fetchmail_t)
 
@ -47378,7 +47380,7 @@ index 6fcfc31..91adcaf 100644
 +/var/run/mongo.*	                gen_context(system_u:object_r:mongod_var_run_t,s0)
 +/var/run/aeolus/dbomatic\.pid   --  gen_context(system_u:object_r:mongod_var_run_t,s0)
 diff --git a/mongodb.te b/mongodb.te
-index 169f236..dec8a95 100644
+index 169f236..907b24c 100644
 --- a/mongodb.te
 +++ b/mongodb.te
@@ -21,19 +21,25 @@ files_type(mongod_var_lib_t)
@ -47395,7 +47397,7 @@ index 169f236..dec8a95 100644
 
 -allow mongod_t self:process signal;
 +
-+allow mongod_t self:process { setsched signal };
+allow mongod_t self:process { setsched signal execmem };
 allow mongod_t self:fifo_file rw_fifo_file_perms;
 
 -manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
@ -52207,7 +52209,7 @@ index b744fe3..cb0e2af 100644
 +	admin_pattern($1, munin_content_t)
 ')
 diff --git a/munin.te b/munin.te
-index b708708..aebb4c1 100644
+index b708708..dd6e04b 100644
 --- a/munin.te
 +++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@ -52353,12 +52355,13 @@ index b708708..aebb4c1 100644
 ####################################
 #
 # Mail local policy
-@@ -279,27 +273,38 @@ optional_policy(`
+@@ -279,27 +273,39 @@ optional_policy(`
 
 allow mail_munin_plugin_t self:capability dac_override;
 
 +allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
 +allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow mail_munin_plugin_t self:udp_socket create_socket_perms;
 +
 rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
@ -52396,7 +52399,7 @@ index b708708..aebb4c1 100644
 ')
 
 optional_policy(`
-@@ -339,7 +344,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t)
 sysnet_read_config(services_munin_plugin_t)
 
 optional_policy(`
@ -52405,7 +52408,7 @@ index b708708..aebb4c1 100644
 ')
 
 optional_policy(`
-@@ -348,6 +353,10 @@ optional_policy(`
+@@ -348,6 +354,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -52416,7 +52419,7 @@ index b708708..aebb4c1 100644
 	lpd_exec_lpr(services_munin_plugin_t)
 ')
 
-@@ -361,7 +370,11 @@ optional_policy(`
+@@ -361,7 +371,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -52429,7 +52432,7 @@ index b708708..aebb4c1 100644
 ')
 
 optional_policy(`
-@@ -393,6 +406,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
 
 kernel_read_network_state(system_munin_plugin_t)
 kernel_read_all_sysctls(system_munin_plugin_t)
@ -52437,7 +52440,7 @@ index b708708..aebb4c1 100644
 
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +435,33 @@ optional_policy(`
+@@ -421,3 +436,33 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(unconfined_munin_plugin_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 103%{?dist}
+Release: 104%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -605,6 +605,13 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Thu Jan 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-104
+- remove duplicate filename transition rules.
+- Call proper interface in sosreport.te.
+- Allow fetchmail to manage its keyring
+- Allow mail munin to create udp_sockets
+- Allow couchdb to sendto kernel unix domain sockets
+
 * Sat Jan 3 2015 Dan Walsh <dwalsh@redhat.com> 3.13.1-103
 - Add /etc/selinux/targeted/contexts/openssh_contexts