From 8e18cc2081f91b8bd7241ad566470aecc57f8114 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 17 Mar 2014 17:29:57 +0100 Subject: [PATCH] - Label sddm as xdm_exec_t to make KDE working again - Allow postgresql to read network state - Allow java running as pki_tomcat to read network sysctls - Fix cgroup.te to allow cgred to read cgconfig_etc_t - Allow beam.smp to use ephemeral ports - Allow winbind to use the nis to authenticate passwords --- policy-rawhide-base.patch | 31 +++++--- policy-rawhide-contrib.patch | 149 +++++++++++++++++++---------------- selinux-policy.spec | 10 ++- 3 files changed, 108 insertions(+), 82 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 88466e42..0d7ca0b6 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -21013,7 +21013,7 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 0306134..68598c7 100644 +index 0306134..ae0d841 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` @@ -21087,7 +21087,13 @@ index 0306134..68598c7 100644 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) -@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t) +@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run + files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(postgresql_t) ++kernel_read_network_state(postgresql_t) + kernel_read_system_state(postgresql_t) + kernel_list_proc(postgresql_t) kernel_read_all_sysctls(postgresql_t) kernel_read_proc_symlinks(postgresql_t) 
@@ -21095,7 +21101,7 @@ index 0306134..68598c7 100644 corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) @@ -21105,7 +21111,7 @@ index 0306134..68598c7 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t) +@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) @@ -21137,7 +21143,7 @@ index 0306134..68598c7 100644 allow postgresql_t self:process execmem; ') -@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -21194,7 +21200,7 @@ index 0306134..68598c7 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) 
@@ -21203,7 +21209,7 @@ index 0306134..68598c7 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) @@ -22607,7 +22613,7 @@ index cc877c7..a8b01bf 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..0069d82 100644 +index 8274418..522a2f0 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -22669,7 +22675,7 @@ index 8274418..0069d82 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +76,33 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -22695,7 +22701,8 @@ index 8274418..0069d82 100644 -/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + -+/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) 
@@ -22709,7 +22716,7 @@ index 8274418..0069d82 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -92,18 +129,31 @@ ifndef(`distro_debian',` +@@ -92,18 +130,31 @@ ifndef(`distro_debian',` /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -22745,7 +22752,7 @@ index 8274418..0069d82 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -112,6 +162,16 @@ ifndef(`distro_debian',` +@@ -112,6 +163,16 @@ ifndef(`distro_debian',` /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 5449d471..3f9cc30a 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -11226,7 +11226,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index 80a88a2..7cebead 100644 +index 80a88a2..ec869f5 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -11279,7 +11279,7 @@ index 80a88a2..7cebead 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -+allow cgred_t cgconfig_t:file read_file_perms; ++allow cgred_t cgconfig_etc_t:file read_file_perms; allow cgred_t cgrules_etc_t:file read_file_perms; allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; @@ -40690,10 +40690,10 @@ index e08c55d..24b56e9 100644 + files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file }) +') diff --git a/mandb.fc b/mandb.fc -index 8ae78b5..16e55cd 100644 +index 8ae78b5..b365cdd 100644 
--- a/mandb.fc +++ b/mandb.fc -@@ -1 +1,11 @@ +@@ -1 +1,12 @@ +HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) + /etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0) @@ -40705,6 +40705,7 @@ index 8ae78b5..16e55cd 100644 + +/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) + ++/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if index 327f3f7..4f61561 100644 --- a/mandb.if @@ -52430,7 +52431,7 @@ index 8f2ab09..bc2c7fe 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index bcd7d0a..8cc5de9 100644 +index bcd7d0a..0188086 100644 --- a/nscd.te +++ b/nscd.te @@ -4,33 +4,34 @@ gen_require(` 
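Review bot: The new `/root/.manpath` entry in the mandb.fc hunk leaves the dot unescaped, so in a file-context regex it matches any single character rather than a literal `.`, while every other entry in the file (`HOME_DIR/\.manpath`, `/var/lock/man-db\.lock`) escapes it; use `/root/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)`. It is also appended after the trailing blank line at the end of the file instead of beside the `HOME_DIR/\.manpath` entry it mirrors, so grouping the two would keep the home-content labels together. This mandb.fc change is not mentioned in the commit message or the spec changelog entry.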
@@ -52580,44 +52581,45 @@ index bcd7d0a..8cc5de9 100644 userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) -@@ -121,20 +131,31 @@ optional_policy(` +@@ -121,13 +131,11 @@ optional_policy(` ') optional_policy(` +- tunable_policy(`samba_domain_controller',` +- samba_append_log(nscd_t) +- samba_dontaudit_use_fds(nscd_t) +- ') + kerberos_use(nscd_t) +') -+ -+optional_policy(` -+ udev_read_db(nscd_t) -+') -+ -+optional_policy(` -+ xen_dontaudit_rw_unix_stream_sockets(nscd_t) -+ xen_append_log(nscd_t) -+') -+ -+optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(nscd_t) - samba_dontaudit_use_fds(nscd_t) - ') -- + - samba_read_config(nscd_t) - samba_read_var_files(nscd_t) ++optional_policy(` ++ nis_authenticate(nscd_t) ') optional_policy(` -- udev_read_db(nscd_t) +@@ -138,3 +146,20 @@ optional_policy(` + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) + ') ++ ++optional_policy(` ++ tunable_policy(`samba_domain_controller',` ++ samba_append_log(nscd_t) ++ samba_dontaudit_use_fds(nscd_t) ++ ') ++') ++ ++optional_policy(` + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) + samba_stream_connect_nmbd(nscd_t) - ') - - optional_policy(` -- xen_dontaudit_rw_unix_stream_sockets(nscd_t) -- xen_append_log(nscd_t) ++') ++ ++optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) - ') ++') diff --git a/nsd.fc b/nsd.fc index 4f2b1b6..5348e92 100644 --- a/nsd.fc @@ -61401,10 +61403,10 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..5c64daf +index 0000000..e8c6156 --- /dev/null +++ b/pki.te -@@ -0,0 +1,272 @@ +@@ -0,0 +1,273 @@ +policy_module(pki,10.0.11) + +######################################## 
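Review bot: `nis_authenticate(nscd_t)` is added unconditionally inside its own optional_policy block with no comment saying why nscd needs to authenticate against NIS, and the same unconditional grant is made for winbind_t in the samba.te hunk further down. If nis_authenticate is the refpolicy interface that, beyond ypbind access, also permits binding reserved ports for the RPC exchange, it is a wider grant than the changelog wording suggests and worth gating on the NIS tunable the policy already uses, e.g. `tunable_policy(`nis_enabled',` nis_authenticate(nscd_t) ')`, or at least annotating with `# nscd validates passwords through NIS when ypbind is in use`. The remainder of the hunk only reorders existing optional_policy blocks.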
@@ -61516,6 +61518,7 @@ index 0000000..5c64daf +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) + +kernel_read_kernel_sysctls(pki_tomcat_t) ++kernel_read_net_sysctls(pki_tomcat_t) + +corenet_tcp_connect_http_cache_port(pki_tomcat_t) +corenet_tcp_connect_ldap_port(pki_tomcat_t) @@ -72742,7 +72745,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index dc3b0ed..c77c09c 100644 +index dc3b0ed..e0806a1 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -72785,7 +72788,7 @@ index dc3b0ed..c77c09c 100644 can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t) domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t) -@@ -55,51 +64,63 @@ kernel_read_fs_sysctls(rabbitmq_beam_t) +@@ -55,51 +64,64 @@ kernel_read_fs_sysctls(rabbitmq_beam_t) corecmd_exec_bin(rabbitmq_beam_t) corecmd_exec_shell(rabbitmq_beam_t) @@ -72797,6 +72800,7 @@ index dc3b0ed..c77c09c 100644 corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) corenet_tcp_bind_generic_node(rabbitmq_beam_t) +corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t) ++corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t) corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) -corenet_tcp_bind_amqp_port(rabbitmq_beam_t) @@ -72865,7 +72869,7 @@ index dc3b0ed..c77c09c 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -107,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; +@@ -107,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; 
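Review bot: `corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)` lets the beam domain listen on any port labeled ephemeral_port_t, a much wider listening surface than the amqp and epmd ports the rest of the rabbitmq.te block names, and the hunk carries no comment explaining the need. The changelog says beam.smp needs ephemeral ports; if that is because the Erlang node chooses its distribution listen port dynamically, record it where the rule lives, e.g. `# beam.smp listens on a dynamically chosen port for inter-node traffic`, so a later reader does not narrow it to a fixed port type by mistake. If the deployment pins the range via Erlang's inet_dist_listen_min/inet_dist_listen_max, a dedicated port type would let this bind rule be narrower than all ephemeral ports.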
@@ -72874,7 +72878,7 @@ index dc3b0ed..c77c09c 100644 corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t) -@@ -117,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -79183,7 +79187,7 @@ index 0bf13c2..d59aef7 100644 type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; diff --git a/rpc.te b/rpc.te -index 2da9fca..09e0307 100644 +index 2da9fca..f47a20e 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1) @@ -79334,35 +79338,38 @@ index 2da9fca..09e0307 100644 ifdef(`distro_debian',` term_dontaudit_use_unallocated_ttys(rpcd_t) -@@ -181,19 +180,23 @@ optional_policy(` +@@ -181,19 +180,27 @@ optional_policy(` ') optional_policy(` -- nis_read_ypserv_config(rpcd_t) + domain_unconfined_signal(rpcd_t) ++') ++ ++optional_policy(` ++ quota_manage_db(rpcd_t) ++') ++ ++optional_policy(` + nis_read_ypserv_config(rpcd_t) ') optional_policy(` - quota_manage_db_files(rpcd_t) -+ quota_manage_db(rpcd_t) ++ quota_read_db(rpcd_t) ') optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) -+ nis_read_ypserv_config(rpcd_t) ++ rhcs_manage_cluster_tmp_files(rpcd_t) ') optional_policy(` - unconfined_signal(rpcd_t) -+ quota_read_db(rpcd_t) -+') -+ -+optional_policy(` -+ rhcs_manage_cluster_tmp_files(rpcd_t) ++ samba_stream_connect_nmbd(rpcd_t) ') ######################################## -@@ -202,41 +205,56 @@ optional_policy(` +@@ -202,41 +209,56 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; 
@@ -79428,7 +79435,7 @@ index 2da9fca..09e0307 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -245,7 +263,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -245,7 +267,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -79436,7 +79443,7 @@ index 2da9fca..09e0307 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -257,12 +274,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -257,12 +278,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -79451,7 +79458,7 @@ index 2da9fca..09e0307 100644 ') ######################################## -@@ -270,7 +287,7 @@ optional_policy(` +@@ -270,7 +291,7 @@ optional_policy(` # GSSD local policy # @@ -79460,7 +79467,7 @@ index 2da9fca..09e0307 100644 allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_fifo_file_perms; -@@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -280,6 +301,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -79468,7 +79475,7 @@ index 2da9fca..09e0307 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -288,25 +306,30 @@ kernel_signal(gssd_t) +@@ -288,25 +310,30 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -79502,7 +79509,7 @@ index 2da9fca..09e0307 100644 ') optional_policy(` -@@ -314,9 +337,12 @@ optional_policy(` +@@ -314,9 +341,12 @@ optional_policy(` ') optional_policy(` @@ -82870,7 +82877,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..c80c3f6 100644 +index 2b7c441..127ac9e 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) 
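Review bot: On the new side of the rpc.te hunk rpcd_t ends up with both `quota_manage_db(rpcd_t)` and, in a separate optional_policy block, `quota_read_db(rpcd_t)`; if quota_manage_db grants the manage-level superset its name implies, the read block is redundant and can be dropped. The hunk also adds `samba_stream_connect_nmbd(rpcd_t)`, which neither the commit message nor the spec changelog entry mentions; a changelog line such as `- Allow rpcd to connect to nmbd` would keep the record complete. Splitting each interface call into its own optional_policy block matches the surrounding style, so no objection there; the inner hunk's nfsd section continues past this outer hunk.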
@@ -83591,14 +83598,14 @@ index 2b7c441..c80c3f6 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -83774,13 +83781,13 @@ index 2b7c441..c80c3f6 100644 -allow swat_t { nmbd_t smbd_t }:process { signal signull }; +samba_domtrans_smbd(swat_t) +allow swat_t smbd_t:process { signal signull }; -+ -+samba_domtrans_nmbd(swat_t) -+allow swat_t nmbd_t:process { signal signull }; -+allow nmbd_t swat_t:process signal; -allow swat_t smbd_var_run_t:file read_file_perms; -allow swat_t smbd_var_run_t:file { lock delete_file_perms }; ++samba_domtrans_nmbd(swat_t) ++allow swat_t nmbd_t:process { signal signull }; ++allow nmbd_t swat_t:process signal; ++ +read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t) +stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) + @@ -83994,7 +84001,7 @@ index 2b7c441..c80c3f6 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -924,26 +954,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -924,26 +954,43 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -84033,10 +84040,14 @@ index 2b7c441..c80c3f6 100644 optional_policy(` kerberos_use(winbind_t) + kerberos_filetrans_named_content(winbind_t) ++') ++ ++optional_policy(` ++ nis_authenticate(winbind_t) ') optional_policy(` -@@ -959,31 +1002,29 @@ optional_policy(` +@@ -959,31 +1006,29 @@ optional_policy(` # Winbind helper local policy # 
@@ -84074,7 +84085,7 @@ index 2b7c441..c80c3f6 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1038,38 @@ optional_policy(` +@@ -997,25 +1042,38 @@ optional_policy(` ######################################## # @@ -84095,24 +84106,24 @@ index 2b7c441..c80c3f6 100644 + role system_r types samba_unconfined_net_t; + + unconfined_domain(samba_unconfined_net_t) -+ + +- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +- allow smbd_t samba_unconfined_script_exec_t:file ioctl; + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_inherited_user_terminals(samba_unconfined_net_t) +') -+ + +type samba_unconfined_script_t; +type samba_unconfined_script_exec_t; +domain_type(samba_unconfined_script_t) +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) +corecmd_shell_entry_type(samba_unconfined_script_t) +role system_r types samba_unconfined_script_t; - -- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; -- allow smbd_t samba_unconfined_script_exec_t:file ioctl; ++ +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +allow smbd_t samba_unconfined_script_exec_t:file ioctl; - ++ +optional_policy(` unconfined_domain(samba_unconfined_script_t) +') diff --git a/selinux-policy.spec b/selinux-policy.spec index 29241e91..0dc12db1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 37%{?dist} +Release: 38%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -580,6 +580,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Mar 17 2014 Miroslav Grepl 3.13.1-38 +- Label sddm as xdm_exec_t to make KDE working again +- Allow postgresql to read network state +- Allow java running as pki_tomcat to read network sysctls +- Fix cgroup.te to allow cgred to read cgconfig_etc_t +- Allow beam.smp to use ephemeral ports +- Allow winbind to use the nis to authenticate passwords + * Mon Mar 17 2014 Miroslav Grepl 3.13.1-37 - Allow collectd to talk to libvirt - Allow chrome_sandbox to use leaked unix_stream_sockets