- Label sddm as xdm_exec_t to make KDE working again

- Allow postgresql to read network state
- Allow java running as pki_tomcat to read network sysctls
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
- Allow beam.smp to use ephemeral ports
- Allow winbind to use the nis to authenticate passwords
Miroslav Grepl 2014-03-17 17:29:57 +01:00
parent 6337678e76
commit 8e18cc2081
3 changed files with 108 additions and 82 deletions


@ -21013,7 +21013,7 @@ index 9d2f311..9e87525 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0306134..68598c7 100644
index 0306134..ae0d841 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@ -21087,7 +21087,13 @@ index 0306134..68598c7 100644
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t)
@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run
files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
kernel_read_kernel_sysctls(postgresql_t)
+kernel_read_network_state(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
@ -21095,7 +21101,7 @@ index 0306134..68598c7 100644
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@ -21105,7 +21111,7 @@ index 0306134..68598c7 100644
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
@@ -354,20 +361,28 @@ init_read_utmp(postgresql_t)
@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)
@ -21137,7 +21143,7 @@ index 0306134..68598c7 100644
allow postgresql_t self:process execmem;
')
@@ -485,10 +500,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
# It is always allowed to operate temporary objects for any database client.
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
@ -21194,7 +21200,7 @@ index 0306134..68598c7 100644
allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')
@@ -536,7 +593,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
@ -21203,7 +21209,7 @@ index 0306134..68598c7 100644
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
@@ -589,3 +646,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@ -22607,7 +22613,7 @@ index cc877c7..a8b01bf 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 8274418..0069d82 100644
index 8274418..522a2f0 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -22669,7 +22675,7 @@ index 8274418..0069d82 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
@@ -46,26 +76,33 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@ -22695,7 +22701,8 @@ index 8274418..0069d82 100644
-/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
+/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
+/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
@ -22709,7 +22716,7 @@ index 8274418..0069d82 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -92,18 +129,31 @@ ifndef(`distro_debian',`
@@ -92,18 +130,31 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@ -22745,7 +22752,7 @@ index 8274418..0069d82 100644
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -112,6 +162,16 @@ ifndef(`distro_debian',`
@@ -112,6 +163,16 @@ ifndef(`distro_debian',`
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
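Review bot: `kernel_read_network_state(postgresql_t)` in the postgresql.te hunk is added with no record of which PostgreSQL operation needs it, and the commit message only restates the rule. Network state means read access to the /proc/net files, so the grant widens what the database server domain can learn about sockets and routes belonging to other local services. I would put the triggering denial next to the rule, e.g. `# needed for <operation>; AVC: <denial or bug reference>`, so the permission can be re-checked or dropped later. The policy block around the rule continues outside the hunk.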


@ -11226,7 +11226,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
index 80a88a2..7cebead 100644
index 80a88a2..ec869f5 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@ -11279,7 +11279,7 @@ index 80a88a2..7cebead 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
+allow cgred_t cgconfig_t:file read_file_perms;
+allow cgred_t cgconfig_etc_t:file read_file_perms;
allow cgred_t cgrules_etc_t:file read_file_perms;
allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms };
@ -40690,10 +40690,10 @@ index e08c55d..24b56e9 100644
+ files_var_filetrans(man2html_script_t, man2html_rw_content_t, { dir file })
+')
diff --git a/mandb.fc b/mandb.fc
index 8ae78b5..16e55cd 100644
index 8ae78b5..b365cdd 100644
--- a/mandb.fc
+++ b/mandb.fc
@@ -1 +1,11 @@
@@ -1 +1,12 @@
+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
+
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
@ -40705,6 +40705,7 @@ index 8ae78b5..16e55cd 100644
+
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
+
+/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
diff --git a/mandb.if b/mandb.if
index 327f3f7..4f61561 100644
--- a/mandb.if
@ -52430,7 +52431,7 @@ index 8f2ab09..bc2c7fe 100644
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
index bcd7d0a..8cc5de9 100644
index bcd7d0a..0188086 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,33 +4,34 @@ gen_require(`
@ -52580,44 +52581,45 @@ index bcd7d0a..8cc5de9 100644
userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
@@ -121,20 +131,31 @@ optional_policy(`
@@ -121,13 +131,11 @@ optional_policy(`
')
optional_policy(`
- tunable_policy(`samba_domain_controller',`
- samba_append_log(nscd_t)
- samba_dontaudit_use_fds(nscd_t)
- ')
+ kerberos_use(nscd_t)
+')
+
+optional_policy(`
+ udev_read_db(nscd_t)
+')
+
+optional_policy(`
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
+ xen_append_log(nscd_t)
+')
+
+optional_policy(`
tunable_policy(`samba_domain_controller',`
samba_append_log(nscd_t)
samba_dontaudit_use_fds(nscd_t)
')
-
- samba_read_config(nscd_t)
- samba_read_var_files(nscd_t)
+optional_policy(`
+ nis_authenticate(nscd_t)
')
optional_policy(`
- udev_read_db(nscd_t)
@@ -138,3 +146,20 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
+
+optional_policy(`
+ tunable_policy(`samba_domain_controller',`
+ samba_append_log(nscd_t)
+ samba_dontaudit_use_fds(nscd_t)
+ ')
+')
+
+optional_policy(`
+ samba_read_config(nscd_t)
+ samba_read_var_files(nscd_t)
+ samba_stream_connect_nmbd(nscd_t)
')
optional_policy(`
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
- xen_append_log(nscd_t)
+')
+
+optional_policy(`
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
')
+')
diff --git a/nsd.fc b/nsd.fc
index 4f2b1b6..5348e92 100644
--- a/nsd.fc
@ -61401,10 +61403,10 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
index 0000000..5c64daf
index 0000000..e8c6156
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,272 @@
@@ -0,0 +1,273 @@
+policy_module(pki,10.0.11)
+
+########################################
@ -61516,6 +61518,7 @@ index 0000000..5c64daf
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
+
+kernel_read_kernel_sysctls(pki_tomcat_t)
+kernel_read_net_sysctls(pki_tomcat_t)
+
+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
@ -72742,7 +72745,7 @@ index 2c3d338..cf3e5ad 100644
########################################
diff --git a/rabbitmq.te b/rabbitmq.te
index dc3b0ed..c77c09c 100644
index dc3b0ed..e0806a1 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@ -72785,7 +72788,7 @@ index dc3b0ed..c77c09c 100644
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
@@ -55,51 +64,63 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
@@ -55,51 +64,64 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
corecmd_exec_bin(rabbitmq_beam_t)
corecmd_exec_shell(rabbitmq_beam_t)
@ -72797,6 +72800,7 @@ index dc3b0ed..c77c09c 100644
corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
corenet_tcp_bind_generic_node(rabbitmq_beam_t)
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
+corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t)
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
@ -72865,7 +72869,7 @@ index dc3b0ed..c77c09c 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
@@ -107,6 +128,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
@@ -107,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
@ -72874,7 +72878,7 @@ index dc3b0ed..c77c09c 100644
corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
@@ -117,8 +140,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
@@ -117,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@ -79183,7 +79187,7 @@ index 0bf13c2..d59aef7 100644
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
diff --git a/rpc.te b/rpc.te
index 2da9fca..09e0307 100644
index 2da9fca..f47a20e 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@ -79334,35 +79338,38 @@ index 2da9fca..09e0307 100644
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(rpcd_t)
@@ -181,19 +180,23 @@ optional_policy(`
@@ -181,19 +180,27 @@ optional_policy(`
')
optional_policy(`
- nis_read_ypserv_config(rpcd_t)
+ domain_unconfined_signal(rpcd_t)
+')
+
+optional_policy(`
+ quota_manage_db(rpcd_t)
+')
+
+optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
optional_policy(`
- quota_manage_db_files(rpcd_t)
+ quota_manage_db(rpcd_t)
+ quota_read_db(rpcd_t)
')
optional_policy(`
- rgmanager_manage_tmp_files(rpcd_t)
+ nis_read_ypserv_config(rpcd_t)
+ rhcs_manage_cluster_tmp_files(rpcd_t)
')
optional_policy(`
- unconfined_signal(rpcd_t)
+ quota_read_db(rpcd_t)
+')
+
+optional_policy(`
+ rhcs_manage_cluster_tmp_files(rpcd_t)
+ samba_stream_connect_nmbd(rpcd_t)
')
########################################
@@ -202,41 +205,56 @@ optional_policy(`
@@ -202,41 +209,56 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@ -79428,7 +79435,7 @@ index 2da9fca..09e0307 100644
miscfiles_manage_public_files(nfsd_t)
')
@@ -245,7 +263,6 @@ tunable_policy(`nfs_export_all_rw',`
@@ -245,7 +267,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@ -79436,7 +79443,7 @@ index 2da9fca..09e0307 100644
')
tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +274,12 @@ tunable_policy(`nfs_export_all_ro',`
@@ -257,12 +278,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@ -79451,7 +79458,7 @@ index 2da9fca..09e0307 100644
')
########################################
@@ -270,7 +287,7 @@ optional_policy(`
@@ -270,7 +291,7 @@ optional_policy(`
# GSSD local policy
#
@ -79460,7 +79467,7 @@ index 2da9fca..09e0307 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
@@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
@@ -280,6 +301,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -79468,7 +79475,7 @@ index 2da9fca..09e0307 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
@@ -288,25 +306,30 @@ kernel_signal(gssd_t)
@@ -288,25 +310,30 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@ -79502,7 +79509,7 @@ index 2da9fca..09e0307 100644
')
optional_policy(`
@@ -314,9 +337,12 @@ optional_policy(`
@@ -314,9 +341,12 @@ optional_policy(`
')
optional_policy(`
@ -82870,7 +82877,7 @@ index 50d07fb..bada62f 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
index 2b7c441..c80c3f6 100644
index 2b7c441..127ac9e 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@ -83591,14 +83598,14 @@ index 2b7c441..c80c3f6 100644
-
userdom_use_unpriv_users_fds(nmbd_t)
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
-
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
-tunable_policy(`samba_export_all_ro',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_list_non_auth_dirs(nmbd_t)
- files_read_non_auth_files(nmbd_t)
-')
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
-
-tunable_policy(`samba_export_all_rw',`
- fs_read_noxattr_fs_files(nmbd_t)
- files_manage_non_auth_files(nmbd_t)
@ -83774,13 +83781,13 @@ index 2b7c441..c80c3f6 100644
-allow swat_t { nmbd_t smbd_t }:process { signal signull };
+samba_domtrans_smbd(swat_t)
+allow swat_t smbd_t:process { signal signull };
+
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
-allow swat_t smbd_var_run_t:file read_file_perms;
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+samba_domtrans_nmbd(swat_t)
+allow swat_t nmbd_t:process { signal signull };
+allow nmbd_t swat_t:process signal;
+
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+
@ -83994,7 +84001,7 @@ index 2b7c441..c80c3f6 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -924,26 +954,39 @@ auth_domtrans_chk_passwd(winbind_t)
@@ -924,26 +954,43 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@ -84033,10 +84040,14 @@ index 2b7c441..c80c3f6 100644
optional_policy(`
kerberos_use(winbind_t)
+ kerberos_filetrans_named_content(winbind_t)
+')
+
+optional_policy(`
+ nis_authenticate(winbind_t)
')
optional_policy(`
@@ -959,31 +1002,29 @@ optional_policy(`
@@ -959,31 +1006,29 @@ optional_policy(`
# Winbind helper local policy
#
@ -84074,7 +84085,7 @@ index 2b7c441..c80c3f6 100644
optional_policy(`
apache_append_log(winbind_helper_t)
@@ -997,25 +1038,38 @@ optional_policy(`
@@ -997,25 +1042,38 @@ optional_policy(`
########################################
#
@ -84095,24 +84106,24 @@ index 2b7c441..c80c3f6 100644
+ role system_r types samba_unconfined_net_t;
+
+ unconfined_domain(samba_unconfined_net_t)
+
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
+')
+
+type samba_unconfined_script_t;
+type samba_unconfined_script_exec_t;
+domain_type(samba_unconfined_script_t)
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+optional_policy(`
unconfined_domain(samba_unconfined_script_t)
+')
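Review bot: The new `nis_authenticate(winbind_t)` block in the samba.te winbind hunk is guarded only by `optional_policy`, so it is active whenever the nis module is built, with no boolean in front of it. In the reference policy that interface grants ypbind access unconditionally and adds binds on the RPC ports, whereas the `auth_use_nsswitch(winbind_t)` call already in this hunk reaches NIS only through the boolean-gated path; neither definition is visible on this page, so this should be confirmed against nis.if. If that holds, an administrator who leaves the NIS boolean off still gets a winbind that may talk to ypbind and bind RPC ports. I would state that next to the call, e.g. `# unconditional on purpose: winbind needs NIS for password checks even with the NIS boolean off (<bug reference>)`, or gate the call if the boolean is meant to stay authoritative. The same interface is also called for nscd_t in the nscd.te hunk.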


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 37%{?dist}
Release: 38%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -580,6 +580,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-38
- Label sddm as xdm_exec_t to make KDE working again
- Allow postgresql to read network state
- Allow java running as pki_tomcat to read network sysctls
- Fix cgroup.te to allow cgred to read cgconfig_etc_t
- Allow beam.smp to use ephemeral ports
- Allow winbind to use the nis to authenticate passwords
* Mon Mar 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-37
- Allow collectd to talk to libvirt
- Allow chrome_sandbox to use leaked unix_stream_sockets