* Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90

- Add support for /dev/nvme controllerdevice nodes created by nvme driver. - Add 15672 as amqp_port_t - Allow wine domains to read user homedir content - Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc - Allow winbind to read usermodehelper - Allow telepathy domains to execute shells and bin_t - Allow gpgdomains to create netlink_kobject_uevent_sockets - Allow abrt to read software raid state. BZ (1157770) - Fix rhcs_signull_haproxy() interface. - Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability. - Allow snapperd to dbus chat with system cron jobs. - Allow nslcd to read /dev/urandom. - Allow dovecot to create user's home directory when they log into IMAP. - Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
2014-11-03 15:03:44 +01:00 · 2014-11-03 15:03:44 +01:00 · a38ffbf425
commit a38ffbf425
parent 4dfcf7b0d0
3 changed files with 311 additions and 180 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5930,7 +5930,7 @@ index 3f6e168..51ad69a 100644
 ')
 
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..50bfabf 100644
+index b31c054..872ff1b 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@ -5981,7 +5981,16 @@ index b31c054..50bfabf 100644
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/net/vhost		-c	gen_context(system_u:object_r:vhost_device_t,s0)
-@@ -106,6 +113,7 @@
+@@ -80,6 +87,8 @@
+ /dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
+ /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
+ /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/nvme.*     -c  gen_context(system_u:object_r:nvme_device_t,s0)
+/dev/nvme.*     -b  gen_context(system_u:object_r:nvme_device_t,s0)
+ /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
+ /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -106,6 +115,7 @@
 /dev/snapshot		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@ -5989,7 +5998,7 @@ index b31c054..50bfabf 100644
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
 /dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
-@@ -118,6 +126,11 @@
+@@ -118,6 +128,11 @@
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
@ -6001,7 +6010,7 @@ index b31c054..50bfabf 100644
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -129,12 +142,14 @@ ifdef(`distro_suse', `
+@@ -129,12 +144,14 @@ ifdef(`distro_suse', `
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog.*		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@ -6016,7 +6025,7 @@ index b31c054..50bfabf 100644
 /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
 
-@@ -172,6 +187,8 @@ ifdef(`distro_suse', `
+@@ -172,6 +189,8 @@ ifdef(`distro_suse', `
 /dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 
@ -6025,7 +6034,7 @@ index b31c054..50bfabf 100644
 /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +215,27 @@ ifdef(`distro_debian',`
+@@ -198,12 +217,27 @@ ifdef(`distro_debian',`
 /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 
@ -8586,7 +8595,7 @@ index 76f285e..d36451a 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..f52e603 100644
+index 0b1a871..f260e6f 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@ -8667,7 +8676,20 @@ index 0b1a871..f52e603 100644
 # A more general type for mouse devices.
 #
 type mouse_device_t;
-@@ -227,6 +244,10 @@ files_mountpoint(sysfs_t)
+@@ -183,6 +200,12 @@ type nvram_device_t;
+ dev_node(nvram_device_t)
+ 
+ #
+# Type for controller device nodes
+#
+type nvme_device_t;
+dev_node(nvme_device_t)
+
+#
+ # Type for /dev/pmu
+ #
+ type power_device_t;
+@@ -227,6 +250,10 @@ files_mountpoint(sysfs_t)
 fs_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
@ -8678,7 +8700,7 @@ index 0b1a871..f52e603 100644
 #
 # Type for /dev/tpm
 #
-@@ -266,6 +287,15 @@ dev_node(usbmon_device_t)
+@@ -266,6 +293,15 @@ dev_node(usbmon_device_t)
 type userio_device_t;
 dev_node(userio_device_t)
 
@ -8694,7 +8716,7 @@ index 0b1a871..f52e603 100644
 type v4l_device_t;
 dev_node(v4l_device_t)
 
-@@ -274,6 +304,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +310,7 @@ dev_node(v4l_device_t)
 #
 type vhost_device_t;
 dev_node(vhost_device_t)
@ -8702,7 +8724,7 @@ index 0b1a871..f52e603 100644
 
 # Type for vmware devices.
 type vmware_device_t;
-@@ -319,5 +350,6 @@ files_associate_tmp(device_node)
+@@ -319,5 +356,6 @@ files_associate_tmp(device_node)
 #
 
 allow devices_unconfined_type self:capability sys_rawio;
@ -29277,7 +29299,7 @@ index bc0ffc8..7198bd9 100644
 ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..f142c45 100644
+index 79a45f6..b88e8a2 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@ -30744,7 +30766,7 @@ index 79a45f6..f142c45 100644
 +		type init_t;
 +	')
 +
-+	allow $1 init_t:service { start stop reload status };
+	allow $1 init_t:service manage_service_perms;
 +')
 +
 +########################################
@ -41157,10 +41179,10 @@ index 0000000..d2a8fc7
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..5b904b0
+index 0000000..a75ffd3
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,699 @@
+@@ -0,0 +1,700 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@ -41812,6 +41834,7 @@ index 0000000..5b904b0
 +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_dgram_send(systemd_sysctl_t)
+kernel_request_load_module(systemd_sysctl_t)
 +kernel_rw_all_sysctls(systemd_sysctl_t)
 +kernel_write_security_state(systemd_sysctl_t)
 +
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 89%{?dist}
+Release: 90%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -604,6 +604,22 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Nov 03 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-90
+- Add support for /dev/nvme controllerdevice nodes created by nvme driver.
+- Add 15672 as amqp_port_t
+- Allow wine domains to read user homedir content
+- Add fixes to allow docker to create more content in tmpfs ,and donaudit reading /proc
+- Allow winbind to read usermodehelper
+- Allow telepathy domains to execute shells and bin_t
+- Allow gpgdomains to create netlink_kobject_uevent_sockets
+- Allow abrt to read software raid state. BZ (1157770)
+- Fix rhcs_signull_haproxy() interface.
+-  Add suppor for keepalived unconfined scripts and allow keepalived to read all domain state and kill capability.
+- Allow snapperd to dbus chat with system cron jobs.
+- Allow nslcd to read /dev/urandom.
+- Allow dovecot to create user's home directory when they log into IMAP.
+- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835)
+
 * Wed Oct 29 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-89
 - Allow keystone_cgi_script_t to bind on commplex_main_port. BZ (#1138424)
 - Allow freeipmi_bmc_watchdog rw_sem_perms to freeipmi_ipmiseld