* Fri Jan 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-3

- Allow gnomeclock to talk to puppet over dbus - Allow numad access discovered by Dominic - Add support for HOME_DIR/.maildir - Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this d - Allow udev to relabel udev_var_run_t lnk_files - New bin_t file in mcelog
2013-01-11 19:30:57 +01:00 · 2013-01-11 19:30:57 +01:00 · a7dce2ac5c
parent 0c265c3817
commit a7dce2ac5c
3 changed files with 349 additions and 293 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -112432,7 +112432,7 @@ index 7590165..19aaaed 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..0c58f76 100644
+index 644d4d7..f079522 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@ -112455,7 +112455,7 @@ index 644d4d7..0c58f76 100644
 /etc/avahi/.*\.action 		--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -69,6 +71,13 @@ ifdef(`distro_redhat',`
+@@ -69,16 +71,25 @@ ifdef(`distro_redhat',`
 /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
@ -112469,7 +112469,11 @@ index 644d4d7..0c58f76 100644
 /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/mcelog/.*-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -79,6 +88,7 @@ ifdef(`distro_redhat',`
+ /etc/mcelog/.*\.local		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/.*\.setup		--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ ifdef(`distro_redhat',`
+ /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 ')
 
 /etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
@ -112477,7 +112481,7 @@ index 644d4d7..0c58f76 100644
 
 /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
 
-@@ -101,8 +111,6 @@ ifdef(`distro_redhat',`
+@@ -101,8 +112,6 @@ ifdef(`distro_redhat',`
 
 /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
 
@ -112486,7 +112490,7 @@ index 644d4d7..0c58f76 100644
 /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +142,11 @@ ifdef(`distro_debian',`
+@@ -134,10 +143,11 @@ ifdef(`distro_debian',`
 
 /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@ -112499,7 +112503,7 @@ index 644d4d7..0c58f76 100644
 
 ifdef(`distro_gentoo',`
 /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +160,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +161,7 @@ ifdef(`distro_gentoo',`
 #
 # /sbin
 #
@ -112508,7 +112512,7 @@ index 644d4d7..0c58f76 100644
 /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
 /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
 /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +176,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +177,7 @@ ifdef(`distro_gentoo',`
 /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -112516,7 +112520,7 @@ index 644d4d7..0c58f76 100644
 
 /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 
-@@ -178,33 +188,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +189,49 @@ ifdef(`distro_gentoo',`
 /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
 ')
 
@ -112575,7 +112579,7 @@ index 644d4d7..0c58f76 100644
 /usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/gimp/.*/plug-ins(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +241,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +242,28 @@ ifdef(`distro_gentoo',`
 /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@ -112611,7 +112615,7 @@ index 644d4d7..0c58f76 100644
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-helper-1 --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/panel/migrate	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +277,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +278,15 @@ ifdef(`distro_gentoo',`
 /usr/lib/debug/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/debug/usr/sbin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@ -112627,7 +112631,7 @@ index 644d4d7..0c58f76 100644
 /usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +298,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +299,17 @@ ifdef(`distro_gentoo',`
 
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
@ -112648,7 +112652,7 @@ index 644d4d7..0c58f76 100644
 /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +324,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +325,15 @@ ifdef(`distro_gentoo',`
 /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@ -112664,7 +112668,7 @@ index 644d4d7..0c58f76 100644
 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +347,21 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +348,21 @@ ifdef(`distro_gentoo',`
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
@ -112688,7 +112692,7 @@ index 644d4d7..0c58f76 100644
 
 ifdef(`distro_debian',`
 /usr/lib/ConsoleKit/.*		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -321,8 +379,12 @@ ifdef(`distro_redhat', `
+@@ -321,8 +380,12 @@ ifdef(`distro_redhat', `
 /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
 
@ -112701,7 +112705,7 @@ index 644d4d7..0c58f76 100644
 /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -332,9 +394,11 @@ ifdef(`distro_redhat', `
+@@ -332,9 +395,11 @@ ifdef(`distro_redhat', `
 /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@ -112713,7 +112717,7 @@ index 644d4d7..0c58f76 100644
 /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +447,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +448,15 @@ ifdef(`distro_suse', `
 #
 # /var
 #
@ -112730,7 +112734,7 @@ index 644d4d7..0c58f76 100644
 /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
 
 /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +465,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +466,12 @@ ifdef(`distro_suse', `
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -142913,7 +142917,7 @@ index 0f64692..d7e8a01 100644
 
 ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..6e4726f 100644
+index a5ec88b..99fd5da 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@ -142954,7 +142958,7 @@ index a5ec88b..6e4726f 100644
 
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
-@@ -63,31 +64,35 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -63,31 +64,36 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
 
@ -142974,6 +142978,7 @@ index a5ec88b..6e4726f 100644
 -files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 +files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
 +allow udev_t udev_var_run_t:file mounton;
+allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
 +dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
 
 +kernel_load_module(udev_t)
@ -142997,7 +143002,7 @@ index a5ec88b..6e4726f 100644
 
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +103,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -98,6 +104,7 @@ corecmd_exec_all_executables(udev_t)
 
 dev_rw_sysfs(udev_t)
 dev_manage_all_dev_nodes(udev_t)
@ -143005,7 +143010,7 @@ index a5ec88b..6e4726f 100644
 dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 dev_search_usbfs(udev_t)
-@@ -106,23 +112,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -106,23 +113,31 @@ dev_relabel_all_dev_nodes(udev_t)
 # preserved, instead of short circuiting the relabel
 dev_relabel_generic_symlinks(udev_t)
 dev_manage_generic_symlinks(udev_t)
@ -143041,7 +143046,7 @@ index a5ec88b..6e4726f 100644
 
 mls_file_read_all_levels(udev_t)
 mls_file_write_all_levels(udev_t)
-@@ -144,17 +158,20 @@ auth_use_nsswitch(udev_t)
+@@ -144,17 +159,20 @@ auth_use_nsswitch(udev_t)
 init_read_utmp(udev_t)
 init_dontaudit_write_utmp(udev_t)
 init_getattr_initctl(udev_t)
@ -143063,7 +143068,7 @@ index a5ec88b..6e4726f 100644
 
 seutil_read_config(udev_t)
 seutil_read_default_contexts(udev_t)
-@@ -170,6 +187,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -170,6 +188,8 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
@ -143072,7 +143077,7 @@ index a5ec88b..6e4726f 100644
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_gentoo',`
-@@ -179,16 +198,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +199,9 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_redhat',`
@ -143091,7 +143096,7 @@ index a5ec88b..6e4726f 100644
 
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
-@@ -217,6 +229,10 @@ optional_policy(`
+@@ -217,6 +230,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -143102,7 +143107,7 @@ index a5ec88b..6e4726f 100644
 	consoletype_exec(udev_t)
 ')
 
-@@ -226,6 +242,7 @@ optional_policy(`
+@@ -226,6 +243,7 @@ optional_policy(`
 
 optional_policy(`
 	cups_domtrans_config(udev_t)
@ -143110,7 +143115,7 @@ index a5ec88b..6e4726f 100644
 ')
 
 optional_policy(`
-@@ -235,10 +252,20 @@ optional_policy(`
+@@ -235,10 +253,20 @@ optional_policy(`
 optional_policy(`
 	devicekit_read_pid_files(udev_t)
 	devicekit_dgram_send(udev_t)
@ -143131,7 +143136,7 @@ index a5ec88b..6e4726f 100644
 ')
 
 optional_policy(`
-@@ -264,6 +291,10 @@ optional_policy(`
+@@ -264,6 +292,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -143142,7 +143147,7 @@ index a5ec88b..6e4726f 100644
 	openct_read_pid_files(udev_t)
 	openct_domtrans(udev_t)
 ')
-@@ -278,6 +309,15 @@ optional_policy(`
+@@ -278,6 +310,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -143158,7 +143163,7 @@ index a5ec88b..6e4726f 100644
 	unconfined_signal(udev_t)
 ')
 
-@@ -290,6 +330,7 @@ optional_policy(`
+@@ -290,6 +331,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -524,6 +524,14 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Fri Jan 11 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-3
+- Allow gnomeclock to talk to puppet over dbus
+- Allow numad access discovered by Dominic
+- Add support for HOME_DIR/.maildir
+- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain
+- Allow udev to relabel udev_var_run_t lnk_files
+- New bin_t file in mcelog
+
 * Thu Jan 10 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-2
 - Remove all mcs overrides and replace with t1 != mcs_constrained_types
 - Add attribute_role for iptables