Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

2014-01-25 14:52:05 -05:00 · 2014-01-25 14:52:05 -05:00 · aae7e9fea1
commit aae7e9fea1
parent cafa00d43f f8d85476fd
3 changed files with 914 additions and 469 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -42699,10 +42699,10 @@ index 0000000..b694afc
 +')
 +
 diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..7995fce 100644
+index 6ffaba2..7128926 100644
 --- a/mozilla.fc
 +++ b/mozilla.fc
-@@ -1,38 +1,68 @@
+@@ -1,38 +1,71 @@
 -HOME_DIR/\.galeon(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla(/.*)?	gen_context(system_u:object_r:mozilla_home_t,s0)
 -HOME_DIR/\.mozilla/plugins(/.*)?	gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@ -42760,7 +42760,7 @@ index 6ffaba2..7995fce 100644
 -/usr/bin/netscape	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 -/usr/bin/nspluginscan	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 -/usr/bin/nspluginviewer	--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
- 
+-
 -/usr/lib/[^/]*firefox[^/]*/firefox	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 -/usr/lib/[^/]*firefox[^/]*/firefox-bin	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 -/usr/lib/firefox[^/]*/mozilla-.*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
@ -42771,6 +42771,7 @@ index 6ffaba2..7995fce 100644
 -/usr/lib/mozilla/plugins-wrapped(/.*)?	gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
 -/usr/lib/netscape/base-4/wrapper	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 -/usr/lib/netscape/.+/communicator/communicator-smotif\.real	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
 +
 +ifdef(`distro_redhat',`
 +/usr/bin/nspluginscan		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +/usr/bin/nspluginviewer		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
@ -42795,12 +42796,15 @@ index 6ffaba2..7995fce 100644
 +/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/firefox/plugin-container   --  gen_context(system_u:object_r:mozilla_exec_t,s0)
 +
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +
 +/usr/lib/firefox/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +
 +/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
 +
 +/usr/libexec/WebKitPluginProcess    --   gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 +
 +ifdef(`distro_redhat',`
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
@ -75168,10 +75172,10 @@ index c8bdea2..1337d42 100644
 +    allow $1 cluster_unit_file_t:service all_service_perms;
 ')
 diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..8ee9185 100644
+index 6cf79c4..e7fe8c7 100644
 --- a/rhcs.te
 +++ b/rhcs.te
-@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
+@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
 ## </desc>
 gen_tunable(fenced_can_ssh, false)
@ -75195,11 +75199,19 @@ index 6cf79c4..8ee9185 100644
 +## </p>
 +## </desc>
 +gen_tunable(cluster_use_execmem, false)
 +
 +## <desc>
 +##	<p>
 +##	Determine whether haproxy can
 +##	connect to all TCP ports.
 +##	</p>
 +## </desc>
 +gen_tunable(haproxy_connect_any, false)
 +
 attribute cluster_domain;
 attribute cluster_log;
 attribute cluster_pid;
-@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
+@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t;
 init_script_file(foghorn_initrc_exec_t)
 rhcs_domain_template(gfs_controld)
@ -75487,7 +75499,7 @@ index 6cf79c4..8ee9185 100644
 ')
 #####################################
-@@ -79,9 +349,11 @@ optional_policy(`
+@@ -79,9 +357,11 @@ optional_policy(`
 # dlm_controld local policy
 #
@ -75500,7 +75512,7 @@ index 6cf79c4..8ee9185 100644
 stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
 stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-@@ -98,16 +370,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
 init_rw_script_tmp_files(dlm_controld_t)
@ -75533,7 +75545,7 @@ index 6cf79c4..8ee9185 100644
 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
 files_lock_filetrans(fenced_t, fenced_lock_t, file)
-@@ -118,9 +404,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@ -75544,7 +75556,7 @@ index 6cf79c4..8ee9185 100644
 corecmd_exec_bin(fenced_t)
 corecmd_exec_shell(fenced_t)
-@@ -140,6 +425,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
+@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t)
 corenet_sendrecv_zented_server_packets(fenced_t)
 corenet_tcp_bind_zented_port(fenced_t)
@ -75553,7 +75565,7 @@ index 6cf79c4..8ee9185 100644
 corenet_tcp_sendrecv_zented_port(fenced_t)
 corenet_sendrecv_http_client_packets(fenced_t)
-@@ -148,9 +435,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
+@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
 dev_read_sysfs(fenced_t)
 dev_read_urand(fenced_t)
@ -75564,7 +75576,7 @@ index 6cf79c4..8ee9185 100644
 storage_raw_read_fixed_disk(fenced_t)
 storage_raw_write_fixed_disk(fenced_t)
-@@ -160,7 +445,7 @@ term_getattr_pty_fs(fenced_t)
+@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t)
 term_use_generic_ptys(fenced_t)
 term_use_ptmx(fenced_t)
@ -75573,7 +75585,7 @@ index 6cf79c4..8ee9185 100644
 tunable_policy(`fenced_can_network_connect',`
 	corenet_sendrecv_all_client_packets(fenced_t)
-@@ -182,7 +467,8 @@ optional_policy(`
+@@ -182,7 +475,8 @@ optional_policy(`
 ')
 optional_policy(`
@ -75583,7 +75595,7 @@ index 6cf79c4..8ee9185 100644
 ')
 optional_policy(`
-@@ -190,12 +476,12 @@ optional_policy(`
+@@ -190,12 +484,12 @@ optional_policy(`
 ')
 optional_policy(`
@ -75599,7 +75611,7 @@ index 6cf79c4..8ee9185 100644
 ')
 optional_policy(`
-@@ -203,6 +489,13 @@ optional_policy(`
+@@ -203,6 +497,13 @@ optional_policy(`
 	snmp_manage_var_lib_dirs(fenced_t)
 ')
@ -75613,7 +75625,7 @@ index 6cf79c4..8ee9185 100644
 #######################################
 #
 # foghorn local policy
-@@ -221,16 +514,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
 corenet_tcp_connect_agentx_port(foghorn_t)
 corenet_tcp_sendrecv_agentx_port(foghorn_t)
@ -75634,7 +75646,7 @@ index 6cf79c4..8ee9185 100644
 	snmp_stream_connect(foghorn_t)
 ')
-@@ -257,6 +552,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t)
 init_rw_script_tmp_files(gfs_controld_t)
@ -75643,7 +75655,7 @@ index 6cf79c4..8ee9185 100644
 optional_policy(`
 	lvm_exec(gfs_controld_t)
 	dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +572,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
 dev_list_sysfs(groupd_t)
@ -75676,16 +75688,27 @@ index 6cf79c4..8ee9185 100644
 +corenet_tcp_connect_commplex_link_port(haproxy_t)
 +corenet_tcp_connect_commplex_main_port(haproxy_t)
 +corenet_tcp_bind_commplex_main_port(haproxy_t)
 +corenet_tcp_bind_http_port(haproxy_t)
 +corenet_tcp_bind_http_cache_port(haproxy_t)
 +
 +corenet_tcp_connect_fmpro_internal_port(haproxy_t)
 +corenet_tcp_connect_http_port(haproxy_t)
 +corenet_tcp_connect_http_cache_port(haproxy_t)
 +corenet_tcp_connect_rtp_media_port(haproxy_t)
 +
 +sysnet_dns_name_resolve(haproxy_t)
 +
 +tunable_policy(`haproxy_connect_any',`
 +	corenet_tcp_connect_all_ports(haproxy_t)
 +	corenet_tcp_bind_all_ports(haproxy_t)
 +	corenet_sendrecv_all_packets(haproxy_t)
 +	corenet_tcp_sendrecv_all_ports(haproxy_t)
 +')
 +
 ######################################
 #
 # qdiskd local policy
-@@ -321,6 +647,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
 auth_use_nsswitch(qdiskd_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -578,6 +578,20 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Jan 24 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-18
 - Add haproxy_connect_any boolean
 - Allow haproxy also to use http cache port by default
 - Fix /usr/lib/firefox/plugin-container decl
 - Allow haproxy to work as simple HTTP proxy. HAProxy For TCP And HTTP Based Applications
 - Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
 - Fix type in docker.te
 - Fix bs_filetrans_named_content() to have support for /usr/lib/debug directory
 - Adding a new service script to enable setcheckreqprot
 - Add interface to getattr on an isid_type for any type of file
 - Allow initrc_t domtrans to authconfig if unconfined is enabled
 type in docker.te
 - Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
 * Thu Jan 23 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-17
 - init calling needs to be optional in domain.te
 - Allow docker and mount on devpts chr_file