From cd5d972925b580bcea6d73f4a2e0f1fba087d652 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Wed, 30 Oct 2013 20:24:38 +0100 Subject: [PATCH] scratch build --- policy-rawhide-base.patch | 42 +++++++----- policy-rawhide-contrib.patch | 126 ++++++++++++++++++++++------------- selinux-policy.spec | 11 ++- 3 files changed, 113 insertions(+), 66 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 9f673edd..2e87836b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5461,7 +5461,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..9455a13 100644 +index 4edc40d..cc71e95 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5714,7 +5714,7 @@ index 4edc40d..9455a13 100644 network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) -+network_port(quantum, tcp,9696,s0) ++network_port(neutron, tcp,9696,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) @@ -5810,7 +5810,7 @@ index 4edc40d..9455a13 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +400,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +400,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -5837,6 +5837,10 @@ index 4edc40d..9455a13 100644 +allow netlabel_peer_type netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; +allow netlabel_peer_t netif_t:netif { rawip_recv egress ingress }; +allow netlabel_peer_t node_t:node recvfrom; ++ ++typealias neutron_port_t alias quantum_port_t; ++typealias neutron_server_packet_t alias quantum_server_packet_t; ++typealias neutron_client_packet_t alias quantum_client_packet_t; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 index 3f6e168..51ad69a 100644 --- a/policy/modules/kernel/corenetwork.te.m4 @@ -14159,10 +14163,10 @@ index 8416beb..c6cd3eb 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..e0209df 100644 +index 9e603f5..1198b51 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); +@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); @@ -14170,9 +14174,11 @@ index 9e603f5..e0209df 100644 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr fuse.glusterfs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem -@@ -53,6 +55,7 @@ type anon_inodefs_t; + # types, and label the filesystem itself with the specified context. +@@ -53,6 +56,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) 
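Review bot: The `typealias neutron_port_t alias quantum_port_t` lines keep old port labels and `semanage port` customizations loadable, but a type alias does not alias the interfaces that the `network_port(neutron, ...)` macro generates, so any module still calling `corenet_*_quantum_port()` fails to build — the contrib patch in this same commit has to rename `corenet_tcp_bind_quantum_port` to `corenet_tcp_bind_neutron_port` for exactly that reason. If third-party modules built against the old interface names are a concern, compatibility interfaces forwarding `corenet_tcp_bind_quantum_port` and friends to the neutron ones would belong in corenetwork.if.m4, which this hunk does not touch. A one-line comment above the aliases, `# quantum_* aliases: OpenStack renamed Quantum to Neutron; keep old port labels loadable`, would record why they exist.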
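Review bot: `fs_use_xattr fuse.glusterfs` makes the kernel take per-file labels from xattrs on the mounted volume, and for a FUSE client those labels are whatever the gluster bricks serve, so a compromised or hostile brick can present any type — including executable and configuration types — which only holds up where the volume's servers are trusted as much as local disk. Other FUSE mounts do not, as far as the surrounding policy shows, get this treatment, so the distinction deserves a comment on the new line: `# glusterfs: labels come from xattrs stored on the bricks; trust equals that of the volume's servers, mount with context= for untrusted volumes`. A note in the changelog that a `context=` mount option overrides this for less-trusted volumes would help administrators who pick up the new default.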
@@ -14180,7 +14186,7 @@ index 9e603f5..e0209df 100644 type bdev_t; fs_type(bdev_t) -@@ -63,12 +66,17 @@ fs_type(binfmt_misc_fs_t) +@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) @@ -14199,7 +14205,7 @@ index 9e603f5..e0209df 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -89,6 +97,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -14211,7 +14217,7 @@ index 9e603f5..e0209df 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -97,6 +110,7 @@ type hugetlbfs_t; +@@ -97,6 +111,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -14219,7 +14225,7 @@ index 9e603f5..e0209df 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -119,12 +133,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -14237,7 +14243,7 @@ index 9e603f5..e0209df 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +164,6 @@ fs_type(spufs_t) +@@ -145,11 +165,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -14249,7 +14255,7 @@ index 9e603f5..e0209df 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +181,8 @@ type vxfs_t; +@@ -167,6 +182,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) 
@@ -14258,7 +14264,7 @@ index 9e603f5..e0209df 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +192,8 @@ fs_type(tmpfs_t) +@@ -176,6 +193,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -14267,7 +14273,7 @@ index 9e603f5..e0209df 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +273,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -14276,7 +14282,7 @@ index 9e603f5..e0209df 100644 files_mountpoint(removable_t) # -@@ -274,6 +294,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -35461,7 +35467,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..b82ccf1 100644 +index 6944526..0bd8d93 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -35736,7 +35742,7 @@ index 6944526..b82ccf1 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') 
@@ -35804,6 +35810,8 @@ index 6944526..b82ccf1 100644 + + files_etc_filetrans($1, net_conf_t, file, "resolv.conf") + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp") ++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp") ++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved") + files_etc_filetrans($1, net_conf_t, file, "denyhosts") + files_etc_filetrans($1, net_conf_t, file, "hosts") + files_etc_filetrans($1, net_conf_t, file, "hosts.deny") diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f11fea67..2e9e5633 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2728,7 +2728,7 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..784557c +index 0000000..8ba9c95 --- /dev/null +++ b/antivirus.te @@ -0,0 +1,274 @@ @@ -2825,7 +2825,7 @@ index 0000000..784557c +manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t) +files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } ) + -+allow antivirus_domain antivirus_log_t:dir setattr_dir_perms; ++manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t) +logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir }) @@ -55084,7 +55084,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..c1e0a6f 100644 +index 7bcf327..c19ce47 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -55108,7 +55108,7 @@ index 7bcf327..c1e0a6f 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,262 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,266 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) 
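Review bot: Replacing `allow antivirus_domain antivirus_log_t:dir setattr_dir_perms;` with `manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)` grants rmdir, rename and reparent on the log directories as well as create, and with the `manage_files_pattern` on the same type already present every antivirus domain can now delete its own log tree outright. That is the usual arrangement for daemon-owned logs, but if tamper-evidence of scan logs matters, the narrower `create_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)` (if that pattern is available in this tree) alongside the old setattr line would cover directory creation without delete. Either way a short comment on the line, `# scanners create and rotate their own log dirs`, would say what prompted the widening, which the changelog entry only implies. The antivirus_domain rule block continues outside this hunk.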
@@ -55242,6 +55242,10 @@ index 7bcf327..c1e0a6f 100644 + realmd_dbus_chat(pegasus_openlmi_services_t) +') + ++optional_policy(` ++ sssd_stream_connect(pegasus_openlmi_services_t) ++') ++ +###################################### +# +# pegasus openlmi system (networking) local policy @@ -55376,7 +55380,7 @@ index 7bcf327..c1e0a6f 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +295,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +299,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -55407,7 +55411,7 @@ index 7bcf327..c1e0a6f 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +321,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +325,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -55440,7 +55444,7 @@ index 7bcf327..c1e0a6f 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +349,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +353,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -55448,7 +55452,7 @@ index 7bcf327..c1e0a6f 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +364,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +368,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -55480,7 +55484,7 @@ index 7bcf327..c1e0a6f 100644 ') optional_policy(` -@@ -151,16 +394,24 @@ optional_policy(` +@@ -151,16 +398,24 @@ optional_policy(` ') optional_policy(` 
@@ -55509,7 +55513,7 @@ index 7bcf327..c1e0a6f 100644 ') optional_policy(` -@@ -168,7 +419,7 @@ optional_policy(` +@@ -168,7 +423,7 @@ optional_policy(` ') optional_policy(` @@ -67640,7 +67644,7 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..801835e 100644 +index 769d1fd..acee489 100644 --- a/quantum.te +++ b/quantum.te @@ -1,96 +1,109 @@ @@ -67661,7 +67665,7 @@ index 769d1fd..801835e 100644 -type quantum_initrc_exec_t; -init_script_file(quantum_initrc_exec_t) -+type neutron_initrc_exec_t alias qauntum_initrc_exec_t; ++type neutron_initrc_exec_t alias quantum_initrc_exec_t; +init_script_file(neutron_initrc_exec_t) -type quantum_log_t; @@ -67751,7 +67755,7 @@ index 769d1fd..801835e 100644 -dev_list_sysfs(quantum_t) -dev_read_urand(quantum_t) -+corenet_tcp_bind_quantum_port(neutron_t) ++corenet_tcp_bind_neutron_port(neutron_t) +corenet_tcp_connect_keystone_port(neutron_t) +corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) @@ -85923,7 +85927,7 @@ index dbb005a..45291bb 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..54c5c1f 100644 +index a240455..02ad8a9 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -86051,7 +86055,9 @@ index a240455..54c5c1f 100644 + gen_require(` + type sssd_conf_t; + ') -+ + +- files_search_etc($1) +- write_files_pattern($1, sssd_conf_t, sssd_conf_t) + files_search_etc($1) + write_files_pattern($1, sssd_conf_t, sssd_conf_t) +') @@ -86070,9 +86076,7 @@ index a240455..54c5c1f 100644 + gen_require(` + type sssd_conf_t; + ') - -- files_search_etc($1) -- write_files_pattern($1, sssd_conf_t, sssd_conf_t) ++ + files_search_etc($1) + create_files_pattern($1, sssd_conf_t, sssd_conf_t) ') 
@@ -86168,7 +86172,32 @@ index a240455..54c5c1f 100644 ## ## ## -@@ -297,8 +333,7 @@ interface(`sssd_dbus_chat',` +@@ -235,6 +271,24 @@ interface(`sssd_dontaudit_search_lib',` + + ######################################## + ## ++## Do not audit attempts to read sssd lib files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`sssd_dontaudit_read_lib',` ++ gen_require(` ++ type sssd_var_lib_t; ++ ') ++ ++ dontaudit $1 sssd_var_lib_t:file read_file_perms; ++') ++ ++######################################## ++## + ## Read sssd lib files. + ## + ## +@@ -297,8 +351,7 @@ interface(`sssd_dbus_chat',` ######################################## ## @@ -86178,7 +86207,7 @@ index a240455..54c5c1f 100644 ## ## ## -@@ -317,8 +352,27 @@ interface(`sssd_stream_connect',` +@@ -317,8 +370,27 @@ interface(`sssd_stream_connect',` ######################################## ## @@ -86198,7 +86227,7 @@ index a240455..54c5c1f 100644 + ') + + dontaudit $1 sssd_t:unix_stream_socket connectto; -+ dontaudit $1 sssd_var_lib_t:sock_file write; ++ dontaudit $1 sssd_var_lib_t:sock_file { read write }; +') + +######################################## @@ -86208,7 +86237,7 @@ index a240455..54c5c1f 100644 ## ## ## -@@ -327,7 +381,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +399,7 @@ interface(`sssd_stream_connect',` ## ## ## @@ -86217,7 +86246,7 @@ index a240455..54c5c1f 100644 ## ## ## -@@ -335,27 +389,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +407,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -93995,7 +94024,7 @@ index 9dec06c..73549fd 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..a77dab1 100644 +index 1f22fba..d798c85 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,167 @@ 
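Review bot: The new `sssd_dontaudit_read_lib` silences `read_file_perms` on sssd_var_lib_t files but not the `search` on the sssd_var_lib_t directory a caller must traverse to reach them, so a domain without search there still emits a directory AVC; callers should pair it with the existing `sssd_dontaudit_search_lib`, or the interface could do so itself with `sssd_dontaudit_search_lib($1)` after the dontaudit line, if that is the intended semantics. The same applies to `sssd_dontaudit_stream_connect`, whose widened `{ read write }` on the sock_file still leaves the directory search audited. The doc block for the new interface should also say it is meant for domains that must never be granted the access (the svirt use elsewhere in this commit), so nobody later turns the dontaudit into an allow by analogy.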
@@ -94239,7 +94268,7 @@ index 1f22fba..a77dab1 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +170,140 @@ ifdef(`enable_mls',` +@@ -150,295 +170,141 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -94497,6 +94526,7 @@ index 1f22fba..a77dab1 100644 optional_policy(` - xen_rw_image_files(virt_domain) + sssd_dontaudit_stream_connect(svirt_t) ++ sssd_dontaudit_read_lib(svirt_t) ') -######################################## @@ -94619,7 +94649,7 @@ index 1f22fba..a77dab1 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +313,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +314,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -94666,7 +94696,7 @@ index 1f22fba..a77dab1 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +348,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +349,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -94688,7 +94718,7 @@ index 1f22fba..a77dab1 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +361,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +362,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) 
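Review bot: `sssd_dontaudit_read_lib(svirt_t)` suppresses the AVC rather than resolving it, which for the guest-process domain is the safer choice, but the hunk gives no hint that the denial is deliberate; a line such as `# guest processes probe nss caches at startup; keep denied, only quiet the noise` above the two sssd_dontaudit_* calls would stop a later "fix" from replacing them with `sssd_stream_connect`/`sssd_read_lib`. Note too that the dontaudit hides an indicator that is useful in incident response — a guest process reaching for the host identity cache — so operators should know it only becomes visible after `semodule -DB`. The enclosing optional_policy block is fully visible in the hunk; the surrounding virt_domain rules are not.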
@@ -94696,7 +94726,7 @@ index 1f22fba..a77dab1 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +369,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +370,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -94724,7 +94754,7 @@ index 1f22fba..a77dab1 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +389,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +390,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -94757,7 +94787,7 @@ index 1f22fba..a77dab1 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +440,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +441,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -94777,7 +94807,7 @@ index 1f22fba..a77dab1 100644 selinux_validate_context(virtd_t) -@@ -613,18 +462,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +463,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -94814,7 +94844,7 @@ index 1f22fba..a77dab1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +490,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +491,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -94823,7 +94853,7 @@ index 1f22fba..a77dab1 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +515,12 @@ optional_policy(` +@@ -658,20 +516,12 @@ optional_policy(` ') optional_policy(` @@ -94844,7 +94874,7 @@ index 1f22fba..a77dab1 100644 ') optional_policy(` -@@ -684,14 +533,20 @@ optional_policy(` +@@ -684,14 +534,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -94867,7 +94897,7 @@ index 1f22fba..a77dab1 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +559,13 @@ optional_policy(` +@@ -704,11 +560,13 @@ optional_policy(` ') optional_policy(` @@ -94881,7 +94911,7 @@ index 1f22fba..a77dab1 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +576,18 @@ optional_policy(` +@@ -719,10 +577,18 @@ optional_policy(` ') optional_policy(` @@ -94900,7 +94930,7 @@ index 1f22fba..a77dab1 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +602,264 @@ optional_policy(` +@@ -737,44 +603,264 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -95187,7 +95217,7 @@ index 1f22fba..a77dab1 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +870,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +871,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -95214,7 +95244,7 @@ index 1f22fba..a77dab1 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +890,23 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +891,23 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -95247,7 +95277,7 @@ index 1f22fba..a77dab1 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +925,20 @@ optional_policy(` +@@ -847,14 +926,20 @@ optional_policy(` ') optional_policy(` @@ -95269,7 +95299,7 @@ index 1f22fba..a77dab1 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +963,65 @@ optional_policy(` +@@ -879,49 +964,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -95353,7 +95383,7 @@ index 1f22fba..a77dab1 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1033,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1034,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -95373,7 +95403,7 @@ index 1f22fba..a77dab1 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1054,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1055,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -95397,7 +95427,7 @@ index 1f22fba..a77dab1 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1079,238 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1080,238 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -95772,7 +95802,7 @@ index 1f22fba..a77dab1 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1323,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1324,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -95787,7 +95817,7 @@ index 1f22fba..a77dab1 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1341,8 @@ optional_policy(` +@@ -1183,9 +1342,8 @@ optional_policy(` ######################################## # 
@@ -95798,7 +95828,7 @@ index 1f22fba..a77dab1 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1355,194 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1356,194 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 5834f466..54e894e8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 94%{?dist} +Release: 95%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -573,6 +573,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Oct 30 2013 Miroslav Grepl 3.12.1-95 +- Fix alias decl in corenetwork.te.in +- Add support for fuse.glusterfs +- Add file transition rules for content created by f5link +- Rename quantum_port information to neutron +- Allow all antivirus domains to manage also own log dirs +- Rename quantum_port information to neutron +- Allow pegasus_openlmi_services_t to stream connect to sssd_t + * Mon Oct 28 2013 Miroslav Grepl 3.12.1-94 - Allow sysadm_t to read login information - Allow systemd_tmpfiles to setattr on var_log_t directories