- Add prosody policy written by Michael Scherer

- Allow nagios plugins to read /sys info - ntpd needs to manage own log files - Add support for HOME_DIR/.IBMERS - Allow iptables commands to read firewalld config - Allow consolekit_t to read utmp - Fix filename transitions on .razor directory - Add additional fixes to make DSPAM with LDA working - Allow snort to read /etc/passwd - Allow fail2ban to communicate with firewalld over dbus - Dontaudit openshift_cgreoup_file_t read/write leaked dev - Allow nfsd to use mountd port - Call th proper interface - Allow openvswitch to read sys and execute plymouth - Allow tmpwatch to read /var/spool/cups/tmp - Add support for /usr/libexec/telepathy-rakia - Add systemd support for zoneminder - Allow mysql to create files/directories under /var/log/mysql - Allow zoneminder apache scripts to rw zoneminder tmpfs - Allow httpd to manage zoneminder lib files - Add zoneminder_run_sudo boolean to allow to start zoneminder - Allow zoneminder to send mails - gssproxy_t sock_file can be under /var/lib - Allow web domains to connect to whois port. - Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t. - We really need to add an interface to corenet to define what a web_client_domain i - then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain - Add labeling for cmpiLMI_LogicalFile-cimprovagt - Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain at - Update policy rules for pegasus_openlmi_logicalfile_t - Add initial types for logicalfile/unconfined OpenLMI providers - mailmanctl needs to read own log - Allow logwatch manage own lock files - Allow nrpe to read meminfo - Allow httpd to read certs located in pki-ca - Add pki_read_tomcat_cert() interface - Add support for nagios openshift plugins - Add port definition for redis port - fix selinuxuser_use_ssh_chroot boolean
2013-07-08 09:18:11 +02:00 · 2013-07-08 09:18:11 +02:00 · d1027c54b9
parent 961ad881ae
commit d1027c54b9
4 changed files with 892 additions and 214 deletions
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -2250,3 +2250,10 @@ pesign = module
 # Fast and lean authoritative DNS Name Server
 #
 nsd = module   
+
+# Layer: contrib
+# Module: iodine
+#
+# Fast and lean authoritative DNS Name Server
+#
+iodine = module
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -5170,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644
 
 define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..68176bb 100644
+index 4edc40d..b48abbe 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5400,7 +5400,7 @@ index 4edc40d..68176bb 100644
 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
@ -5415,6 +5415,7 @@ index 4edc40d..68176bb 100644
 network_port(radsec, tcp,2083,s0)
 network_port(razor, tcp,2703,s0)
 +network_port(time, tcp,37,s0, udp,37,s0)
+network_port(redis, tcp,6379,s0)
 network_port(repository, tcp, 6363, s0)
 network_port(ricci, tcp,11111,s0, udp,11111,s0)
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@ -5449,7 +5450,7 @@ index 4edc40d..68176bb 100644
 network_port(ssh, tcp,22,s0)
 network_port(stunnel) # no defined portcon
 network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
 network_port(tcs, tcp, 30003, s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
@ -5460,7 +5461,7 @@ index 4edc40d..68176bb 100644
 network_port(transproxy, tcp,8081,s0)
 network_port(trisoap, tcp,10200,s0, udp,10200,s0)
 network_port(ups, tcp,3493,s0)
-@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0)
 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
 network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
 network_port(virt_migration, tcp,49152-49216,s0)
@ -5473,7 +5474,7 @@ index 4edc40d..68176bb 100644
 network_port(winshadow, tcp,3161,s0, udp,3261,s0)
 network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
 network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0)
 # Defaults for reserved ports.	Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
 
@ -5492,7 +5493,7 @@ index 4edc40d..68176bb 100644
 
 ########################################
 #
-@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
 
 build_option(`enable_mls',`
 network_interface(lo, lo, s0 - mls_systemhigh)
@ -5501,7 +5502,7 @@ index 4edc40d..68176bb 100644
 ',`
 typealias netif_t alias { lo_netif_t netif_lo_t };
 ')
-@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
 allow corenet_unconfined_type packet_type:packet *;
@ -33356,15 +33357,14 @@ index 3822072..1029e3b 100644
 +    userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..64db314 100644
+index ec01d0b..e2b829b 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -11,14 +11,17 @@ gen_require(`
+@@ -11,14 +11,16 @@ gen_require(`
 
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 +attribute setfiles_domain;
-+attribute seutil_semanage_domain;
 +attribute policy_manager_domain;
 
 -attribute_role newrole_roles;
@ -33382,7 +33382,7 @@ index ec01d0b..64db314 100644
 
 #
 # selinux_config_t is the type applied to
-@@ -28,7 +31,13 @@ roleattribute system_r semanage_roles;
+@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
 # in the domain_type interface
 # (fix dup decl)
 type selinux_config_t;
@ -33397,7 +33397,7 @@ index ec01d0b..64db314 100644
 
 type checkpolicy_t, can_write_binary_policy;
 type checkpolicy_exec_t;
-@@ -40,14 +49,14 @@ role system_r types checkpolicy_t;
+@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
 # /etc/selinux/*/contexts/*
 #
 type default_context_t;
@ -33414,7 +33414,7 @@ index ec01d0b..64db314 100644
 
 type load_policy_t;
 type load_policy_exec_t;
-@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
+@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
 domain_role_change_exemption(newrole_t)
 domain_obj_id_change_exemption(newrole_t)
 domain_interactive_fd(newrole_t)
@ -33438,7 +33438,7 @@ index ec01d0b..64db314 100644
 
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -83,7 +98,6 @@ type restorecond_t;
+@@ -83,7 +97,6 @@ type restorecond_t;
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t, restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
@ -33446,7 +33446,7 @@ index ec01d0b..64db314 100644
 
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
-@@ -92,25 +106,32 @@ type run_init_t;
+@@ -92,25 +105,32 @@ type run_init_t;
 type run_init_exec_t;
 application_domain(run_init_t, run_init_exec_t)
 domain_system_change_exemption(run_init_t)
@ -33485,7 +33485,7 @@ index ec01d0b..64db314 100644
 
 type semanage_var_lib_t;
 files_type(semanage_var_lib_t)
-@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
+@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t;
 init_system_domain(setfiles_t, setfiles_exec_t)
 domain_obj_id_change_exemption(setfiles_t)
 
@ -33497,7 +33497,7 @@ index ec01d0b..64db314 100644
 ########################################
 #
 # Checkpolicy local policy
-@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
+@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
 read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
 read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
 allow checkpolicy_t selinux_config_t:dir search_dir_perms;
@ -33505,7 +33505,7 @@ index ec01d0b..64db314 100644
 
 domain_use_interactive_fds(checkpolicy_t)
 
-@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
+@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t)
 init_use_fds(checkpolicy_t)
 init_use_script_ptys(checkpolicy_t)
 
@ -33514,7 +33514,7 @@ index ec01d0b..64db314 100644
 userdom_use_all_users_fds(checkpolicy_t)
 
 ifdef(`distro_ubuntu',`
-@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t)
+@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t)
 
 init_use_script_fds(load_policy_t)
 init_use_script_ptys(load_policy_t)
@ -33531,7 +33531,7 @@ index ec01d0b..64db314 100644
 
 ifdef(`distro_ubuntu',`
 	optional_policy(`
-@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',`
+@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',`
 ifdef(`hide_broken_symptoms',`
 	# cjp: cover up stray file descriptors.
 	dontaudit load_policy_t selinux_config_t:file write;
@ -33539,7 +33539,7 @@ index ec01d0b..64db314 100644
 
 	optional_policy(`
 		unconfined_dontaudit_read_pipes(load_policy_t)
-@@ -215,12 +243,17 @@ optional_policy(`
+@@ -215,12 +242,17 @@ optional_policy(`
 	portage_dontaudit_use_fds(load_policy_t)
 ')
 
@ -33558,7 +33558,7 @@ index ec01d0b..64db314 100644
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
-@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms;
 allow newrole_t self:msg { send receive };
 allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -33567,7 +33567,7 @@ index ec01d0b..64db314 100644
 
 read_files_pattern(newrole_t, default_context_t, default_context_t)
 read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t)
 # for when the user types "exec newrole" at the command line:
 domain_sigchld_interactive_fds(newrole_t)
 
@ -33575,7 +33575,7 @@ index ec01d0b..64db314 100644
 files_read_etc_files(newrole_t)
 files_read_var_files(newrole_t)
 files_read_var_symlinks(newrole_t)
-@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t)
+@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t)
 term_getattr_unallocated_ttys(newrole_t)
 term_dontaudit_use_unallocated_ttys(newrole_t)
 
@ -33617,7 +33617,7 @@ index ec01d0b..64db314 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(newrole_t)
-@@ -309,7 +352,7 @@ if(secure_mode) {
+@@ -309,7 +351,7 @@ if(secure_mode) {
 	userdom_spec_domtrans_all_users(newrole_t)
 }
 
@ -33626,7 +33626,7 @@ index ec01d0b..64db314 100644
 	files_polyinstantiate_all(newrole_t)
 ')
 
-@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t)
+@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t)
 kernel_rw_pipes(restorecond_t)
 kernel_read_system_state(restorecond_t)
 
@ -33641,7 +33641,7 @@ index ec01d0b..64db314 100644
 fs_list_inotifyfs(restorecond_t)
 
 selinux_validate_context(restorecond_t)
-@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t)
+@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t)
 
 files_relabel_non_auth_files(restorecond_t )
 files_read_non_auth_files(restorecond_t)
@ -33661,7 +33661,7 @@ index ec01d0b..64db314 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(restorecond_t)
-@@ -366,21 +414,24 @@ optional_policy(`
+@@ -366,21 +413,24 @@ optional_policy(`
 # Run_init local policy
 #
 
@ -33688,7 +33688,7 @@ index ec01d0b..64db314 100644
 dev_dontaudit_list_all_dev_nodes(run_init_t)
 
 domain_use_interactive_fds(run_init_t)
-@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t)
+@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t)
 selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
 
@ -33724,7 +33724,7 @@ index ec01d0b..64db314 100644
 
 ifndef(`direct_sysadm_daemon',`
 	ifdef(`distro_gentoo',`
-@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',`
 	')
 ')
 
@ -33744,7 +33744,7 @@ index ec01d0b..64db314 100644
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(run_init_t)
-@@ -440,81 +511,87 @@ optional_policy(`
+@@ -440,81 +510,87 @@ optional_policy(`
 # semodule local policy
 #
 
@ -33885,7 +33885,7 @@ index ec01d0b..64db314 100644
 ')
 
 ########################################
-@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',`
 # Setfiles local policy
 #
 
@ -34151,7 +34151,7 @@ index ec01d0b..64db314 100644
 +userdom_use_user_ptys(policy_manager_domain)
 +
 +files_rw_inherited_generic_pid_files(setfiles_domain)
-+files_rw_inherited_generic_pid_files(seutil_semanage_domain)
+files_rw_inherited_generic_pid_files(policy_manager_domain)
 diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
 index bea4629..06e2834 100644
 --- a/policy/modules/system/setrans.fc
@ -38249,7 +38249,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..4f43578 100644
+index 3c5dba7..4129aa6 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -39192,7 +39192,7 @@ index 3c5dba7..4f43578 100644
 +	allow $1_t self:process ~{ ptrace execmem execstack execheap };
 +
 +	tunable_policy(`selinuxuser_use_ssh_chroot',`
-+		allow $1_t self:capability { setuid sys_chroot };
+		allow $1_t self:capability { setuid setgid sys_chroot };
 +	')
 
 -	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 58%{?dist}
+Release: 59%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -539,6 +539,47 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
+- Add prosody policy written by Michael Scherer
+- Allow nagios plugins to read /sys info
+- ntpd needs to manage own log files
+- Add support for HOME_DIR/.IBMERS
+- Allow iptables commands to read firewalld config
+- Allow consolekit_t to read utmp
+- Fix filename transitions on .razor directory
+- Add additional fixes to make DSPAM with LDA working
+- Allow snort to read /etc/passwd
+- Allow fail2ban to communicate with firewalld over dbus
+- Dontaudit openshift_cgreoup_file_t read/write leaked dev
+- Allow nfsd to use mountd port
+- Call th proper interface
+- Allow openvswitch to read sys and execute plymouth
+- Allow tmpwatch to read /var/spool/cups/tmp
+- Add support for /usr/libexec/telepathy-rakia
+- Add systemd support for zoneminder
+- Allow mysql to create files/directories under /var/log/mysql
+- Allow zoneminder apache scripts to rw zoneminder tmpfs
+- Allow httpd to manage zoneminder lib files
+- Add zoneminder_run_sudo boolean to allow to start zoneminder
+- Allow zoneminder to send mails
+- gssproxy_t sock_file can be under /var/lib
+- Allow web domains to connect to whois port.
+- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
+- We really need to add an interface to corenet to define what a web_client_domain is and
+- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
+- Add labeling for cmpiLMI_LogicalFile-cimprovagt
+- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
+- Update policy rules for pegasus_openlmi_logicalfile_t
+- Add initial types for logicalfile/unconfined OpenLMI providers
+- mailmanctl needs to read own log
+- Allow logwatch manage own lock files
+- Allow nrpe to read meminfo
+- Allow httpd to read certs located in pki-ca
+- Add pki_read_tomcat_cert() interface
+- Add support for nagios openshift plugins
+- Add port definition for redis port
+- fix selinuxuser_use_ssh_chroot boolean
+
 * Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
 - Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. 
 - Allow bootloader to manage generic log files