Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
commit
d3c6b2620c
@ -2255,3 +2255,17 @@ smsd = module
|
||||
# policy for pesign
|
||||
#
|
||||
pesign = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: nsd
|
||||
#
|
||||
# Fast and lean authoritative DNS Name Server
|
||||
#
|
||||
nsd = module
|
||||
|
||||
# Layer: contrib
|
||||
# Module: iodine
|
||||
#
|
||||
# Fast and lean authoritative DNS Name Server
|
||||
#
|
||||
iodine = module
|
||||
|
@ -5170,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644
|
||||
|
||||
define(`create_packet_interfaces',``
|
||||
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
|
||||
index 4edc40d..68176bb 100644
|
||||
index 4edc40d..b48abbe 100644
|
||||
--- a/policy/modules/kernel/corenetwork.te.in
|
||||
+++ b/policy/modules/kernel/corenetwork.te.in
|
||||
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
|
||||
@ -5400,7 +5400,7 @@ index 4edc40d..68176bb 100644
|
||||
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
|
||||
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(ptal, tcp,5703,s0)
|
||||
@ -5415,6 +5415,7 @@ index 4edc40d..68176bb 100644
|
||||
network_port(radsec, tcp,2083,s0)
|
||||
network_port(razor, tcp,2703,s0)
|
||||
+network_port(time, tcp,37,s0, udp,37,s0)
|
||||
+network_port(redis, tcp,6379,s0)
|
||||
network_port(repository, tcp, 6363, s0)
|
||||
network_port(ricci, tcp,11111,s0, udp,11111,s0)
|
||||
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
|
||||
@ -5449,7 +5450,7 @@ index 4edc40d..68176bb 100644
|
||||
network_port(ssh, tcp,22,s0)
|
||||
network_port(stunnel) # no defined portcon
|
||||
network_port(svn, tcp,3690,s0, udp,3690,s0)
|
||||
@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
|
||||
network_port(tcs, tcp, 30003, s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
@ -5460,7 +5461,7 @@ index 4edc40d..68176bb 100644
|
||||
network_port(transproxy, tcp,8081,s0)
|
||||
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
|
||||
network_port(ups, tcp,3493,s0)
|
||||
@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||
@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0)
|
||||
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
|
||||
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
|
||||
network_port(virt_migration, tcp,49152-49216,s0)
|
||||
@ -5473,7 +5474,7 @@ index 4edc40d..68176bb 100644
|
||||
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
|
||||
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
|
||||
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
|
||||
@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
|
||||
@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0)
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
# these entries just cover any remaining reserved ports not otherwise declared.
|
||||
|
||||
@ -5492,7 +5493,7 @@ index 4edc40d..68176bb 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
|
||||
|
||||
build_option(`enable_mls',`
|
||||
network_interface(lo, lo, s0 - mls_systemhigh)
|
||||
@ -5501,7 +5502,7 @@ index 4edc40d..68176bb 100644
|
||||
',`
|
||||
typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
')
|
||||
@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
|
||||
allow corenet_unconfined_type node_type:node *;
|
||||
allow corenet_unconfined_type netif_type:netif *;
|
||||
allow corenet_unconfined_type packet_type:packet *;
|
||||
@ -33356,15 +33357,14 @@ index 3822072..1029e3b 100644
|
||||
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
|
||||
+')
|
||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||
index ec01d0b..64db314 100644
|
||||
index ec01d0b..e2b829b 100644
|
||||
--- a/policy/modules/system/selinuxutil.te
|
||||
+++ b/policy/modules/system/selinuxutil.te
|
||||
@@ -11,14 +11,17 @@ gen_require(`
|
||||
@@ -11,14 +11,16 @@ gen_require(`
|
||||
|
||||
attribute can_write_binary_policy;
|
||||
attribute can_relabelto_binary_policy;
|
||||
+attribute setfiles_domain;
|
||||
+attribute seutil_semanage_domain;
|
||||
+attribute policy_manager_domain;
|
||||
|
||||
-attribute_role newrole_roles;
|
||||
@ -33382,7 +33382,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
#
|
||||
# selinux_config_t is the type applied to
|
||||
@@ -28,7 +31,13 @@ roleattribute system_r semanage_roles;
|
||||
@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
|
||||
# in the domain_type interface
|
||||
# (fix dup decl)
|
||||
type selinux_config_t;
|
||||
@ -33397,7 +33397,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
type checkpolicy_t, can_write_binary_policy;
|
||||
type checkpolicy_exec_t;
|
||||
@@ -40,14 +49,14 @@ role system_r types checkpolicy_t;
|
||||
@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
|
||||
# /etc/selinux/*/contexts/*
|
||||
#
|
||||
type default_context_t;
|
||||
@ -33414,7 +33414,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
type load_policy_t;
|
||||
type load_policy_exec_t;
|
||||
@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
|
||||
@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
|
||||
domain_role_change_exemption(newrole_t)
|
||||
domain_obj_id_change_exemption(newrole_t)
|
||||
domain_interactive_fd(newrole_t)
|
||||
@ -33438,7 +33438,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
|
||||
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
|
||||
@@ -83,7 +98,6 @@ type restorecond_t;
|
||||
@@ -83,7 +97,6 @@ type restorecond_t;
|
||||
type restorecond_exec_t;
|
||||
init_daemon_domain(restorecond_t, restorecond_exec_t)
|
||||
domain_obj_id_change_exemption(restorecond_t)
|
||||
@ -33446,7 +33446,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
type restorecond_var_run_t;
|
||||
files_pid_file(restorecond_var_run_t)
|
||||
@@ -92,25 +106,32 @@ type run_init_t;
|
||||
@@ -92,25 +105,32 @@ type run_init_t;
|
||||
type run_init_exec_t;
|
||||
application_domain(run_init_t, run_init_exec_t)
|
||||
domain_system_change_exemption(run_init_t)
|
||||
@ -33485,7 +33485,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
type semanage_var_lib_t;
|
||||
files_type(semanage_var_lib_t)
|
||||
@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
|
||||
@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t;
|
||||
init_system_domain(setfiles_t, setfiles_exec_t)
|
||||
domain_obj_id_change_exemption(setfiles_t)
|
||||
|
||||
@ -33497,7 +33497,7 @@ index ec01d0b..64db314 100644
|
||||
########################################
|
||||
#
|
||||
# Checkpolicy local policy
|
||||
@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
|
||||
@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
|
||||
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
|
||||
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
|
||||
@ -33505,7 +33505,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
domain_use_interactive_fds(checkpolicy_t)
|
||||
|
||||
@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
|
||||
@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t)
|
||||
init_use_fds(checkpolicy_t)
|
||||
init_use_script_ptys(checkpolicy_t)
|
||||
|
||||
@ -33514,7 +33514,7 @@ index ec01d0b..64db314 100644
|
||||
userdom_use_all_users_fds(checkpolicy_t)
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t)
|
||||
@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t)
|
||||
|
||||
init_use_script_fds(load_policy_t)
|
||||
init_use_script_ptys(load_policy_t)
|
||||
@ -33531,7 +33531,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',`
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# cjp: cover up stray file descriptors.
|
||||
dontaudit load_policy_t selinux_config_t:file write;
|
||||
@ -33539,7 +33539,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
optional_policy(`
|
||||
unconfined_dontaudit_read_pipes(load_policy_t)
|
||||
@@ -215,12 +243,17 @@ optional_policy(`
|
||||
@@ -215,12 +242,17 @@ optional_policy(`
|
||||
portage_dontaudit_use_fds(load_policy_t)
|
||||
')
|
||||
|
||||
@ -33558,7 +33558,7 @@ index ec01d0b..64db314 100644
|
||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||
allow newrole_t self:process setexec;
|
||||
allow newrole_t self:fd use;
|
||||
@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
||||
@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms;
|
||||
allow newrole_t self:msg { send receive };
|
||||
allow newrole_t self:unix_dgram_socket sendto;
|
||||
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
@ -33567,7 +33567,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
read_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||
@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
|
||||
@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t)
|
||||
# for when the user types "exec newrole" at the command line:
|
||||
domain_sigchld_interactive_fds(newrole_t)
|
||||
|
||||
@ -33575,7 +33575,7 @@ index ec01d0b..64db314 100644
|
||||
files_read_etc_files(newrole_t)
|
||||
files_read_var_files(newrole_t)
|
||||
files_read_var_symlinks(newrole_t)
|
||||
@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t)
|
||||
@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t)
|
||||
term_getattr_unallocated_ttys(newrole_t)
|
||||
term_dontaudit_use_unallocated_ttys(newrole_t)
|
||||
|
||||
@ -33617,7 +33617,7 @@ index ec01d0b..64db314 100644
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(newrole_t)
|
||||
@@ -309,7 +352,7 @@ if(secure_mode) {
|
||||
@@ -309,7 +351,7 @@ if(secure_mode) {
|
||||
userdom_spec_domtrans_all_users(newrole_t)
|
||||
}
|
||||
|
||||
@ -33626,7 +33626,7 @@ index ec01d0b..64db314 100644
|
||||
files_polyinstantiate_all(newrole_t)
|
||||
')
|
||||
|
||||
@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t)
|
||||
@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t)
|
||||
kernel_rw_pipes(restorecond_t)
|
||||
kernel_read_system_state(restorecond_t)
|
||||
|
||||
@ -33641,7 +33641,7 @@ index ec01d0b..64db314 100644
|
||||
fs_list_inotifyfs(restorecond_t)
|
||||
|
||||
selinux_validate_context(restorecond_t)
|
||||
@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t)
|
||||
@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t)
|
||||
|
||||
files_relabel_non_auth_files(restorecond_t )
|
||||
files_read_non_auth_files(restorecond_t)
|
||||
@ -33661,7 +33661,7 @@ index ec01d0b..64db314 100644
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(restorecond_t)
|
||||
@@ -366,21 +414,24 @@ optional_policy(`
|
||||
@@ -366,21 +413,24 @@ optional_policy(`
|
||||
# Run_init local policy
|
||||
#
|
||||
|
||||
@ -33688,7 +33688,7 @@ index ec01d0b..64db314 100644
|
||||
dev_dontaudit_list_all_dev_nodes(run_init_t)
|
||||
|
||||
domain_use_interactive_fds(run_init_t)
|
||||
@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t)
|
||||
@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t)
|
||||
selinux_compute_relabel_context(run_init_t)
|
||||
selinux_compute_user_contexts(run_init_t)
|
||||
|
||||
@ -33724,7 +33724,7 @@ index ec01d0b..64db314 100644
|
||||
|
||||
ifndef(`direct_sysadm_daemon',`
|
||||
ifdef(`distro_gentoo',`
|
||||
@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',`
|
||||
@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -33744,7 +33744,7 @@ index ec01d0b..64db314 100644
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
unconfined_domain(run_init_t)
|
||||
@@ -440,81 +511,87 @@ optional_policy(`
|
||||
@@ -440,81 +510,87 @@ optional_policy(`
|
||||
# semodule local policy
|
||||
#
|
||||
|
||||
@ -33885,7 +33885,7 @@ index ec01d0b..64db314 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',`
|
||||
@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',`
|
||||
# Setfiles local policy
|
||||
#
|
||||
|
||||
@ -34151,7 +34151,7 @@ index ec01d0b..64db314 100644
|
||||
+userdom_use_user_ptys(policy_manager_domain)
|
||||
+
|
||||
+files_rw_inherited_generic_pid_files(setfiles_domain)
|
||||
+files_rw_inherited_generic_pid_files(seutil_semanage_domain)
|
||||
+files_rw_inherited_generic_pid_files(policy_manager_domain)
|
||||
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
|
||||
index bea4629..06e2834 100644
|
||||
--- a/policy/modules/system/setrans.fc
|
||||
@ -38249,7 +38249,7 @@ index db75976..65191bd 100644
|
||||
+
|
||||
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
|
||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||
index 3c5dba7..4f43578 100644
|
||||
index 3c5dba7..4129aa6 100644
|
||||
--- a/policy/modules/system/userdomain.if
|
||||
+++ b/policy/modules/system/userdomain.if
|
||||
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
|
||||
@ -39192,7 +39192,7 @@ index 3c5dba7..4f43578 100644
|
||||
+ allow $1_t self:process ~{ ptrace execmem execstack execheap };
|
||||
+
|
||||
+ tunable_policy(`selinuxuser_use_ssh_chroot',`
|
||||
+ allow $1_t self:capability { setuid sys_chroot };
|
||||
+ allow $1_t self:capability { setuid setgid sys_chroot };
|
||||
+ ')
|
||||
|
||||
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.12.1
|
||||
Release: 58%{?dist}
|
||||
Release: 59%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -539,6 +539,47 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
|
||||
- Add prosody policy written by Michael Scherer
|
||||
- Allow nagios plugins to read /sys info
|
||||
- ntpd needs to manage own log files
|
||||
- Add support for HOME_DIR/.IBMERS
|
||||
- Allow iptables commands to read firewalld config
|
||||
- Allow consolekit_t to read utmp
|
||||
- Fix filename transitions on .razor directory
|
||||
- Add additional fixes to make DSPAM with LDA working
|
||||
- Allow snort to read /etc/passwd
|
||||
- Allow fail2ban to communicate with firewalld over dbus
|
||||
- Dontaudit openshift_cgreoup_file_t read/write leaked dev
|
||||
- Allow nfsd to use mountd port
|
||||
- Call th proper interface
|
||||
- Allow openvswitch to read sys and execute plymouth
|
||||
- Allow tmpwatch to read /var/spool/cups/tmp
|
||||
- Add support for /usr/libexec/telepathy-rakia
|
||||
- Add systemd support for zoneminder
|
||||
- Allow mysql to create files/directories under /var/log/mysql
|
||||
- Allow zoneminder apache scripts to rw zoneminder tmpfs
|
||||
- Allow httpd to manage zoneminder lib files
|
||||
- Add zoneminder_run_sudo boolean to allow to start zoneminder
|
||||
- Allow zoneminder to send mails
|
||||
- gssproxy_t sock_file can be under /var/lib
|
||||
- Allow web domains to connect to whois port.
|
||||
- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
|
||||
- We really need to add an interface to corenet to define what a web_client_domain is and
|
||||
- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
|
||||
- Add labeling for cmpiLMI_LogicalFile-cimprovagt
|
||||
- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
|
||||
- Update policy rules for pegasus_openlmi_logicalfile_t
|
||||
- Add initial types for logicalfile/unconfined OpenLMI providers
|
||||
- mailmanctl needs to read own log
|
||||
- Allow logwatch manage own lock files
|
||||
- Allow nrpe to read meminfo
|
||||
- Allow httpd to read certs located in pki-ca
|
||||
- Add pki_read_tomcat_cert() interface
|
||||
- Add support for nagios openshift plugins
|
||||
- Add port definition for redis port
|
||||
- fix selinuxuser_use_ssh_chroot boolean
|
||||
|
||||
* Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
|
||||
- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean.
|
||||
- Allow bootloader to manage generic log files
|
||||
|