Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

modules-targeted-contrib.conf

@@ -2255,3 +2255,17 @@ smsd = module
 # policy for pesign
 #
 pesign = module
+
+# Layer: contrib
+# Module: nsd
+#
+# Fast and lean authoritative DNS Name Server
+#
+nsd = module   
+
+# Layer: contrib
+# Module: iodine
+#
+# Fast and lean authoritative DNS Name Server
+#
+iodine = module

policy-rawhide-base.patch

@@ -5170,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..68176bb 100644
+index 4edc40d..b48abbe 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5400,7 +5400,7 @@ index 4edc40d..68176bb 100644
  network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +255,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5415,6 +5415,7 @@ index 4edc40d..68176bb 100644
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
 +network_port(time, tcp,37,s0, udp,37,s0)
++network_port(redis, tcp,6379,s0)
  network_port(repository, tcp, 6363, s0)
  network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@@ -5449,7 +5450,7 @@ index 4edc40d..68176bb 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +303,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5460,7 +5461,7 @@ index 4edc40d..68176bb 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +315,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5473,7 +5474,7 @@ index 4edc40d..68176bb 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
+@@ -292,12 +339,16 @@ network_port(zope, tcp,8021,s0)
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
  # these entries just cover any remaining reserved ports not otherwise declared.
  
@@ -5492,7 +5493,7 @@ index 4edc40d..68176bb 100644
  
  ########################################
  #
-@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +381,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5501,7 +5502,7 @@ index 4edc40d..68176bb 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +395,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -33356,15 +33357,14 @@ index 3822072..1029e3b 100644
 +    userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..64db314 100644
+index ec01d0b..e2b829b 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -11,14 +11,17 @@ gen_require(`
+@@ -11,14 +11,16 @@ gen_require(`
  
  attribute can_write_binary_policy;
  attribute can_relabelto_binary_policy;
 +attribute setfiles_domain;
-+attribute seutil_semanage_domain;
 +attribute policy_manager_domain;
  
 -attribute_role newrole_roles;
@@ -33382,7 +33382,7 @@ index ec01d0b..64db314 100644
  
  #
  # selinux_config_t is the type applied to
-@@ -28,7 +31,13 @@ roleattribute system_r semanage_roles;
+@@ -28,7 +30,13 @@ roleattribute system_r semanage_roles;
  # in the domain_type interface
  # (fix dup decl)
  type selinux_config_t;
@@ -33397,7 +33397,7 @@ index ec01d0b..64db314 100644
  
  type checkpolicy_t, can_write_binary_policy;
  type checkpolicy_exec_t;
-@@ -40,14 +49,14 @@ role system_r types checkpolicy_t;
+@@ -40,14 +48,14 @@ role system_r types checkpolicy_t;
  # /etc/selinux/*/contexts/*
  #
  type default_context_t;
@@ -33414,7 +33414,7 @@ index ec01d0b..64db314 100644
  
  type load_policy_t;
  type load_policy_exec_t;
-@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
+@@ -60,14 +68,20 @@ application_domain(newrole_t, newrole_exec_t)
  domain_role_change_exemption(newrole_t)
  domain_obj_id_change_exemption(newrole_t)
  domain_interactive_fd(newrole_t)
@@ -33438,7 +33438,7 @@ index ec01d0b..64db314 100644
  
  neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
  #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -83,7 +98,6 @@ type restorecond_t;
+@@ -83,7 +97,6 @@ type restorecond_t;
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t, restorecond_exec_t)
  domain_obj_id_change_exemption(restorecond_t)
@@ -33446,7 +33446,7 @@ index ec01d0b..64db314 100644
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -92,25 +106,32 @@ type run_init_t;
+@@ -92,25 +105,32 @@ type run_init_t;
  type run_init_exec_t;
  application_domain(run_init_t, run_init_exec_t)
  domain_system_change_exemption(run_init_t)
@@ -33485,7 +33485,7 @@ index ec01d0b..64db314 100644
  
  type semanage_var_lib_t;
  files_type(semanage_var_lib_t)
-@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
+@@ -120,6 +140,11 @@ type setfiles_exec_t alias restorecon_exec_t;
  init_system_domain(setfiles_t, setfiles_exec_t)
  domain_obj_id_change_exemption(setfiles_t)
  
@@ -33497,7 +33497,7 @@ index ec01d0b..64db314 100644
  ########################################
  #
  # Checkpolicy local policy
-@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
+@@ -137,6 +162,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
  read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
  read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
  allow checkpolicy_t selinux_config_t:dir search_dir_perms;
@@ -33505,7 +33505,7 @@ index ec01d0b..64db314 100644
  
  domain_use_interactive_fds(checkpolicy_t)
  
-@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
+@@ -151,7 +177,7 @@ term_use_console(checkpolicy_t)
  init_use_fds(checkpolicy_t)
  init_use_script_ptys(checkpolicy_t)
  
@@ -33514,7 +33514,7 @@ index ec01d0b..64db314 100644
  userdom_use_all_users_fds(checkpolicy_t)
  
  ifdef(`distro_ubuntu',`
-@@ -188,13 +215,13 @@ term_list_ptys(load_policy_t)
+@@ -188,13 +214,13 @@ term_list_ptys(load_policy_t)
  
  init_use_script_fds(load_policy_t)
  init_use_script_ptys(load_policy_t)
@@ -33531,7 +33531,7 @@ index ec01d0b..64db314 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -205,6 +232,7 @@ ifdef(`distro_ubuntu',`
+@@ -205,6 +231,7 @@ ifdef(`distro_ubuntu',`
  ifdef(`hide_broken_symptoms',`
  	# cjp: cover up stray file descriptors.
  	dontaudit load_policy_t selinux_config_t:file write;
@@ -33539,7 +33539,7 @@ index ec01d0b..64db314 100644
  
  	optional_policy(`
  		unconfined_dontaudit_read_pipes(load_policy_t)
-@@ -215,12 +243,17 @@ optional_policy(`
+@@ -215,12 +242,17 @@ optional_policy(`
  	portage_dontaudit_use_fds(load_policy_t)
  ')
  
@@ -33558,7 +33558,7 @@ index ec01d0b..64db314 100644
  allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow newrole_t self:process setexec;
  allow newrole_t self:fd use;
-@@ -232,7 +265,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -232,7 +264,7 @@ allow newrole_t self:msgq create_msgq_perms;
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -33567,7 +33567,7 @@ index ec01d0b..64db314 100644
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +282,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -249,6 +281,7 @@ domain_use_interactive_fds(newrole_t)
  # for when the user types "exec newrole" at the command line:
  domain_sigchld_interactive_fds(newrole_t)
  
@@ -33575,7 +33575,7 @@ index ec01d0b..64db314 100644
  files_read_etc_files(newrole_t)
  files_read_var_files(newrole_t)
  files_read_var_symlinks(newrole_t)
-@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t)
+@@ -276,25 +309,34 @@ term_relabel_all_ptys(newrole_t)
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -33617,7 +33617,7 @@ index ec01d0b..64db314 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -309,7 +352,7 @@ if(secure_mode) {
+@@ -309,7 +351,7 @@ if(secure_mode) {
  	userdom_spec_domtrans_all_users(newrole_t)
  }
  
@@ -33626,7 +33626,7 @@ index ec01d0b..64db314 100644
  	files_polyinstantiate_all(newrole_t)
  ')
  
-@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t)
+@@ -328,9 +370,13 @@ kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -33641,7 +33641,7 @@ index ec01d0b..64db314 100644
  fs_list_inotifyfs(restorecond_t)
  
  selinux_validate_context(restorecond_t)
-@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t)
+@@ -341,16 +387,17 @@ selinux_compute_user_contexts(restorecond_t)
  
  files_relabel_non_auth_files(restorecond_t )
  files_read_non_auth_files(restorecond_t)
@@ -33661,7 +33661,7 @@ index ec01d0b..64db314 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -366,21 +414,24 @@ optional_policy(`
+@@ -366,21 +413,24 @@ optional_policy(`
  # Run_init local policy
  #
  
@@ -33688,7 +33688,7 @@ index ec01d0b..64db314 100644
  dev_dontaudit_list_all_dev_nodes(run_init_t)
  
  domain_use_interactive_fds(run_init_t)
-@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t)
+@@ -398,23 +448,30 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -33724,7 +33724,7 @@ index ec01d0b..64db314 100644
  
  ifndef(`direct_sysadm_daemon',`
  	ifdef(`distro_gentoo',`
-@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -425,6 +482,19 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -33744,7 +33744,7 @@ index ec01d0b..64db314 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -440,81 +511,87 @@ optional_policy(`
+@@ -440,81 +510,87 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -33885,7 +33885,7 @@ index ec01d0b..64db314 100644
  ')
  
  ########################################
-@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -34151,7 +34151,7 @@ index ec01d0b..64db314 100644
 +userdom_use_user_ptys(policy_manager_domain)
 +
 +files_rw_inherited_generic_pid_files(setfiles_domain)
-+files_rw_inherited_generic_pid_files(seutil_semanage_domain)
++files_rw_inherited_generic_pid_files(policy_manager_domain)
 diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
 index bea4629..06e2834 100644
 --- a/policy/modules/system/setrans.fc
@@ -38249,7 +38249,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..4f43578 100644
+index 3c5dba7..4129aa6 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39192,7 +39192,7 @@ index 3c5dba7..4f43578 100644
 +	allow $1_t self:process ~{ ptrace execmem execstack execheap };
 +
 +	tunable_policy(`selinuxuser_use_ssh_chroot',`
-+		allow $1_t self:capability { setuid sys_chroot };
++		allow $1_t self:capability { setuid setgid sys_chroot };
 +	')
  
 -	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };

selinux-policy.spec

@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 58%{?dist}
+Release: 59%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,47 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jul 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-59
+- Add prosody policy written by Michael Scherer
+- Allow nagios plugins to read /sys info
+- ntpd needs to manage own log files
+- Add support for HOME_DIR/.IBMERS
+- Allow iptables commands to read firewalld config
+- Allow consolekit_t to read utmp
+- Fix filename transitions on .razor directory
+- Add additional fixes to make DSPAM with LDA working
+- Allow snort to read /etc/passwd
+- Allow fail2ban to communicate with firewalld over dbus
+- Dontaudit openshift_cgreoup_file_t read/write leaked dev
+- Allow nfsd to use mountd port
+- Call th proper interface
+- Allow openvswitch to read sys and execute plymouth
+- Allow tmpwatch to read /var/spool/cups/tmp
+- Add support for /usr/libexec/telepathy-rakia
+- Add systemd support for zoneminder
+- Allow mysql to create files/directories under /var/log/mysql
+- Allow zoneminder apache scripts to rw zoneminder tmpfs
+- Allow httpd to manage zoneminder lib files
+- Add zoneminder_run_sudo boolean to allow to start zoneminder
+- Allow zoneminder to send mails
+- gssproxy_t sock_file can be under /var/lib
+- Allow web domains to connect to whois port.
+- Allow sandbox_web_type to connect to the same ports as mozilla_plugin_t.
+- We really need to add an interface to corenet to define what a web_client_domain is and
+- then define chrome_sandbox_t, mozilla_plugin_t and sandbox_web_type to that domain.
+- Add labeling for cmpiLMI_LogicalFile-cimprovagt
+- Also make pegasus_openlmi_logicalfile_t as unconfined to have unconfined_domain attribute for filename trans rules
+- Update policy rules for pegasus_openlmi_logicalfile_t
+- Add initial types for logicalfile/unconfined OpenLMI providers
+- mailmanctl needs to read own log
+- Allow logwatch manage own lock files
+- Allow nrpe to read meminfo
+- Allow httpd to read certs located in pki-ca
+- Add pki_read_tomcat_cert() interface
+- Add support for nagios openshift plugins
+- Add port definition for redis port
+- fix selinuxuser_use_ssh_chroot boolean
+
 * Fri Jun 28 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-58
 - Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. 
 - Allow bootloader to manage generic log files