* Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171

- Allow setroubleshoot_fixit_t to use temporary files
Lukas Vrabec 2016-02-11 14:22:13 +01:00
parent ead49a5633
commit d6823d337b
3 changed files with 29 additions and 10 deletions

Binary file not shown.


@ -97165,10 +97165,10 @@ index 3a9a70b..903109c 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
index ce67935..24c746f 100644
index ce67935..4985c02 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -7,68 +7,95 @@ policy_module(setroubleshoot, 1.12.1)
@@ -7,68 +7,111 @@ policy_module(setroubleshoot, 1.12.1)
type setroubleshootd_t alias setroubleshoot_t;
type setroubleshootd_exec_t;
@ -97197,6 +97197,12 @@ index ce67935..24c746f 100644
+
+type setroubleshoot_tmpfs_t;
+files_tmpfs_file(setroubleshoot_tmpfs_t)
+
+type setroubleshoot_fixit_tmp_t;
+files_tmp_file(setroubleshoot_fixit_tmp_t)
+
+type setroubleshoot_fixit_tmpfs_t;
+files_tmpfs_file(setroubleshoot_fixit_tmpfs_t)
+
########################################
#
@ -97219,8 +97225,7 @@ index ce67935..24c746f 100644
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
+
+manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
+files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir })
@ -97231,6 +97236,17 @@ index ce67935..24c746f 100644
+fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir })
+allow setroubleshootd_t setroubleshoot_tmpfs_t:file mmap_file_perms;
+
+manage_files_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, setroubleshoot_fixit_tmp_t)
+manage_dirs_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, setroubleshoot_fixit_tmp_t)
+files_tmp_filetrans(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, { file dir })
+allow setroubleshoot_fixit_t setroubleshoot_fixit_tmp_t:file mmap_file_perms;
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
+manage_files_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, setroubleshoot_fixit_tmpfs_t)
+manage_dirs_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, setroubleshoot_fixit_tmpfs_t)
+fs_tmpfs_filetrans(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, { file dir })
+allow setroubleshoot_fixit_t setroubleshoot_fixit_tmpfs_t:file mmap_file_perms;
+
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
@ -97280,7 +97296,7 @@ index ce67935..24c746f 100644
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
@@ -76,10 +103,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
@@ -76,10 +119,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
dev_getattr_all_chr_files(setroubleshootd_t)
dev_getattr_mtrr_dev(setroubleshootd_t)
@ -97292,7 +97308,7 @@ index ce67935..24c746f 100644
files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
@@ -109,27 +135,24 @@ init_read_utmp(setroubleshootd_t)
@@ -109,27 +151,24 @@ init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
@ -97325,7 +97341,7 @@ index ce67935..24c746f 100644
')
optional_policy(`
@@ -137,10 +160,18 @@ optional_policy(`
@@ -137,10 +176,18 @@ optional_policy(`
')
optional_policy(`
@ -97344,7 +97360,7 @@ index ce67935..24c746f 100644
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
@@ -150,26 +181,36 @@ optional_policy(`
@@ -150,26 +197,36 @@ optional_policy(`
########################################
#
@ -97383,7 +97399,7 @@ index ce67935..24c746f 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
@@ -177,23 +218,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
@@ -177,23 +234,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
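Review bot: The added `allow setroubleshoot_fixit_t setroubleshoot_fixit_tmp_t:file mmap_file_perms;` and its `setroubleshoot_fixit_tmpfs_t` counterpart sit next to `manage_files_pattern` on the same types, so the fixit domain can both write and executable-map the files it creates in /tmp and tmpfs, assuming `mmap_file_perms` expands to include `execute` here as it does in upstream reference policy. The same pairing is present on `setroubleshootd_t` / `setroubleshoot_tmpfs_t` a few lines earlier. If execute is not actually required, the two `mmap_file_perms` lines can be dropped, since `manage_files_pattern` already grants read; if it is required, a comment above the rules such as `# fixit maps its own temp files executable, see rhbz#<bug-id>` would record why a write-then-execute path is accepted for this domain. The commit title also mentions only temporary files while the rules cover tmpfs as well, and unlike the neighbouring changelog entries it carries no bug reference.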


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 170%{?dist}
Release: 171%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -664,6 +664,9 @@ exit 0
%endif
%changelog
* Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
- Allow setroubleshoot_fixit_t to use temporary files
* Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426