* Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171

- Allow setroubleshoot_fixit_t to use temporary files
This commit is contained in:
Lukas Vrabec 2016-02-11 14:22:13 +01:00
parent ead49a5633
commit d6823d337b
3 changed files with 29 additions and 10 deletions

Binary file not shown.


@ -97165,10 +97165,10 @@ index 3a9a70b..903109c 100644
logging_list_logs($1) logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t) admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te diff --git a/setroubleshoot.te b/setroubleshoot.te
index ce67935..24c746f 100644 index ce67935..4985c02 100644
--- a/setroubleshoot.te --- a/setroubleshoot.te
+++ b/setroubleshoot.te +++ b/setroubleshoot.te
@@ -7,68 +7,95 @@ policy_module(setroubleshoot, 1.12.1) @@ -7,68 +7,111 @@ policy_module(setroubleshoot, 1.12.1)
type setroubleshootd_t alias setroubleshoot_t; type setroubleshootd_t alias setroubleshoot_t;
type setroubleshootd_exec_t; type setroubleshootd_exec_t;
@ -97197,6 +97197,12 @@ index ce67935..24c746f 100644
+ +
+type setroubleshoot_tmpfs_t; +type setroubleshoot_tmpfs_t;
+files_tmpfs_file(setroubleshoot_tmpfs_t) +files_tmpfs_file(setroubleshoot_tmpfs_t)
+
+type setroubleshoot_fixit_tmp_t;
+files_tmp_file(setroubleshoot_fixit_tmp_t)
+
+type setroubleshoot_fixit_tmpfs_t;
+files_tmpfs_file(setroubleshoot_fixit_tmpfs_t)
+ +
######################################## ########################################
# #
@ -97219,8 +97225,7 @@ index ce67935..24c746f 100644
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; +allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+ +
+
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
+manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t) +manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
+manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t) +manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
+files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir }) +files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir })
@ -97231,6 +97236,17 @@ index ce67935..24c746f 100644
+fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir }) +fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir })
+allow setroubleshootd_t setroubleshoot_tmpfs_t:file mmap_file_perms; +allow setroubleshootd_t setroubleshoot_tmpfs_t:file mmap_file_perms;
+ +
+manage_files_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, setroubleshoot_fixit_tmp_t)
+manage_dirs_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, setroubleshoot_fixit_tmp_t)
+files_tmp_filetrans(setroubleshoot_fixit_t, setroubleshoot_fixit_tmp_t, { file dir })
+allow setroubleshoot_fixit_t setroubleshoot_fixit_tmp_t:file mmap_file_perms;
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
+manage_files_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, setroubleshoot_fixit_tmpfs_t)
+manage_dirs_pattern(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, setroubleshoot_fixit_tmpfs_t)
+fs_tmpfs_filetrans(setroubleshoot_fixit_t, setroubleshoot_fixit_tmpfs_t, { file dir })
+allow setroubleshoot_fixit_t setroubleshoot_fixit_tmpfs_t:file mmap_file_perms;
+
+# database files +# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; +allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
@ -97280,7 +97296,7 @@ index ce67935..24c746f 100644
dev_read_urand(setroubleshootd_t) dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t)
@@ -76,10 +103,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) @@ -76,10 +119,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t)
dev_getattr_mtrr_dev(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t)
@ -97292,7 +97308,7 @@ index ce67935..24c746f 100644
files_list_all(setroubleshootd_t) files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t)
@@ -109,27 +135,24 @@ init_read_utmp(setroubleshootd_t) @@ -109,27 +151,24 @@ init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t)
@ -97325,7 +97341,7 @@ index ce67935..24c746f 100644
') ')
optional_policy(` optional_policy(`
@@ -137,10 +160,18 @@ optional_policy(` @@ -137,10 +176,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -97344,7 +97360,7 @@ index ce67935..24c746f 100644
rpm_exec(setroubleshootd_t) rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t) rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t) rpm_read_db(setroubleshootd_t)
@@ -150,26 +181,36 @@ optional_policy(` @@ -150,26 +197,36 @@ optional_policy(`
######################################## ########################################
# #
@ -97383,7 +97399,7 @@ index ce67935..24c746f 100644
files_list_tmp(setroubleshoot_fixit_t) files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t)
@@ -177,23 +218,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) @@ -177,23 +234,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t)
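Review bot: The two new rules `allow setroubleshoot_fixit_t setroubleshoot_fixit_tmp_t:file mmap_file_perms;` and `allow setroubleshoot_fixit_t setroubleshoot_fixit_tmpfs_t:file mmap_file_perms;` (hunk `@ -97231,6 +97236,17`) sit directly under `manage_files_pattern` on the same two types, and as far as I recall this generation of refpolicy expands `mmap_file_perms` to `{ getattr open read execute ioctl }` (check policy/support/obj_perm_sets.spt), so the fixit helper is being granted write-and-map-executable on files it creates itself — a W^X gap that deserves its own justification rather than being copied from the daemon's tmpfs rule a few lines above. If the AVC that motivated the change (none is cited; unlike the -170 entries this changelog line carries no rhbz#) only shows PROT_READ/PROT_WRITE mappings, the `read`/`write` already in the manage pattern cover them and the `execute` grant can be dropped; if PROT_EXEC really is needed, a one-line why-comment naming the consumer, e.g. `# fixit plugins mmap their own temp files executable, see rhbz#NNNN`, would stop the next reviewer from asking the same question. This hunk is only a slice of the larger patch file, so the rest of setroubleshoot_fixit_t's rules, and whether the admin interface in setroubleshoot.if should also gain `admin_pattern` for the new tmp types, are outside view here.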


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 170%{?dist} Release: 171%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -664,6 +664,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Feb 11 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-171
- Allow setroubleshoot_fixit_t to use temporary files
* Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170 * Wed Feb 10 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-170
- Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334 - Allow abrt_dump_oops_t to getattr filesystem nsfs files. rhbz#1300334
- Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426 - Allow ulogd_t to create netlink_netfilter sockets. rhbz#1305426