* Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136

- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non-existent nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t. Allow afs_bosserver_t to create afs_config_t and afs_dbdir_t dirs under afs_files_t. Allow afs_bosserver_t to read kerberos config.
- Fix *_admin interfaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
Lukas Vrabec 2015-07-14 18:10:21 +02:00
parent f53ebea7af
commit ee724ad113
3 changed files with 674 additions and 557 deletions


@ -5565,7 +5565,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..3812e33 100644
index b191055..bb7bad0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5639,7 +5639,7 @@ index b191055..3812e33 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
@@ -83,56 +106,71 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
@@ -83,56 +106,72 @@ network_port(agentx, udp,705,s0, tcp,705,s0)
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
@ -5710,6 +5710,7 @@ index b191055..3812e33 100644
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+network_port(gear, tcp,43273,s0, udp,43273,s0)
+network_port(geneve, tcp,6080,s0)
network_port(gdomap, tcp,538,s0, udp,538,s0)
network_port(gds_db, tcp,3050,s0, udp,3050,s0)
network_port(giftd, tcp,1213,s0)
@ -5720,7 +5721,7 @@ index b191055..3812e33 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
@@ -140,45 +178,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
@@ -140,45 +179,55 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@ -5791,7 +5792,7 @@ index b191055..3812e33 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
@@ -186,101 +234,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
@@ -186,101 +235,124 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@ -5934,7 +5935,7 @@ index b191055..3812e33 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
@@ -288,19 +359,23 @@ network_port(zabbix_agent, tcp,10050,s0)
@@ -288,19 +360,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@ -5961,7 +5962,7 @@ index b191055..3812e33 100644
########################################
#
@@ -333,6 +408,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
@@ -333,6 +409,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@ -5970,7 +5971,7 @@ index b191055..3812e33 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
@@ -345,9 +422,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
@@ -345,9 +423,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@ -14445,7 +14446,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <<none>>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..d7111b8 100644
index 8416beb..a250b32 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -15453,7 +15454,32 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2485,6 +3021,7 @@ interface(`fs_read_nfs_files',`
@@ -2398,6 +2934,24 @@ interface(`fs_getattr_nfs',`
########################################
## <summary>
+## Set the attributes of nfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_setattr_nfs_dirs',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ allow $1 nfs_t:dir setattr;
+')
+
+########################################
+## <summary>
## Search directories on a NFS filesystem.
## </summary>
## <param name="domain">
@@ -2485,6 +3039,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@ -15461,7 +15487,7 @@ index 8416beb..d7111b8 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
@@ -2523,6 +3060,7 @@ interface(`fs_write_nfs_files',`
@@ -2523,6 +3078,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@ -15469,7 +15495,7 @@ index 8416beb..d7111b8 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
@@ -2549,6 +3087,44 @@ interface(`fs_exec_nfs_files',`
@@ -2549,6 +3105,44 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@ -15514,7 +15540,7 @@ index 8416beb..d7111b8 100644
## Append files
## on a NFS filesystem.
## </summary>
@@ -2569,7 +3145,7 @@ interface(`fs_append_nfs_files',`
@@ -2569,7 +3163,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@ -15523,7 +15549,7 @@ index 8416beb..d7111b8 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
@@ -2589,6 +3165,42 @@ interface(`fs_dontaudit_append_nfs_files',`
@@ -2589,6 +3183,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@ -15566,7 +15592,7 @@ index 8416beb..d7111b8 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
@@ -2603,7 +3215,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
@@ -2603,7 +3233,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@ -15575,7 +15601,7 @@ index 8416beb..d7111b8 100644
')
########################################
@@ -2627,7 +3239,7 @@ interface(`fs_read_nfs_symlinks',`
@@ -2627,7 +3257,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@ -15584,7 +15610,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2719,6 +3331,47 @@ interface(`fs_search_rpc',`
@@ -2719,6 +3349,47 @@ interface(`fs_search_rpc',`
########################################
## <summary>
@ -15632,7 +15658,7 @@ index 8416beb..d7111b8 100644
## Search removable storage directories.
## </summary>
## <param name="domain">
@@ -2741,7 +3394,7 @@ interface(`fs_search_removable',`
@@ -2741,7 +3412,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@ -15641,7 +15667,7 @@ index 8416beb..d7111b8 100644
## </summary>
## </param>
#
@@ -2777,7 +3430,7 @@ interface(`fs_read_removable_files',`
@@ -2777,7 +3448,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@ -15650,7 +15676,7 @@ index 8416beb..d7111b8 100644
## </summary>
## </param>
#
@@ -2970,6 +3623,7 @@ interface(`fs_manage_nfs_dirs',`
@@ -2970,6 +3641,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@ -15658,7 +15684,7 @@ index 8416beb..d7111b8 100644
allow $1 nfs_t:dir manage_dir_perms;
')
@@ -3010,6 +3664,7 @@ interface(`fs_manage_nfs_files',`
@@ -3010,6 +3682,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@ -15666,7 +15692,7 @@ index 8416beb..d7111b8 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
@@ -3050,6 +3705,7 @@ interface(`fs_manage_nfs_symlinks',`
@@ -3050,6 +3723,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@ -15674,7 +15700,7 @@ index 8416beb..d7111b8 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -3137,6 +3793,24 @@ interface(`fs_nfs_domtrans',`
@@ -3137,6 +3811,24 @@ interface(`fs_nfs_domtrans',`
########################################
## <summary>
@ -15699,7 +15725,7 @@ index 8416beb..d7111b8 100644
## Mount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
@@ -3263,6 +3937,24 @@ interface(`fs_getattr_nfsd_files',`
@@ -3263,6 +3955,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@ -15724,7 +15750,7 @@ index 8416beb..d7111b8 100644
########################################
## <summary>
## Read and write NFS server files.
@@ -3283,6 +3975,24 @@ interface(`fs_rw_nfsd_fs',`
@@ -3283,6 +3993,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@ -15749,7 +15775,7 @@ index 8416beb..d7111b8 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
@@ -3392,7 +4102,7 @@ interface(`fs_search_ramfs',`
@@ -3392,7 +4120,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@ -15758,7 +15784,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3429,7 +4139,7 @@ interface(`fs_manage_ramfs_dirs',`
@@ -3429,7 +4157,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@ -15767,7 +15793,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3447,7 +4157,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
@@ -3447,7 +4175,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@ -15776,7 +15802,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3743,25 +4453,61 @@ interface(`fs_getattr_rpc_pipefs',`
@@ -3743,25 +4471,61 @@ interface(`fs_getattr_rpc_pipefs',`
#########################################
## <summary>
@ -15844,7 +15870,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3769,17 +4515,17 @@ interface(`fs_rw_rpc_named_pipes',`
@@ -3769,17 +4533,17 @@ interface(`fs_rw_rpc_named_pipes',`
## </summary>
## </param>
#
@ -15865,7 +15891,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3787,17 +4533,17 @@ interface(`fs_mount_tmpfs',`
@@ -3787,17 +4551,17 @@ interface(`fs_mount_tmpfs',`
## </summary>
## </param>
#
@ -15886,7 +15912,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3805,12 +4551,12 @@ interface(`fs_remount_tmpfs',`
@@ -3805,12 +4569,12 @@ interface(`fs_remount_tmpfs',`
## </summary>
## </param>
#
@ -15901,7 +15927,7 @@ index 8416beb..d7111b8 100644
')
########################################
@@ -3908,7 +4654,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
@@ -3908,7 +4672,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
## <summary>
@ -15910,7 +15936,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3916,17 +4662,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
@@ -3916,17 +4680,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
## </summary>
## </param>
#
@ -15931,7 +15957,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3934,17 +4680,17 @@ interface(`fs_mounton_tmpfs',`
@@ -3934,17 +4698,17 @@ interface(`fs_mounton_tmpfs',`
## </summary>
## </param>
#
@ -15952,7 +15978,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3952,17 +4698,36 @@ interface(`fs_setattr_tmpfs_dirs',`
@@ -3952,17 +4716,36 @@ interface(`fs_setattr_tmpfs_dirs',`
## </summary>
## </param>
#
@ -15992,7 +16018,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3970,31 +4735,48 @@ interface(`fs_search_tmpfs',`
@@ -3970,31 +4753,48 @@ interface(`fs_search_tmpfs',`
## </summary>
## </param>
#
@ -16048,7 +16074,7 @@ index 8416beb..d7111b8 100644
')
########################################
@@ -4105,7 +4887,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
@@ -4105,7 +4905,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@ -16057,7 +16083,7 @@ index 8416beb..d7111b8 100644
')
########################################
@@ -4165,6 +4947,24 @@ interface(`fs_rw_tmpfs_files',`
@@ -4165,6 +4965,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@ -16082,7 +16108,7 @@ index 8416beb..d7111b8 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
@@ -4202,7 +5002,7 @@ interface(`fs_rw_tmpfs_chr_files',`
@@ -4202,7 +5020,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@ -16091,7 +16117,7 @@ index 8416beb..d7111b8 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4221,6 +5021,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
@@ -4221,6 +5039,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@ -16152,7 +16178,7 @@ index 8416beb..d7111b8 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
@@ -4278,6 +5132,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
@@ -4278,6 +5150,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@ -16197,7 +16223,7 @@ index 8416beb..d7111b8 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
@@ -4297,6 +5189,25 @@ interface(`fs_manage_tmpfs_files',`
@@ -4297,6 +5207,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@ -16223,7 +16249,7 @@ index 8416beb..d7111b8 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
@@ -4503,6 +5414,8 @@ interface(`fs_mount_all_fs',`
@@ -4503,6 +5432,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@ -16232,7 +16258,7 @@ index 8416beb..d7111b8 100644
')
########################################
@@ -4549,7 +5462,7 @@ interface(`fs_unmount_all_fs',`
@@ -4549,7 +5480,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@ -16241,7 +16267,7 @@ index 8416beb..d7111b8 100644
## Example attributes:
## </p>
## <ul>
@@ -4596,6 +5509,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
@@ -4596,6 +5527,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
## <summary>
@ -16268,7 +16294,7 @@ index 8416beb..d7111b8 100644
## Get the quotas of all filesystems.
## </summary>
## <param name="domain">
@@ -4671,6 +5604,25 @@ interface(`fs_getattr_all_dirs',`
@@ -4671,6 +5622,25 @@ interface(`fs_getattr_all_dirs',`
########################################
## <summary>
@ -16294,7 +16320,7 @@ index 8416beb..d7111b8 100644
## Search all directories with a filesystem type.
## </summary>
## <param name="domain">
@@ -4912,3 +5864,43 @@ interface(`fs_unconfined',`
@@ -4912,3 +5882,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@ -35708,7 +35734,7 @@ index 4e94884..7ab6191 100644
+ filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b04c1..0bdf67e 100644
index 59b04c1..75844b4 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@ -35895,7 +35921,7 @@ index 59b04c1..0bdf67e 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
@@ -280,10 +325,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
@@ -280,13 +325,23 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@ -35915,7 +35941,12 @@ index 59b04c1..0bdf67e 100644
sysnet_dns_name_resolve(audisp_remote_t)
@@ -326,7 +379,6 @@ files_read_etc_files(klogd_t)
+term_search_ptys(audisp_remote_t)
+
########################################
#
# klogd local policy
@@ -326,7 +381,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@ -35923,7 +35954,7 @@ index 59b04c1..0bdf67e 100644
mls_file_read_all_levels(klogd_t)
@@ -355,13 +407,12 @@ optional_policy(`
@@ -355,13 +409,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
@ -35940,7 +35971,7 @@ index 59b04c1..0bdf67e 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -369,11 +420,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
@@ -369,11 +422,15 @@ allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@ -35957,7 +35988,7 @@ index 59b04c1..0bdf67e 100644
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
@@ -389,30 +444,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
@@ -389,30 +446,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@ -36008,7 +36039,7 @@ index 59b04c1..0bdf67e 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
@@ -422,6 +494,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
@@ -422,6 +496,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@ -36017,7 +36048,7 @@ index 59b04c1..0bdf67e 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
@@ -432,9 +506,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
@@ -432,9 +508,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@ -36051,7 +36082,7 @@ index 59b04c1..0bdf67e 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -448,13 +545,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
@@ -448,13 +547,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@ -36069,7 +36100,7 @@ index 59b04c1..0bdf67e 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
@@ -466,11 +567,12 @@ init_use_fds(syslogd_t)
@@ -466,11 +569,12 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@ -36085,7 +36116,7 @@ index 59b04c1..0bdf67e 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
@@ -497,6 +599,7 @@ optional_policy(`
@@ -497,6 +601,7 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
@ -36093,7 +36124,7 @@ index 59b04c1..0bdf67e 100644
')
optional_policy(`
@@ -507,15 +610,40 @@ optional_policy(`
@@ -507,15 +612,40 @@ optional_policy(`
')
optional_policy(`
@ -36134,7 +36165,7 @@ index 59b04c1..0bdf67e 100644
')
optional_policy(`
@@ -526,3 +654,26 @@ optional_policy(`
@@ -526,3 +656,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
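Review bot: The added `network_port(geneve, tcp,6080,s0)` in the corenetwork.te.in part of this patch gives TCP port 6080 a name that does not match the protocol, since Geneve encapsulation is assigned UDP 6081 (RFC 8926). The commit message says the label exists so that nova_t can bind the port, so the type appears to describe a nova listener rather than overlay traffic. A misnamed port type makes later grants through the generated `corenet_tcp_bind_geneve_port()` interface hard to audit, because a reader will assume they cover Geneve tunnels. I would name the type after the service that actually listens on 6080, or at least record the reason on the line above the declaration, e.g. `# tcp 6080 is bound by nova (3.13.1-136); Geneve encapsulation itself is udp 6081`.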


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 135%{?dist}
Release: 136%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -602,6 +602,29 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
- Add samba_unconfined_script_exec_t to samba_admin header.
- Add jabberd_lock_t label to jabberd_admin header.
- Add rpm_var_run_t label to rpm_admin header.
- Make all interfaces related to openshift_cache_t as deprecated.
- Remove non exits nfsd_ro_t label.
- Label /usr/afs/ as afs_files_t Allow afs_bosserver_t create afs_config_t and afs_dbdir_t dirs under afs_files_t Allow afs_bosserver_t read kerberos config
- Fix *_admin intefaces where body is not consistent with header.
- Allow networkmanager read rfcomm port.
- Fix nova_domain_template interface, Fix typo bugs in nova policy
- Create nova sublabels.
- Merge all nova_* labels under one nova_t.
- Add cobbler_var_lib_t to "/var/lib/tftpboot/boot(/.*)?"
- Allow dnssec_trigger_t relabelfrom dnssec_trigger_var_run_t files.
- Fix label openstack-nova-metadata-api binary file
- Allow nova_t to bind on geneve tcp port, and all udp ports
- Label swift-container-reconciler binary as swift_t.
- Allow glusterd to execute showmount in the showmount domain.
- Allow NetworkManager_t send signull to dnssec_trigger_t.
- Add support for openstack-nova-* packages.
- Allow audisp-remote searching devpts.
- Label 6080 tcp port as geneve
* Thu Jul 09 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-135
- Update mta_filetrans_named_content() interface to cover more db files.
- Revert "Remove ftpd_use_passive_mode boolean. It does not make sense due to ephemeral port handling."