* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95

- Allow openvpn to also manage NetworkManager sock pid files.
Lukas Vrabec 2014-11-19 19:46:38 +01:00
parent c88e657c3d
commit feb8dbd59b
3 changed files with 98 additions and 85 deletions


@ -27255,7 +27255,7 @@ index 2479587..890e1e2 100644
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..9e85ea0 100644 index 3efd5b6..f645c21 100644
--- a/policy/modules/system/authlogin.if --- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',` @@ -23,11 +23,17 @@ interface(`auth_role',`
@ -27317,7 +27317,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -95,69 +117,67 @@ interface(`auth_use_pam',` @@ -95,69 +117,68 @@ interface(`auth_use_pam',`
interface(`auth_login_pgm_domain',` interface(`auth_login_pgm_domain',`
gen_require(` gen_require(`
type var_auth_t, auth_cache_t; type var_auth_t, auth_cache_t;
@ -27375,6 +27375,7 @@ index 3efd5b6..9e85ea0 100644
mls_file_downgrade($1) mls_file_downgrade($1)
mls_process_set_level($1) mls_process_set_level($1)
+ mls_process_write_to_clearance($1) + mls_process_write_to_clearance($1)
+ mls_process_write_all_levels($1)
mls_fd_share_all_levels($1) mls_fd_share_all_levels($1)
auth_use_pam($1) auth_use_pam($1)
@ -27426,7 +27427,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -231,6 +251,25 @@ interface(`auth_domtrans_login_program',` @@ -231,6 +252,25 @@ interface(`auth_domtrans_login_program',`
######################################## ########################################
## <summary> ## <summary>
@ -27452,7 +27453,7 @@ index 3efd5b6..9e85ea0 100644
## Execute a login_program in the target domain, ## Execute a login_program in the target domain,
## with a range transition. ## with a range transition.
## </summary> ## </summary>
@@ -322,6 +361,24 @@ interface(`auth_rw_cache',` @@ -322,6 +362,24 @@ interface(`auth_rw_cache',`
######################################## ########################################
## <summary> ## <summary>
@ -27477,7 +27478,7 @@ index 3efd5b6..9e85ea0 100644
## Manage authentication cache ## Manage authentication cache
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',` @@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
') ')
@ -27486,7 +27487,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',` @@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',`
######################################## ########################################
## <summary> ## <summary>
@ -27511,7 +27512,7 @@ index 3efd5b6..9e85ea0 100644
## Execute chkpwd programs in the chkpwd domain. ## Execute chkpwd programs in the chkpwd domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',` @@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1) auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t; role $2 types chkpwd_t;
@ -27537,7 +27538,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',` @@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t) domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1) auth_dontaudit_read_shadow($1)
@ -27545,7 +27546,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -664,6 +759,10 @@ interface(`auth_manage_shadow',` @@ -664,6 +760,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms; allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@ -27556,7 +27557,7 @@ index 3efd5b6..9e85ea0 100644
') ')
####################################### #######################################
@@ -763,7 +862,50 @@ interface(`auth_rw_faillog',` @@ -763,7 +863,50 @@ interface(`auth_rw_faillog',`
') ')
logging_search_logs($1) logging_search_logs($1)
@ -27608,7 +27609,7 @@ index 3efd5b6..9e85ea0 100644
') ')
####################################### #######################################
@@ -824,9 +966,29 @@ interface(`auth_rw_lastlog',` @@ -824,9 +967,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr }; allow $1 lastlog_t:file { rw_file_perms lock setattr };
') ')
@ -27639,7 +27640,7 @@ index 3efd5b6..9e85ea0 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -834,12 +996,27 @@ interface(`auth_rw_lastlog',` @@ -834,12 +997,27 @@ interface(`auth_rw_lastlog',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -27670,7 +27671,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -854,15 +1031,15 @@ interface(`auth_domtrans_pam',` @@ -854,15 +1032,15 @@ interface(`auth_domtrans_pam',`
# #
interface(`auth_signal_pam',` interface(`auth_signal_pam',`
gen_require(` gen_require(`
@ -27689,7 +27690,7 @@ index 3efd5b6..9e85ea0 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -875,13 +1052,33 @@ interface(`auth_signal_pam',` @@ -875,13 +1053,33 @@ interface(`auth_signal_pam',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -27727,7 +27728,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -959,9 +1156,30 @@ interface(`auth_manage_var_auth',` @@ -959,9 +1157,30 @@ interface(`auth_manage_var_auth',`
') ')
files_search_var($1) files_search_var($1)
@ -27761,7 +27762,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -1040,6 +1258,10 @@ interface(`auth_manage_pam_pid',` @@ -1040,6 +1259,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1) files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms; allow $1 pam_var_run_t:file manage_file_perms;
@ -27772,7 +27773,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -1176,6 +1398,7 @@ interface(`auth_manage_pam_console_data',` @@ -1176,6 +1399,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1) files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@ -27780,7 +27781,7 @@ index 3efd5b6..9e85ea0 100644
') ')
####################################### #######################################
@@ -1576,6 +1799,25 @@ interface(`auth_setattr_login_records',` @@ -1576,6 +1800,25 @@ interface(`auth_setattr_login_records',`
######################################## ########################################
## <summary> ## <summary>
@ -27806,7 +27807,7 @@ index 3efd5b6..9e85ea0 100644
## Read login records files (/var/log/wtmp). ## Read login records files (/var/log/wtmp).
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',` @@ -1726,24 +1969,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1) logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms; allow $1 wtmp_t:file manage_file_perms;
@ -27832,7 +27833,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',` @@ -1767,11 +1993,13 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/> ## <infoflow type="both" weight="10"/>
# #
interface(`auth_use_nsswitch',` interface(`auth_use_nsswitch',`
@ -27849,7 +27850,7 @@ index 3efd5b6..9e85ea0 100644
') ')
######################################## ########################################
@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',` @@ -1805,3 +2033,280 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords;
') ')
@ -37269,7 +37270,7 @@ index d43f3b1..870bc36 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3822072..1b9a765 100644 index 3822072..929107c 100644
--- a/policy/modules/system/selinuxutil.if --- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',` @@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@ -37289,7 +37290,7 @@ index 3822072..1b9a765 100644
+ type load_policy_exec_t; + type load_policy_exec_t;
+ ') + ')
+ +
+ allow $1 load_policy_exec_t:file audit_access; + allow $1 load_policy_exec_t:file execute;
+') +')
+ +
+######################################## +########################################
@ -37486,7 +37487,7 @@ index 3822072..1b9a765 100644
+ type setfiles_exec_t; + type setfiles_exec_t;
+ ') + ')
+ +
+ allow $1 setfiles_exec_t:file audit_access; + allow $1 setfiles_exec_t:file execute;
+') +')
+ +
+######################################## +########################################
@ -37863,28 +37864,10 @@ index 3822072..1b9a765 100644
') ')
####################################### #######################################
@@ -1067,6 +1512,42 @@ interface(`seutil_get_semanage_read_lock',` @@ -1067,6 +1512,24 @@ interface(`seutil_get_semanage_read_lock',`
####################################### #######################################
## <summary> ## <summary>
+## Allow access check on module store
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_access_check_semanage_read_lock',`
+ gen_require(`
+ type semanage_read_lock_t;
+ ')
+
+ allow $1 semanage_read_lock_t:file audit_access;
+')
+
+#######################################
+## <summary>
+## Dontaudit access check on module store +## Dontaudit access check on module store
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -37898,7 +37881,7 @@ index 3822072..1b9a765 100644
+ type semanage_read_lock_t; + type semanage_read_lock_t;
+ ') + ')
+ +
+ dontaudit $1 semanage_read_lock_t:file audit_access; + dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access;
+') +')
+ +
+####################################### +#######################################
@ -37906,7 +37889,7 @@ index 3822072..1b9a765 100644
## Get trans lock on module store ## Get trans lock on module store
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1137,3 +1618,122 @@ interface(`seutil_dontaudit_libselinux_linked',` @@ -1137,3 +1600,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1) selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1) seutil_dontaudit_read_config($1)
') ')
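Review bot: `mls_process_write_all_levels($1)` at L31 is an unconditional MLS exemption handed to every domain that calls `auth_login_pgm_domain` (L24), and by its name it appears to subsume the `mls_process_write_to_clearance($1)` kept on the line above, so the pair now reads as if one of them is a leftover. Nothing in the hunk says which denial on an MLS system motivated widening from "to clearance" to "all levels", and a later reader of the interface cannot tell whether the narrower grant may be dropped. I would put a why-comment above the new line, e.g. `# login programs need process write access beyond their own clearance (cite the denial/bug); to_clearance kept for callers that rely on it`, and confirm that the broader attribute is really wanted for all login programs rather than the one that triggered it. The interface body continues past the visible lines, so any other MLS calls it makes are not reviewable here.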


@ -21620,7 +21620,7 @@ index 62d22cb..f8ab4af 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") + files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
') ')
diff --git a/dbus.te b/dbus.te diff --git a/dbus.te b/dbus.te
index c9998c8..94ff984 100644 index c9998c8..011faba 100644
--- a/dbus.te --- a/dbus.te
+++ b/dbus.te +++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(` @@ -4,17 +4,15 @@ gen_require(`
@ -21744,7 +21744,7 @@ index c9998c8..94ff984 100644
mls_fd_use_all_levels(system_dbusd_t) mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t) mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t)
@@ -123,66 +122,165 @@ term_dontaudit_use_console(system_dbusd_t) @@ -123,66 +122,166 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t) auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t)
@ -21753,6 +21753,7 @@ index c9998c8..94ff984 100644
+corecmd_read_bin_sockets(system_dbusd_t) +corecmd_read_bin_sockets(system_dbusd_t)
+# needed for system-tools-backends +# needed for system-tools-backends
+corecmd_exec_shell(system_dbusd_t) +corecmd_exec_shell(system_dbusd_t)
+corecmd_exec_bin(system_dbusd_t)
+ +
+domain_use_interactive_fds(system_dbusd_t) +domain_use_interactive_fds(system_dbusd_t)
+domain_read_all_domains_state(system_dbusd_t) +domain_read_all_domains_state(system_dbusd_t)
@ -21924,7 +21925,7 @@ index c9998c8..94ff984 100644
kernel_read_kernel_sysctls(session_bus_type) kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type) corecmd_list_bin(session_bus_type)
@@ -191,23 +289,18 @@ corecmd_read_bin_files(session_bus_type) @@ -191,23 +290,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type) corecmd_read_bin_sockets(session_bus_type)
@ -21949,7 +21950,7 @@ index c9998c8..94ff984 100644
files_dontaudit_search_var(session_bus_type) files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type) fs_getattr_romfs(session_bus_type)
@@ -215,7 +308,6 @@ fs_getattr_xattr_fs(session_bus_type) @@ -215,7 +309,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type) fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type)
@ -21957,7 +21958,7 @@ index c9998c8..94ff984 100644
selinux_validate_context(session_bus_type) selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type) selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type) selinux_compute_create_context(session_bus_type)
@@ -225,18 +317,36 @@ selinux_compute_user_contexts(session_bus_type) @@ -225,18 +318,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type) auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type) logging_send_audit_msgs(session_bus_type)
@ -21999,7 +22000,7 @@ index c9998c8..94ff984 100644
') ')
######################################## ########################################
@@ -244,5 +354,9 @@ optional_policy(` @@ -244,5 +355,9 @@ optional_policy(`
# Unconfined access to this module # Unconfined access to this module
# #
@ -30267,10 +30268,10 @@ index c21a528..a746a2b 100644
/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) /var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
diff --git a/glance.if b/glance.if diff --git a/glance.if b/glance.if
index 9eacb2c..2f3fa34 100644 index 9eacb2c..7b19ad2 100644
--- a/glance.if --- a/glance.if
+++ b/glance.if +++ b/glance.if
@@ -1,5 +1,36 @@ @@ -1,5 +1,38 @@
## <summary>OpenStack image registry and delivery service.</summary> ## <summary>OpenStack image registry and delivery service.</summary>
+####################################### +#######################################
@ -30302,12 +30303,14 @@ index 9eacb2c..2f3fa34 100644
+ +
+ logging_send_syslog_msg($1_t) + logging_send_syslog_msg($1_t)
+ +
+ auth_use_nsswitch($1_t)
+
+') +')
+ +
######################################## ########################################
## <summary> ## <summary>
## Execute a domain transition to ## Execute a domain transition to
@@ -26,9 +57,9 @@ interface(`glance_domtrans_registry',` @@ -26,9 +59,9 @@ interface(`glance_domtrans_registry',`
## run glance api. ## run glance api.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@ -30319,7 +30322,7 @@ index 9eacb2c..2f3fa34 100644
## </param> ## </param>
# #
interface(`glance_domtrans_api',` interface(`glance_domtrans_api',`
@@ -242,8 +273,13 @@ interface(`glance_admin',` @@ -242,8 +275,13 @@ interface(`glance_admin',`
type glance_registry_initrc_exec_t, glance_api_initrc_exec_t; type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
') ')
@ -39451,7 +39454,7 @@ index f6c00d8..7b777ab 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55") + kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
') ')
diff --git a/kerberos.te b/kerberos.te diff --git a/kerberos.te b/kerberos.te
index 8833d59..534f815 100644 index 8833d59..61910d0 100644
--- a/kerberos.te --- a/kerberos.te
+++ b/kerberos.te +++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@ -39774,8 +39777,12 @@ index 8833d59..534f815 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms; allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
@@ -303,26 +341,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) @@ -301,27 +339,25 @@ manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+kernel_read_system_state(kpropd_t)
+
corecmd_exec_bin(kpropd_t) corecmd_exec_bin(kpropd_t)
-corenet_all_recvfrom_unlabeled(kpropd_t) -corenet_all_recvfrom_unlabeled(kpropd_t)
@ -39795,13 +39802,14 @@ index 8833d59..534f815 100644
selinux_validate_context(kpropd_t) selinux_validate_context(kpropd_t)
logging_send_syslog_msg(kpropd_t) -logging_send_syslog_msg(kpropd_t)
+auth_use_nsswitch(kpropd_t)
-miscfiles_read_localization(kpropd_t) -miscfiles_read_localization(kpropd_t)
- +logging_send_syslog_msg(kpropd_t)
seutil_read_file_contexts(kpropd_t) seutil_read_file_contexts(kpropd_t)
sysnet_dns_name_resolve(kpropd_t)
diff --git a/kerneloops.if b/kerneloops.if diff --git a/kerneloops.if b/kerneloops.if
index 714448f..fa0c994 100644 index 714448f..fa0c994 100644
--- a/kerneloops.if --- a/kerneloops.if
@ -42048,10 +42056,10 @@ index 0000000..236707b
+ +
diff --git a/linuxptp.te b/linuxptp.te diff --git a/linuxptp.te b/linuxptp.te
new file mode 100644 new file mode 100644
index 0000000..affa9bd index 0000000..15aea48
--- /dev/null --- /dev/null
+++ b/linuxptp.te +++ b/linuxptp.te
@@ -0,0 +1,173 @@ @@ -0,0 +1,172 @@
+policy_module(linuxptp, 1.0.0) +policy_module(linuxptp, 1.0.0)
+ +
+ +
@ -42224,7 +42232,6 @@ index 0000000..affa9bd
+optional_policy(` +optional_policy(`
+ gpsd_rw_shm(ptp4l_t) + gpsd_rw_shm(ptp4l_t)
+') +')
+
diff --git a/lircd.if b/lircd.if diff --git a/lircd.if b/lircd.if
index dff21a7..b6981c8 100644 index dff21a7..b6981c8 100644
--- a/lircd.if --- a/lircd.if
@ -54533,7 +54540,7 @@ index 94b9734..448a7e8 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if diff --git a/networkmanager.if b/networkmanager.if
index 86dc29d..1cd0d0e 100644 index 86dc29d..98fdac1 100644
--- a/networkmanager.if --- a/networkmanager.if
+++ b/networkmanager.if +++ b/networkmanager.if
@@ -2,7 +2,7 @@ @@ -2,7 +2,7 @@
@ -54757,7 +54764,7 @@ index 86dc29d..1cd0d0e 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -241,13 +306,13 @@ interface(`networkmanager_append_log_files',` @@ -241,13 +306,32 @@ interface(`networkmanager_append_log_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
@ -54770,10 +54777,29 @@ index 86dc29d..1cd0d0e 100644
files_search_pids($1) files_search_pids($1)
- allow $1 NetworkManager_var_run_t:file read_file_perms; - allow $1 NetworkManager_var_run_t:file read_file_perms;
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) + manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
+')
+
+########################################
+## <summary>
+## Manage NetworkManager PID sock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`networkmanager_manage_pid_sock_files',`
+ gen_require(`
+ type NetworkManager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
') ')
#################################### ####################################
@@ -272,14 +337,33 @@ interface(`networkmanager_stream_connect',` @@ -272,14 +356,33 @@ interface(`networkmanager_stream_connect',`
######################################## ########################################
## <summary> ## <summary>
@ -54809,7 +54835,7 @@ index 86dc29d..1cd0d0e 100644
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
## Role allowed access. ## Role allowed access.
@@ -287,33 +371,132 @@ interface(`networkmanager_stream_connect',` @@ -287,33 +390,132 @@ interface(`networkmanager_stream_connect',`
## </param> ## </param>
## <rolecap/> ## <rolecap/>
# #
@ -61915,7 +61941,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1) domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r; role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te diff --git a/openvpn.te b/openvpn.te
index 63957a3..ba34f72 100644 index 63957a3..57fbf6d 100644
--- a/openvpn.te --- a/openvpn.te
+++ b/openvpn.te +++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2) @@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@ -62040,7 +62066,7 @@ index 63957a3..ba34f72 100644
') ')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
@@ -164,10 +188,19 @@ tunable_policy(`openvpn_can_network_connect',` @@ -164,10 +188,20 @@ tunable_policy(`openvpn_can_network_connect',`
') ')
optional_policy(` optional_policy(`
@ -62054,13 +62080,14 @@ index 63957a3..ba34f72 100644
optional_policy(` optional_policy(`
+ networkmanager_stream_connect(openvpn_t) + networkmanager_stream_connect(openvpn_t)
+ networkmanager_manage_pid_files(openvpn_t) + networkmanager_manage_pid_files(openvpn_t)
+ networkmanager_manage_pid_sock_files(openvpn_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
dbus_system_bus_client(openvpn_t) dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t) dbus_connect_system_bus(openvpn_t)
@@ -175,3 +208,27 @@ optional_policy(` @@ -175,3 +209,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t) networkmanager_dbus_chat(openvpn_t)
') ')
') ')
@ -73549,10 +73576,10 @@ index 6643b49..dd0c3d3 100644
optional_policy(` optional_policy(`
diff --git a/puppet.fc b/puppet.fc diff --git a/puppet.fc b/puppet.fc
index d68e26d..cad91e2 100644 index d68e26d..d2c4d2a 100644
--- a/puppet.fc --- a/puppet.fc
+++ b/puppet.fc +++ b/puppet.fc
@@ -1,18 +1,20 @@ @@ -1,18 +1,21 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) -/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0) +/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
@ -73567,6 +73594,7 @@ index d68e26d..cad91e2 100644
+#helper scripts +#helper scripts
+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0) +/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+/usr/bin/start-puppet-ca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0) -/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) -/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
@ -85814,7 +85842,7 @@ index ef3b225..d248cd3 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t) init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1) domain_system_change_exemption($1)
diff --git a/rpm.te b/rpm.te diff --git a/rpm.te b/rpm.te
index 6fc360e..1abda8b 100644 index 6fc360e..15fcd26 100644
--- a/rpm.te --- a/rpm.te
+++ b/rpm.te +++ b/rpm.te
@@ -1,15 +1,13 @@ @@ -1,15 +1,13 @@
@ -86156,7 +86184,7 @@ index 6fc360e..1abda8b 100644
mls_file_read_all_levels(rpm_script_t) mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t)
@@ -331,30 +331,52 @@ storage_raw_write_fixed_disk(rpm_script_t) @@ -331,30 +331,53 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t) term_list_ptys(rpm_script_t)
@ -86186,6 +86214,7 @@ index 6fc360e..1abda8b 100644
+init_disable_services(rpm_script_t) +init_disable_services(rpm_script_t)
+init_enable_services(rpm_script_t) +init_enable_services(rpm_script_t)
+init_reload_services(rpm_script_t) +init_reload_services(rpm_script_t)
+init_manage_transient_unit(rpm_script_t)
init_domtrans_script(rpm_script_t) init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t) init_telinit(rpm_script_t)
@ -86218,7 +86247,7 @@ index 6fc360e..1abda8b 100644
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
optional_policy(` optional_policy(`
@@ -363,41 +385,69 @@ ifdef(`distro_redhat',` @@ -363,41 +386,69 @@ ifdef(`distro_redhat',`
') ')
') ')
@ -86299,7 +86328,7 @@ index 6fc360e..1abda8b 100644
optional_policy(` optional_policy(`
java_domtrans_unconfined(rpm_script_t) java_domtrans_unconfined(rpm_script_t)
@@ -409,6 +459,6 @@ optional_policy(` @@ -409,6 +460,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -97492,7 +97521,7 @@ index a240455..f4d8c79 100644
- admin_pattern($1, sssd_log_t) - admin_pattern($1, sssd_log_t)
') ')
diff --git a/sssd.te b/sssd.te diff --git a/sssd.te b/sssd.te
index 2d8db1f..dbb5dd6 100644 index 2d8db1f..fe72f8e 100644
--- a/sssd.te --- a/sssd.te
+++ b/sssd.te +++ b/sssd.te
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t) @@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
@ -97550,7 +97579,7 @@ index 2d8db1f..dbb5dd6 100644
corecmd_exec_bin(sssd_t) corecmd_exec_bin(sssd_t)
@@ -83,28 +79,36 @@ domain_read_all_domains_state(sssd_t) @@ -83,28 +79,34 @@ domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t) domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t) files_list_tmp(sssd_t)
@ -97571,11 +97600,9 @@ index 2d8db1f..dbb5dd6 100644
+seutil_rw_login_config_dirs(sssd_t) +seutil_rw_login_config_dirs(sssd_t)
+seutil_manage_login_config_files(sssd_t) +seutil_manage_login_config_files(sssd_t)
+ +
+seutil_access_check_module_store(sssd_t) +seutil_dontaudit_access_check_load_policy(sssd_t)
+ +seutil_dontaudit_access_check_setfiles(sssd_t)
+seutil_access_check_load_policy(sssd_t) +seutil_dontaudit_access_check_semanage_read_lock(sssd_t)
+seutil_access_check_setfiles(sssd_t)
+seutil_access_check_semanage_read_lock(sssd_t)
mls_file_read_to_clearance(sssd_t) mls_file_read_to_clearance(sssd_t)
mls_socket_read_to_clearance(sssd_t) mls_socket_read_to_clearance(sssd_t)
@ -97591,7 +97618,7 @@ index 2d8db1f..dbb5dd6 100644
init_read_utmp(sssd_t) init_read_utmp(sssd_t)
@@ -112,18 +116,36 @@ logging_send_syslog_msg(sssd_t) @@ -112,18 +114,36 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t) logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t) miscfiles_read_generic_certs(sssd_t)
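Review bot: `networkmanager_manage_pid_sock_files(openvpn_t)` at L428 gives openvpn_t create/unlink/rename on every sock file labeled NetworkManager_var_run_t, and the file-context line at L359 (`/var/run/wpa_supplicant(/.*)?`) puts wpa_supplicant's control directory under that same type, so openvpn can now remove or replace sockets belonging to NetworkManager and wpa_supplicant, not just the per-connection files the 3.13.1-94 change needed it to create. If openvpn only has to create and use its own sockets there, `create_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)` next to the existing `networkmanager_stream_connect` would be the narrower grant; if the full manage set is intended, the new interface at L390-L397 should say so in its summary, e.g. `## Create, read, write, and delete NetworkManager PID sock files (shared with wpa_supplicant).`. The openvpn.te optional_policy block continues outside the visible hunk.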


@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 94%{?dist} Release: 95%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -604,6 +604,9 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-95
- Allow networkmanager manage also openvpn sock pid files.
* Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94 * Wed Nov 19 2014 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-94
- Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling. - Allow openvpn to create uuid connections in /var/run/NetworkManager with NM labeling.
- Allow sendmail to create dead.letter. BZ(1165443) - Allow sendmail to create dead.letter. BZ(1165443)