From 2533bf073ca02e615a3a54f65c9c94a552c65f4e Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Sep 16 2013 16:49:27 +0000 Subject: * Mon Sep 16 2013 Lukas Vrabec 3.12.1-74.4 - fix bad labels in puppet.if - Allow tcsd to read utmp file - Define svirt_socket_t as a domain_type - Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config file - Allow passenger to execute ifconfig --- diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 35a932e..f2be4bd 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -53423,7 +53423,7 @@ index bf59ef7..c050b37 100644 + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) ') diff --git a/passenger.te b/passenger.te -index 4e114ff..6691677 100644 +index 4e114ff..1b1cb71 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ @@ -53474,7 +53474,7 @@ index 4e114ff..6691677 100644 manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -@@ -45,19 +50,20 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +@@ -45,19 +50,22 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) @@ -53487,6 +53487,8 @@ index 4e114ff..6691677 100644 kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) ++kernel_read_network_state(passenger_t) ++kernel_read_net_sysctls(passenger_t) corenet_all_recvfrom_netlabel(passenger_t) -corenet_all_recvfrom_unlabeled(passenger_t) @@ -53500,7 +53502,7 @@ index 4e114ff..6691677 100644 corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -66,8 +72,6 @@ dev_read_urand(passenger_t) +@@ -66,14 +74,14 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) 
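Review bot: The two new rules in the @@ -53487 hunk, `kernel_read_network_state(passenger_t)` and `kernel_read_net_sysctls(passenger_t)`, and `sysnet_exec_ifconfig(passenger_t)` in the @@ -53509 hunk on the next line, are added without a comment tying them to the access that motivated them; the commit message only says "Allow passenger to execute ifconfig". Because sysnet_exec_ifconfig runs ifconfig inside passenger_t rather than transitioning to ifconfig_t, every access ifconfig makes is charged to passenger_t, so the network-state reads look like that fallout and any further ones will surface as passenger_t denials. A one-line comment above the exec rule, such as `# passenger runs ifconfig in its own domain (no transition to ifconfig_t); see BZ# <bug id>`, would record the intent for whoever sees the next denial. Keeping ifconfig in the caller domain is the tighter choice here, since no net_admin is granted, and that is worth stating rather than leaving implicit. Both inner passenger.te hunks continue outside this outer hunk.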
@@ -53509,7 +53511,15 @@ index 4e114ff..6691677 100644 auth_use_nsswitch(passenger_t) logging_send_syslog_msg(passenger_t) -@@ -90,14 +94,21 @@ optional_policy(` + + miscfiles_read_localization(passenger_t) + ++sysnet_exec_ifconfig(passenger_t) ++ + userdom_dontaudit_use_user_terminals(passenger_t) + + optional_policy(` +@@ -90,14 +98,21 @@ optional_policy(` ') optional_policy(` @@ -62957,7 +62967,7 @@ index 4ecda09..8c0b242 100644 +/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) +/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0) diff --git a/puppet.if b/puppet.if -index 7cb8b1f..46650f0 100644 +index 7cb8b1f..9422c90 100644 --- a/puppet.if +++ b/puppet.if @@ -1,4 +1,32 @@ @@ -62985,11 +62995,11 @@ index 7cb8b1f..46650f0 100644 +# +interface(`puppet_domtrans_master',` + gen_require(` -+ type puppetmaster_t, puppetmaster_t_exec_t; ++ type puppetmaster_t, puppetmaster_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, puppetmaster_t_exec_t, puppetmaster_t) ++ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t) +') ######################################## @@ -63268,7 +63278,7 @@ index 7cb8b1f..46650f0 100644 - files_search_var_lib($1) - admin_pattern($1, puppet_var_lib_t) -+ logging_search_logs($1) ++ files_search_etc($1) + list_dirs_pattern($1, puppet_etc_t, puppet_etc_t) + read_files_pattern($1, puppet_etc_t, puppet_etc_t) +') @@ -85241,10 +85251,10 @@ index b42ec1d..91b8f71 100644 tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/tcsd.te b/tcsd.te -index ac8213a..20fa71f 100644 +index ac8213a..14da480 100644 --- a/tcsd.te +++ b/tcsd.te -@@ -41,10 +41,6 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t) +@@ -41,10 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t) dev_read_urand(tcsd_t) dev_rw_tpm(tcsd_t) 
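Review bot: In the @@ -63268 hunk the search parent is changed from `logging_search_logs($1)` to `files_search_etc($1)`, which matches the list/read rules on puppet_etc_t that follow, but the interface's name and its `## <summary>`/`## <param>` header lie above the hunk, so it is not visible whether the description still describes the earlier var_lib admin access that the surrounding context lines remove. If the header was not updated, callers will grant the interface for the wrong reason; a summary along the lines of `## Read puppet configuration files.` with a `## <param name="domain">` block is what the body now does, assuming the header is indeed stale. The type-name fix in the @@ -62985 hunk (`puppetmaster_exec_t`) is consistent with the gen_require above it and needs no change.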
@@ -85252,9 +85262,11 @@ index ac8213a..20fa71f 100644 - auth_use_nsswitch(tcsd_t) - logging_send_syslog_msg(tcsd_t) -- +-logging_send_syslog_msg(tcsd_t) ++init_read_utmp(tcsd_t) + -miscfiles_read_localization(tcsd_t) ++logging_send_syslog_msg(tcsd_t) diff --git a/telepathy.fc b/telepathy.fc index c7de0cf..9813503 100644 --- a/telepathy.fc @@ -91716,7 +91728,7 @@ index 9dec06c..4e31afe 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..6eecffc 100644 +index 1f22fba..89679f0 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -93473,7 +93485,7 @@ index 1f22fba..6eecffc 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1350,121 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -93588,6 +93600,7 @@ index 1f22fba..6eecffc 100644 +# + +type svirt_socket_t; ++domain_type(svirt_socket_t) +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; diff --git a/selinux-policy.spec b/selinux-policy.spec index aeb892b..901bb7b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.3%{?dist} +Release: 74.4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
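Review bot: `++init_read_utmp(tcsd_t)` grants the TPM daemon read access to utmp, and neither the hunk nor the commit message says what tcsd does with it. If the read is only a library side effect at startup, `init_dontaudit_read_utmp(tcsd_t)` would silence the denial without widening what tcsd_t can read; if tcsd really consumes utmp, a comment above the rule such as `# tcsd reads utmp because <reason from the AVC denial>` keeps the allow from looking accidental. The move of logging_send_syslog_msg(tcsd_t) below the new rule is a pure reorder. The inner tcsd.te hunk starts above this outer hunk.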
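Review bot: `++domain_type(svirt_socket_t)` makes svirt_socket_t a process domain, so it picks up every base rule written against the domain attribute, yet nothing in this outer hunk shows an entrypoint or a transition into it, and the enclosing virt.te hunk (+1350,121) continues outside it. Without a visible domain_entry_file/domain_auto_trans pair, the connectto rules on the following lines only ever match a process that some other part of the policy places in svirt_socket_t, or a socket labelled that way by the creating program; a comment above `type svirt_socket_t;` naming which process runs in it (or that the label is applied to sockets at creation time) would make the intent checkable. The two allow lines after it are unchanged context here, so the breadth of their `create_stream_socket_perms` is not introduced by this commit.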
@@ -539,6 +539,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Sep 16 2013 Lukas Vrabec 3.12.1-74.4 +- fix bad labels in puppet.if +- Allow tcsd to read utmp file +- Define svirt_socket_t as a domain_type +- Fix puppet_domtrans_master() interface to make passenger working correctly if it wants to read puppet config file +- Allow passenger to execute ifconfig + * Tue Sep 11 2013 Lukas Vrabec 3.12.1-74.3 - Treat usr_t just like bin_t for transitions and executions - Allow memcache to read sysfs data