From 5dba96234217fa9ac022adb1c93af0b7a24d3c87 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jul 09 2013 14:16:24 +0000
Subject: - Allow mdamd to execute systemctl - Allow mdadm to read /dev/kvm - Allow ipsec_mgmt_t to read l2tpd pid content
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index e4654a0..b2f2392 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -28623,7 +28623,7 @@ index 0d4c8d3..a89c4a2 100644
 + ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..468dc31 100644
+index 9e54bf9..9a068f6 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28791,7 +28791,18 @@ index 9e54bf9..468dc31 100644
 optional_policy(`
 consoletype_exec(ipsec_mgmt_t)
-@@ -370,13 +397,12 @@ kernel_request_load_module(racoon_t)
+@@ -322,6 +349,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ l2tpd_read_pid_files(ipsec_mgmt_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(ipsec_mgmt_t)
+ ')
+
+@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t)
 corecmd_exec_shell(racoon_t)
 corecmd_exec_bin(racoon_t)
@@ -28811,7 +28822,7 @@ index 9e54bf9..468dc31 100644
 corenet_udp_bind_isakmp_port(racoon_t)
 corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +427,11 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t)
 logging_send_syslog_msg(racoon_t)
 logging_send_audit_msgs(racoon_t)
@@ -28824,7 +28835,7 @@ index 9e54bf9..468dc31 100644
 auth_can_read_shadow_passwords(racoon_t)
 tunable_policy(`racoon_read_shadow',`
 auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +465,9 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t)
 locallogin_use_fds(setkey_t)
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index d522f2d..69b3776 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -65573,7 +65573,7 @@ index 951db7f..6d6ec1d 100644
 + allow $1 mdadm_exec_t:file { getattr_file_perms execute };
 ')
 diff --git a/raid.te b/raid.te
-index 2c1730b..36f43a3 100644
+index 2c1730b..e9c20b8 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@@ -65586,7 +65586,7 @@ index 2c1730b..36f43a3 100644
 type mdadm_var_run_t alias mdadm_map_t;
 files_pid_file(mdadm_var_run_t)
 dev_associate(mdadm_var_run_t)
-@@ -25,23 +28,29 @@ dev_associate(mdadm_var_run_t)
+@@ -25,23 +28,31 @@ dev_associate(mdadm_var_run_t)
 #
 allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@@ -65610,6 +65610,8 @@ index 2c1730b..36f43a3 100644
 -files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
 +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
 +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
++
++can_exec(mdadm_t, mdadm_exec_t)
 kernel_getattr_core_if(mdadm_t)
 kernel_read_system_state(mdadm_t)
@@ -65620,7 +65622,7 @@ index 2c1730b..36f43a3 100644
 corecmd_exec_bin(mdadm_t)
 corecmd_exec_shell(mdadm_t)
-@@ -49,19 +58,24 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,19 +60,25 @@ corecmd_exec_shell(mdadm_t)
 dev_rw_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -65628,6 +65630,7 @@ index 2c1730b..36f43a3 100644
 +dev_read_framebuffer(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 dev_read_raw_memory(mdadm_t)
++dev_read_kvm(mdadm_t)
 +dev_read_nvram(mdadm_t)
 +dev_read_generic_files(mdadm_t)
@@ -65647,7 +65650,7 @@ index 2c1730b..36f43a3 100644
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
-@@ -70,16 +84,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +87,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)
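Review bot: `dev_read_kvm(mdadm_t)` in the `@@ -65628` hunk gives the RAID management domain read access to the KVM device, which is wider than mdadm plausibly needs for assembling arrays; if the AVC behind it came from mdadm sweeping /dev rather than from actually using the device, a dontaudit rule would quiet the denial without widening the domain, the same approach the surrounding `dev_dontaudit_getattr_all_chr_files(mdadm_t)` context already takes for getattr. Neither the rule nor the changelog records the trigger, so a comment above the new line such as `# mdadm needs read on /dev/kvm because <reason>; see <bug or AVC reference>` would let a later reviewer decide whether it can be narrowed. The enclosing raid.te policy continues outside this hunk.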
@@ -65664,10 +65667,10 @@ index 2c1730b..36f43a3 100644
 logging_send_syslog_msg(mdadm_t)
 -miscfiles_read_localization(mdadm_t)
--
++systemd_exec_systemctl(mdadm_t)
+
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_search_user_home_content(mdadm_t)
- userdom_dontaudit_use_user_terminals(mdadm_t)
 diff --git a/razor.fc b/razor.fc
 index 6723f4d..6e26673 100644
 --- a/razor.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e018030..03605ec 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 60%{?dist}
+Release: 61%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,11 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Mon Jul 8 2013 Miroslav Grepl 3.12.1-61
+- Allow mdamd to execute systemctl
+- Allow mdadm to read /dev/kvm
+- Allow ipsec_mgmt_t to read l2tpd pid content
+
 * Mon Jul 8 2013 Miroslav Grepl 3.12.1-60
 - Allow nsd_t to read /dev/urand
 - Allow mdadm_t to read framebuffer
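Review bot: `systemd_exec_systemctl(mdadm_t)` in the `@@ -65664` hunk lets mdadm run systemctl inside mdadm_t with no domain transition, so whatever init-control access that interface bundles (its body is not visible from this hunk; presumably a connection to systemd's control socket) becomes a permission of the whole RAID domain rather than of a narrower helper domain. That is probably unavoidable if mdadm itself invokes systemctl, but the hunk should say so: a comment above the new line such as `# mdadm execs systemctl for <reason>; see <bug or AVC reference>` records the justification and the scope a future tightening would have to preserve. The enclosing raid.te policy continues outside this hunk. The commit subject and the new spec changelog entry also spell the domain as "mdamd" in the systemctl bullet.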