From 5e78b003939663ea460c2b0ff7e3ccd1a1171cf3 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: May 16 2016 15:29:54 +0000 Subject: * Mon May 16 2016 Lukas Vrabec 3.13.1-190 - Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. - Allow zabbix to connect to postgresql port - Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149) - Allow systemd to read efivarfs. Resolve: #121 --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 43d010f..6d06b4c 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index aaade96..35a266a 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -27728,10 +27728,10 @@ index 0306134..bb5f3dd 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..5c271ce 100644 +index 76d9f66..7528851 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,16 +1,41 @@ +@@ -1,16 +1,42 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) @@ -27765,6 +27765,7 @@ index 76d9f66..5c271ce 100644 +/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) ++/usr/libexec/openssh/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) +/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) @@ -36657,7 +36658,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..1522b3c 100644 +index 17eda24..09abd53 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36882,9 +36883,12 @@ index 17eda24..1522b3c 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +257,64 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +256,67 @@ fs_list_inotifyfs(init_t) + # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) ++fs_read_efivarfs_files(init_t) ++ mcs_process_set_categories(init_t) -mcs_killall(init_t) @@ -36952,7 +36956,7 @@ index 17eda24..1522b3c 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +323,252 @@ ifdef(`distro_gentoo',` +@@ -186,29 +325,252 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37214,7 +37218,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -216,7 +576,30 @@ optional_policy(` +@@ -216,7 +578,30 @@ optional_policy(` ') optional_policy(` @@ -37246,7 +37250,7 @@ index 17eda24..1522b3c 100644 ') ######################################## -@@ -225,9 +608,9 @@ optional_policy(` +@@ -225,9 +610,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37258,7 +37262,7 @@ index 17eda24..1522b3c 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +641,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +643,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
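Review bot: The new `fs_read_efivarfs_files(init_t)` gives no hint of why init needs EFI variable access, which the commit message only ties to issue #121; a why-comment above it, e.g. `# systemd reads EFI variables from efivarfs (#121)`, would save the next reviewer the lookup. Read-only is the right scope here: nothing on the new side grants write or manage on efivarfs, and the surrounding init_t rules are untouched. This hunk does not show `fs_read_efivarfs_files` being defined, so the build depends on the base patch already providing that interface in filesystem.if. The init_t rule block continues on both sides of the hunk.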
@@ -37275,7 +37279,7 @@ index 17eda24..1522b3c 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +666,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +668,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37318,7 +37322,7 @@ index 17eda24..1522b3c 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +703,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +705,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37330,7 +37334,7 @@ index 17eda24..1522b3c 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +715,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +717,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37341,7 +37345,7 @@ index 17eda24..1522b3c 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +726,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +728,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37351,7 +37355,7 @@ index 17eda24..1522b3c 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +735,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +737,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -37359,7 +37363,7 @@ index 17eda24..1522b3c 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +742,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +744,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37367,7 +37371,7 @@ index 17eda24..1522b3c 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +750,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +752,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37385,7 +37389,7 @@ index 17eda24..1522b3c 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +768,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +770,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37399,7 +37403,7 @@ index 17eda24..1522b3c 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +783,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +785,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37413,7 +37417,7 @@ index 17eda24..1522b3c 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +796,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +798,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -37424,7 +37428,7 @@ index 17eda24..1522b3c 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +809,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +811,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37432,7 +37436,7 @@ index 17eda24..1522b3c 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +828,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +830,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37456,7 +37460,7 @@ index 17eda24..1522b3c 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +861,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +863,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37464,7 +37468,7 @@ index 17eda24..1522b3c 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +895,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +897,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37475,7 +37479,7 @@ index 17eda24..1522b3c 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +919,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +921,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37484,7 +37488,7 @@ index 17eda24..1522b3c 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +934,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +936,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -37492,7 +37496,7 @@ index 17eda24..1522b3c 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +955,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +957,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37500,7 +37504,7 @@ index 17eda24..1522b3c 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +965,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +967,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37545,7 +37549,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -559,14 +1010,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1012,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37577,7 +37581,7 @@ index 17eda24..1522b3c 100644 ') ') -@@ -577,6 +1045,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1047,39 @@ ifdef(`distro_suse',` ') ') @@ -37617,7 +37621,7 @@ index 17eda24..1522b3c 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1090,8 @@ optional_policy(` +@@ -589,6 +1092,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37626,7 +37630,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -610,6 +1113,7 @@ optional_policy(` +@@ -610,6 +1115,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37634,7 +37638,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -626,6 +1130,17 @@ optional_policy(` +@@ -626,6 +1132,17 @@ optional_policy(` ') optional_policy(` @@ -37652,7 +37656,7 @@ index 17eda24..1522b3c 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1157,13 @@ optional_policy(` +@@ -642,9 +1159,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -37666,7 +37670,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -657,15 +1176,11 @@ optional_policy(` +@@ -657,15 +1178,11 @@ optional_policy(` ') optional_policy(` @@ -37684,7 +37688,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -686,6 +1201,15 @@ optional_policy(` +@@ -686,6 +1203,15 @@ optional_policy(` ') optional_policy(` @@ -37700,7 +37704,7 @@ index 17eda24..1522b3c 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1250,7 @@ optional_policy(` +@@ -726,6 +1252,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37708,7 +37712,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -743,7 +1268,13 @@ optional_policy(` +@@ -743,7 +1270,13 @@ optional_policy(` ') optional_policy(` @@ -37723,7 +37727,7 @@ index 17eda24..1522b3c 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1297,10 @@ optional_policy(` +@@ -766,6 +1299,10 @@ optional_policy(` ') optional_policy(` @@ -37734,7 +37738,7 @@ index 17eda24..1522b3c 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1310,20 @@ optional_policy(` +@@ -775,10 +1312,20 @@ optional_policy(` ') optional_policy(` @@ -37755,7 +37759,7 @@ index 17eda24..1522b3c 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1332,10 @@ optional_policy(` +@@ -787,6 +1334,10 @@ optional_policy(` ') optional_policy(` @@ -37766,7 +37770,7 @@ index 17eda24..1522b3c 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1357,6 @@ optional_policy(` +@@ -808,8 +1359,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37775,7 +37779,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -818,6 +1365,10 @@ optional_policy(` +@@ -818,6 +1367,10 @@ optional_policy(` ') optional_policy(` 
@@ -37786,7 +37790,7 @@ index 17eda24..1522b3c 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1378,12 @@ optional_policy(` +@@ -827,10 +1380,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37799,7 +37803,7 @@ index 17eda24..1522b3c 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1410,62 @@ optional_policy(` +@@ -857,21 +1412,62 @@ optional_policy(` ') optional_policy(` @@ -37863,7 +37867,7 @@ index 17eda24..1522b3c 100644 ') optional_policy(` -@@ -887,6 +1481,10 @@ optional_policy(` +@@ -887,6 +1483,10 @@ optional_policy(` ') optional_policy(` @@ -37874,7 +37878,7 @@ index 17eda24..1522b3c 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1495,218 @@ optional_policy(` +@@ -897,3 +1497,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -39558,7 +39562,7 @@ index 808ba93..57a68da 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 54f8fa5..1584203 100644 +index 54f8fa5..544b8e3 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -39652,10 +39656,14 @@ index 54f8fa5..1584203 100644 optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +150,14 @@ optional_policy(` +@@ -131,6 +150,18 @@ optional_policy(` ') optional_policy(` ++ glusterd_dontaudit_read_lib_dirs(ldconfig_t) ++') ++ ++optional_policy(` + gnome_append_generic_cache_files(ldconfig_t) +') + @@ -39667,7 +39675,7 @@ index 54f8fa5..1584203 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +168,3 @@ optional_policy(` +@@ -141,6 +172,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 58b2d15..fc313f0 100644 
--- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -31640,10 +31640,10 @@ index 5cd0909..bd3c3d2 100644 +corenet_tcp_connect_glance_registry_port(glance_scrubber_t) diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..cbd6aa4 +index 0000000..52b4110 --- /dev/null +++ b/glusterd.fc -@@ -0,0 +1,20 @@ +@@ -0,0 +1,22 @@ +/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) + +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) @@ -31659,17 +31659,19 @@ index 0000000..cbd6aa4 +/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) + +/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) ++/var/log/ganesha.log -- gen_context(system_u:object_r:glusterd_log_t,s0) + +/var/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) +/var/run/glusterd.* -s gen_context(system_u:object_r:glusterd_var_run_t,s0) ++/var/run/ganesha.* -- gen_context(system_u:object_r:glusterd_var_run_t,s0) diff --git a/glusterd.if b/glusterd.if new file mode 100644 -index 0000000..fc9bf19 +index 0000000..764ae00 --- /dev/null +++ b/glusterd.if -@@ -0,0 +1,243 @@ +@@ -0,0 +1,261 @@ + +## policy for glusterd + @@ -31830,6 +31832,24 @@ index 0000000..fc9bf19 + +###################################### +## ++## Dontaudit Read /var/lib/glusterd files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`glusterd_dontaudit_read_lib_dirs',` ++ gen_require(` ++ type glusterd_var_lib_t; ++ ') ++ ++ dontaudit $1 glusterd_var_lib_t:dir list_dir_perms; ++') ++ ++###################################### ++## +## Read and write /var/lib/glusterd files. +## +## @@ -31915,10 +31935,10 @@ index 0000000..fc9bf19 + 
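Review bot: The two new glusterd.fc entries use an unescaped `.`: `/var/log/ganesha.log` matches any character in that position, and `/var/run/ganesha.*` labels every file whose name starts with `ganesha`, not only the `ganesha.pid` named in the commit message. The neighbouring `/var/run/glusterd.*` lines already follow the loose form, so this is consistent with the file, but the new lines can be tightened at no cost: `/var/log/ganesha\.log -- gen_context(system_u:object_r:glusterd_log_t,s0)` and, if the pid file really is `ganesha.pid`, `/var/run/ganesha\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)`. Note also that the commit message calls the types `gluster_log_t` and `gluster_var_run_t` while the entries correctly use `glusterd_log_t` and `glusterd_var_run_t`.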
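Review bot: The summary of the new `glusterd_dontaudit_read_lib_dirs` interface says "Dontaudit Read /var/lib/glusterd files", but the rule it contains is `dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;`, which covers directory listing only and no file class. Rewording the summary to match, `## Do not audit attempts to list /var/lib/glusterd directories.`, keeps the generated interface documentation accurate for callers such as the ldconfig_t use added in libraries.te by this same commit. The interface's XML markup appears stripped in this rendering, so only the wording is being raised.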
diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..afabf8c +index 0000000..59e84ca --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,297 @@ +@@ -0,0 +1,295 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32002,10 +32022,8 @@ index 0000000..afabf8c +allow glusterd_t glusterd_tmp_t:dir mounton; + +manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) -+logging_log_filetrans(glusterd_t, glusterd_log_t, dir) ++manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t) ++logging_log_filetrans(glusterd_t, glusterd_log_t, { file dir }) + +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) @@ -45368,7 +45386,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..3c99496 100644 +index be0ab84..688605e 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0) @@ -45493,7 +45511,7 @@ index be0ab84..3c99496 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +126,52 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +126,54 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -45524,6 +45542,8 @@ index be0ab84..3c99496 100644 +miscfiles_read_hwdata(logrotate_t) -userdom_use_user_terminals(logrotate_t) ++term_dontaudit_use_unallocated_ttys(logrotate_t) ++ +userdom_use_inherited_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) 
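Review bot: Replacing `append_files_pattern`, `create_files_pattern` and `setattr_files_pattern` with `manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)` widens the domain from append-only logging to read, write, unlink and rename on its own log files, which gives up the tamper-resistance the narrower rules provided; the commit message only asks for create, which the old rules already granted. If the motivating denial was the transition for `/var/log/ganesha.log` created directly under /var/log, the `{ file dir }` change to `logging_log_filetrans` is what fixes it and the three narrower patterns could stay. The unnamed file transition also labels every file glusterd_t creates in /var/log as glusterd_log_t; if the base policy's `logging_log_filetrans` accepts the optional filename argument, `logging_log_filetrans(glusterd_t, glusterd_log_t, file, "ganesha.log")` next to the existing dir transition limits that to the one log. The glusterd_t rule block continues on both sides of this hunk.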
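Review bot: `term_dontaudit_use_unallocated_ttys(logrotate_t)` is added without being mentioned in the commit message or the spec changelog, so the denial it silences is undocumented. A one-line comment above it naming the observed AVC, e.g. `# dontaudit: <describe the denied tty access and its bug id here>` filled in with the real trigger, would let a later reviewer judge whether the dontaudit is still needed. Choosing dontaudit over allow is the right call here, since it hides the noise without granting tty access. The logrotate_t rule block continues outside the hunk.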
@@ -45552,7 +45572,7 @@ index be0ab84..3c99496 100644 ') optional_policy(` -@@ -135,16 +186,17 @@ optional_policy(` +@@ -135,16 +188,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -45572,7 +45592,7 @@ index be0ab84..3c99496 100644 ') optional_policy(` -@@ -170,6 +222,11 @@ optional_policy(` +@@ -170,6 +224,11 @@ optional_policy(` ') optional_policy(` @@ -45584,7 +45604,7 @@ index be0ab84..3c99496 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +235,7 @@ optional_policy(` +@@ -178,7 +237,7 @@ optional_policy(` ') optional_policy(` @@ -45593,7 +45613,7 @@ index be0ab84..3c99496 100644 ') optional_policy(` -@@ -198,17 +255,18 @@ optional_policy(` +@@ -198,17 +257,18 @@ optional_policy(` ') optional_policy(` @@ -45615,7 +45635,7 @@ index be0ab84..3c99496 100644 ') optional_policy(` -@@ -216,6 +274,14 @@ optional_policy(` +@@ -216,6 +276,14 @@ optional_policy(` ') optional_policy(` @@ -45630,7 +45650,7 @@ index be0ab84..3c99496 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +294,43 @@ optional_policy(` +@@ -228,26 +296,43 @@ optional_policy(` ') optional_policy(` @@ -117642,7 +117662,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..b23f29d 100644 +index 7f496c6..fccb7b1 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -117860,7 +117880,7 @@ index 7f496c6..b23f29d 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -170,6 +185,26 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) +@@ -170,6 +185,30 @@ corenet_sendrecv_ssh_client_packets(zabbix_agent_t) corenet_tcp_connect_ssh_port(zabbix_agent_t) corenet_tcp_sendrecv_ssh_port(zabbix_agent_t) 
@@ -117880,6 +117900,10 @@ index 7f496c6..b23f29d 100644 +corenet_tcp_connect_pop_port(zabbix_agent_t) +corenet_tcp_sendrecv_pop_port(zabbix_agent_t) + ++corenet_sendrecv_postgresql_client_packets(zabbix_agent_t) ++corenet_tcp_connect_postgresql_port(zabbix_agent_t) ++corenet_tcp_sendrecv_postgresql_port(zabbix_agent_t) ++ +corenet_sendrecv_smtp_client_packets(zabbix_agent_t) +corenet_tcp_connect_smtp_port(zabbix_agent_t) +corenet_tcp_sendrecv_smtp_port(zabbix_agent_t) @@ -117887,7 +117911,7 @@ index 7f496c6..b23f29d 100644 corenet_sendrecv_zabbix_client_packets(zabbix_agent_t) corenet_tcp_connect_zabbix_port(zabbix_agent_t) corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) -@@ -177,21 +212,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +216,49 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6adb153..bdb1cab 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 189%{?dist} +Release: 190%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -647,6 +647,12 @@ exit 0 %endif %changelog +* Mon May 16 2016 Lukas Vrabec 3.13.1-190 +- Label /var/log/ganesha.log as gluster_log_t Allow glusterd_t domain to create glusterd_log_t files. Label /var/run/ganesha.pid as gluster_var_run_t. +- Allow zabbix to connect to postgresql port +- Label /usr/libexec/openssh/sshd-keygen as sshd_keygen_exec_t. BZ(1335149) +- Allow systemd to read efivarfs. Resolve: #121 + * Tue May 10 2016 Lukas Vrabec 3.13.1-189 - Revert temporary fix: Replace generating man/html pages with pages from actual build. This is due to broken userspace with python3 in F23/Rawhide. Please Revert when userspace will be fixed
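Review bot: The three new postgresql port rules for `zabbix_agent_t` are unconditional, so every zabbix agent gains outbound access to the postgresql port whether or not it runs database checks. The neighbouring pop and smtp rules in this hunk take the same unconditional form, so this is consistent with the file, but if the module exposes a network tunable for the agent (not visible in this hunk), wrapping the three lines in a `tunable_policy` block would keep the default profile tighter. The zabbix_agent_t rule block continues outside the hunk.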