From 672bb57a5ef27caf380f47304ca2cfe919383aea Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Dec 20 2013 09:41:27 +0000 Subject: * Fri Dec 20 2013 Lukas Vrabec 3.12.1-74.16 - Allow amanda to do backups over UDP - Add log support for sensord --- diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 5344e2c..55302d1 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -2038,7 +2038,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..ec7bb41 100644 +index ed45974..f367ba0 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2076,7 +2076,7 @@ index ed45974..ec7bb41 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -2088,11 +2088,12 @@ index ed45974..ec7bb41 100644 corenet_tcp_bind_generic_node(amanda_t) +corenet_tcp_bind_amanda_port(amanda_t) ++corenet_udp_bind_amanda_port(amanda_t) + corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -2100,7 +2101,7 @@ index ed45974..ec7bb41 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) 
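Review bot: The added `corenet_udp_bind_amanda_port(amanda_t)` in the amanda.te hunk covers only the port side of a UDP bind, and the only node rule visible next to it is `corenet_tcp_bind_generic_node(amanda_t)`. A UDP bind is also checked against the node type, so unless a UDP node rule exists in the part of amanda.te outside this hunk, amanda_t may still log a node_bind denial and backups over UDP will keep failing in enforcing mode. If it is missing, add `corenet_udp_bind_generic_node(amanda_t)` beside the TCP line. The grant itself is scoped to the amanda port type rather than generic or all ports, which is the right shape for this change.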
@@ -2108,7 +2109,7 @@ index ed45974..ec7bb41 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -80398,20 +80399,24 @@ index 5f35d78..50651d2 100644 + uucp_domtrans_uux(sendmail_t) ') diff --git a/sensord.fc b/sensord.fc -index 8185d5a..719ac47 100644 +index 8185d5a..97926d2 100644 --- a/sensord.fc +++ b/sensord.fc -@@ -1,3 +1,5 @@ +@@ -1,5 +1,9 @@ +/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0) + /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) + ++/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0) ++ + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/sensord.if b/sensord.if -index d204752..5eba5fd 100644 +index d204752..31cc6e6 100644 --- a/sensord.if +++ b/sensord.if -@@ -1,35 +1,75 @@ +@@ -1,35 +1,80 @@ -## Sensor information logging daemon. + +## Sensor information logging daemon @@ -80479,7 +80484,9 @@ index d204752..5eba5fd 100644 gen_require(` - type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; + type sensord_t; -+ type sensord_unit_file_t; ++ type sensord_unit_file_t; ++ type sensord_log_t; ++ type sensord_var_run_t; ') allow $1 sensord_t:process { ptrace signal_perms }; @@ -80494,17 +80501,19 @@ index d204752..5eba5fd 100644 + allow $1 sensord_unit_file_t:service all_service_perms; - files_search_pids($1) -- admin_pattern($1, sensord_var_run_t) ++ admin_pattern($1, sensord_log_t) + admin_pattern($1, sensord_var_run_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') ') 
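Review bot: The new sensord.fc entry labels exactly one path, `/var/log/sensord\.rrd`, while the matching rule added in the sensord.te hunk, `logging_log_filetrans(sensord_t, sensord_log_t, file)`, is an unnamed transition. That transition applies to every file sensord_t creates in a log directory, so a file with any other name gets sensord_log_t at creation and is then reset to the default log type by the next relabel, after which the daemon would presumably lose access to it. Either narrow the transition to the known file, `logging_log_filetrans(sensord_t, sensord_log_t, file, "sensord.rrd")` (assuming this policy version accepts the name argument), or widen the file context to match what the daemon can actually create. Add a short comment in sensord.fc stating that the RRD path is the daemon's configured database location.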
diff --git a/sensord.te b/sensord.te -index 5e82fd6..fa352d8 100644 +index 5e82fd6..f3e5808 100644 --- a/sensord.te +++ b/sensord.te -@@ -9,6 +9,9 @@ type sensord_t; +@@ -9,12 +9,18 @@ type sensord_t; type sensord_exec_t; init_daemon_domain(sensord_t, sensord_exec_t) @@ -80514,7 +80523,24 @@ index 5e82fd6..fa352d8 100644 type sensord_initrc_exec_t; init_script_file(sensord_initrc_exec_t) -@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file) + type sensord_var_run_t; + files_pid_file(sensord_var_run_t) + ++type sensord_log_t; ++logging_log_file(sensord_log_t) ++ + ######################################## + # + # Local policy +@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t) + allow sensord_t self:fifo_file rw_fifo_file_perms; + allow sensord_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t) ++logging_log_filetrans(sensord_t, sensord_log_t, file) ++ + manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t) + files_pid_filetrans(sensord_t, sensord_var_run_t, file) dev_read_sysfs(sensord_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index e202e04..b25825c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.15%{?dist} +Release: 74.16%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Dec 20 2013 Lukas Vrabec 3.12.1-74.16 +- Allow amanda to do backups over UDP +- Add log support for sensord + * Tue Dec 10 2013 Lukas Vrabec 3.12.1-74.15 - Add file transition rules for content created by f5link - Allow cloud_init to transition to rpm_script_t
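Review bot: In the sensord.if hunk, `admin_pattern($1, sensord_log_t)` is added to sensord_admin with no directory search rule in front of it, and the same hunk appears to drop `files_search_pids($1)` ahead of the var_run pattern. admin_pattern grants rights on the private type only, so an admin domain that cannot already search the log directory would not reach the file. The usual form is `logging_search_logs($1)` immediately before `admin_pattern($1, sensord_log_t)`, with `files_search_pids($1)` kept before `admin_pattern($1, sensord_var_run_t)`. The interface body starts outside this hunk, so confirm that neither call is already present earlier in it.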
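Review bot: The sensord.te hunk grants `manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t)` on a type declared with `logging_log_file`, and nothing records why a log type gets full manage rights instead of append-only access. If the reason is that the RRD file is a fixed-size database rewritten in place, say so in a comment above the rule, for example `# sensord.rrd is a round-robin database updated in place, so append-only log perms are not enough`. Without that note, a later hardening pass may tighten the rule and break the daemon, or copy the broad grant to a plain text log where it lets the daemon erase its own records.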