From 72c96b37c54d226317e4e551656eb323b11f5dbe Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jan 15 2015 13:22:27 +0000 Subject: * Thu Jan 15 2015 Lukas Vrabec 3.13.1-104 - remove duplicate filename transition rules. - Call proper interface in sosreport.te. - Allow fetchmail to manage its keyring - Allow mail munin to create udp_sockets - Allow couchdb to sendto kernel unix domain sockets --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 919513d..b0299f5 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3222,7 +3222,7 @@ index 1dc7a85..c6f4da0 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..85186a9 100644 +index 7590165..d81185e 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te @@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0) @@ -3240,7 +3240,7 @@ index 7590165..85186a9 100644 # seunshare local policy # +allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice }; -+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched }; ++allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched }; -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin }; -allow seunshare_t self:process { setexec signal getcap setcap }; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9dd8656..e24de0a 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -16390,7 +16390,7 @@ index 715a826..a1cbdb2 100644 + ') ') diff --git a/couchdb.te b/couchdb.te -index ae1c1b1..6238c82 100644 +index ae1c1b1..a3af6c9 100644 --- a/couchdb.te +++ b/couchdb.te @@ -27,18 +27,21 @@ files_type(couchdb_var_lib_t) 
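Review bot: The `setcurrent` permission added to `allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };` in the seunshare.te hunk is not covered by the commit message or the spec changelog, and nothing in the hunk records why seunshare needs to change its own running context. setcurrent is the permission behind writing /proc/self/attr/current, i.e. a dynamic context change rather than an exec-time transition, so a reviewer would expect the motivating denial and the intended target domain noted next to the rule, e.g. `# setcurrent: needed for <reason placeholder>, see <bug/denial reference placeholder>`. Whether a matching dyntransition rule exists is outside this hunk; if no dynamic transition is actually intended, the permission should be dropped again so the rule stays an exec-only transition set.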
@@ -16418,7 +16418,7 @@ index ae1c1b1..6238c82 100644 manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t) -@@ -56,11 +59,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) +@@ -56,11 +59,13 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir) manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t) @@ -16429,10 +16429,11 @@ index ae1c1b1..6238c82 100644 kernel_read_system_state(couchdb_t) +kernel_read_fs_sysctls(couchdb_t) ++kernel_dgram_send(couchdb_t) corecmd_exec_bin(couchdb_t) corecmd_exec_shell(couchdb_t) -@@ -75,14 +79,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) +@@ -75,14 +80,23 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t) corenet_tcp_bind_couchdb_port(couchdb_t) corenet_tcp_sendrecv_couchdb_port(couchdb_t) @@ -27906,10 +27907,10 @@ index c3f7916..cab3954 100644 admin_pattern($1, fetchmail_etc_t) diff --git a/fetchmail.te b/fetchmail.te -index 742559a..a6c5c24 100644 +index 742559a..57711b3 100644 --- a/fetchmail.te +++ b/fetchmail.te -@@ -32,14 +32,17 @@ files_type(fetchmail_uidl_cache_t) +@@ -32,14 +32,18 @@ files_type(fetchmail_uidl_cache_t) # # Local policy # @@ -27918,6 +27919,7 @@ index 742559a..a6c5c24 100644 dontaudit fetchmail_t self:capability sys_tty_config; allow fetchmail_t self:process { signal_perms setrlimit }; allow fetchmail_t self:unix_stream_socket { accept listen }; ++allow fetchmail_t self:key manage_key_perms; allow fetchmail_t fetchmail_etc_t:file read_file_perms; 
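Review bot: `kernel_dgram_send(couchdb_t)` is added with no comment saying which kernel-owned unix datagram socket couchdb has to reach, and the changelog bullet only restates the rule. If the underlying denial was writing to /dev/log while that socket is still labelled for the kernel (a common cause for reaching for this interface), the logging interfaces are the narrower and self-documenting choice; if it is something else, record it inline, e.g. `# kernel_dgram_send: <reason placeholder>`. The rest of the couchdb_t rules, including any logging_* calls that may already cover this, are outside this hunk.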
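Review bot: `allow fetchmail_t self:key manage_key_perms;` grants the full key permission set, including write, link and setattr, on fetchmail_t's own keyrings, and the hunk gives no comment on what fetchmail stores in or reads from the kernel keyring. If the observed denials were only on reading or searching keys, a smaller permission set than manage_key_perms would keep the domain closer to least privilege; either way a one-line why-comment such as `# self:key: <what fetchmail keeps in its keyring, placeholder>` belongs next to the rule. The fetchmail_t local policy continues outside this hunk.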
@@ -27928,7 +27930,7 @@ index 742559a..a6c5c24 100644 manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) +@@ -63,7 +67,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) corecmd_exec_bin(fetchmail_t) corecmd_exec_shell(fetchmail_t) @@ -27936,7 +27938,7 @@ index 742559a..a6c5c24 100644 corenet_all_recvfrom_netlabel(fetchmail_t) corenet_tcp_sendrecv_generic_if(fetchmail_t) corenet_tcp_sendrecv_generic_node(fetchmail_t) -@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t) +@@ -84,15 +87,23 @@ fs_search_auto_mountpoints(fetchmail_t) domain_use_interactive_fds(fetchmail_t) @@ -47378,7 +47380,7 @@ index 6fcfc31..91adcaf 100644 +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..dec8a95 100644 +index 169f236..907b24c 100644 --- a/mongodb.te +++ b/mongodb.te @@ -21,19 +21,25 @@ files_type(mongod_var_lib_t) @@ -47395,7 +47397,7 @@ index 169f236..dec8a95 100644 -allow mongod_t self:process signal; + -+allow mongod_t self:process { setsched signal }; ++allow mongod_t self:process { setsched signal execmem }; allow mongod_t self:fifo_file rw_fifo_file_perms; -manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) @@ -52207,7 +52209,7 @@ index b744fe3..cb0e2af 100644 + admin_pattern($1, munin_content_t) ') diff --git a/munin.te b/munin.te -index b708708..aebb4c1 100644 +index b708708..dd6e04b 100644 --- a/munin.te +++ b/munin.te @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) 
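Review bot: `execmem` is added to `allow mongod_t self:process { setsched signal execmem };` with no changelog bullet and no comment, yet it is the most consequential change in this file: it lets mongod map anonymous memory that is both writable and executable, which is exactly what the process memory-protection checks exist to prevent. Confined daemons in the reference policy usually either gate execmem behind a tunable or carry a comment naming the component that requires it, so the reviewer would want `# execmem: <component that needs W+X mappings, placeholder>` here, or a tunable_policy wrapper if deployments without that component should be able to keep it denied. The mongod_t local policy continues outside this hunk.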
@@ -52353,12 +52355,13 @@ index b708708..aebb4c1 100644 #################################### # # Mail local policy -@@ -279,27 +273,38 @@ optional_policy(` +@@ -279,27 +273,39 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; +allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms; +allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow mail_munin_plugin_t self:udp_socket create_socket_perms; + rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -52396,7 +52399,7 @@ index b708708..aebb4c1 100644 ') optional_policy(` -@@ -339,7 +344,7 @@ dev_read_rand(services_munin_plugin_t) +@@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -52405,7 +52408,7 @@ index b708708..aebb4c1 100644 ') optional_policy(` -@@ -348,6 +353,10 @@ optional_policy(` +@@ -348,6 +354,10 @@ optional_policy(` ') optional_policy(` @@ -52416,7 +52419,7 @@ index b708708..aebb4c1 100644 lpd_exec_lpr(services_munin_plugin_t) ') -@@ -361,7 +370,11 @@ optional_policy(` +@@ -361,7 +371,11 @@ optional_policy(` ') optional_policy(` @@ -52429,7 +52432,7 @@ index b708708..aebb4c1 100644 ') optional_policy(` -@@ -393,6 +406,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -52437,7 +52440,7 @@ index b708708..aebb4c1 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -421,3 +435,33 @@ optional_policy(` +@@ -421,3 +436,33 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 87bf2cc..ab8bb91 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
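Review bot: `allow mail_munin_plugin_t self:udp_socket create_socket_perms;` is a raw socket rule with no comment on which mail plugin needs UDP, and the hunk shows no node or port permissions for the socket to actually be used on. If the UDP socket is for DNS lookups, a common reason a plugin needs only a udp_socket, `sysnet_dns_name_resolve(mail_munin_plugin_t)` is the idiomatic interface and also brings the DNS port rules with it; otherwise a why-comment such as `# udp_socket: <plugin/purpose placeholder>` should accompany the rule. The mail plugin block continues outside this hunk.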
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 103%{?dist} +Release: 104%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -605,6 +605,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jan 15 2015 Lukas Vrabec 3.13.1-104 +- remove duplicate filename transition rules. +- Call proper interface in sosreport.te. +- Allow fetchmail to manage its keyring +- Allow mail munin to create udp_sockets +- Allow couchdb to sendto kernel unix domain sockets + * Sat Jan 3 2015 Dan Walsh 3.13.1-103 - Add /etc/selinux/targeted/contexts/openssh_contexts