From 7cf76a55b87e62c28580c6482e891fc7c8fed49a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 03 2014 13:50:30 +0000 Subject: * Mon Nov 03 2014 Lukas Vrabec 3.12.1-193 - Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835) - xserver_manage_xdm_tmp_files is depracated and replaced with userdom_manage_user_tmp_files - Allow abrt to read software raid state. BZ (1157770) - Allow rabbitmq to read nfs state data. BZ(1122412) - Allow modemmanger to connectto itself --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index aad50ae..cac1fe2 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -15564,7 +15564,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..d2a0da5 100644 +index 649e458..1debeb2 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -15702,10 +15702,29 @@ index 649e458..d2a0da5 100644 ') ######################################## -@@ -1025,6 +1094,25 @@ interface(`kernel_write_proc_files',` +@@ -1025,6 +1094,44 @@ interface(`kernel_write_proc_files',` ######################################## ## ++## Do not audit attempts to write the ++## file in /proc. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_write_proc_files',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ dontaudit $1 proc_t:file write; ++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on generic proc entries. +## @@ -15728,7 +15747,7 @@ index 649e458..d2a0da5 100644 ## Do not audit attempts by caller to ## read system state information in proc. ## -@@ -1208,6 +1296,25 @@ interface(`kernel_read_messages',` +@@ -1208,6 +1315,25 @@ interface(`kernel_read_messages',` ######################################## ## 
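Review bot: The new `kernel_dontaudit_write_proc_files` interface in the -15702 hunk suppresses denials for writes to every `proc_t` file, and its summary (`## Do not audit attempts to write the ## file in /proc.`) does not say so; a reader should be told the rule is generic and that the silenced writes will no longer appear in the audit log. I would reword the summary to `## Do not audit attempts to write generic` / `## proc entries (proc_t files under /proc).` A caller that actually needs to write one particular proc entry should instead get a dedicated type and an allow rule, since this dontaudit hides exactly the denial that would identify that file. The summary/param markup of the interface block appears to have been lost in this rendering, so the parameter description could not be checked.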
@@ -15754,7 +15773,7 @@ index 649e458..d2a0da5 100644 ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## -@@ -1458,6 +1565,25 @@ interface(`kernel_list_all_proc',` +@@ -1458,6 +1584,25 @@ interface(`kernel_list_all_proc',` ######################################## ## @@ -15780,7 +15799,7 @@ index 649e458..d2a0da5 100644 ## Do not audit attempts to list all proc directories. ## ## -@@ -1477,6 +1603,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1622,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -15805,7 +15824,7 @@ index 649e458..d2a0da5 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1672,7 +1816,7 @@ interface(`kernel_read_net_sysctls',` +@@ -1672,7 +1835,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -15814,7 +15833,7 @@ index 649e458..d2a0da5 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1693,7 +1837,7 @@ interface(`kernel_rw_net_sysctls',` +@@ -1693,7 +1856,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -15823,7 +15842,7 @@ index 649e458..d2a0da5 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1715,7 +1859,6 @@ interface(`kernel_read_unix_sysctls',` +@@ -1715,7 +1878,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) @@ -15831,7 +15850,7 @@ index 649e458..d2a0da5 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -2085,9 +2228,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,9 +2247,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; 
@@ -15861,7 +15880,7 @@ index 649e458..d2a0da5 100644 ######################################## ## ## Allow caller to read all sysctls. -@@ -2282,6 +2444,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2463,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -15887,7 +15906,7 @@ index 649e458..d2a0da5 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2487,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2506,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -15896,7 +15915,7 @@ index 649e458..d2a0da5 100644 ## ## # -@@ -2488,6 +2669,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2688,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -15921,7 +15940,7 @@ index 649e458..d2a0da5 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2724,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2743,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -15946,7 +15965,7 @@ index 649e458..d2a0da5 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2632,7 +2849,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2868,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -15955,7 +15974,7 @@ index 649e458..d2a0da5 100644 ') ######################################## -@@ -2670,6 +2887,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2906,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## 
@@ -15980,7 +15999,7 @@ index 649e458..d2a0da5 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2697,6 +2932,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2951,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -16006,7 +16025,7 @@ index 649e458..d2a0da5 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2806,6 +3060,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +3079,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -16040,7 +16059,7 @@ index 649e458..d2a0da5 100644 ######################################## ## -@@ -2961,6 +3242,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3261,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -16065,7 +16084,7 @@ index 649e458..d2a0da5 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3274,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3293,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index b7300d6..d341865 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -568,7 +568,7 @@ index 058d908..cf17e67 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..b2e7c34 100644 +index cc43d25..db6136e 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -756,7 +756,7 @@ index cc43d25..b2e7c34 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -112,23 +141,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +141,30 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) 
@@ -785,10 +785,11 @@ index cc43d25..b2e7c34 100644 kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) +kernel_read_network_state(abrt_t) ++kernel_read_software_raid_state(abrt_t) kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +172,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +173,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -807,7 +808,7 @@ index cc43d25..b2e7c34 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +196,43 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +197,43 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -854,7 +855,7 @@ index cc43d25..b2e7c34 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +240,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +241,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -871,7 +872,7 @@ index cc43d25..b2e7c34 100644 ') optional_policy(` -@@ -209,6 +252,20 @@ optional_policy(` +@@ -209,6 +253,20 @@ optional_policy(` ') optional_policy(` @@ -892,7 +893,7 @@ index cc43d25..b2e7c34 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -221,6 +278,11 @@ optional_policy(` +@@ -221,6 +279,11 @@ optional_policy(` ') optional_policy(` @@ -904,7 +905,7 @@ index cc43d25..b2e7c34 100644 rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) -@@ -230,6 +292,7 @@ optional_policy(` +@@ -230,6 +293,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -912,7 +913,7 @@ index cc43d25..b2e7c34 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +303,17 @@ optional_policy(` +@@ -240,9 +304,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') 
@@ -931,7 +932,7 @@ index cc43d25..b2e7c34 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +324,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +325,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -946,7 +947,7 @@ index cc43d25..b2e7c34 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +343,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -954,7 +955,7 @@ index cc43d25..b2e7c34 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +352,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -975,7 +976,7 @@ index cc43d25..b2e7c34 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +373,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +374,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -1002,7 +1003,7 @@ index cc43d25..b2e7c34 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +409,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) 
@@ -1016,7 +1017,7 @@ index cc43d25..b2e7c34 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +427,11 @@ optional_policy(` +@@ -330,10 +428,11 @@ optional_policy(` ####################################### # @@ -1030,7 +1031,7 @@ index cc43d25..b2e7c34 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +450,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +451,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1100,7 +1101,7 @@ index cc43d25..b2e7c34 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +516,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +517,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -10371,10 +10372,10 @@ index 0000000..de66654 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..6e058fc +index 0000000..cc9002e --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,66 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10410,6 +10411,7 @@ index 0000000..6e058fc + +kernel_read_system_state(bumblebee_t) +kernel_dontaudit_access_check_proc(bumblebee_t) ++kernel_dontaudit_write_proc_files(bumblebee_t) +kernel_manage_debugfs(bumblebee_t) + +corecmd_exec_shell(bumblebee_t) @@ -40664,7 +40666,7 @@ index db87831..30bfb76 100644 +userdom_use_inherited_user_terminals(lockdev_t) + diff --git a/logrotate.fc b/logrotate.fc -index a11d5be..36c8de7 100644 +index a11d5be..4cf59d3 100644 --- a/logrotate.fc +++ b/logrotate.fc @@ -1,6 +1,9 @@ 
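Review bot: `kernel_dontaudit_write_proc_files(bumblebee_t)` in the -10410 hunk silences every denied write from bumblebee_t to generic `proc_t` files rather than addressing a specific one. If bumblebee does need to write a particular proc entry (presumably the bbswitch control file; confirm against the AVC that motivated this), the usual refpolicy approach is to give that entry its own type and allow the write, which keeps unrelated write attempts visible in the audit log. If the writes are genuinely harmless probing, a short comment above the line such as `# bumblebee probes proc entries it cannot write; the denials are noise` would tell the next maintainer why the dontaudit is there. The bumblebee_t local policy block this line belongs to starts before the hunk.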
@@ -40677,7 +40679,7 @@ index a11d5be..36c8de7 100644 /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) -/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +', ` -+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) ++/var/lib/logrotate\.status.* -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +') diff --git a/logrotate.if b/logrotate.if index dd8e01a..9cd6b0b 100644 @@ -44762,7 +44764,7 @@ index b1ac8b5..9b22bea 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index cb4c13d..6af07aa 100644 +index cb4c13d..25f2cfe 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -1,4 +1,4 @@ @@ -44781,7 +44783,13 @@ index cb4c13d..6af07aa 100644 ######################################## # # Local policy -@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -19,20 +22,22 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; + allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; + allow modemmanager_t self:process { getsched signal }; + allow modemmanager_t self:fifo_file rw_fifo_file_perms; +-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; ++allow modemmanager_t self:unix_stream_socket {connectto create_stream_socket_perms}; + allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; kernel_read_system_state(modemmanager_t) @@ -71270,7 +71278,7 @@ index fa3dc8e..99cfa95 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index e31bbe1..5f0e288 100644 +index e31bbe1..28e206e 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -1,4 +1,4 @@ @@ -71371,7 +71379,7 @@ index e31bbe1..5f0e288 100644 can_exec(pulseaudio_t, pulseaudio_exec_t) -@@ -85,60 +70,51 @@ kernel_read_kernel_sysctls(pulseaudio_t) +@@ -85,60 +70,57 @@ kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) 
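Review bot: The new pattern `/var/lib/logrotate\.status.* --` in the -40677 hunk is wider than the changelog states: `.*` matches any suffix, so every regular file whose path begins with `/var/lib/logrotate.status` (including files inside a directory of that name) is labelled logrotate_var_lib_t, not only the `.tmp` file. If the intent is only the temporary status file, `/var/lib/logrotate\.status(\.tmp)? -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)` pins exactly the two names and avoids labelling unrelated files into the logrotate type. The conditional block whose closing `')` follows this line is opened before the hunk.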
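Review bot: The permission set `{connectto create_stream_socket_perms}` in the -44781 hunk omits the spaces inside the braces that the rest of the file uses (`{ net_admin sys_admin sys_tty_config }` a few lines above); write it as `allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };`. Since the rule is on `self`, the grant is limited to the domain's own sockets, which matches the changelog entry.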
@@ -71423,10 +71431,12 @@ index e31bbe1..5f0e288 100644 logging_send_syslog_msg(pulseaudio_t) -miscfiles_read_localization(pulseaudio_t) -- --userdom_search_user_home_dirs(pulseaudio_t) --userdom_write_user_tmp_sockets(pulseaudio_t) -- + + userdom_search_user_home_dirs(pulseaudio_t) + userdom_write_user_tmp_sockets(pulseaudio_t) ++userdom_manage_user_tmp_files(pulseaudio_t) ++userdom_execute_user_tmp_files(pulseaudio_t) + tunable_policy(`use_nfs_home_dirs',` + fs_mount_nfs(pulseaudio_t) + fs_mounton_nfs(pulseaudio_t) @@ -71448,7 +71458,7 @@ index e31bbe1..5f0e288 100644 ') optional_policy(` -@@ -151,8 +127,9 @@ optional_policy(` +@@ -151,8 +133,9 @@ optional_policy(` optional_policy(` dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) @@ -71460,7 +71470,7 @@ index e31bbe1..5f0e288 100644 optional_policy(` consolekit_dbus_chat(pulseaudio_t) -@@ -172,16 +149,33 @@ optional_policy(` +@@ -172,29 +155,49 @@ optional_policy(` ') optional_policy(` @@ -71494,7 +71504,12 @@ index e31bbe1..5f0e288 100644 udev_read_state(pulseaudio_t) udev_read_db(pulseaudio_t) ') -@@ -194,7 +188,11 @@ optional_policy(` + + optional_policy(` + xserver_stream_connect(pulseaudio_t) +- xserver_manage_xdm_tmp_files(pulseaudio_t) + xserver_read_xdm_lib_files(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -71507,7 +71522,7 @@ index e31bbe1..5f0e288 100644 # # Client local policy # -@@ -208,8 +206,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi +@@ -208,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi fs_getattr_tmpfs(pulseaudio_client) 
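Review bot: `userdom_execute_user_tmp_files(pulseaudio_t)` in the -71423 hunk grants pulseaudio_t execute access on user tmp files, which goes beyond the replacement the changelog describes (xserver_manage_xdm_tmp_files → userdom_manage_user_tmp_files) and, judging by its name, beyond what the removed interface provided. Allowing a domain to execute content from a user-writable tmp directory is a notably larger grant than managing those files, so the commit should either cite the denial that requires it or drop that line. If it is needed, a one-line comment above it naming the workload (e.g. `# pulseaudio runs helpers staged in user tmp; see BZ <placeholder>`) would let later reviewers judge whether it still applies. The pulseaudio_t local policy block continues on both sides of this hunk.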
@@ -71516,7 +71531,7 @@ index e31bbe1..5f0e288 100644 corenet_tcp_sendrecv_generic_if(pulseaudio_client) corenet_tcp_sendrecv_generic_node(pulseaudio_client) -@@ -218,36 +214,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) +@@ -218,36 +219,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client) corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client) pulseaudio_stream_connect(pulseaudio_client) @@ -75704,7 +75719,7 @@ index 2c3d338..7d49554 100644 init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..a904ad9 100644 +index 3698b51..a844a8f 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0) @@ -75738,7 +75753,7 @@ index 3698b51..a904ad9 100644 type rabbitmq_var_log_t; logging_log_file(rabbitmq_var_log_t) -@@ -27,80 +31,82 @@ files_pid_file(rabbitmq_var_run_t) +@@ -27,80 +31,86 @@ files_pid_file(rabbitmq_var_run_t) ###################################### # 
@@ -75832,49 +75847,52 @@ index 3698b51..a904ad9 100644 +domain_read_all_domains_state(rabbitmq_t) -miscfiles_read_localization(rabbitmq_beam_t) -- ++auth_read_passwd(rabbitmq_t) ++auth_use_pam(rabbitmq_t) + -sysnet_dns_name_resolve(rabbitmq_beam_t) - -######################################## -# -# Epmd local policy -# -+auth_read_passwd(rabbitmq_t) -+auth_use_pam(rabbitmq_t) - +files_getattr_all_mountpoints(rabbitmq_t) --allow rabbitmq_epmd_t self:process signal; --allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; --allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; --allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; +fs_getattr_all_fs(rabbitmq_t) +fs_getattr_all_dirs(rabbitmq_t) +fs_getattr_cgroup(rabbitmq_t) +fs_search_cgroup_dirs(rabbitmq_t) --allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; +-allow rabbitmq_epmd_t self:process signal; +-allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; +-allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; +-allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; +dev_read_sysfs(rabbitmq_t) +dev_read_urand(rabbitmq_t) +-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; ++storage_getattr_fixed_disk_dev(rabbitmq_t) + -corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) -corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) -corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t) -corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t) -corenet_tcp_bind_generic_node(rabbitmq_epmd_t) -+storage_getattr_fixed_disk_dev(rabbitmq_t) ++sysnet_dns_name_resolve(rabbitmq_t) -corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) -corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) -corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) -+sysnet_dns_name_resolve(rabbitmq_t) ++logging_send_syslog_msg(rabbitmq_t) -files_read_etc_files(rabbitmq_epmd_t) -+logging_send_syslog_msg(rabbitmq_t) ++optional_policy(` ++ dbus_system_bus_client(rabbitmq_t) ++') 
-logging_send_syslog_msg(rabbitmq_epmd_t) +optional_policy(` -+ dbus_system_bus_client(rabbitmq_t) ++ rpc_read_nfs_state_data(rabbitmq_t) +') -miscfiles_read_localization(rabbitmq_epmd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 498731d..f8d4d1c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 192%{?dist} +Release: 193%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -582,6 +582,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Nov 03 2014 Lukas Vrabec 3.12.1-193 +- Label also logrotate.status.tmp as logrotate_var_lib_t. BZ(1158835) +- xserver_manage_xdm_tmp_files is depracated and replaced with userdom_manage_user_tmp_files +- Allow abrt to read software raid state. BZ (1157770) +- Allow rabbitmq to read nfs state data. BZ(1122412) +- Allow modemmanger to connectto itself + * Tue Oct 21 2014 Lukas Vrabec 3.12.1-192 - Allow couchdb read sysctl_fs_t files. BZ(1154327) - Add fowner cap in usbmuxd_t BZ (1152662)