From 7e5a025fd42dbebcf386fe1ba90c1fde1dd8f671 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jul 23 2014 15:35:06 +0000 Subject: * Wed Jul 23 2014 Lukas Vrabec 3.12.1-179 - Bluejeans wants to connect to port 5000 - Allow zabbix domains to access /proc//net/dev - Dontaudit list /tmp for icecast (#894387) - Allow postfix_smtpd to stream connect to antivirus (#1105889) - Allow gfs_controld_t to getattr on all file systems (#1110886) - Add setpgid process to mip6d - Allow keepalived manage snmp files(#1053450) - Allow certmonger to exec ldconfig to make ipa-server-install working. (#1122110) - Update cockpik policy from cockpit usptream. --- diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 8b246ba..9efc54b 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -10949,7 +10949,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 2354e21..9a5e1fd 100644 +index 2354e21..cc0fe4f 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -11013,8 +11013,12 @@ index 2354e21..9a5e1fd 100644 fs_search_cgroup_dirs(certmonger_t) -@@ -70,16 +84,17 @@ init_getattr_all_script_files(certmonger_t) +@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t) + init_getattr_all_script_files(certmonger_t) + ++libs_exec_ldconfig(certmonger_t) ++ logging_send_syslog_msg(certmonger_t) -miscfiles_read_localization(certmonger_t) @@ -11034,7 +11038,7 @@ index 2354e21..9a5e1fd 100644 ') optional_policy(` -@@ -92,11 +107,51 @@ optional_policy(` +@@ -92,11 +109,51 @@ optional_policy(` ') optional_policy(` @@ -13420,26 +13424,26 @@ index 2a71346..3a38b11 100644 ') diff --git a/cockpit.fc b/cockpit.fc new file mode 100644 -index 0000000..ee6e817 +index 0000000..276ea8a --- /dev/null 
+++ b/cockpit.fc -@@ -0,0 +1,9 @@ -+/usr/lib/systemd/system/cockpit.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) +@@ -0,0 +1,10 @@ ++# cockpit stuff + -+/usr/lib/systemd/system/cockpit.socket -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + -+/usr/lib/systemd/system/cockpitd.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + -+/usr/libexec/cockpitd -- gen_context(system_u:object_r:cockpit_exec_t,s0) ++/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + -+/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) ++/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) diff --git a/cockpit.if b/cockpit.if new file mode 100644 -index 0000000..25e3237 +index 0000000..573dcae --- /dev/null +++ b/cockpit.if -@@ -0,0 +1,186 @@ -+ +@@ -0,0 +1,188 @@ +## policy for cockpit + +######################################## @@ -13452,13 +13456,32 @@ index 0000000..25e3237 +## +## +# -+interface(`cockpit_domtrans',` ++interface(`cockpit_ws_domtrans',` + gen_require(` -+ type cockpit_t, cockpit_exec_t; ++ type cockpit_ws_t, cockpit_ws_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, cockpit_exec_t, cockpit_t) ++ domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t) ++') ++ ++######################################## ++## ++## Execute TEMPLATE in the cockpit domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cockpit_session_domtrans',` ++ gen_require(` ++ type cockpit_session_t, cockpit_session_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t) +') + +######################################## 
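Review bot: In cockpit.fc the new `/usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)` line gives the agent the generic shell label instead of a cockpit-specific exec type, so every rule in the policy that permits executing shells also covers this binary. The cockpit.te hunk says cockpit-session executes the agent as the logged-in user, which is presumably why the shell label was chosen, but nothing in the .fc file records that and the `# cockpit stuff` header does not help a later reader. Suggested comment above the line: `# cockpit-agent is labelled as a shell so cockpit-session's per-user domain transition covers it`.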
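Review bot: The description of the new `cockpit_session_domtrans` interface still reads `## Execute TEMPLATE in the cockpit domin.`, a leftover placeholder with a typo, while the rule below it transitions the caller into cockpit_session_t via cockpit_session_exec_t. Replace it with `## Execute cockpit-session in the cockpit_session_t domain.` so the generated interface documentation matches what the interface does. The description of the sibling `cockpit_ws_domtrans` lies above the visible part of this hunk and may want the same check.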
@@ -13549,7 +13572,7 @@ index 0000000..25e3237 +# +interface(`cockpit_systemctl',` + gen_require(` -+ type cockpit_t; ++ type cockpit_ws_t; + type cockpit_unit_file_t; + ') + @@ -13558,33 +13581,12 @@ index 0000000..25e3237 + allow $1 cockpit_unit_file_t:file read_file_perms; + allow $1 cockpit_unit_file_t:service manage_service_perms; + -+ ps_process_pattern($1, cockpit_t) ++ ps_process_pattern($1, cockpit_ws_t) +') + + +######################################## +## -+## Send and receive messages from -+## cockpit over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cockpit_dbus_chat',` -+ gen_require(` -+ type cockpit_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 cockpit_t:dbus send_msg; -+ allow cockpit_t $1:dbus send_msg; -+') -+ -+######################################## -+## +## All of the rules required to administrate +## an cockpit environment +## @@ -13602,17 +13604,22 @@ index 0000000..25e3237 +# +interface(`cockpit_admin',` + gen_require(` -+ type cockpit_t; ++ type cockpit_ws_t; ++ type cockpit_session_t; + type cockpit_var_lib_t; -+ type cockpit_unit_file_t; ++ type cockpit_unit_file_t; + ') + -+ allow $1 cockpit_t:process { signal_perms }; -+ ps_process_pattern($1, cockpit_t) ++ allow $1 cockpit_ws_t:process { signal_perms }; ++ ps_process_pattern($1, cockpit_ws_t) + -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cockpit_t:process ptrace; -+ ') ++ allow $1 cockpit_session_t:process { signal_perms }; ++ ps_process_pattern($1, cockpit_session_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cockpit_ws_t:process ptrace; ++ allow $1 cockpit_session_t:process ptrace; ++ ') + + files_search_var_lib($1) + admin_pattern($1, cockpit_var_lib_t) @@ -13627,10 +13634,10 @@ index 0000000..25e3237 +') diff --git a/cockpit.te b/cockpit.te new file mode 100644 -index 0000000..589262d +index 0000000..cc6201d --- /dev/null 
+++ b/cockpit.te -@@ -0,0 +1,95 @@ +@@ -0,0 +1,89 @@ +policy_module(cockpit, 1.0.0) + +######################################## 
@@ -13638,93 +13645,87 @@ index 0000000..589262d +# Declarations +# + -+type cockpit_t; -+type cockpit_exec_t; -+init_daemon_domain(cockpit_t, cockpit_exec_t) ++type cockpit_ws_t; ++type cockpit_ws_exec_t; ++init_daemon_domain(cockpit_ws_t,cockpit_ws_exec_t) + -+type cockpit_var_lib_t; -+files_type(cockpit_var_lib_t) ++type cockpit_tmp_t; ++files_tmp_file(cockpit_tmp_t) + +type cockpit_unit_file_t; +systemd_unit_file(cockpit_unit_file_t) + ++type cockpit_session_t; ++type cockpit_session_exec_t; ++domain_type(cockpit_session_t) ++domain_entry_file(cockpit_session_t,cockpit_session_exec_t) ++ +######################################## +# -+# cockpit local policy ++# cockpit_ws_t local policy +# -+allow cockpit_t self:capability net_admin; -+allow cockpit_t self:fifo_file rw_fifo_file_perms; -+allow cockpit_t self:unix_stream_socket create_stream_socket_perms; -+allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow cockpit_t self:unix_dgram_socket create_socket_perms; -+ -+manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) -+manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) -+manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) -+files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file }) + -+kernel_read_system_state(cockpit_t) -+kernel_read_network_state(cockpit_t) ++allow cockpit_ws_t self:capability net_admin; ++allow cockpit_ws_t self:tcp_socket create_stream_socket_perms; + -+corecmd_exec_bin(cockpit_t) -+corecmd_exec_shell(cockpit_t) ++# cockpit-ws can execute cockpit-session ++can_exec(cockpit_ws_t,cockpit_session_exec_t) + -+corenet_tcp_bind_cockpit_port(cockpit_t) ++# cockpit-ws can read from /dev/urandom ++dev_read_urand(cockpit_ws_t) # for authkey ++dev_read_rand(cockpit_ws_t) # for libssh + -+dev_read_sysfs(cockpit_t) ++# cockpit-ws can read from the cockpit port ++# TODO: disable this until we have it in our f20 selinux-policy-targeted ++# 
corenet_tcp_bind_cockpit_port(cockpit_ws_t) ++#allow cockpit_ws_t init_t:tcp_socket accept; ++corenet_tcp_bind_all_reserved_ports(cockpit_ws_t) + -+domain_use_interactive_fds(cockpit_t) -+domain_read_all_domains_state(cockpit_t) ++# cockpit-ws can connect to other hosts via ssh ++corenet_tcp_connect_ssh_port(cockpit_ws_t) + -+files_read_etc_files(cockpit_t) -+files_list_tmp(cockpit_t) ++# cockpit-ws can write to its temp files ++manage_dirs_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) ++manage_files_pattern(cockpit_ws_t, cockpit_tmp_t, cockpit_tmp_t) ++files_tmp_filetrans(cockpit_ws_t, cockpit_tmp_t, { dir file }) + -+fs_read_tmpfs_symlinks(cockpit_t) -+fs_list_cgroup_dirs(cockpit_t) -+fs_read_cgroup_files(cockpit_t) -+fs_getattr_all_fs(cockpit_t) ++auth_use_nsswitch(cockpit_ws_t) + -+auth_use_nsswitch(cockpit_t) ++logging_send_syslog_msg(cockpit_ws_t) + -+init_dbus_chat(cockpit_t) -+init_status(cockpit_t) -+init_read_state(cockpit_t) -+init_list_pid_dirs(cockpit_t) ++# cockpit-ws launches cockpit-session ++cockpit_session_domtrans(cockpit_ws_t) ++allow cockpit_ws_t cockpit_session_t:process signal_perms; + -+logging_send_syslog_msg(cockpit_t) -+ -+miscfiles_read_localization(cockpit_t) -+ -+systemd_status_all_unit_files(cockpit_t) -+systemd_read_logind_sessions_files(cockpit_t) -+ -+udev_read_pid_files(cockpit_t) ++# cockpit-session communicates back with cockpit-ws ++allow cockpit_session_t cockpit_ws_t:unix_stream_socket rw_stream_socket_perms; + +optional_policy(` -+ dbus_system_bus_client(cockpit_t) -+ dbus_connect_system_bus(cockpit_t) ++ ssh_read_user_home_files(cockpit_ws_t) ++') + -+ optional_policy(` -+ accountsd_dbus_chat(cockpit_t) -+ ') ++######################################################### ++# ++# cockpit-session local policy ++# + -+ optional_policy(` -+ devicekit_dbus_chat_disk(cockpit_t) -+ devicekit_dbus_chat_power(cockpit_t) -+ ') ++# cockpit-session changes to the actual logged in user ++allow cockpit_session_t self:capability { 
sys_admin dac_override setuid setgid }; ++allow cockpit_session_t self:process { setexec setsched signal_perms }; + -+ optional_policy(` -+ networkmanager_dbus_chat(cockpit_t) -+ networkmanager_stream_connect(cockpit_t) -+ ') ++# cockpit-session runs a full pam stack, including pam_selinux.so ++auth_login_pgm_domain(cockpit_session_t) ++auth_write_login_records(cockpit_session_t) + -+ optional_policy(` -+ realmd_dbus_chat(cockpit_t) -+ ') ++# cockpit-session can execute cockpit-agent as the user ++userdom_spec_domtrans_all_users(cockpit_session_t) ++ ++optional_policy(` ++ userdom_signal_all_users(cockpit_session_t) +') + +optional_policy(` -+ docker_stream_connect(cockpit_t) ++ unconfined_domtrans(cockpit_session_t) +') diff --git a/collectd.fc b/collectd.fc index 79a3abe..2e7d7ed 100644 @@ -34183,10 +34184,10 @@ index 580b533..c267cea 100644 domain_system_change_exemption($1) role_transition $2 icecast_initrc_exec_t system_r; diff --git a/icecast.te b/icecast.te -index ac6f9d5..6097225 100644 +index ac6f9d5..bd3a837 100644 --- a/icecast.te +++ b/icecast.te -@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t) +@@ -65,11 +65,9 @@ dev_read_sysfs(icecast_t) dev_read_urand(icecast_t) dev_read_rand(icecast_t) @@ -34195,10 +34196,10 @@ index ac6f9d5..6097225 100644 auth_use_nsswitch(icecast_t) -miscfiles_read_localization(icecast_t) -- ++files_dontaudit_list_tmp(icecast_t) + tunable_policy(`icecast_use_any_tcp_ports',` corenet_tcp_connect_all_ports(icecast_t) - corenet_sendrecv_all_client_packets(icecast_t) diff --git a/ifplugd.if b/ifplugd.if index 8999899..96909ae 100644 --- a/ifplugd.if @@ -37259,7 +37260,7 @@ index 0000000..0d61849 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..879ab65 +index 0000000..a5b2f96 --- /dev/null +++ b/keepalived.te @@ -0,0 +1,55 @@ 
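Review bot: `corenet_tcp_bind_all_reserved_ports(cockpit_ws_t)` lets the web service bind every reserved TCP port, whereas the `corenet_tcp_bind_cockpit_port(cockpit_ws_t)` it replaces (now commented out under a TODO) would cover only cockpit's port; if the f20 base policy lacks that interface, the TODO should at least say what has to change so the wide rule does not outlive the workaround, e.g. `# TODO: switch back to corenet_tcp_bind_cockpit_port() once the cockpit port type exists in the f20 base policy`. Further down, `allow cockpit_session_t self:capability { sys_admin dac_override setuid setgid };` is explained only by `# cockpit-session changes to the actual logged in user`, which accounts for setuid/setgid and perhaps dac_override but not sys_admin; a one-line reason for sys_admin, or dropping it if nothing in the PAM stack needs it, would make that grant reviewable. The closing `unconfined_domtrans(cockpit_session_t)` block means the session may leave confinement entirely when the unconfined module is loaded, which deserves a comment stating that this is intended.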
@@ -37316,7 +37317,7 @@ index 0000000..879ab65 +logging_send_syslog_msg(keepalived_t) + +optional_policy(` -+ snmp_read_snmp_var_lib_files(keepalived_t) ++ snmp_manage_var_lib_files(keepalived_t) +') diff --git a/kerberos.fc b/kerberos.fc index 4fe75fd..b029c28 100644 @@ -43460,7 +43461,7 @@ index 0000000..8169129 +') diff --git a/mip6d.te b/mip6d.te new file mode 100644 -index 0000000..1d34063 +index 0000000..0f290e9 --- /dev/null +++ b/mip6d.te @@ -0,0 +1,33 @@ @@ -43483,7 +43484,7 @@ index 0000000..1d34063 +# mip6d local policy +# +allow mip6d_t self:capability { net_admin net_raw }; -+allow mip6d_t self:process { fork signal }; ++allow mip6d_t self:process { setpgid fork signal }; +allow mip6d_t self:netlink_route_socket create_netlink_socket_perms; +allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms; +allow mip6d_t self:rawip_socket create_socket_perms; @@ -45875,7 +45876,7 @@ index 6194b80..7490fe3 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..6c2d2fa 100644 +index 6a306ee..7e2d4fc 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -46744,7 +46745,7 @@ index 6a306ee..6c2d2fa 100644 ') optional_policy(` -@@ -568,108 +602,136 @@ optional_policy(` +@@ -568,108 +602,137 @@ optional_policy(` ') optional_policy(` @@ -46939,6 +46940,7 @@ index 6a306ee..6c2d2fa 100644 +tunable_policy(`mozilla_plugin_use_bluejeans',` + corenet_tcp_bind_unreserved_ports(mozilla_plugin_t) + corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t) ++ corenet_tcp_connect_commplex_main_port(mozilla_plugin_t) ') diff --git a/mpd.fc b/mpd.fc index 313ce52..ae93e07 100644 @@ -66832,7 +66834,7 @@ index 2e23946..d8a163f 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..c6cf897 100644 +index 191a66f..f88edc4 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ 
@@ -67014,9 +67016,8 @@ index 191a66f..c6cf897 100644 -######################################## -# -# Common postfix user domain local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) @@ -67024,8 +67025,9 @@ index 191a66f..c6cf897 100644 -######################################## -# -# Master local policy --# -- ++# Postfix master process local policy + # + -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; @@ -67177,10 +67179,6 @@ index 191a66f..c6cf897 100644 -optional_policy(` - cyrus_stream_connect(postfix_master_t) --') -- --optional_policy(` -- kerberos_keytab_template(postfix, postfix_t) +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + mta_manage_aliases(postfix_master_t) @@ -67188,6 +67186,10 @@ index 191a66f..c6cf897 100644 ') optional_policy(` +- kerberos_keytab_template(postfix, postfix_t) +-') +- +-optional_policy(` - mailman_manage_data_files(postfix_master_t) + cyrus_stream_connect(postfix_master_t) ') @@ -67631,7 +67633,7 @@ index 191a66f..c6cf897 100644 ') optional_policy(` -@@ -720,28 +658,28 @@ optional_policy(` +@@ -720,28 +658,32 @@ optional_policy(` ######################################## # 
@@ -67659,17 +67661,20 @@ index 191a66f..c6cf897 100644 - corecmd_exec_bin(postfix_smtpd_t) --fs_getattr_all_dirs(postfix_smtpd_t) --fs_getattr_all_fs(postfix_smtpd_t) +# for OpenSSL certificates ++ ++# postfix checks the size of all mounted file systems + fs_getattr_all_dirs(postfix_smtpd_t) +-fs_getattr_all_fs(postfix_smtpd_t) -mta_read_aliases(postfix_smtpd_t) -+# postfix checks the size of all mounted file systems -+fs_getattr_all_dirs(postfix_smtpd_t) ++optional_policy(` ++ antivirus_stream_connect(postfix_smtpd_t) ++') optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) -@@ -754,6 +692,7 @@ optional_policy(` +@@ -754,6 +696,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -67677,7 +67682,7 @@ index 191a66f..c6cf897 100644 ') optional_policy(` -@@ -764,31 +703,99 @@ optional_policy(` +@@ -764,31 +707,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -79203,7 +79208,7 @@ index 56bc01f..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..503838b 100644 +index 2c2de9a..a470f79 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -79678,7 +79683,13 @@ index 2c2de9a..503838b 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -253,10 +556,14 @@ dev_rw_dlm_control(gfs_controld_t) + dev_setattr_dlm_control(gfs_controld_t) + dev_rw_sysfs(gfs_controld_t) + ++fs_getattr_all_fs(gfs_controld_t) ++ + storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -79687,7 +79698,7 @@ index 2c2de9a..503838b 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +580,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +582,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) 
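Review bot: On the new side of this hunk `# for OpenSSL certificates` is followed directly by a blank line and then `# postfix checks the size of all mounted file systems`, so the OpenSSL comment no longer sits next to any rule inside the hunk. If the rule it describes is above the hunk, the blank line should go between that rule's group and this comment; otherwise the comment should be dropped or moved beside the rule it explains. The enclosing postfix_smtpd_t block begins and ends outside the hunk.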
@@ -79744,7 +79755,7 @@ index 2c2de9a..503838b 100644 ###################################### # # qdiskd local policy -@@ -321,6 +670,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +672,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -108212,7 +108223,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..73ea90f 100644 +index 46e4cd3..bf87704 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3) @@ -108251,7 +108262,7 @@ index 46e4cd3..73ea90f 100644 type zabbix_log_t; logging_log_file(zabbix_log_t) -@@ -36,27 +41,53 @@ files_tmp_file(zabbix_tmp_t) +@@ -36,27 +41,54 @@ files_tmp_file(zabbix_tmp_t) type zabbix_tmpfs_t; files_tmpfs_file(zabbix_tmpfs_t) @@ -108275,6 +108286,7 @@ index 46e4cd3..73ea90f 100644 +allow zabbix_domain self:unix_stream_socket create_stream_socket_perms; + +kernel_read_all_sysctls(zabbix_domain) ++kernel_read_network_state(zabbix_domain) + +corenet_tcp_sendrecv_generic_if(zabbix_domain) +corenet_tcp_sendrecv_generic_node(zabbix_domain) @@ -108317,7 +108329,7 @@ index 46e4cd3..73ea90f 100644 manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -@@ -70,13 +101,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -70,13 +102,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) kernel_read_system_state(zabbix_t) @@ -108331,7 +108343,7 @@ index 46e4cd3..73ea90f 100644 corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t) -@@ -85,37 +112,30 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) +@@ -85,37 +113,30 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) corenet_sendrecv_http_client_packets(zabbix_t) corenet_tcp_connect_http_port(zabbix_t) corenet_tcp_sendrecv_http_port(zabbix_t) 
@@ -108377,7 +108389,7 @@ index 46e4cd3..73ea90f 100644 ') optional_policy(` -@@ -125,6 +145,7 @@ optional_policy(` +@@ -125,6 +146,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -108385,7 +108397,7 @@ index 46e4cd3..73ea90f 100644 ') ######################################## -@@ -132,18 +153,7 @@ optional_policy(` +@@ -132,18 +154,7 @@ optional_policy(` # Agent local policy # @@ -108405,7 +108417,7 @@ index 46e4cd3..73ea90f 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +161,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +162,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) @@ -108425,7 +108437,7 @@ index 46e4cd3..73ea90f 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -177,21 +184,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +185,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 61fcbb1..4702921 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 178%{?dist} +Release: 179%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -579,6 +579,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jul 23 2014 Lukas Vrabec 3.12.1-179 +- Bluejeans wants to connect to port 5000 +- Allow zabbix domains to access /proc//net/dev +- Dontaudit list /tmp for icecast (#894387) +- Allow postfix_smtpd to stream connect to antivirus (#1105889) +- Allow gfs_controld_t to getattr on all file systems (#1110886) +- Add setpgid process to mip6d +- Allow keepalived manage snmp files(#1053450) +- Allow certmonger to exec ldconfig to make ipa-server-install working. (#1122110) +- Update cockpik policy from cockpit usptream. + * Fri Jul 18 2014 Lukas Vrabec 3.12.1-178 - Add logging_dontaudit_search_audit_logs() - Clean up osad policy. Remove additional interfaces/rules