From 81ece166fc22042ebe3383cadbd2b2abca42e7ae Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 21 2014 10:51:23 +0000 Subject: - allow anaconda to dbus chat with systemd-localed - Add fixes for haproxy based on bperkins@redhat.com - Allow cmirrord to make dmsetup working - Allow NM to execute arping - Allow users to send messages through talk - Add userdom_tmp_role for secadm_t --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index e70b33d..e5e93d4 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -20235,10 +20235,10 @@ index 3a45a3e..7499f24 100644 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index da11120..d67bcca 100644 +index da11120..ece2f7f 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te -@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0) +@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) role secadm_r; @@ -20248,10 +20248,11 @@ index da11120..d67bcca 100644 +userdom_security_admin(secadm_t, secadm_r) +userdom_inherit_append_admin_home_files(secadm_t) +userdom_read_admin_home_files(secadm_t) ++userdom_manage_tmp_role(secadm_r, secadm_t) ######################################## # -@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t) +@@ -30,8 +33,7 @@ mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) auth_role(secadm_r, secadm_t) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index cda26f9..c6a6492 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -2459,7 +2459,7 @@ index 14a61b7..21bbf36 100644 +') + diff --git a/anaconda.te b/anaconda.te -index 6f1384c..4d36f22 100644 +index 6f1384c..f226596 100644 --- a/anaconda.te +++ b/anaconda.te @@ -4,6 +4,10 @@ gen_require(` 
@@ -2499,7 +2499,7 @@ index 6f1384c..4d36f22 100644 optional_policy(` rpm_domtrans(anaconda_t) -@@ -53,3 +66,32 @@ optional_policy(` +@@ -53,3 +66,34 @@ optional_policy(` optional_policy(` unconfined_domain_noaudit(anaconda_t) ') @@ -2511,6 +2511,8 @@ index 6f1384c..4d36f22 100644 + +allow install_t self:capability2 mac_admin; + ++systemd_dbus_chat_localed(install_t) ++ +tunable_policy(`deny_ptrace',`',` + domain_ptrace_all_domains(install_t) +') @@ -12818,7 +12820,7 @@ index cc4e7cb..f348d27 100644 domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/cmirrord.te b/cmirrord.te -index d8e9958..d2303a4 100644 +index d8e9958..e4c023c 100644 --- a/cmirrord.te +++ b/cmirrord.te @@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) @@ -12830,13 +12832,14 @@ index d8e9958..d2303a4 100644 dontaudit cmirrord_t self:capability sys_tty_config; allow cmirrord_t self:process { setfscreate signal }; allow cmirrord_t self:fifo_file rw_fifo_file_perms; -@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) +@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) domain_use_interactive_fds(cmirrord_t) domain_obj_id_change_exemption(cmirrord_t) -files_read_etc_files(cmirrord_t) - storage_create_fixed_disk_dev(cmirrord_t) ++storage_raw_read_fixed_disk(cmirrord_t) +storage_rw_inherited_fixed_disk_dev(cmirrord_t) seutil_read_file_contexts(cmirrord_t) @@ -37299,7 +37302,7 @@ index 19777b8..55d1556 100644 + ') +') diff --git a/ktalk.te b/ktalk.te -index 2cf3815..a43a4f6 100644 +index 2cf3815..36e6eb0 100644 --- a/ktalk.te +++ b/ktalk.te @@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) @@ -37318,7 +37321,7 @@ index 2cf3815..a43a4f6 100644 type ktalkd_tmp_t; files_tmp_file(ktalkd_tmp_t) -@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t) +@@ -35,11 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) kernel_read_network_state(ktalkd_t) 
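Review bot: The new `systemd_dbus_chat_localed(install_t)` is the only cross-module interface call in this part of anaconda.te that is not inside an optional_policy block, unlike `rpm_domtrans(anaconda_t)` and `unconfined_domain_noaudit(anaconda_t)` in the hunk just above; wrap it the same way so the file stays consistent and still links if the systemd interface is ever moved out of the base modules. A one-line why-comment above it would also help, e.g. `# installer talks to localed to set keymap/locale` — I am inferring that purpose from the interface name, so adjust it to the denial that prompted the rule. Note that install_t already holds `capability2 mac_admin` and, unless deny_ptrace is set, ptrace over all domains, so this grant adds little exposure by itself. The install_t block continues past the end of the hunk.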
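Review bot: `storage_raw_read_fixed_disk(cmirrord_t)` grants read on every device labelled fixed_disk_device_t, which is much broader than the `storage_rw_inherited_fixed_disk_dev(cmirrord_t)` already present (that one covers only descriptors the daemon inherits), and the hunk does not say which node dmsetup actually needs. Add a why-comment naming the device, e.g. `# dmsetup: read access to the dm block device nodes` (adjust to the real denial), and check whether the open happens in cmirrord_t itself or in a child that could run in lvm_t through a domain transition instead of widening cmirrord_t. If the original denial was for an inherited descriptor, the inherited interface already in place may be sufficient. I am inferring the use case from the changelog entry "make dmsetup working"; confirm against the AVC.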
@@ -37341,11 +37344,12 @@ index 2cf3815..a43a4f6 100644 auth_use_nsswitch(ktalkd_t) - init_read_utmp(ktalkd_t) +@@ -47,4 +61,4 @@ init_read_utmp(ktalkd_t) logging_send_syslog_msg(ktalkd_t) -- + -miscfiles_read_localization(ktalkd_t) ++userdom_use_user_ptys(ktalkd_t) diff --git a/kudzu.if b/kudzu.if index 5297064..6ba8108 100644 --- a/kudzu.if @@ -50332,7 +50336,7 @@ index 0e8508c..9a7332c 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..f031bc6 100644 +index 0b48a30..5e5d9e7 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -50631,7 +50635,7 @@ index 0b48a30..f031bc6 100644 ') optional_policy(` -@@ -257,11 +296,14 @@ optional_policy(` +@@ -257,15 +296,19 @@ optional_policy(` ') optional_policy(` @@ -50648,7 +50652,12 @@ index 0b48a30..f031bc6 100644 ') optional_policy(` -@@ -274,10 +316,17 @@ optional_policy(` + netutils_exec_ping(NetworkManager_t) ++ netutils_exec(NetworkManager_t) + ') + + optional_policy(` +@@ -274,10 +317,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -50666,7 +50675,7 @@ index 0b48a30..f031bc6 100644 ') optional_policy(` -@@ -289,6 +338,7 @@ optional_policy(` +@@ -289,6 +339,7 @@ optional_policy(` ') optional_policy(` @@ -50674,7 +50683,7 @@ index 0b48a30..f031bc6 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +346,7 @@ optional_policy(` +@@ -296,7 +347,7 @@ optional_policy(` ') optional_policy(` @@ -50683,7 +50692,7 @@ index 0b48a30..f031bc6 100644 ') optional_policy(` -@@ -307,6 +357,7 @@ optional_policy(` +@@ -307,6 +358,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) 
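Review bot: `userdom_use_user_ptys(ktalkd_t)` lets a daemon that services unauthenticated talk requests from the network open and write every user pty type, and the rule carries no comment saying why; that is the classic terminal-write exposure, where attacker-chosen text including escape sequences lands on arbitrary logged-in users' terminals. The access is inherent to how talk announces a call, so if it stays, document it — `# talkd writes the call announcement to the callee's pty (found via utmp)` — and consider putting it behind a tunable_policy boolean so sites that do not want network-triggered terminal writes can switch it off. I am assuming the interface grants open as well as read/write on user_devpts_t, as Fedora's userdom version does; if only inherited-descriptor access is intended, the inherited variant is the narrower choice. The rest of ktalkd_t's rules are outside this hunk.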
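Review bot: `netutils_exec(NetworkManager_t)` executes the target in NetworkManager_t with no domain transition, and the grant is keyed on the netutils_exec_t label rather than on arping, so every binary carrying that label runs with NetworkManager's capabilities — in refpolicy's netutils.fc that label also covers tcpdump and nmap (verify in this tree), while the changelog only asks for arping. If arping does not need NetworkManager's own capabilities or open descriptors, `netutils_domtrans(NetworkManager_t)` confines it in netutils_t instead. If it must stay in-domain, say so next to the rule, e.g. `# arping deliberately runs in NetworkManager_t rather than netutils_t`. The enclosing optional_policy block opens inside the hunk and the NetworkManager_t policy continues beyond it.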
@@ -50691,7 +50700,7 @@ index 0b48a30..f031bc6 100644 ') optional_policy(` -@@ -320,13 +371,19 @@ optional_policy(` +@@ -320,13 +372,19 @@ optional_policy(` ') optional_policy(` @@ -50715,7 +50724,7 @@ index 0b48a30..f031bc6 100644 ') optional_policy(` -@@ -356,6 +413,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +414,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -76011,10 +76020,10 @@ index b418d1c..1ad9c12 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..a7e8263 100644 +index 47de2d6..5ad36aa 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,86 @@ +@@ -1,31 +1,88 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -76073,6 +76082,8 @@ index 47de2d6..a7e8263 100644 +/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) +/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0) ++/var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) ++/var/run/haproxy\.sock.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + +# cluster administrative domains file spec @@ -76887,7 +76898,7 @@ index 56bc01f..1337d42 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..881a1a9 100644 +index 2c2de9a..4fd3b77 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) 
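Review bot: Both new rhcs.fc entries, `/var/run/haproxy\.stat.*` and `/var/run/haproxy\.sock.*`, use the `--` type field, which matches regular files only; the haproxy stats/admin socket those names refer to is a Unix socket, so restorecon skips it and these lines never take effect. Use `-s` (or drop the type field) on both, e.g. `/var/run/haproxy\.stat.* -s gen_context(system_u:object_r:haproxy_var_run_t,s0)` and the same for `\.sock.*`. Also check that haproxy_t has a sock_file filetrans or manage rule for haproxy_var_run_t so the socket gets this label when created at runtime rather than only after a relabel; that rule is not in this hunk.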
@@ -77371,7 +77382,7 @@ index 2c2de9a..881a1a9 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +580,50 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -77387,13 +77398,14 @@ index 2c2de9a..881a1a9 100644 +# + +# bug in haproxy and process vs pid owner -+allow haproxy_t self:capability dac_override; ++allow haproxy_t self:capability { dac_override kill }; + +allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource }; +allow haproxy_t self:process { fork setrlimit signal_perms }; +allow haproxy_t self:fifo_file rw_fifo_file_perms; +allow haproxy_t self:unix_stream_socket create_stream_socket_perms; -+allow haproxy_t self:tcp_socket { accept listen }; ++allow haproxy_t self:tcp_socket create_stream_socket_perms; ++allow haproxy_t self: udp_socket create_socket_perms; + +manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) +manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) @@ -77401,6 +77413,8 @@ index 2c2de9a..881a1a9 100644 +manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) +files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file }) + ++corenet_sendrecv_unlabeled_packets(haproxy_t) ++ +corenet_tcp_connect_commplex_link_port(haproxy_t) +corenet_tcp_connect_commplex_main_port(haproxy_t) +corenet_tcp_bind_commplex_main_port(haproxy_t) @@ -77424,7 +77438,7 @@ index 2c2de9a..881a1a9 100644 ###################################### # # qdiskd local policy -@@ -321,6 +666,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 0c0b04a..67c36ce 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
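Review bot: The hunk leaves haproxy_t with two back-to-back `self:capability` rules, `{ dac_override kill }` and `{ chown setgid setuid sys_chroot sys_resource }`, and the comment "bug in haproxy and process vs pid owner" above the first now sits over kill as well although it was written for dac_override. Merge them into one sorted rule, `allow haproxy_t self:capability { chown dac_override kill setgid setuid sys_chroot sys_resource };`, with a comment that explains each special grant, e.g. `# dac_override: pid-file owner bug in haproxy; kill: <reason from the AVC>`. The new `allow haproxy_t self: udp_socket create_socket_perms;` has a stray space after the colon; checkpolicy appears to tolerate it, but every other rule in the block writes `self:udp_socket`, so fix it for consistency and grep-ability. CAP_KILL lets the process signal processes it does not own, but SELinux still restricts that by target type; only `self:process signal_perms` is visible here, so anything broader would be outside this hunk.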
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 143%{?dist} +Release: 144%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Mar 21 2014 Miroslav Grepl 3.12.1-144 +- allow anaconda to dbus chat with systemd-localed +- Add fixes for haproxy based on bperkins@redhat.com +- Allow cmirrord to make dmsetup working +- Allow NM to execute arping +- Allow users to send messages through talk +- Add userdom_tmp_role for secadm_t + * Thu Mar 20 2014 Lukas Vrabec 3.12.1-143 - Add additional fixes for rtas_errd - Fix transitions for tmp/tmpfs in rtas.te