From 9496e85c36d0e81ca3968814875299cdcf0a76e4 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Dec 05 2016 15:38:35 +0000 Subject: * Mon Dec 05 2016 Lukas Vrabec 3.13.1-191.23 - Fix some boolean descriptions. - Allow puppetagent_t to access timedated dbus - Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) - Allow systemd to read efivarfs. Resolve: #121 - Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774) - Add interface dev_manage_sysfs() - Allow systemd create /dev/log in own mount-namespace. BZ(1383867) - Add interface fs_dontaudit_getattr_nsfs_files() --- diff --git a/container-selinux.tgz b/container-selinux.tgz index c210bdc..17b17f6 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 45f6191..7152b78 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -37584,7 +37584,7 @@ index 79a45f6..d4f6066 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..ead65a8 100644 +index 17eda24..f069468 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37810,12 +37810,14 @@ index 17eda24..ead65a8 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +257,69 @@ fs_list_inotifyfs(init_t) +@@ -154,30 +256,71 @@ files_dontaudit_rw_root_chr_files(init_t) + fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) - -+fstools_getattr_swap_files(init_t) ++fs_read_efivarfs_files(init_t) + ++fstools_getattr_swap_files(init_t) + mcs_process_set_categories(init_t) -mcs_killall(init_t) 
@@ -37885,7 +37887,7 @@ index 17eda24..ead65a8 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +328,269 @@ ifdef(`distro_gentoo',` +@@ -186,29 +329,269 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -38164,7 +38166,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -216,7 +598,30 @@ optional_policy(` +@@ -216,7 +599,30 @@ optional_policy(` ') optional_policy(` @@ -38196,7 +38198,7 @@ index 17eda24..ead65a8 100644 ') ######################################## -@@ -225,9 +630,9 @@ optional_policy(` +@@ -225,9 +631,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38208,7 +38210,7 @@ index 17eda24..ead65a8 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +663,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +664,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38225,7 +38227,7 @@ index 17eda24..ead65a8 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +688,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +689,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38268,7 +38270,7 @@ index 17eda24..ead65a8 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +725,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +726,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
@@ -38280,7 +38282,7 @@ index 17eda24..ead65a8 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +737,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +738,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -38291,7 +38293,7 @@ index 17eda24..ead65a8 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +748,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +749,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38301,7 +38303,7 @@ index 17eda24..ead65a8 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +757,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +758,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38309,7 +38311,7 @@ index 17eda24..ead65a8 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +764,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +765,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38317,7 +38319,7 @@ index 17eda24..ead65a8 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +772,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +773,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -38335,7 +38337,7 @@ index 17eda24..ead65a8 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +790,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +791,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38349,7 +38351,7 @@ index 17eda24..ead65a8 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +805,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +806,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38363,7 +38365,7 @@ index 17eda24..ead65a8 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +818,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +819,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38374,7 +38376,7 @@ index 17eda24..ead65a8 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +831,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +832,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38382,7 +38384,7 @@ index 17eda24..ead65a8 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +850,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +851,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38406,7 +38408,7 @@ index 17eda24..ead65a8 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +883,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +884,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) 
@@ -38414,7 +38416,7 @@ index 17eda24..ead65a8 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +917,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +918,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -38425,7 +38427,7 @@ index 17eda24..ead65a8 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +941,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +942,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38434,7 +38436,7 @@ index 17eda24..ead65a8 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +956,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +957,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38442,7 +38444,7 @@ index 17eda24..ead65a8 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +977,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +978,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38450,7 +38452,7 @@ index 17eda24..ead65a8 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +987,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +988,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38495,7 +38497,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -559,14 +1032,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1033,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38527,7 +38529,7 @@ index 17eda24..ead65a8 100644 ') ') -@@ -577,6 +1067,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1068,39 @@ ifdef(`distro_suse',` ') ') 
@@ -38567,7 +38569,7 @@ index 17eda24..ead65a8 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1112,8 @@ optional_policy(` +@@ -589,6 +1113,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -38576,7 +38578,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -610,6 +1135,7 @@ optional_policy(` +@@ -610,6 +1136,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38584,7 +38586,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -626,6 +1152,17 @@ optional_policy(` +@@ -626,6 +1153,17 @@ optional_policy(` ') optional_policy(` @@ -38602,7 +38604,7 @@ index 17eda24..ead65a8 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1179,13 @@ optional_policy(` +@@ -642,9 +1180,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38616,7 +38618,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -657,15 +1198,11 @@ optional_policy(` +@@ -657,15 +1199,11 @@ optional_policy(` ') optional_policy(` @@ -38634,7 +38636,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -686,6 +1223,15 @@ optional_policy(` +@@ -686,6 +1224,15 @@ optional_policy(` ') optional_policy(` @@ -38650,7 +38652,7 @@ index 17eda24..ead65a8 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1272,7 @@ optional_policy(` +@@ -726,6 +1273,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38658,7 +38660,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -743,7 +1290,13 @@ optional_policy(` +@@ -743,7 +1291,13 @@ optional_policy(` ') optional_policy(` @@ -38673,7 +38675,7 @@ index 17eda24..ead65a8 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1319,10 @@ optional_policy(` +@@ -766,6 +1320,10 @@ optional_policy(` ') optional_policy(` 
@@ -38684,7 +38686,7 @@ index 17eda24..ead65a8 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1332,20 @@ optional_policy(` +@@ -775,10 +1333,20 @@ optional_policy(` ') optional_policy(` @@ -38705,7 +38707,7 @@ index 17eda24..ead65a8 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1354,10 @@ optional_policy(` +@@ -787,6 +1355,10 @@ optional_policy(` ') optional_policy(` @@ -38716,7 +38718,7 @@ index 17eda24..ead65a8 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1379,6 @@ optional_policy(` +@@ -808,8 +1380,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38725,7 +38727,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -818,6 +1387,10 @@ optional_policy(` +@@ -818,6 +1388,10 @@ optional_policy(` ') optional_policy(` @@ -38736,7 +38738,7 @@ index 17eda24..ead65a8 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1400,12 @@ optional_policy(` +@@ -827,10 +1401,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38749,7 +38751,7 @@ index 17eda24..ead65a8 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1432,60 @@ optional_policy(` +@@ -857,21 +1433,60 @@ optional_policy(` ') optional_policy(` @@ -38811,7 +38813,7 @@ index 17eda24..ead65a8 100644 ') optional_policy(` -@@ -887,6 +1501,10 @@ optional_policy(` +@@ -887,6 +1502,10 @@ optional_policy(` ') optional_policy(` @@ -38822,7 +38824,7 @@ index 17eda24..ead65a8 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1515,218 @@ optional_policy(` +@@ -897,3 +1516,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -41023,7 +41025,7 @@ index b50c5fe..9eacd9b 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..31be8ac 100644 +index 4e94884..0690edf 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -41113,7 +41115,7 @@ index 4e94884..31be8ac 100644 ######################################## ## ## Send system log messages. -@@ -530,22 +592,106 @@ interface(`logging_log_filetrans',` +@@ -530,22 +592,107 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` @@ -41140,6 +41142,7 @@ index 4e94884..31be8ac 100644 + ') + + allow $1 devlog_t:lnk_file manage_lnk_file_perms; ++ allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, lnk_file, "log") + init_pid_filetrans($1, devlog_t, sock_file, "syslog") + logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log") @@ -41232,7 +41235,7 @@ index 4e94884..31be8ac 100644 ') ######################################## -@@ -571,6 +717,25 @@ interface(`logging_read_audit_config',` +@@ -571,6 +718,25 @@ interface(`logging_read_audit_config',` ######################################## ## @@ -41258,7 +41261,7 @@ index 4e94884..31be8ac 100644 ## dontaudit search of auditd configuration files. ## ## -@@ -609,6 +774,25 @@ interface(`logging_read_syslog_config',` +@@ -609,6 +775,25 @@ interface(`logging_read_syslog_config',` ######################################## ## @@ -41284,7 +41287,7 @@ index 4e94884..31be8ac 100644 ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -@@ -722,6 +906,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -722,6 +907,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') 
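Review bot: `allow $1 devlog_t:sock_file manage_sock_file_perms;` added inside logging_create_devlog_dev() gives every caller of the interface more than the "create dev-log" the interface name and changelog describe: in refpolicy's permission sets, manage_sock_file_perms also covers unlink, rename and setattr (and read/write, if I recall the set correctly) on any devlog_t socket file, not only the dev-log named in the filetrans rules that follow. If the caller only needs to create and later replace the socket, `allow $1 devlog_t:sock_file { create setattr unlink };` would be the narrower grant; if manage really is required, the interface's summary block (outside this hunk) should state that the domain manages devlog_t socket files, so other callers do not pick up the wider permission unknowingly. The interface's callers are not visible here, so whether all of them need this is inferred rather than confirmed, and the interface body continues outside the hunk.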
@@ -41310,7 +41313,7 @@ index 4e94884..31be8ac 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +979,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +980,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -41337,7 +41340,7 @@ index 4e94884..31be8ac 100644 ') ######################################## -@@ -859,7 +1080,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1081,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -41346,7 +41349,7 @@ index 4e94884..31be8ac 100644 ') ######################################## -@@ -885,6 +1106,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1107,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -41391,7 +41394,7 @@ index 4e94884..31be8ac 100644 ## Write generic log files. ## ## -@@ -905,6 +1164,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1165,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -41416,7 +41419,7 @@ index 4e94884..31be8ac 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1261,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1262,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -41434,7 +41437,7 @@ index 4e94884..31be8ac 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1286,55 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1287,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; 
@@ -41490,7 +41493,7 @@ index 4e94884..31be8ac 100644 ') ######################################## -@@ -1032,10 +1363,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1364,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -41508,7 +41511,7 @@ index 4e94884..31be8ac 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1393,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1394,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -41517,7 +41520,7 @@ index 4e94884..31be8ac 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1423,90 @@ interface(`logging_admin',` +@@ -1085,3 +1424,90 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index c7e47f4..a1302f3 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -3203,7 +3203,7 @@ index 0000000..36251b9 +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..d8b04b5 +index 0000000..6bd2eb9 --- /dev/null +++ b/antivirus.te @@ -0,0 +1,273 @@ @@ -3223,7 +3223,7 @@ index 0000000..d8b04b5 + +## +##

-+## Determine whether can antivirus programs use JIT compiler. ++## Determine whether antivirus programs can use JIT compiler. +##

+##
+gen_tunable(antivirus_use_jit, false) @@ -14188,9 +14188,18 @@ index 4cc4a5c..a6c6322 100644 + ') diff --git a/clamav.te b/clamav.te -index ce3836a..94aa8a6 100644 +index ce3836a..8dc2b45 100644 --- a/clamav.te +++ b/clamav.te +@@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false) + + ## + ##

+-## Determine whether can clamd use JIT compiler. ++## Determine whether clamd can use JIT compiler. + ##

+ ##
+ gen_tunable(clamd_use_jit, false) @@ -38,6 +38,9 @@ files_config_file(clamd_etc_t) type clamd_initrc_exec_t; init_script_file(clamd_initrc_exec_t) @@ -79644,7 +79653,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..9f36ed5 100644 +index 618dcfe..bba4a3e 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -80117,7 +80126,7 @@ index 618dcfe..9f36ed5 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +342,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +342,32 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -80145,6 +80154,7 @@ index 618dcfe..9f36ed5 100644 optional_policy(` - mysql_stream_connect(puppetmaster_t) ++ systemd_dbus_chat_timedated(puppetagent_t) + systemd_dbus_chat_timedated(puppetmaster_t) ') @@ -80154,7 +80164,7 @@ index 618dcfe..9f36ed5 100644 ') optional_policy(` -@@ -342,3 +375,9 @@ optional_policy(` +@@ -342,3 +376,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 5b94327..9f4c5e1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.22%{?dist} +Release: 191.23%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -672,6 +672,16 @@ exit 0 %endif %changelog +* Mon Dec 05 2016 Lukas Vrabec 3.13.1-191.23 +- Fix some boolean descriptions. +- Allow puppetagent_t to access timedated dbus +- Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) +- Allow systemd to read efivarfs. Resolve: #121 +- Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774) +- Add interface dev_manage_sysfs() +- Allow systemd create /dev/log in own mount-namespace. BZ(1383867) +- Add interface fs_dontaudit_getattr_nsfs_files() + * Tue Nov 29 2016 Lukas Vrabec 3.13.1-191.22 - Dontaudit logrotate_t to getattr nsfs_t BZ(1399081) - Allow pmie daemon to send signal pcmd daemon BZ(1398078)