From 98069472112a54f41324f7fc6f8826f72ec97c5d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 27 2014 20:51:01 +0000 Subject: - Allow swift to connect to keystone and memcache ports - If we can create a socket we need to be able to set the attributes --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 300776f..add160b 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -48981,7 +48981,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..018d0a6 100644 +index 6e91317..8fc985f 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -49043,16 +49043,18 @@ index 6e91317..018d0a6 100644 define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }') +@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') -define(`rw_sock_file_perms',`{ getattr open read write append }') +-define(`create_sock_file_perms',`{ getattr create open }') +define(`rw_inherited_sock_file_perms',`{ getattr read write append }') +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }') - define(`create_sock_file_perms',`{ getattr create open }') ++define(`create_sock_file_perms',`{ getattr setattr create open }') define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') + define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') 
@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 226276e..e57b279 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -75302,18 +75302,20 @@ index 3698b51..12f5c46 100644 -miscfiles_read_localization(rabbitmq_epmd_t) diff --git a/radius.fc b/radius.fc -index c84b7ae..29c453e 100644 +index c84b7ae..4125f6d 100644 --- a/radius.fc +++ b/radius.fc -@@ -9,6 +9,8 @@ +@@ -9,7 +9,9 @@ /usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0) /usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0) +-/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) +/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0) + - /var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) ++/var/lib/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0) /var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) + /var/log/radacct(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0) diff --git a/radius.if b/radius.if index 4460582..60cf556 100644 --- a/radius.if @@ -95574,10 +95576,10 @@ index 0000000..6a1f575 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..3d21c49 +index 0000000..43a0495 --- /dev/null +++ b/swift.te -@@ -0,0 +1,126 @@ +@@ -0,0 +1,128 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -95670,6 +95672,8 @@ index 0000000..3d21c49 + +corenet_tcp_connect_xserver_port(swift_t) +corenet_tcp_connect_swift_port(swift_t) ++corenet_tcp_connect_keystone_port(swift_t) ++corenet_tcp_connect_memcache_port(swift_t) + +corecmd_exec_shell(swift_t) +corecmd_exec_bin(swift_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 88856be..f5087c9 100644 
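Review bot: Adding `setattr` to `create_sock_file_perms` in policy/support/obj_perm_sets.spt widens every rule that expands this macro, not only the domain that triggered the change, so every existing caller now also gets attribute changes on sock_file objects. The neighbouring `create_fifo_file_perms` in the same hunk stays `{ getattr create open }`, so the create_* permission sets are no longer parallel, and nothing on the define records why. I would put a comment directly above it, for example `# setattr is included: a domain that creates a socket file must also be able to set its attributes`. If only a few domains need this, granting the existing `setattr_sock_file_perms` in their interfaces would keep the shared set narrow. Comparing `sesearch -A -c sock_file -p setattr` output on the built policy before and after the change would show exactly which domains gained the permission. The inner obj_perm_sets.spt hunk continues outside the lines shown here.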
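Review bot: The added `corenet_tcp_connect_keystone_port(swift_t)` and `corenet_tcp_connect_memcache_port(swift_t)` lines in swift.te grant both outbound connects to the whole swift_t domain unconditionally, and no comment says which swift function needs them. A short comment above the pair, such as `# auth token validation via keystone, token caching via memcached`, would let a later reader decide whether the rules are still required. That wording is presumed from the commit subject and should be confirmed against the AVC denials that prompted the change. The swift.te policy body continues outside this hunk, so whether these connects could sit behind an existing tunable cannot be judged from here.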
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 174%{?dist} +Release: 175%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jun 26 2014 Miroslav Grepl 3.12.1-175 +- Allow swift to connect to keystone and memcache ports +- If we can create a socket we need to be able to set the attributes + * Fri Jun 26 2014 Miroslav Grepl 3.12.1-174 - Add openstack-cinder policy - Add additional fixes for OpenStack