From a05fd1c930a6625b77d45a8b9ac89292a1b8d904 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 11 2014 12:28:15 +0000 Subject: - Allow unpriv SELinux users to dbus chat with firewalld - Add lvm_write_metadata() - Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type - Allow pegasus_openlmi_storage_t to write lvm metadata - Add hide_broken_symptoms for kdumpgui because of systemd bug - Make kdumpgui_t as unconfined domain - Allow docker to connect to tcp/5000 --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 883486b..93d3bb1 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -6026,7 +6026,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..341e29c 100644 +index b31c054..7991715 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6068,17 +6068,19 @@ index b31c054..341e29c 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +123,9 @@ +@@ -118,6 +123,11 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') +/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +137,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +139,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6093,7 +6095,7 @@ index b31c054..341e29c 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -172,6 +182,8 @@ ifdef(`distro_suse', ` +@@ -172,6 +184,8 @@ ifdef(`distro_suse', ` /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -6102,7 +6104,7 @@ index b31c054..341e29c 100644 /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -198,12 +210,22 @@ ifdef(`distro_debian',` +@@ -198,12 +212,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -9381,7 +9383,7 @@ index cf04cb5..1abe365 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..2282452 100644 +index c2c6e05..3ef5eb5 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9436,7 +9438,7 @@ index c2c6e05..2282452 100644 +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) -+/etc/yum\.repos\.d/redhat\.repo -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) @@ -22302,7 +22304,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index cdfddf4..e53ec1a 100644 +index cdfddf4..fa6dc70 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -22310,7 +22312,7 @@ index cdfddf4..e53ec1a 100644 +## +##

-+## Allow unprivledged user to create and transition to svirt domains. ++## Allow unprivileged user to create and transition to svirt domains. +##

+## +gen_tunable(unprivuser_use_svirt, false) @@ -35486,10 +35488,10 @@ index 879bb1e..633e449 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..4e8728f 100644 +index 58bc27f..f887230 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if -@@ -86,6 +86,28 @@ interface(`lvm_read_config',` +@@ -86,6 +86,50 @@ interface(`lvm_read_config',` ######################################## ## @@ -35515,10 +35517,32 @@ index 58bc27f..4e8728f 100644 + +######################################## +## ++## Read LVM configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`lvm_write_metadata',` ++ gen_require(` ++ type lvm_etc_t; ++ type lvm_metadata_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 lvm_etc_t:dir list_dir_perms; ++ write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) ++') ++ ++######################################## ++## ## Manage LVM configuration files. ## ## -@@ -123,3 +145,113 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +167,113 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -43377,7 +43401,7 @@ index db75976..e4eb903 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..519b132 100644 +index 3c5dba7..8d7c4a7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -44055,7 +44079,7 @@ index 3c5dba7..519b132 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +726,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +726,124 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -44150,6 +44174,10 @@ index 3c5dba7..519b132 100644 + evolution_alarm_dbus_chat($1_usertype) + ') + ++ optional_policy(` ++ firewalld_dbus_chat($1_usertype) ++ ') ++ + optional_policy(` + gnome_dbus_chat_gconfdefault($1_usertype) + ') @@ -44214,7 +44242,7 @@ index 3c5dba7..519b132 100644 ') optional_policy(` -@@ -642,23 +849,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +853,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -44243,7 +44271,7 @@ index 3c5dba7..519b132 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +876,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +880,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -44252,7 +44280,7 @@ index 3c5dba7..519b132 100644 ') optional_policy(` -@@ -680,9 +885,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +889,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -44265,7 +44293,7 @@ index 3c5dba7..519b132 100644 ') ') -@@ -693,32 +898,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +902,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -44275,27 +44303,31 @@ index 3c5dba7..519b132 100644 + + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ seunshare_role_template($1, $1_r, $1_t) ++ slrnpull_search_spool($1_usertype) ') optional_policy(` @@ -44304,15 +44336,11 @@ index 3c5dba7..519b132 100644 - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") - virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") -+ slrnpull_search_spool($1_usertype) -+ ') -+ -+ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -743,17 +951,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +955,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -44329,9 +44357,7 @@ index 3c5dba7..519b132 100644 - userdom_manage_tmpfs_role($1_r, $1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) + @@ -44342,7 +44368,9 @@ index 3c5dba7..519b132 100644 + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -44350,7 +44378,7 @@ index 3c5dba7..519b132 100644 userdom_change_password_template($1) -@@ -761,83 +985,107 @@ template(`userdom_login_user_template', ` +@@ -761,83 +989,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -44439,62 +44467,62 @@ index 3c5dba7..519b132 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ + +- seutil_read_config($1_t) + seutil_read_config($1_usertype) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) -- seutil_read_config($1_t) -+ optional_policy(` -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) -+ ') -+ -+ optional_policy(` -+ kerberos_use($1_usertype) -+ init_write_key($1_usertype) -+ ') -+ -+ optional_policy(` -+ mysql_filetrans_named_content($1_usertype) -+ ') - optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ kerberos_use($1_usertype) ++ init_write_key($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ mysql_filetrans_named_content($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ oddjob_run_mkhomedir($1_t, $1_r) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ wine_filetrans_named_content($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') + ++ optional_policy(` ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ++ ') ++ ++ optional_policy(` ++ oddjob_run_mkhomedir($1_t, $1_r) ++ ') ++ ++ optional_policy(` ++ wine_filetrans_named_content($1_usertype) ++ ') ++ ') ####################################### -@@ -868,6 +1116,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1120,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -44507,7 +44535,7 @@ index 3c5dba7..519b132 100644 ############################## # # Local policy -@@ -907,42 +1161,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1165,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -44587,40 +44615,40 @@ index 3c5dba7..519b132 100644 + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') ++ ++ optional_policy(` ++ accountsd_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ consolekit_dontaudit_read_log($1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ++ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ accountsd_dbus_chat($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ consolekit_dontaudit_read_log($1_usertype) -+ consolekit_dbus_chat($1_usertype) ++ fprintd_dbus_chat($1_t) ') optional_policy(` - gnome_role_template($1, $1_r, $1_t) -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ ') -+ -+ optional_policy(` -+ fprintd_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` + realmd_dbus_chat($1_t) ') optional_policy(` -@@ -951,19 +1262,40 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,18 +1266,39 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -44639,7 +44667,6 @@ index 3c5dba7..519b132 100644 -## -## The template for creating a unprivileged user roughly -## equivalent to a regular linux user. --## + optional_policy(` + rtkit_scheduled($1_usertype) + ') @@ -44665,11 +44692,10 @@ index 3c5dba7..519b132 100644 +## +## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. -+## + ## ## ##

- ## The template for creating a unprivileged user roughly -@@ -990,27 +1322,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1326,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -44707,7 +44733,7 @@ index 3c5dba7..519b132 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1359,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1363,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -44733,11 +44759,9 @@ index 3c5dba7..519b132 100644 + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cdrecord_role($1_r, $1_t) + ') + @@ -44766,9 +44790,11 @@ index 3c5dba7..519b132 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + wine_role_template($1, $1_r, $1_t) + ') + @@ -44778,7 +44804,7 @@ index 3c5dba7..519b132 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1421,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1425,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -44789,7 +44815,7 @@ index 3c5dba7..519b132 100644 ') ') -@@ -1082,7 +1459,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1463,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -44800,7 +44826,7 @@ index 3c5dba7..519b132 100644 ') ############################## -@@ -1098,6 +1477,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1481,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -44808,7 +44834,7 @@ index 3c5dba7..519b132 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1108,14 +1488,8 @@ template(`userdom_admin_user_template',` +@@ -1108,14 +1492,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -44825,7 +44851,7 @@ index 3c5dba7..519b132 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -44833,7 +44859,7 @@ index 3c5dba7..519b132 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -44848,7 +44874,7 @@ index 3c5dba7..519b132 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -44891,7 +44917,7 @@ index 3c5dba7..519b132 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -44900,7 +44926,7 @@ index 3c5dba7..519b132 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -44919,7 +44945,7 @@ index 3c5dba7..519b132 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1243,7 +1637,7 @@ template(`userdom_admin_user_template',` +@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',` ##

## # @@ -44928,7 +44954,7 @@ index 3c5dba7..519b132 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1253,6 +1647,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -44937,7 +44963,7 @@ index 3c5dba7..519b132 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1661,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -44949,7 +44975,7 @@ index 3c5dba7..519b132 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1675,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -44992,7 +45018,7 @@ index 3c5dba7..519b132 100644 ') optional_policy(` -@@ -1360,14 +1760,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -45011,7 +45037,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -1408,6 +1811,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -45063,7 +45089,7 @@ index 3c5dba7..519b132 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1960,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -45095,7 +45121,7 @@ index 3c5dba7..519b132 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +2026,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -45110,7 +45136,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -1573,9 +2049,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -45122,7 +45148,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -1632,6 +2110,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -45165,7 +45191,7 @@ index 3c5dba7..519b132 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2225,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -45174,7 +45200,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -1744,10 +2260,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -45189,7 +45215,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -1772,7 +2290,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -45216,7 +45242,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -1782,53 +2318,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -45299,7 +45325,7 @@ index 3c5dba7..519b132 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2401,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -45325,7 +45351,7 @@ index 3c5dba7..519b132 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2450,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -45363,7 +45389,7 @@ index 3c5dba7..519b132 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2490,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -45381,7 +45407,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -1941,7 +2538,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -45390,7 +45416,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -1949,19 +2546,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -45414,7 +45440,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -1969,17 +2564,71 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,21 +2568,75 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -45433,9 +45459,10 @@ index 3c5dba7..519b132 100644 ## -## Do not audit attempts to write user home files. +## Delete sock files in a user home subdirectory. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. +## +## @@ -45487,10 +45514,14 @@ index 3c5dba7..519b132 100644 +######################################## +## +## Do not audit attempts to write user home files. - ## - ## - ## -@@ -2010,8 +2659,7 @@ interface(`userdom_read_user_home_content_symlinks',` ++## ++## ++## ++## Domain to not audit. + ## + ## + # +@@ -2010,8 +2663,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -45500,7 +45531,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -2027,20 +2675,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2679,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -45525,7 +45556,7 @@ index 3c5dba7..519b132 100644 ######################################## ## -@@ -2123,7 +2765,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -45534,7 +45565,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -2131,19 +2773,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -45558,7 +45589,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -2151,12 +2791,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -45574,7 +45605,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -2393,11 +3033,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -45589,7 +45620,7 @@ index 3c5dba7..519b132 100644 files_search_tmp($1) ') -@@ -2417,7 +3057,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -45598,7 +45629,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -2664,6 +3304,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -45624,7 +45655,7 @@ index 3c5dba7..519b132 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3339,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -45640,7 +45671,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -2707,7 +3367,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -45649,7 +45680,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -2715,14 +3375,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -45684,7 +45715,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -2817,6 +3493,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -45709,7 +45740,7 @@ index 3c5dba7..519b132 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3529,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -45752,7 +45783,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -2859,14 +3565,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -45790,7 +45821,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -2885,8 +3610,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -45820,7 +45851,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -2958,69 +3702,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -45921,7 +45952,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -3028,12 +3771,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -45936,7 +45967,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -3097,7 +3840,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -45945,7 +45976,7 @@ index 3c5dba7..519b132 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3856,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -45979,7 +46010,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -3217,7 +3944,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -46006,7 +46037,7 @@ index 3c5dba7..519b132 100644 ') ######################################## -@@ -3272,12 +4017,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -46022,7 +46053,7 @@ index 3c5dba7..519b132 100644 ## ## ## -@@ -3285,44 +4031,120 @@ interface(`userdom_write_user_tmp_files',` +@@ -3285,40 +4035,116 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -46072,10 +46103,9 @@ index 3c5dba7..519b132 100644 ## -## Domain allowed access. +## Domain to not audit. - ## - ## - # --interface(`userdom_getattr_all_users',` ++## ++## ++# +interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` + type user_tmp_t; @@ -46148,14 +46178,10 @@ index 3c5dba7..519b132 100644 +## +## +## Domain allowed access. -+## -+## -+# -+interface(`userdom_getattr_all_users',` - gen_require(` - attribute userdomain; - ') -@@ -3385,6 +4207,42 @@ interface(`userdom_signal_all_users',` + ## + ## + # +@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -46198,7 +46224,7 @@ index 3c5dba7..519b132 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4263,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -46223,7 +46249,7 @@ index 3c5dba7..519b132 100644 ## Create keys for all user domains. ## ## -@@ -3423,6 +4299,24 @@ interface(`userdom_create_all_users_keys',` +@@ -3423,6 +4303,24 @@ interface(`userdom_create_all_users_keys',` ######################################## ## @@ -46248,7 +46274,7 @@ index 3c5dba7..519b132 100644 ## Send a dbus message to all user domains. ## ## -@@ -3438,4 +4332,1661 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4336,1661 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index d9019a5..fc86af6 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -23290,10 +23290,10 @@ index 0000000..cc6846a +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..c93feb8 +index 0000000..78644fe --- /dev/null +++ b/docker.te -@@ -0,0 +1,244 @@ +@@ -0,0 +1,245 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23302,7 +23302,7 @@ index 0000000..c93feb8 +# +## +##

-+## Allow docker to transition to unconfined conateiners ++## Allow docker to transition to unconfined containers. +##

+## +gen_tunable(docker_transition_unconfined, false) @@ -23411,6 +23411,7 @@ index 0000000..c93feb8 +corenet_tcp_sendrecv_generic_port(docker_t) +corenet_tcp_bind_all_ports(docker_t) +corenet_tcp_connect_http_port(docker_t) ++corenet_tcp_connect_commplex_main_port(docker_t) +corenet_udp_sendrecv_generic_if(docker_t) +corenet_udp_sendrecv_generic_node(docker_t) +corenet_udp_sendrecv_all_ports(docker_t) @@ -35042,7 +35043,7 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..8c75bc8 100644 +index e7f5c81..12ff296 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,83 +1,92 @@ @@ -35158,7 +35159,7 @@ index e7f5c81..8c75bc8 100644 ') optional_policy(` -@@ -87,4 +96,10 @@ optional_policy(` +@@ -87,4 +96,24 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -35168,6 +35169,20 @@ index e7f5c81..8c75bc8 100644 + +optional_policy(` + policykit_dbus_chat(kdumpgui_t) ++') ++ ++optional_policy(` ++ ifdef(`hide_broken_symptoms',` ++ # systemd bug ++ init_enable_services(kdumpgui_t) ++ init_disable_services(kdumpgui_t) ++ init_reload_services(kdumpgui_t) ++ ') ++') ++ ++ ++optional_policy(` ++ unconfined_domain(kdumpgui_t) ') diff --git a/keepalived.fc b/keepalived.fc new file mode 100644 @@ -58991,10 +59006,10 @@ index 0000000..ba24b40 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..fc9dd48 +index 0000000..78672af --- /dev/null +++ b/pcp.te -@@ -0,0 +1,215 @@ +@@ -0,0 +1,232 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -59002,6 +59017,13 @@ index 0000000..fc9dd48 +# Declarations +# + ++## ++##

++## Allow pcp to bind to all unreserved_ports ++##

++## ++gen_tunable(pcp_bind_all_unreserved_ports, false) ++ +attribute pcp_domain; + +pcp_domain_template(pmcd) @@ -59071,6 +59093,7 @@ index 0000000..fc9dd48 + +sysnet_read_config(pcp_domain) + ++ +######################################## +# +# pcp_pmcd local policy @@ -59094,8 +59117,6 @@ index 0000000..fc9dd48 +corenet_tcp_bind_amqp_port(pcp_pmcd_t) +corenet_tcp_connect_amqp_port(pcp_pmcd_t) + -+dev_read_sysfs(pcp_pmcd_t) -+ +domain_read_all_domains_state(pcp_pmcd_t) +domain_getattr_all_domains(pcp_pmcd_t) + @@ -59117,6 +59138,11 @@ index 0000000..fc9dd48 + +userdom_read_user_tmp_files(pcp_pmcd_t) + ++tunable_policy(`pcp_bind_all_unreserved_ports',` ++ corenet_sendrecv_all_server_packets(pcp_pmcd_t) ++ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t) ++') ++ +optional_policy(` + dbus_system_bus_client(pcp_pmcd_t) + @@ -59204,12 +59230,18 @@ index 0000000..fc9dd48 + +allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto; + ++corenet_tcp_bind_generic_node(pcp_pmlogger_t) +corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t) +corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t) -+corenet_tcp_bind_generic_node(pcp_pmlogger_t) ++corenet_tcp_bind_amqp_port(pcp_pmlogger_t) + +corenet_tcp_connect_all_ephemeral_ports(pcp_pmlogger_t) + ++tunable_policy(`pcp_bind_all_unreserved_ports',` ++ corenet_sendrecv_all_server_packets(pcp_pmlogger_t) ++ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t) ++') ++ diff --git a/pcscd.if b/pcscd.if index 43d50f9..7f77d32 100644 --- a/pcscd.if @@ -59444,7 +59476,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..8ad2a04 100644 +index 7bcf327..230c9af 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -59468,7 +59500,7 @@ index 7bcf327..8ad2a04 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,316 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,317 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -59746,6 +59778,7 @@ index 7bcf327..8ad2a04 100644 +optional_policy(` + lvm_domtrans(pegasus_openlmi_storage_t) + lvm_read_metadata(pegasus_openlmi_storage_t) ++ lvm_write_metadata(pegasus_openlmi_storage_t) +') + +optional_policy(` @@ -59790,7 +59823,7 @@ index 7bcf327..8ad2a04 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +349,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +350,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -59821,7 +59854,7 @@ index 7bcf327..8ad2a04 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +375,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +376,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -59854,7 +59887,7 @@ index 7bcf327..8ad2a04 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +403,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +404,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -59866,7 +59899,7 @@ index 7bcf327..8ad2a04 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +419,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +420,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -59902,7 +59935,7 @@ index 7bcf327..8ad2a04 100644 ') optional_policy(` -@@ -151,16 +453,24 @@ optional_policy(` +@@ -151,16 +454,24 @@ optional_policy(` ') optional_policy(` @@ -59931,7 +59964,7 @@ index 7bcf327..8ad2a04 100644 ') optional_policy(` -@@ -168,7 +478,7 @@ optional_policy(` +@@ -168,7 +479,7 @@ optional_policy(` ') optional_policy(` @@ -105728,7 +105761,7 @@ index 36e32df..3d08962 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index a4479b1..a40d580 100644 +index a4479b1..ffeb7f4 100644 --- a/zarafa.te +++ b/zarafa.te @@ -1,13 +1,18 @@ @@ -105742,7 +105775,7 @@ index a4479b1..a40d580 100644 +## +##

-+## Allow zarafa domains to setrlimit/sys_rouserce. ++## Allow zarafa domains to setrlimit/sys_resource. +##

+## +gen_tunable(zarafa_setrlimit, false) diff --git a/selinux-policy.spec b/selinux-policy.spec index b1e1c56..c55cd06 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 133%{?dist} +Release: 134%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Mar 11 2014 Miroslav Grepl 3.12.1-134 +- Allow unpriv SELinux users to dbus chat with firewalld +- Add lvm_write_metadata() +- Label /etc/yum.reposd dir as system_conf_t. Should be safe because system_conf_t is base_ro_file_type +- Allow pegasus_openlmi_storage_t to write lvm metadata +- Add hide_broken_symptoms for kdumpgui because of systemd bug +- Make kdumpgui_t as unconfined domain +- Allow docker to connect to tcp/5000 + * Mon Mar 10 2014 Miroslav Grepl 3.12.1-133 - Allow numad to write scan_sleep_millisecs - Turn on entropyd_use_audio boolean by default