From f8f75f94a2d9f9f93dfbb5a0620c1860733ea00d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 27 2014 19:39:58 +0000 Subject: - Turn on gear_port_t - Add gear policy and remove permissive domains. - Add labels for ostree - Add SELinux awareness for NM - Label /usr/sbin/pwhistory_helper as updpwd_exec_t --- diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 30e127c..de78b47 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2505,5 +2505,11 @@ bacula = module # # rhnsd policy # - rhnsd = module + +# Layer: contrib +# Module: gear +# +# gear policy +# +gear = module diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f15a12c..3600861 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -26099,7 +26099,7 @@ index c6fdab7..af71c62 100644 sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 2479587..39239cf 100644 +index 2479587..00d2700 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,28 @@ @@ -26135,7 +26135,7 @@ index 2479587..39239cf 100644 /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -@@ -16,13 +30,24 @@ ifdef(`distro_suse', ` +@@ -16,13 +30,25 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') 
@@ -26147,6 +26147,7 @@ index 2479587..39239cf 100644 -/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) +/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) ++/usr/sbin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0) +/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) +/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -26162,7 +26163,7 @@ index 2479587..39239cf 100644 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -@@ -30,21 +55,25 @@ ifdef(`distro_gentoo', ` +@@ -30,21 +56,25 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c33f667..8e54661 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2311,14 +2311,17 @@ index 16d0d66..60abfd0 100644 optional_policy(` nscd_dontaudit_search_pid(amtu_t) diff --git a/anaconda.fc b/anaconda.fc -index b098089..b2c4d10 100644 +index b098089..258407b 100644 --- a/anaconda.fc +++ b/anaconda.fc -@@ -1 +1,4 @@ +@@ -1 +1,7 @@ # No file context specifications. + +/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0) +/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0) ++ ++/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0) ++/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0) diff --git a/anaconda.if b/anaconda.if index 14a61b7..21bbf36 100644 --- a/anaconda.if @@ -23286,10 +23289,10 @@ index 0000000..fd679a1 +/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) 
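Review bot: The new `/usr/sbin/pwhistory_helper` entry puts the helper in the update-password domain beside unix_update, but nothing records why it is not a chkpwd_exec_t entry like the unix_chkpwd and unix_verify lines around it. As far as I know pwhistory_helper is pam_pwhistory's setuid helper and rewrites the password-history file as well as reading it, so updpwd_exec_t looks right; a one-line comment above the entry, `# pam_pwhistory helper rewrites the password history, so it needs updpwd_t rather than chkpwd_t`, would keep a later reader from "correcting" it. Whether updpwd_t already has write access to that file is not visible in this diff and is worth confirming against the updpwd_t rules.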
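Review bot: The context line `# No file context specifications.` is now false on the new side of anaconda.fc: the file already carries anaconda entries and this hunk adds `/usr/bin/ostree` and `/usr/bin/rpm-ostree`, so that line should be replaced by a comment that explains the labels, e.g. `# ostree/rpm-ostree deploy the system tree, so they run in the installer domain`. Labeling two general-purpose command-line tools install_exec_t presumably means any domain that transitions to install_t now reaches it through these binaries as well as through anaconda; if that is intended it deserves a sentence, and if not, a separate module with its own domain would be the tighter choice.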
diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..4ca46bc +index 0000000..1048292 --- /dev/null +++ b/docker.if -@@ -0,0 +1,325 @@ +@@ -0,0 +1,345 @@ + +## The open-source application container engine. + @@ -23573,6 +23576,26 @@ index 0000000..4ca46bc + +######################################## +## ++## Connect to docker over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_stream_connect',` ++ gen_require(` ++ type docker_t, docker_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t) ++') ++ ++ ++######################################## ++## +## All of the rules required to administrate +## an docker environment +## 
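Review bot: The summary of the new `docker_stream_connect` interface, "Connect to docker over a unix stream socket", understates what it grants: a domain that can talk to the docker control socket can have the daemon perform privileged operations on its behalf, so the caller effectively inherits the daemon's reach over the host. Suggest a fuller summary, e.g. `## Connect to the docker control socket. The daemon acts with full privilege on the caller's behalf, so grant this only to trusted management tooling.`, so that every future caller is reviewed with that in mind. The interface body (files_search_pids plus stream_connect_pattern on docker_var_run_t) follows the usual pattern and looks correct.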
@@ -27441,6 +27464,413 @@ index 2820368..88c98f4 100644
 sysnet_read_config(gatekeeper_t)
 userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/gear.fc b/gear.fc
+new file mode 100644
+index 0000000..5eabf35
+--- /dev/null
++++ b/gear.fc
+@@ -0,0 +1,7 @@
++/usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
++
++/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
++
++/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
++
++/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
+diff --git a/gear.if b/gear.if
+new file mode 100644
+index 0000000..04e159f
+--- /dev/null
++++ b/gear.if
+@@ -0,0 +1,288 @@
++
++## The open-source application container engine.
++
++########################################
++##
++## Execute gear in the gear domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gear_domtrans',`
++ gen_require(`
++ type gear_t, gear_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, gear_exec_t, gear_t)
++')
++
++########################################
++##
++## Search gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_search_lib',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ allow $1 gear_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Execute gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_exec_lib',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ allow $1 gear_var_lib_t:dir search_dir_perms;
++ can_exec($1, gear_var_lib_t)
++')
++
++########################################
++##
++## Read gear lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_read_lib_files',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Manage gear lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_manage_lib_files',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++ manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Manage gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_manage_lib_dirs',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Create objects in a gear var lib directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`gear_lib_filetrans',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
++')
++
++########################################
++##
++## Read gear PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_read_pid_files',`
++ gen_require(`
++ type gear_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, gear_var_run_t, gear_var_run_t)
++')
++
++########################################
++##
++## Execute gear server in the gear domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gear_systemctl',`
++ gen_require(`
++ type gear_t;
++ type gear_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 gear_unit_file_t:file read_file_perms;
++ allow $1 gear_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, gear_t)
++')
++
++########################################
++##
++## Read and write gear shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_rw_sem',`
++ gen_require(`
++ type gear_t;
++ ')
++
++ allow $1 gear_t:sem rw_sem_perms;
++')
++
++#######################################
++##
++## Read and write the gear pty type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_use_ptys',`
++ gen_require(`
++ type gear_devpts_t;
++ ')
++
++ allow $1 gear_devpts_t:chr_file rw_term_perms;
++')
++
++#######################################
++##
++## Allow domain to create gear content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_filetrans_named_content',`
++ gen_require(`
++ type gear_var_lib_t;
++ type gear_var_run_t;
++ ')
++
++ files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
++ files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an gear environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_admin',`
++ gen_require(`
++ type gear_t;
++ type gear_var_lib_t, gear_var_run_t;
++ type gear_unit_file_t;
++ type gear_lock_t;
++ type gear_log_t;
++ ')
++
++ allow $1 gear_t:process { ptrace signal_perms };
++ ps_process_pattern($1, gear_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, gear_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, gear_var_run_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, gear_log_t)
++
++ gear_systemctl($1)
++ admin_pattern($1, gear_unit_file_t)
++ allow $1 gear_unit_file_t:service all_service_perms;
++')
+diff --git a/gear.te b/gear.te
+new file mode 100644
+index 0000000..6c32f79
+--- /dev/null
++++ b/gear.te
+@@ -0,0 +1,94 @@
++policy_module(gear, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gear_t;
++type gear_exec_t;
++init_daemon_domain(gear_t, gear_exec_t)
++
++type gear_var_lib_t;
++files_type(gear_var_lib_t)
++
++type gear_log_t;
++logging_log_file(gear_log_t)
++
++type gear_var_run_t;
++files_pid_file(gear_var_run_t)
++
++type gear_unit_file_t;
++systemd_unit_file(gear_unit_file_t)
++
++########################################
++#
++# gear local policy
++#
++allow gear_t self:process { getattr signal_perms };
++allow gear_t self:fifo_file rw_fifo_file_perms;
++allow gear_t self:unix_stream_socket create_stream_socket_perms;
++allow gear_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
++manage_files_pattern(gear_t, gear_log_t, gear_log_t)
++manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
++logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
++
++gear_filetrans_named_content(gear_t)
++
++manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
++
++kernel_read_system_state(gear_t)
++kernel_read_network_state(gear_t)
++kernel_read_all_sysctls(gear_t)
++kernel_rw_net_sysctls(gear_t)
++
++domain_use_interactive_fds(gear_t)
++
++corecmd_exec_bin(gear_t)
++corecmd_exec_shell(gear_t)
++
++corenet_tcp_bind_generic_node(gear_t)
++corenet_tcp_sendrecv_generic_if(gear_t)
++corenet_tcp_sendrecv_generic_node(gear_t)
++corenet_tcp_sendrecv_generic_port(gear_t)
++corenet_tcp_bind_gear_port(gear_t)
++
++files_read_etc_files(gear_t)
++
++fs_read_cgroup_files(gear_t)
++fs_read_tmpfs_symlinks(gear_t)
++
++auth_use_nsswitch(gear_t)
++
++init_read_state(gear_t)
++init_dbus_chat(gear_t)
++
++logging_send_audit_msgs(gear_t)
++logging_send_syslog_msg(gear_t)
++
++miscfiles_read_localization(gear_t)
++
++mount_domtrans(gear_t)
++
++seutil_read_default_contexts(gear_t)
++
++sysnet_dns_name_resolve(gear_t)
++
++systemd_manage_all_unit_files(gear_t)
++
++optional_policy(`
++ docker_stream_connect(gear_t)
++')
 diff --git a/geoclue.fc b/geoclue.fc
 new file mode 100644
 index 0000000..a97f14f
@@ -41276,10 +41706,10 @@ index 0000000..3f433f1
 +')
 diff --git a/mcollective.te b/mcollective.te
 new file mode 100644
-index 0000000..a04dd6b
+index 0000000..8bc27f4
 --- /dev/null
 +++ b/mcollective.te
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,27 @@
 +policy_module(mcollective, 1.0.0)
 +
 +########################################
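Review bot: `gear_admin` requires `type gear_lock_t;` and `gear_use_ptys` requires `type gear_devpts_t;`, but gear.te in the same hunk declares neither (only gear_t, gear_exec_t, gear_var_lib_t, gear_log_t, gear_var_run_t and gear_unit_file_t), so the first module that calls either interface will fail to build on an undeclared type; drop the `type gear_lock_t;` line from gear_admin's gen_require (its body never touches it) and either declare gear_devpts_t in gear.te or remove gear_use_ptys. `systemd_manage_all_unit_files(gear_t)` together with `init_dbus_chat(gear_t)` lets gear_t write and control any unit on the host, which leaves the rest of the confinement largely advisory; if gear only needs the units it generates itself, a named filetrans onto the already-declared gear_unit_file_t with manage rules on that type alone would be much tighter, though where gear writes its units is not visible in this diff. `manage_chr_files_pattern` and `manage_blk_files_pattern` on gear_var_lib_t come with no `self:capability mknod` rule, so either those two rules are dead or the first device-node creation will be denied. gear.if's header `## The open-source application container engine.` and the `gear_systemctl` summary `Execute gear server in the gear domain.` are carried over from docker.if and describe the wrong thing.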
@@ -41292,8 +41722,6 @@ index 0000000..a04dd6b +init_daemon_domain(mcollective_t, mcollective_exec_t) +cron_system_entry(mcollective_t, mcollective_exec_t) + -+permissive mcollective_t; -+ +type mcollective_etc_rw_t; +files_type(mcollective_etc_rw_t) + @@ -50610,7 +51038,7 @@ index 86dc29d..1cd0d0e 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..ed9adbc 100644 +index 55f2009..63b8998 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -50635,7 +51063,7 @@ index 55f2009..ed9adbc 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,25 +42,50 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,25 +42,53 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # @@ -50654,6 +51082,9 @@ index 55f2009..ed9adbc 100644 + +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms }; + ++allow NetworkManager_t self:process setfscreate; ++selinux_validate_context(NetworkManager_t) ++ +tunable_policy(`deny_ptrace',`',` + allow NetworkManager_t self:capability sys_ptrace; + allow NetworkManager_t self:process ptrace; @@ -50683,10 +51114,10 @@ index 55f2009..ed9adbc 100644 +can_exec(NetworkManager_t, NetworkManager_exec_t) +#wicd +can_exec(NetworkManager_t, wpa_cli_exec_t) -+ + +list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) +read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) - ++ +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) 
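Review bot: `allow NetworkManager_t self:process setfscreate;` lets NetworkManager choose the label of files it creates, but the hunk gives no hint which files that is for, so a comment naming the target would make the grant reviewable, e.g. `# NM labels the state/config files it writes itself (setfscreate); it can only pick types it already has create access to`. If NetworkManager looks the label up from file_contexts rather than hard-coding it, `seutil_read_file_contexts(NetworkManager_t)` is the usual companion to the added selinux_validate_context and is not in this hunk; I cannot tell from the diff whether it is granted elsewhere. The enclosing local-policy block of networkmanager.te continues past the hunk.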
@@ -50695,7 +51126,7 @@ index 55f2009..ed9adbc 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,6 +96,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,6 +99,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -50703,7 +51134,7 @@ index 55f2009..ed9adbc 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,17 +110,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,17 +113,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) @@ -50722,7 +51153,7 @@ index 55f2009..ed9adbc 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +128,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +131,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) 
@@ -50748,7 +51179,7 @@ index 55f2009..ed9adbc 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +144,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +147,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -50762,7 +51193,7 @@ index 55f2009..ed9adbc 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,18 +152,33 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +155,33 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -50797,7 +51228,7 @@ index 55f2009..ed9adbc 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +193,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +196,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -50834,7 +51265,7 @@ index 55f2009..ed9adbc 100644 ') optional_policy(` -@@ -196,10 +234,6 @@ optional_policy(` +@@ -196,10 +237,6 @@ optional_policy(` ') optional_policy(` @@ -50845,7 +51276,7 @@ index 55f2009..ed9adbc 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +244,11 @@ optional_policy(` +@@ -210,16 +247,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -50864,7 +51295,7 @@ index 55f2009..ed9adbc 100644 ') ') -@@ -231,18 +260,27 @@ optional_policy(` +@@ -231,18 +263,27 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
@@ -50895,7 +51326,7 @@ index 55f2009..ed9adbc 100644 ') optional_policy(` -@@ -250,6 +288,10 @@ optional_policy(` +@@ -250,6 +291,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -50906,7 +51337,7 @@ index 55f2009..ed9adbc 100644 ') optional_policy(` -@@ -257,15 +299,19 @@ optional_policy(` +@@ -257,15 +302,19 @@ optional_policy(` ') optional_policy(` @@ -50928,7 +51359,7 @@ index 55f2009..ed9adbc 100644 ') optional_policy(` -@@ -274,10 +320,17 @@ optional_policy(` +@@ -274,10 +323,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -50946,7 +51377,7 @@ index 55f2009..ed9adbc 100644 ') optional_policy(` -@@ -289,6 +342,7 @@ optional_policy(` +@@ -289,6 +345,7 @@ optional_policy(` ') optional_policy(` @@ -50954,7 +51385,7 @@ index 55f2009..ed9adbc 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +350,7 @@ optional_policy(` +@@ -296,7 +353,7 @@ optional_policy(` ') optional_policy(` @@ -50963,7 +51394,7 @@ index 55f2009..ed9adbc 100644 ') optional_policy(` -@@ -307,6 +361,7 @@ optional_policy(` +@@ -307,6 +364,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -50971,7 +51402,7 @@ index 55f2009..ed9adbc 100644 ') optional_policy(` -@@ -320,14 +375,20 @@ optional_policy(` +@@ -320,14 +378,20 @@ optional_policy(` ') optional_policy(` @@ -50997,7 +51428,7 @@ index 55f2009..ed9adbc 100644 ') optional_policy(` -@@ -357,6 +418,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +421,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 57bb4e8..3cd932e 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 40%{?dist} +Release: 41%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -584,6 +584,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Mar 27 2014 Miroslav Grepl 3.13.1-41 +- Turn on gear_port_t +- Add gear policy and remove permissive domains. +- Add labels for ostree +- Add SELinux awareness for NM +- Label /usr/sbin/pwhistory_helper as updpwd_exec_t + * Wed Mar 26 2014 Miroslav Grepl 3.13.1-40 - update storage_filetrans_all_named_dev for sg* devices - Allow auditctl_t to getattr on all removeable devices