diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index 34382d4..cc8492c 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -12792,7 +12792,7 @@ index 3f6e4dc..88c4f19 100644 mta_getattr_spool(comsat_t) diff --git a/condor.fc b/condor.fc -index 23dc348..7cc536b 100644 +index 23dc348..c4450f7 100644 --- a/condor.fc +++ b/condor.fc @@ -1,4 +1,5 @@ @@ -12801,6 +12801,15 @@ index 23dc348..7cc536b 100644 /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) +@@ -8,6 +9,8 @@ + /usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) + /usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) + ++/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0) ++ + /var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) + + /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) diff --git a/condor.if b/condor.if index 3fe3cb8..5fe84a6 100644 --- a/condor.if @@ -13258,10 +13267,20 @@ index 3fe3cb8..5fe84a6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..49efe00 100644 +index 3f2b672..39f85e7 100644 --- a/condor.te +++ b/condor.te -@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) +@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) + type condor_startd_tmpfs_t; + files_tmpfs_file(condor_startd_tmpfs_t) + ++type condor_etc_rw_t; ++files_config_file(condor_etc_rw_t) ++ + type condor_log_t; + logging_log_file(condor_log_t) + +@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t) type condor_var_run_t; files_pid_file(condor_var_run_t) @@ -13271,7 +13290,7 @@ index 3f2b672..49efe00 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -57,10 +60,15 @@ condor_domain_template(startd) +@@ -57,15 +63,20 @@ condor_domain_template(startd) # Global local policy # 
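Review bot: The new `/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)` entry labels the entire configuration tree, directories included, with a single writable type, and its only consumer — the `rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)` added in the condor.te hunk at `@@ -13286,10 +13305,18 @@` — is the shared `condor_domain` attribute, so every condor daemon, including the job-running startd/starter, can rewrite the master's configuration. If only a subset of daemons actually writes under /etc/condor, a separate read-only config type for the tree with `read_files_pattern` on `condor_domain` and the rw type only on the written paths would keep the startd from tampering with master policy. `files_config_file(condor_etc_rw_t)` presumably also exposes the type to the generic config-file read interfaces; if that is intended, a one-line comment next to the type declaration saying so would help the next reviewer.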
@@ -13286,10 +13305,18 @@ index 3f2b672..49efe00 100644 +allow condor_domain self:udp_socket create_socket_perms; +allow condor_domain self:unix_stream_socket create_stream_socket_perms; +allow condor_domain self:netlink_route_socket r_netlink_socket_perms; ++ ++rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) - append_files_pattern(condor_domain, condor_log_t, condor_log_t) -@@ -86,13 +94,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +-append_files_pattern(condor_domain, condor_log_t, condor_log_t) +-create_files_pattern(condor_domain, condor_log_t, condor_log_t) +-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t) ++manage_files_pattern(condor_domain, condor_log_t, condor_log_t) + logging_log_filetrans(condor_domain, condor_log_t, { dir file }) + + manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) +@@ -86,13 +97,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) @@ -13303,18 +13330,19 @@ index 3f2b672..49efe00 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +111,7 @@ dev_read_rand(condor_domain) +@@ -106,9 +114,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) -logging_send_syslog_msg(condor_domain) -- --miscfiles_read_localization(condor_domain) +auth_read_passwd(condor_domain) +-miscfiles_read_localization(condor_domain) ++sysnet_dns_name_resolve(condor_domain) + tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +128,7 @@ optional_policy(` +@@ -125,7 +133,7 @@ optional_policy(` # Master local policy # 
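Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`getattr_files_pattern` with `manage_files_pattern(condor_domain, condor_log_t, condor_log_t)` gives every condor daemon unlink, rename and non-append write on the log files, so a compromised daemon can truncate or delete the trail that the original append-only rule preserved. If the widening is driven by one daemon rotating its own logs, grant `manage_files_pattern` to that domain alone and keep the append/create/getattr rules on `condor_domain`. The body of the "Global local policy" section continues outside the hunk.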
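Review bot: The `@@ -13303,18 +13330,19 @@` hunk drops `logging_send_syslog_msg(condor_domain)` while the later `@@ -13323,27 +13351,27 @@` hunk re-adds it only for `condor_master_t`, so the schedd, startd and collector domains lose the ability to write to syslog. That narrowing may be correct, but if any of those daemons still logs through syslog it will appear as AVC denials rather than a visible failure; it should be confirmed against an audit log before the rule is removed from the attribute. The replacement of `miscfiles_read_localization` by `auth_read_passwd` and `sysnet_dns_name_resolve` in the same hunk looks intentional but deserves a short comment explaining why localization reads are no longer needed.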
@@ -13323,27 +13351,27 @@ index 3f2b672..49efe00 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +136,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +141,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) +can_exec(condor_master_t, condor_master_exec_t) + -+kernel_read_system_state(condor_master_tmp_t) ++kernel_read_system_state(condor_master_t) + corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -150,7 +157,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) - - domain_read_all_domains_state(condor_master_t) +@@ -152,6 +164,8 @@ domain_read_all_domains_state(condor_master_t) --auth_use_nsswitch(condor_master_t) -+auth_read_passwd(condor_master_t) + auth_use_nsswitch(condor_master_t) ++logging_send_syslog_msg(condor_master_t) ++ optional_policy(` mta_send_mail(condor_master_t) -@@ -169,6 +176,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; + mta_read_config(condor_master_t) +@@ -169,6 +183,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13352,7 +13380,7 @@ index 3f2b672..49efe00 100644 ##################################### # # Negotiator local policy -@@ -178,6 +187,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +194,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; 
@@ -13361,7 +13389,17 @@ index 3f2b672..49efe00 100644 ###################################### # # Procd local policy -@@ -201,6 +212,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -185,7 +203,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; + + allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; + +-allow condor_procd_t condor_startd_t:process sigkill; ++allow condor_procd_t condor_domain:process sigkill; ++ + + domain_read_all_domains_state(condor_procd_t) + +@@ -201,6 +220,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13370,7 +13408,7 @@ index 3f2b672..49efe00 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +222,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +230,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13379,7 +13417,7 @@ index 3f2b672..49efe00 100644 ##################################### # # Startd local policy -@@ -233,11 +248,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +256,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13392,7 +13430,7 @@ index 3f2b672..49efe00 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +263,7 @@ optional_policy(` +@@ -249,3 +271,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index c6decf8..a224dff 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
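Review bot: `allow condor_procd_t condor_domain:process sigkill;` lets the procd kill any process in any condor domain, including `condor_master_t`, where the replaced rule `allow condor_procd_t condor_startd_t:process sigkill;` was scoped to the startd; combined with the `kill` and `sys_ptrace` capabilities it already holds, procd can now take down the whole service. If procd only needs to reap job process trees, list the domains it actually signals (startd/starter and, if needed, schedd) instead of the attribute. The hunk also inserts a second empty `+` line after the rule, leaving two consecutive blank lines before `domain_read_all_domains_state(condor_procd_t)`.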
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 72%{?dist} +Release: 73%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Aug 23 2013 Miroslav Grepl 3.12.1-73 +- Update rules for condor domains + * Fri Aug 23 2013 Miroslav Grepl 3.12.1-72 - Fix collectd_t can read /etc/passwd file - Fix lsm.if summary