diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 3b13527..cad7ed8 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -23974,10 +23974,10 @@ index fe0c682..e8dcfa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..d6519a1 100644 +index 5fc0391..5a9d307 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,43 +6,62 @@ policy_module(ssh, 2.3.3) +@@ -6,43 +6,65 @@ policy_module(ssh, 2.3.3) # ## @@ -24021,6 +24021,9 @@ index 5fc0391..d6519a1 100644 init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) -role system_r types ssh_keygen_t; + ++type ssh_keygen_tmp_t; ++files_tmp_file(ssh_keygen_tmp_t) ++ +type sshd_keygen_t; +type sshd_keygen_exec_t; +init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t) @@ -24055,7 +24058,7 @@ index 5fc0391..d6519a1 100644 type ssh_t; type ssh_exec_t; -@@ -73,6 +92,11 @@ type ssh_home_t; +@@ -73,6 +95,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) @@ -24067,7 +24070,7 @@ index 5fc0391..d6519a1 100644 ############################## # -@@ -83,6 +107,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -83,6 +110,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; 
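Review bot: The new `type ssh_keygen_tmp_t;` / `files_tmp_file(ssh_keygen_tmp_t)` declaration in the @@ -24021 hunk carries no comment saying what ssh-keygen writes under /tmp that warrants a private label, while the rules that use it (`manage_dirs_pattern`, `manage_files_pattern`, `files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir })`) land in the @@ -24440 hunk further down, so a reader has to join the two places. ssh.te already annotates the domain in prose ("ssh_keygen_t is the type of the ssh-keygen program when run at install time"), so a matching line above the declaration, e.g. `# private label for the scratch files/dirs ssh-keygen creates under /tmp; only ssh_keygen_t manages them`, keeps the file's style. Giving the scratch content its own type rather than a generic tmp label is the right direction for key material; I cannot see from this patch-of-a-patch whether any other domain is meant to read it, and none is granted here. The remaining ssh.te hunks in this file only renumber inner @@ headers.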
@@ -24075,7 +24078,7 @@ index 5fc0391..d6519a1 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -90,15 +115,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -90,15 +118,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -24092,7 +24095,7 @@ index 5fc0391..d6519a1 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +128,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +131,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -24140,7 +24143,7 @@ index 5fc0391..d6519a1 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -154,40 +184,46 @@ files_read_var_files(ssh_t) +@@ -154,40 +187,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -24206,7 +24209,7 @@ index 5fc0391..d6519a1 100644 ') optional_policy(` -@@ -195,6 +231,7 @@ optional_policy(` +@@ -195,6 +234,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -24214,7 +24217,7 @@ index 5fc0391..d6519a1 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +243,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +246,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) 
@@ -24222,7 +24225,7 @@ index 5fc0391..d6519a1 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +261,55 @@ optional_policy(` +@@ -223,33 +264,55 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -24287,7 +24290,7 @@ index 5fc0391..d6519a1 100644 ') optional_policy(` -@@ -257,11 +317,28 @@ optional_policy(` +@@ -257,11 +320,28 @@ optional_policy(` ') optional_policy(` @@ -24317,7 +24320,7 @@ index 5fc0391..d6519a1 100644 ') optional_policy(` -@@ -269,6 +346,10 @@ optional_policy(` +@@ -269,6 +349,10 @@ optional_policy(` ') optional_policy(` @@ -24328,7 +24331,7 @@ index 5fc0391..d6519a1 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +360,93 @@ optional_policy(` +@@ -279,13 +363,93 @@ optional_policy(` ') optional_policy(` @@ -24422,7 +24425,7 @@ index 5fc0391..d6519a1 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +455,29 @@ optional_policy(` +@@ -294,19 +458,33 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -24440,6 +24443,10 @@ index 5fc0391..d6519a1 100644 +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) +userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) + ++manage_dirs_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) ++manage_files_pattern(ssh_keygen_t, ssh_keygen_tmp_t, ssh_keygen_tmp_t) ++files_tmp_filetrans(ssh_keygen_t, ssh_keygen_tmp_t, { file dir }) ++ +kernel_read_system_state(ssh_keygen_t) kernel_read_kernel_sysctls(ssh_keygen_t) @@ -24453,7 +24460,7 @@ index 5fc0391..d6519a1 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +494,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +501,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) 
@@ -24466,7 +24473,7 @@ index 5fc0391..d6519a1 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +508,140 @@ optional_policy(` +@@ -331,3 +515,140 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 0f090cc..ab1a6a5 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -52843,10 +52843,10 @@ index 0000000..28936b4 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..2d9ab86 +index 0000000..e571f9a --- /dev/null +++ b/nova.te -@@ -0,0 +1,320 @@ +@@ -0,0 +1,324 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -52979,6 +52979,10 @@ index 0000000..2d9ab86 + ssh_exec_keygen(nova_api_t) +') + ++optional_policy(` ++ gnome_dontaudit_search_config(nova_api_t) ++') ++ +#optional_policy(` +# unconfined_domain(nova_api_t) +#') @@ -83297,7 +83301,7 @@ index f1140ef..8afe362 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index e3e7c96..d7db2d9 100644 +index e3e7c96..7a6ca6c 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -83424,7 +83428,7 @@ index e3e7c96..d7db2d9 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -83550,6 +83554,8 @@ index e3e7c96..d7db2d9 100644 optional_policy(` - inetd_service_domain(rsync_t, rsync_exec_t) + swift_manage_data_files(rsync_t) ++ swift_manage_lock(rsync_t) ++ swift_filetrans_named_lock(rsync_t) ') diff --git a/rtas.fc b/rtas.fc new file mode 100644 @@ -94648,10 +94654,10 @@ index c6aaac7..84cdcac 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..744f0ce +index 0000000..a4ec18a --- /dev/null 
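Review bot: The new `gnome_dontaudit_search_config(nova_api_t)` block in the @@ -52979 hunk silences a denial without recording why nova-api touches GNOME config at all, which discards the audit evidence a responder would use to notice the service running under an unexpected HOME. The neighbouring optional_policy blocks in nova.te are likewise bare, so a one-line comment above the call, e.g. `# nova-api searches ~/.config on startup; dontaudit the search rather than grant it`, is what I would ask for — the trigger is presumably a library resolving XDG paths, which this diff cannot confirm. The block is self-contained within the hunk.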
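Review bot: `swift_manage_lock(rsync_t)` in the @@ -83550 hunk gives the network-facing rsync_t domain full management (create, write, rename, unlink) of every file labelled swift_lock_t, while the companion `swift_filetrans_named_lock(rsync_t)` only labels a file named `swift_server.lock`; if that single lock is all rsync touches, the manage grant is wider than the transition implies. A short comment in the optional_policy block stating the need, e.g. `# rsync_t creates and removes swift_server.lock under /var/lock (see swift_filetrans_named_lock)`, lets a later reviewer judge whether the permission can be narrowed. The optional_policy block is complete within the hunk.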
+++ b/swift.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,30 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -94671,6 +94677,7 @@ index 0000000..744f0ce + +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + ++/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0) +/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) +/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) + @@ -94683,10 +94690,10 @@ index 0000000..744f0ce +') diff --git a/swift.if b/swift.if new file mode 100644 -index 0000000..df82c36 +index 0000000..6a1f575 --- /dev/null +++ b/swift.if -@@ -0,0 +1,118 @@ +@@ -0,0 +1,155 @@ + +## policy for swift + @@ -94748,6 +94755,43 @@ index 0000000..df82c36 + manage_dirs_pattern($1, swift_data_t, swift_data_t) +') + ++##################################### ++## ++## Read and write swift lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_manage_lock',` ++ gen_require(` ++ type swift_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, swift_lock_t, swift_lock_t) ++') ++ ++####################################### ++## ++## Transition content labels to swift named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`swift_filetrans_named_lock',` ++ gen_require(` ++ type swift_lock_t; ++ ') ++ ++ files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock") ++') ++ +######################################## +## +## Execute swift server in the swift domain. diff --git a/selinux-policy.spec b/selinux-policy.spec index 6bf1954..50adf0c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
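Review bot: The new `/var/lock/swift.* gen_context(system_u:object_r:swift_lock_t,s0)` entry in the @@ -94671 hunk has no file-type field, unlike the `--` entries around it, so it also labels directories and other non-regular files matching the pattern; if only lock files are intended, `/var/lock/swift.* -- gen_context(system_u:object_r:swift_lock_t,s0)` matches the rest of the file. It is also inserted ahead of `/var/cache/swift(/.*)?`, breaking the path ordering the block otherwise keeps. The regex does cover the `swift_server.lock` name hard-coded in swift.if, so relabel and filetrans agree.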
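Review bot: The summary of `swift_manage_lock` in the @@ -94748 hunk reads `Read and write swift lock files.`, but the body uses `manage_files_pattern($1, swift_lock_t, swift_lock_t)`, which also grants create, unlink, rename and setattr; a caller reading the interface doc would under-estimate what it hands out, so the summary should say `Create, read, write and delete swift lock files.`. Likewise the `swift_filetrans_named_lock` summary `Transition content labels to swift named content` does not mention that it applies only to a file named `swift_server.lock` created via `files_lock_filetrans`; naming that makes the interface self-describing. Both interfaces are complete within the hunk; the two new section banners are also shorter than the banners used elsewhere in the file, a cosmetic inconsistency.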
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 164%{?dist} +Release: 165%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri May 16 2014 Miroslav Grepl 3.12.1-165 +- More fixes for OpenStack + * Fri May 16 2014 Miroslav Grepl 3.12.1-164 - Add openstack fixes