diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 7ec52d7..cda26f9 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -12400,14 +12400,15 @@ index 29782b8..685edff 100644
  ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..51990d0
+index 0000000..6cc6774
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,28 @@
 +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
 +/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
++/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
 +/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
 +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
@@ -82215,10 +82216,10 @@ index 0000000..0ec3302
 +')
 diff --git a/rtas.te b/rtas.te
 new file mode 100644
-index 0000000..d6d29bd
+index 0000000..9a5164c
 --- /dev/null
 +++ b/rtas.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,95 @@
 +policy_module(rtas, 1.0.0)
 +
 +########################################
@@ -82242,13 +82243,19 @@ index 0000000..d6d29bd
 +type rtas_errd_unit_file_t;
 +systemd_unit_file(rtas_errd_unit_file_t)
 +
++type rtas_errd_tmp_t;
++files_tmp_file(rtas_errd_tmp_t)
++
++type rtas_errd_tmpfs_t;
++files_tmpfs_file(rtas_errd_tmpfs_t)
++
 +########################################
 +#
 +# rtas_errd local policy
 +#
 +
-+allow rtas_errd_t self:capability { chown sys_admin };
-+allow rtas_errd_t self:process fork;
++allow rtas_errd_t self:capability { net_admin chown sys_admin };
++allow rtas_errd_t self:process { fork signull };
 +allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
 +allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
 +
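Review bot: The rewritten capability rule writes the set as `{ net_admin chown sys_admin }`, breaking the alphabetical ordering the original `{ chown sys_admin }` and the rest of refpolicy follow; write it as `allow rtas_errd_t self:capability { chown net_admin sys_admin };`. net_admin is also by far the widest of the three capabilities and nothing in this hunk records which rtas_errd operation needs it, so a one-line comment above the rule naming that operation (e.g. `# net_admin: needed for <operation — TODO record the AVC that motivated this>`) would let a later reviewer judge whether it can be dropped.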
@@ -82266,7 +82273,19 @@ index 0000000..d6d29bd
 +manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
 +files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
 +
++manage_files_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t)
++files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { file dir })
++
++manage_files_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t)
++fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { file dir })
++
++kernel_read_all_sysctls(rtas_errd_t)
 +kernel_read_system_state(rtas_errd_t)
++kernel_read_network_state(rtas_errd_t)
++
++domain_read_all_domains_state(rtas_errd_t)
 +
 +auth_use_nsswitch(rtas_errd_t)
 +
@@ -82276,12 +82295,24 @@ index 0000000..d6d29bd
 +dev_read_urand(rtas_errd_t)
 +dev_read_raw_memory(rtas_errd_t)
 +dev_write_raw_memory(rtas_errd_t)
++dev_read_sysfs(rtas_errd_t)
++dev_rw_nvram(rtas_errd_t)
 +
 +files_manage_system_db_files(rtas_errd_t)
 +
++logging_send_syslog_msg(rtas_errd_t)
 +logging_read_generic_logs(rtas_errd_t)
 +
 +optional_policy(`
++ hostname_exec(rtas_errd_t)
++')
++
++optional_policy(`
++ rpm_exec(rtas_errd_t)
++ rpm_dontaudit_manage_db(rtas_errd_t)
++')
++
++optional_policy(`
 + unconfined_domain(rtas_errd_t)
 +')
 diff --git a/rtkit.if b/rtkit.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 154e374..0c0b04a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 142%{?dist}
+Release: 143%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
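Review bot: The two new filetrans rules write the class set as `{ file dir }` while the existing `files_pid_filetrans` line directly above them in this hunk sorts it as `{ dir file lnk_file }`; for consistency use `files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { dir file })` and `fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { dir file })`. `kernel_read_all_sysctls` and `domain_read_all_domains_state` are both wide read grants (every sysctl, and the /proc state of every domain on the system) and the hunk gives no hint of why the daemon needs more than the `kernel_read_system_state` it already had. A short comment above each, along the lines of `# reads <which sysctls / whose process state> — TODO record the denial that motivated this`, would keep them reviewable rather than permanent.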
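Review bot: `rpm_exec(rtas_errd_t)` runs rpm inside the rtas_errd_t domain rather than transitioning to the rpm domain, and the paired `rpm_dontaudit_manage_db` then silences every attempt by that rpm to write the RPM database, so if rtas_errd ever invokes rpm for anything other than a query the failure will leave no trace in the audit log. A comment on the block stating the intended use, e.g. `# rpm is invoked only for queries; db writes are expected and silently denied`, adjusted to what rtas_errd actually runs, would make the dontaudit a deliberate choice rather than a hidden trap. The file's final optional_policy block still applies `unconfined_domain(rtas_errd_t)`, so on builds that include the unconfined module none of the allow rules added in this hunk are load-bearing; if that is intentional it is worth a comment there too.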
@@ -579,6 +579,11 @@
 SELinux Reference policy mls base module.
 %endif
 %changelog
+* Thu Mar 20 2014 Lukas Vrabec 3.12.1-143
+- Add additional fixes for rtas_errd
+- Fix transitions for tmp/tmpfs in rtas.te
+- Allow rtas_errd to readl all sysctls
+
 * Wed Mar 19 2014 Miroslav Grepl 3.12.1-142
 - Add support for /var/spool/rhsm/debug
 - Make virt_sandbox_use_audit as True by default