diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 0e47a2d..adf837b 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -17209,10 +17209,17 @@ index 8416beb..c6cd3eb 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..3b8dd74 100644 +index 9e603f5..bf31a0e 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); +@@ -26,14 +26,18 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); @@ -17224,7 +17231,7 @@ index 9e603f5..3b8dd74 100644 # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. -@@ -53,6 +56,7 @@ type anon_inodefs_t; +@@ -53,6 +57,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -17232,7 +17239,7 @@ index 9e603f5..3b8dd74 100644 type bdev_t; fs_type(bdev_t) -@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t) +@@ -63,12 +68,18 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) 
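Review bot: The new `fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);` line makes the kernel trust on-disk security labels for every f2fs mount, so it only works where the running kernel's f2fs build exposes the security xattr handler; on a kernel without it the mount is refused or its inodes come up unlabeled, depending on kernel version, as far as I recall. Worth confirming against the distribution kernel before shipping, since the changelog entry states the feature without that caveat. The surrounding filesystem list is only partly visible here, because the inner hunk header was rewritten to cover the lines above the old context, and the rest lies outside this hunk.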
@@ -17252,7 +17259,7 @@ index 9e603f5..3b8dd74 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -89,6 +99,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +100,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -17264,7 +17271,7 @@ index 9e603f5..3b8dd74 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -97,6 +112,7 @@ type hugetlbfs_t; +@@ -97,6 +113,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -17272,7 +17279,7 @@ index 9e603f5..3b8dd74 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -119,12 +135,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -119,12 +136,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -17290,7 +17297,7 @@ index 9e603f5..3b8dd74 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +166,6 @@ fs_type(spufs_t) +@@ -145,11 +167,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -17302,7 +17309,7 @@ index 9e603f5..3b8dd74 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +183,8 @@ type vxfs_t; +@@ -167,6 +184,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -17311,7 +17318,7 @@ index 9e603f5..3b8dd74 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +194,8 @@ fs_type(tmpfs_t) +@@ -176,6 +195,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) 
@@ -17320,7 +17327,7 @@ index 9e603f5..3b8dd74 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +275,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -17329,7 +17336,7 @@ index 9e603f5..3b8dd74 100644 files_mountpoint(removable_t) # -@@ -274,6 +296,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index ee269bc..0083c80 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -29626,10 +29626,10 @@ index fd02acc..0000000 - -miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index e39de43..6a6db28 100644 +index e39de43..5edcb83 100644 --- a/gnome.fc +++ b/gnome.fc -@@ -1,15 +1,61 @@ +@@ -1,15 +1,60 @@ -HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) 
@@ -29647,7 +29647,6 @@ index e39de43..6a6db28 100644 +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) -+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) @@ -36957,7 +36956,7 @@ index 0000000..0d61849 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 0000000..2c08717 +index 0000000..879ab65 --- /dev/null +++ b/keepalived.te @@ -0,0 +1,55 @@ @@ -36996,16 +36995,16 @@ index 0000000..2c08717 +kernel_read_system_state(keepalived_t) +kernel_read_network_state(keepalived_t) + ++auth_use_nsswitch(keepalived_t) ++ +corecmd_exec_bin(keepalived_t) +corecmd_exec_shell(keepalived_t) + -+corenet_tcp_connect_snmp_port(keepalived_t) -+ -+auth_use_nsswitch(keepalived_t) -+ +corenet_tcp_connect_connlcli_port(keepalived_t) +corenet_tcp_connect_http_port(keepalived_t) +corenet_tcp_connect_smtp_port(keepalived_t) ++corenet_tcp_connect_snmp_port(keepalived_t) ++corenet_tcp_connect_agentx_port(keepalived_t) + +dev_read_urand(keepalived_t) + @@ -74201,7 +74200,7 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..5c8b3c0 100644 +index 769d1fd..ef91a41 100644 --- a/quantum.te +++ b/quantum.te @@ -1,96 +1,145 @@ 
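Review bot: `corenet_tcp_connect_snmp_port(keepalived_t)` and the newly added `corenet_tcp_connect_agentx_port(keepalived_t)` are granted unconditionally, although SNMP/AgentX support in keepalived is an optional feature that many deployments never enable. A reviewer would expect the two outbound-connect rules behind a tunable, for example a `tunable_policy(`keepalived_connect_snmp', ...)` block (boolean name constructed here), so the default domain does not carry network reach it does not use. The inner hunk is the whole new keepalived.te, but the outer hunk shows only this slice, so the rest of the domain's rules lie outside it.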
@@ -74261,7 +74260,7 @@ index 769d1fd..5c8b3c0 100644 +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; -+allow neutron_t self:unix_stream_socket { accept listen }; ++allow neutron_t self:unix_stream_socket { accept listen connectto }; +allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; +allow neutron_t self:rawip_socket create_socket_perms; +allow neutron_t self:packet_socket create_socket_perms; @@ -102428,7 +102427,7 @@ index 9dec06c..88dcafb 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..1df2084 100644 +index 1f22fba..50bb3f1 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,209 @@ @@ -103874,7 +103873,7 @@ index 1f22fba..1df2084 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1126,300 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1126,304 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -104069,6 +104068,7 @@ index 1f22fba..1df2084 100644 +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) +fs_read_fusefs_files(svirt_sandbox_domain) ++fs_read_hugetlbfs_files(svirt_sandbox_domain) + +auth_dontaudit_read_passwd(svirt_sandbox_domain) +auth_dontaudit_read_login_records(svirt_sandbox_domain) 
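Review bot: `fs_read_hugetlbfs_files(svirt_sandbox_domain)` is added for the whole sandbox attribute rather than a specific container type and sits outside any tunable, so every sandboxed process gains read access to huge-page backed files it can reach, subject only to the usual MCS separation. If a particular workload needs this, a boolean or a narrower domain would limit the exposure; at minimum a comment such as `# containers read host-provided huge-page backed files (unconditional by design)` would record why it is not gated like the NFS and CIFS access below. The svirt_sandbox_domain rule block continues outside this hunk.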
@@ -104133,13 +104133,15 @@ index 1f22fba..1df2084 100644 +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) + fs_manage_nfs_files(svirt_sandbox_domain) -+ fs_read_nfs_symlinks(svirt_sandbox_domain) ++ fs_manage_nfs_named_sockets(svirt_sandbox_domain) ++ fs_manage_nfs_symlinks(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) -+ fs_read_cifs_symlinks(svirt_sandbox_domain) ++ fs_manage_cifs_named_sockets(svirt_sandbox_domain) ++ fs_manage_cifs_symlinks(svirt_sandbox_domain) ') ######################################## @@ -104198,6 +104200,7 @@ index 1f22fba..1df2084 100644 +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; + +kernel_read_irq_sysctls(svirt_lxc_net_t) ++kernel_read_messages(svirt_lxc_net_t) +dev_read_sysfs(svirt_lxc_net_t) dev_getattr_mtrr_dev(svirt_lxc_net_t) @@ -104312,7 +104315,7 @@ index 1f22fba..1df2084 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1432,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1436,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -104327,7 +104330,7 @@ index 1f22fba..1df2084 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1450,8 @@ optional_policy(` +@@ -1183,9 +1454,8 @@ optional_policy(` ######################################## # @@ -104338,7 +104341,7 @@ index 1f22fba..1df2084 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1464,216 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1468,216 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
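Review bot: Under `virt_use_nfs` and `virt_use_samba` the sandbox domain moves from `fs_read_nfs_symlinks`/`fs_read_cifs_symlinks` to full management of symlinks and named sockets on the share, so a sandboxed process can now create and remove symlinks on a share that the host and other domains may also traverse. That is a plausible need for container volumes, but the two booleans' descriptions, declared outside this hunk, should state that enabling them makes shares writable by sandboxes, and a comment such as `# containers manage volume contents on NFS/CIFS, including symlinks and named sockets` inside each block would explain the widening. Both tunable_policy blocks are fully inside the hunk.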
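Review bot: `kernel_read_messages(svirt_lxc_net_t)` lets the container domain read the host kernel message interface, which is a host-to-container information-disclosure path (kernel events and addresses, activity of other containers), and it is added unconditionally rather than behind a boolean or as a dontaudit. Unless a known workload requires the kernel log, a tunable around that one line, or a dontaudit rule if the motivation is only audit noise, would keep the default container profile tighter. The svirt_lxc_net_t rule block starts and ends outside this hunk.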
diff --git a/selinux-policy.spec b/selinux-policy.spec index 868d1ee..c1982d8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 171%{?dist} +Release: 172%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -579,6 +579,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jun 24 2014 Lukas Vrabec 3.12.1-172 +- Allow keepalived connect to agentx port +- Allow neutron-ns-metadata to connectto own unix stream socket +- Additional allow rules for docker sandbox processes +- Remove duplicate .fc entry for Grilo plugin bookmarks +- Add f2fs support for Xattrs + * Wed Jun 18 2014 Lukas Vrabec 3.12.1-171 - Add additional interfaces needed by mozilla_plugin_use_bluejeans boolean