diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index e6a2495..342b464 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -35130,7 +35130,7 @@ index 346a7cc..42a48b6 100644
 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..b82ccf1 100644
+index 6944526..0bd8d93 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35405,7 +35405,7 @@ index 6944526..b82ccf1 100644
 corenet_tcp_sendrecv_generic_if($1)
 corenet_udp_sendrecv_generic_if($1)
 corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
 sysnet_read_config($1)
 ')
@@ -35473,6 +35473,8 @@ index 6944526..b82ccf1 100644
 +
 + files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
 + files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
++ files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
 + files_etc_filetrans($1, net_conf_t, file, "denyhosts")
 + files_etc_filetrans($1, net_conf_t, file, "hosts")
 + files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 43a7584..5344e2c 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -2329,7 +2329,7 @@ index 6f1384c..9f23456 100644
 rpm_domtrans(anaconda_t)
 diff --git a/antivirus.fc b/antivirus.fc
 new file mode 100644
-index 0000000..e44bff0
+index 0000000..9d5214b
 --- /dev/null
 +++ b/antivirus.fc
 @@ -0,0 +1,43 @@
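Review bot: The two added name transitions for `resolv.conf.fp-tmp` and `resolv.conf.fp-saved` give no hint of who creates those names, so a why-comment would save the next reader from guessing, e.g. `# resolv.conf.fp-* are written by f5link` (the changelog names f5link as the creator). These are name-based transitions only: they label the file at creation time for the calling domain, and whether a later relabel yields the same net_conf_t type depends on the existing `/etc/resolv\.conf.*` file-context entry, presumably in sysnetwork.fc, matching these suffixes; worth confirming rather than assuming. The interface these lines belong to begins and ends outside the hunk.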
@@ -2354,10 +2354,10 @@ index 0000000..e44bff0
 +
 +/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
 +
-+
 +/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
++/var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
 +/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
@@ -11873,10 +11873,10 @@ index 0000000..8ac848b
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..1ef78b0
+index 0000000..2f9ecfd
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,298 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -12038,6 +12038,7 @@ index 0000000..1ef78b0
 +
 +optional_policy(`
 + rpm_domtrans(cloud_init_t)
++ rpm_transition_script(cloud_init_t)
 + unconfined_domain(cloud_init_t)
 +')
 +
@@ -37342,10 +37343,10 @@ index 327f3f7..4f61561 100644
 + ')
 ')
 diff --git a/mandb.te b/mandb.te
-index 5a414e0..7fee444 100644
+index 5a414e0..24f45a8 100644
 --- a/mandb.te
 +++ b/mandb.te
-@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles;
+@@ -10,28 +10,52 @@ roleattribute system_r mandb_roles;
 type mandb_t;
 type mandb_exec_t;
@@ -37392,6 +37393,7 @@ index 5a414e0..7fee444 100644
 -files_read_etc_files(mandb_t)
 +files_search_locks(mandb_t)
++files_dontaudit_search_all_mountpoints(mandb_t)
 miscfiles_manage_man_cache(mandb_t)
 +miscfiles_setattr_man_pages(mandb_t)
@@ -38044,10 +38046,10 @@ index cba62db..562833a 100644
 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
 +')
 diff --git a/milter.te b/milter.te
-index 92508b2..db83591 100644
+index 92508b2..2213a03 100644
 --- a/milter.te
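Review bot: `rpm_transition_script(cloud_init_t)` is added inside a block that also grants `unconfined_domain(cloud_init_t)`, so the transition does not widen what cloud-init can do; what it changes, presumably, is that package scriptlets run labeled rpm_script_t (as they do under rpm_t) so rpm_script_t rules and audit records apply to them instead of cloud_init_t's. A one-line comment would make that intent explicit, e.g. `# run package scriptlets as rpm_script_t, as rpm_t does, not as cloud_init_t`. All three calls share one optional_policy block, so the rpm transition also depends on the module providing unconfined_domain being loaded; if that coupling is not intended, the two rpm calls belong in their own block. The cloud_init_t policy continues outside the hunk.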
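Review bot: `files_dontaudit_search_all_mountpoints(mandb_t)` silences the search denials rather than diagnosing them, which is the right choice only if mandb merely probes every mount point while scanning its configured manpaths and never needs to index pages that live on one of them, because the dontaudit would also hide a denial that does matter. A brief comment recording that reasoning, e.g. `# mandb probes every mount point while scanning manpaths; the search denials are noise`, would stop a later reviewer from replacing it with an allow rule. The mandb_t rules continue outside the hunk.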
 +++ b/milter.te
-@@ -1,77 +1,110 @@
+@@ -1,77 +1,117 @@
 -policy_module(milter, 1.4.2)
 +policy_module(milter, 1.4.0)
@@ -38067,6 +38069,9 @@ index 92508b2..db83591 100644
 +type dkim_milter_private_key_t;
 +files_type(dkim_milter_private_key_t)
 +
++type dkim_milter_tmp_t;
++files_tmp_file(dkim_milter_tmp_t)
++
 +# currently-supported milters are milter-greylist, milter-regex and spamass-milter
 milter_template(greylist)
 milter_template(regex)
@@ -38126,6 +38131,10 @@ index 92508b2..db83591 100644
 -logging_send_syslog_msg(milter_domains)
 +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
 +
++manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t)
++files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file })
++
 +kernel_read_kernel_sysctls(dkim_milter_t)
 +
 +auth_use_nsswitch(dkim_milter_t)
@@ -38186,7 +38195,7 @@ index 92508b2..db83591 100644
 optional_policy(`
 mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +112,45 @@ optional_policy(`
+@@ -79,30 +119,45 @@ optional_policy(`
 ########################################
 #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c57ac6d..e202e04 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 74.14%{?dist}
+Release: 74.15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,13 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Tue Dec 10 2013 Lukas Vrabec 3.12.1-74.15
+- Add file transition rules for content created by f5link
+- Allow cloud_init to transition to rpm_script_t
+- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs
+- Allow dkim-milter to create files/dirs in /tmp
+- Dontaudit mandb searching all mountpoints
+
 * Tue Nov 26 2013 Lukas Vrabec 3.12.1-74.14
 - Allow apmd to request the kernel load module
 - Allow sssd to request the kernel loads modules