From a853036f7980c7801eef8a690b0d4d231e2d661e Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 30 2014 12:26:17 +0000 Subject: - Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring - Allow geoclue to create temporary files/dirs in /tmp - Add httpd_dontaudit_search_dirs boolean - Add support for winbind.service - Allow also fail2ban-client to read apache logs - Allow vmtools to getattr on all fs --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 402d0ff..f75f5e3 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2631,7 +2631,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..e0fc276 100644 +index 1d732f1..1a53101 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -2784,6 +2784,15 @@ index 1d732f1..e0fc276 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) +@@ -273,7 +297,7 @@ optional_policy(` + # Passwd local policy + # + +-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; ++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource }; + dontaudit passwd_t self:capability sys_tty_config; + allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow passwd_t self:process { setrlimit setfscreate }; @@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index dbef4b0..fc9620c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
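Review bot: The `ipc_lock` added in `++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };` widens passwd_t's capability set with no in-policy explanation; the reason (changing the gnome-keyring password) lives only in the commit message. A one-line comment above the rule, e.g. `# ipc_lock: needed when passwd updates the gnome-keyring password (presumably the keyring locks its secret memory)`, keeps the rationale next to the grant so a later capability trim does not silently drop it. The rest of the passwd local policy section continues outside this hunk.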
@@ -4786,10 +4786,10 @@ index f6eb485..51b128e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..7954b3b 100644 +index 6649962..1f527f5 100644 --- a/apache.te +++ b/apache.te -@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2) +@@ -5,280 +5,325 @@ policy_module(apache, 2.7.2) # Declarations # @@ -4810,39 +4810,40 @@ index 6649962..7954b3b 100644 ## -gen_tunable(allow_httpd_anon_write, false) +gen_tunable(httpd_anon_write, false) ++ ## -##

-## Determine whether httpd can use mod_auth_pam. -##

+##

-+## Allow Apache to use mod_auth_pam ++## Dontaudit Apache to search dirs. +##

##
-gen_tunable(allow_httpd_mod_auth_pam, false) -+gen_tunable(httpd_mod_auth_pam, false) ++gen_tunable(httpd_dontaudit_search_dirs, false) ## -##

-## Determine whether httpd can use built in scripting. -##

+##

-+## Allow Apache to use mod_auth_ntlm_winbind ++## Allow Apache to use mod_auth_pam +##

##
-gen_tunable(httpd_builtin_scripting, false) -+gen_tunable(httpd_mod_auth_ntlm_winbind, false) ++gen_tunable(httpd_mod_auth_pam, false) ## -##

-## Determine whether httpd can check spam. -##

+##

-+## Allow httpd scripts and modules execmem/execstack ++## Allow Apache to use mod_auth_ntlm_winbind +##

##
-gen_tunable(httpd_can_check_spam, false) -+gen_tunable(httpd_execmem, false) ++gen_tunable(httpd_mod_auth_ntlm_winbind, false) ## -##

@@ -4850,6 +4851,13 @@ index 6649962..7954b3b 100644 -## can connect to the network using TCP. -##

+##

++## Allow httpd scripts and modules execmem/execstack ++##

++##
++gen_tunable(httpd_execmem, false) ++ ++## ++##

+## Allow httpd processes to manage IPA content +##

+##
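Review bot: The description added for the new boolean, `++## Dontaudit Apache to search dirs.`, is ungrammatical and does not say what the boolean does — it silences denials and grants nothing — so an admin reading `semanage boolean -l` cannot tell what enabling it costs. Suggest `## Do not audit attempts by httpd to search directories it is not otherwise allowed to search.` The `<desc>`/`<p>` markup around the tunable descriptions appears to have been stripped in this rendering, so I cannot confirm the exact placement within the block. The rule the boolean controls, `files_dontaudit_search_non_security_dirs(httpd_t)`, is in the later hunk at `@@ -5609,16 +5617,20 @@`.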
@@ -5255,7 +5263,7 @@ index 6649962..7954b3b 100644 type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) -@@ -286,15 +323,35 @@ init_script_file(httpd_initrc_exec_t) +@@ -286,15 +331,35 @@ init_script_file(httpd_initrc_exec_t) type httpd_keytab_t; files_type(httpd_keytab_t) @@ -5291,7 +5299,7 @@ index 6649962..7954b3b 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -302,10 +359,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -302,10 +367,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -5304,7 +5312,7 @@ index 6649962..7954b3b 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -314,9 +369,19 @@ role system_r types httpd_suexec_t; +@@ -314,9 +377,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5327,7 +5335,7 @@ index 6649962..7954b3b 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -324,14 +389,21 @@ files_tmp_file(httpd_tmp_t) +@@ -324,14 +397,21 @@ files_tmp_file(httpd_tmp_t) type httpd_tmpfs_t; files_tmpfs_file(httpd_tmpfs_t) 
@@ -5350,7 +5358,7 @@ index 6649962..7954b3b 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -346,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -346,33 +426,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; @@ -5401,7 +5409,7 @@ index 6649962..7954b3b 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -381,30 +460,38 @@ allow httpd_t self:shm create_shm_perms; +@@ -381,30 +468,38 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5445,7 +5453,7 @@ index 6649962..7954b3b 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,14 +499,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 
@@ -5467,7 +5475,7 @@ index 6649962..7954b3b 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -450,140 +544,168 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +552,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5533,7 +5541,7 @@ index 6649962..7954b3b 100644 -fs_search_auto_mountpoints(httpd_t) +fs_rw_anon_inodefs_files(httpd_t) +fs_read_hugetlbfs_files(httpd_t) - ++ +auth_use_nsswitch(httpd_t) + +application_exec_all(httpd_t) @@ -5544,7 +5552,7 @@ index 6649962..7954b3b 100644 + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) -+ + +files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) @@ -5609,16 +5617,20 @@ index 6649962..7954b3b 100644 -ifdef(`hide_broken_symptoms',` - libs_exec_lib_files(httpd_t) ++tunable_policy(`httpd_dontaudit_search_dirs',` ++ files_dontaudit_search_non_security_dirs(httpd_t) + ') + +-tunable_policy(`allow_httpd_anon_write',` +- miscfiles_manage_public_files(httpd_t) +# +# We need optionals to be able to be within booleans to make this work +# +tunable_policy(`httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) + logging_send_audit_msgs(httpd_t) - ') - --tunable_policy(`allow_httpd_anon_write',` -- miscfiles_manage_public_files(httpd_t) ++') ++ +optional_policy(` + tunable_policy(`httpd_mod_auth_ntlm_winbind',` + samba_domtrans_winbind_helper(httpd_t) 
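Review bot: The new block `tunable_policy(`httpd_dontaudit_search_dirs',` / `files_dontaudit_search_non_security_dirs(httpd_t)` / `')` suppresses AVC records rather than granting access, and nothing in the policy states that trade-off: once an operator enables it to quiet logs, denials from httpd probing directories it has no business in stop appearing in the audit trail. A short comment above the block, e.g. `# dontaudit only: quiets search denials on non-security dirs; enabling it removes that AVC signal`, would make the cost explicit at the point of use. The other edits in this hunk (`++')` and the moved blank line after the `httpd_mod_auth_pam` block) look like a pure reordering of the existing patch text and raise nothing.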
@@ -5701,7 +5713,7 @@ index 6649962..7954b3b 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +716,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +728,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5761,7 +5773,7 @@ index 6649962..7954b3b 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +768,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +780,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5813,12 +5825,8 @@ index 6649962..7954b3b 100644 - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) - ') -+tunable_policy(`httpd_use_cifs',` -+ fs_manage_cifs_dirs(httpd_t) -+ fs_manage_cifs_files(httpd_t) -+ fs_manage_cifs_symlinks(httpd_t) - ') - +-') +- -optional_policy(` - tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` - spamassassin_domtrans_client(httpd_t) @@ -5841,8 +5849,12 @@ index 6649962..7954b3b 100644 - tunable_policy(`httpd_mod_auth_ntlm_winbind',` - samba_domtrans_winbind_helper(httpd_t) - ') --') -- ++tunable_policy(`httpd_use_cifs',` ++ fs_manage_cifs_dirs(httpd_t) ++ fs_manage_cifs_files(httpd_t) ++ fs_manage_cifs_symlinks(httpd_t) + ') + -tunable_policy(`httpd_read_user_content',` - userdom_read_user_home_content_files(httpd_t) +tunable_policy(`httpd_use_fusefs',` @@ -5852,7 +5864,7 @@ index 6649962..7954b3b 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,66 +815,56 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,66 +827,56 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) 
@@ -5873,10 +5885,8 @@ index 6649962..7954b3b 100644 - userdom_use_user_terminals(httpd_t) -',` - userdom_dontaudit_use_user_terminals(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_suexec_t) - ') - +-') +- -tunable_policy(`httpd_use_cifs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_cifs_dirs(httpd_t) @@ -5893,8 +5903,10 @@ index 6649962..7954b3b 100644 - fs_manage_fusefs_dirs(httpd_t) - fs_manage_fusefs_files(httpd_t) - fs_read_fusefs_symlinks(httpd_t) --') -- ++ userdom_use_inherited_user_terminals(httpd_t) ++ userdom_use_inherited_user_terminals(httpd_suexec_t) + ') + -tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` - fs_exec_fusefs_files(httpd_t) -') @@ -5950,7 +5962,7 @@ index 6649962..7954b3b 100644 ') optional_policy(` -@@ -770,6 +880,23 @@ optional_policy(` +@@ -770,6 +892,23 @@ optional_policy(` ') optional_policy(` @@ -5974,7 +5986,7 @@ index 6649962..7954b3b 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -786,35 +913,55 @@ optional_policy(` +@@ -786,35 +925,55 @@ optional_policy(` ') optional_policy(` @@ -6043,7 +6055,7 @@ index 6649962..7954b3b 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +969,18 @@ optional_policy(` +@@ -822,8 +981,18 @@ optional_policy(` ') optional_policy(` @@ -6062,7 +6074,7 @@ index 6649962..7954b3b 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +989,7 @@ optional_policy(` +@@ -832,6 +1001,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6070,7 +6082,7 @@ index 6649962..7954b3b 100644 ') optional_policy(` -@@ -842,20 +1000,39 @@ optional_policy(` +@@ -842,20 +1012,39 @@ optional_policy(` ') optional_policy(` @@ -6116,7 +6128,7 @@ index 6649962..7954b3b 100644 ') optional_policy(` -@@ -863,19 +1040,35 @@ optional_policy(` +@@ -863,19 +1052,35 @@ optional_policy(` ') optional_policy(` 
@@ -6152,7 +6164,7 @@ index 6649962..7954b3b 100644 udev_read_db(httpd_t) ') -@@ -883,65 +1076,173 @@ optional_policy(` +@@ -883,65 +1088,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6225,10 +6237,11 @@ index 6649962..7954b3b 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache PHP script local policy +# + @@ -6287,11 +6300,10 @@ index 6649962..7954b3b 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache suexec local policy # @@ -6348,7 +6360,7 @@ index 6649962..7954b3b 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1251,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1263,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6503,7 +6515,7 @@ index 6649962..7954b3b 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1335,106 @@ optional_policy(` +@@ -1083,172 +1347,106 @@ optional_policy(` ') ') @@ -6528,11 +6540,11 @@ index 6649962..7954b3b 100644 - -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -+allow httpd_sys_script_t self:process getsched; - +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) -- ++allow httpd_sys_script_t self:process getsched; + -corenet_all_recvfrom_unlabeled(httpd_script_domains) -corenet_all_recvfrom_netlabel(httpd_script_domains) -corenet_tcp_sendrecv_generic_if(httpd_script_domains) 
@@ -6621,15 +6633,6 @@ index 6649962..7954b3b 100644 - corenet_sendrecv_oracledb_client_packets(httpd_script_domains) - corenet_tcp_connect_oracledb_port(httpd_script_domains) - corenet_tcp_sendrecv_oracledb_port(httpd_script_domains) --') -- --optional_policy(` -- mysql_read_config(httpd_script_domains) -- mysql_stream_connect(httpd_script_domains) -- -- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` -- mysql_tcp_connect(httpd_script_domains) -- ') +tunable_policy(`httpd_can_network_connect_db',` + corenet_tcp_connect_gds_db_port(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_sys_script_t) @@ -6639,12 +6642,21 @@ index 6649962..7954b3b 100644 ') -optional_policy(` -- postgresql_stream_connect(httpd_script_domains) +- mysql_read_config(httpd_script_domains) +- mysql_stream_connect(httpd_script_domains) +- +- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` +- mysql_tcp_connect(httpd_script_domains) +- ') +-') +fs_cifs_entry_type(httpd_sys_script_t) +fs_read_iso9660_files(httpd_sys_script_t) +fs_nfs_entry_type(httpd_sys_script_t) +fs_rw_anon_inodefs_files(httpd_sys_script_t) +-optional_policy(` +- postgresql_stream_connect(httpd_script_domains) +- - tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',` - postgresql_tcp_connect(httpd_script_domains) - ') @@ -6681,7 +6693,8 @@ index 6649962..7954b3b 100644 -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; -allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms; -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -6701,8 +6714,7 @@ index 6649962..7954b3b 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` @@ -6740,7 +6752,7 @@ index 6649962..7954b3b 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1442,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1454,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6837,7 +6849,7 @@ index 6649962..7954b3b 100644 ######################################## # -@@ -1321,8 +1517,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1529,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6854,7 +6866,7 @@ index 6649962..7954b3b 100644 ') ######################################## -@@ -1330,49 +1533,38 @@ optional_policy(` +@@ -1330,49 +1545,38 @@ optional_policy(` # User content local policy # @@ -6919,7 +6931,7 @@ index 6649962..7954b3b 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1574,100 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1586,100 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -25291,7 +25303,7 @@ index 50d0084..94e1936 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index cf0e567..91d4dfb 100644 +index cf0e567..fed8792 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; 
@@ -25368,7 +25380,7 @@ index cf0e567..91d4dfb 100644 shorewall_domtrans(fail2ban_t) ') -@@ -131,22 +144,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -131,22 +144,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -25398,6 +25410,10 @@ index cf0e567..91d4dfb 100644 - userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) ++ ++optional_policy(` ++ apache_read_log(fail2ban_client_t) ++') diff --git a/fcoe.te b/fcoe.te index ce358fb..aabd04f 100644 --- a/fcoe.te @@ -27102,10 +27118,10 @@ index 0000000..9e17d3e +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..64faa9e +index 0000000..1fb8bd5 --- /dev/null +++ b/geoclue.te -@@ -0,0 +1,38 @@ +@@ -0,0 +1,45 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -27121,6 +27137,9 @@ index 0000000..64faa9e +type geoclue_var_lib_t; +files_type(geoclue_var_lib_t) + ++type geoclue_tmp_t; ++files_tmp_file(geoclue_tmp_t) ++ +######################################## +# +# geoclue local policy @@ -27131,6 +27150,10 @@ index 0000000..64faa9e +manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t) +files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir }) + ++manage_files_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t) ++manage_dirss_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t) ++files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file }) ++ +corenet_tcp_connect_http_port(geoclue_t) + +corecmd_exec_bin(geoclue_t) @@ -80608,10 +80631,10 @@ index 7fb75f4..27f5e22 100644 +userdom_getattr_user_terminals(rwho_t) + diff --git a/samba.fc b/samba.fc -index b8b66ff..2ccac49 100644 +index b8b66ff..d1fa967 100644 --- a/samba.fc 
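Review bot: `++ apache_read_log(fail2ban_client_t)` in the fail2ban.te hunk at `@@ -25398,6 +25410,10 @@` grants the client-side domain read access to httpd log files unconditionally; the context on the preceding line shows `role fail2ban_client_roles types fail2ban_client_t`, so every user permitted that role can now read web server logs, which typically carry client IPs and request paths. If `fail2ban-client` genuinely needs this (the commit message says only that it should read apache logs), a why-comment above the `optional_policy` block such as `# fail2ban-client tests filters against the same apache logs the daemon scans` would record that; otherwise gating it behind a boolean would keep the client domain narrower. The enclosing fail2ban_client local policy starts outside this hunk.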
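Review bot: `++manage_dirss_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)` in the geoclue.te hunk at `@@ -27131,6 +27150,10 @@` misspells the interface; there is no `manage_dirss_pattern` macro, so the name passes through m4 unexpanded and the module should fail to compile, and even if it did not, geoclue would get no directory permissions on its tmp type while `files_tmp_filetrans(geoclue_t, geoclue_tmp_t, { dir file })` still transitions new directories to it. Change it to `manage_dirs_pattern(geoclue_t, geoclue_tmp_t, geoclue_tmp_t)`. The `geoclue_tmp_t` declaration added in the preceding hunk at `@@ -27121,6 +27137,9 @@` is fine on its own.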
+++ b/samba.fc -@@ -1,42 +1,54 @@ +@@ -1,42 +1,55 @@ -/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) + @@ -80637,6 +80660,7 @@ index b8b66ff..2ccac49 100644 +# +/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) +/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) ++/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) -/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) -/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) @@ -80692,7 +80716,7 @@ index b8b66ff..2ccac49 100644 /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) /var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -@@ -45,7 +57,11 @@ +@@ -45,7 +58,11 @@ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) @@ -100334,10 +100358,10 @@ index 0000000..044be2f +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..b4d2dac +index 0000000..1398ead --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,44 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -100377,6 +100401,8 @@ index 0000000..b4d2dac +dev_read_urand(vmtools_t) +dev_getattr_all_blk_files(vmtools_t) + ++fs_getattr_all_fs(vmtools_t) ++ +auth_use_nsswitch(vmtools_t) + +logging_send_syslog_msg(vmtools_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d2c5efd..be21a00 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,14 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Thu Jan 30 2014 Miroslav Grepl 3.13.1-20
+- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring
+- Allow geoclue to create temporary files/dirs in /tmp
+- Add httpd_dontaudit_search_dirs boolean
+- Add support for winbind.service
+- ALlow also fail2ban-client to read apache logs
+- Allow vmtools to getattr on all fs
+
 * Tue Jan 28 2014 Miroslav Grepl 3.13.1-19
 - Add net_admin also for systemd_passwd_agent_t
 - Allow Associate usermodehelper_t to sysfs filesystem