From d17f759dd0fd2ee0cc488ce7412262250a674e1f Mon Sep 17 00:00:00 2001 From: Miroslav Date: Dec 13 2011 10:26:04 +0000 Subject: - Allow abrt to request the kernel to load a module - Make sure mozilla content is labeled correctly - Allow tgtd to read system state - More fixes for boinc * allow to resolve dns name * re-write boinc policy to use boinc_domain attribute - Allow munin services plugins to use NSCD services --- diff --git a/policy-F16.patch b/policy-F16.patch index 25d1257..e5be303 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -5446,7 +5446,7 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..9b1de02 100644 +index f5afe78..c57fc1e 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,862 @@ @@ -6521,7 +6521,7 @@ index f5afe78..9b1de02 100644 ## ## ## -@@ -140,51 +1029,299 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1029,298 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -6715,7 +6715,6 @@ index f5afe78..9b1de02 100644 + allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms; +') + -+ +######################################## +## +## Create gnome content in the user home directory @@ -7931,7 +7930,7 @@ index 93ac529..800b5c8 100644 + +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..e187982 100644 +index fbb5c5a..ffeec16 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -7943,7 +7942,7 @@ index fbb5c5a..e187982 100644 # Allow the user domain to signal/ps. ps_process_pattern($2, mozilla_t) allow $2 mozilla_t:process signal_perms; -@@ -49,8 +51,16 @@ interface(`mozilla_role',` +@@ -49,9 +51,19 @@ interface(`mozilla_role',` mozilla_run_plugin(mozilla_t, $1) mozilla_dbus_chat($2) @@ -7958,9 +7957,12 @@ index fbb5c5a..e187982 100644 + pulseaudio_filetrans_admin_home_content(mozilla_t) + pulseaudio_filetrans_home_content(mozilla_t) ') ++ ++ mozilla_filetrans_home_content($2) ') -@@ -109,7 +119,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',` + ######################################## +@@ -109,7 +121,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',` type mozilla_home_t; ') @@ -7969,7 +7971,7 @@ index fbb5c5a..e187982 100644 ') ######################################## -@@ -197,12 +207,29 @@ interface(`mozilla_domtrans',` +@@ -197,12 +209,31 @@ interface(`mozilla_domtrans',` # interface(`mozilla_domtrans_plugin',` gen_require(` @@ -7997,10 +7999,12 @@ index fbb5c5a..e187982 100644 + read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + can_exec($1, mozilla_plugin_rw_t) ++ ++ #mozilla_filetrans_home_content($1) ') ######################################## -@@ -228,6 +255,27 @@ interface(`mozilla_run_plugin',` +@@ -228,6 +259,27 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; @@ -8028,7 +8032,7 @@ index fbb5c5a..e187982 100644 ') ######################################## -@@ -269,9 +317,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -269,9 +321,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -8057,7 +8061,7 @@ index fbb5c5a..e187982 100644 ## ## ## -@@ -279,28 +345,48 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -279,28 +349,79 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -8113,6 +8117,37 @@ index fbb5c5a..e187982 100644 + allow $1 mozilla_plugin_rw_t:file manage_file_perms; + allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; ') ++ ++######################################## ++## ++## Create mozilla content in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mozilla_filetrans_home_content',` ++ ++ gen_require(` ++ type mozilla_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") ++') ++ diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 2e9318b..bb90a3b 100644 --- a/policy/modules/apps/mozilla.te @@ -16430,7 +16465,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..facd6a8 100644 +index fae1ab1..b3fbad5 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -16531,7 +16566,7 @@ index fae1ab1..facd6a8 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -158,5 +199,219 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +199,223 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -16595,6 +16630,10 @@ index fae1ab1..facd6a8 100644 +') + +optional_policy(` ++ mozilla_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` + networkmanager_filetrans_named_content(unconfined_domain_type) +') + @@ -23987,7 +24026,7 @@ index 0b827c5..d83d4dc 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..e203cd3 100644 +index 30861ec..939e294 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -24095,7 +24134,7 @@ index 30861ec..e203cd3 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +133,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -24104,10 +24143,11 @@ index 30861ec..e203cd3 100644 kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) ++kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +154,8 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -24116,7 +24156,7 @@ index 30861ec..e203cd3 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -24126,7 +24166,7 @@ index 30861ec..e203cd3 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -24135,7 +24175,7 @@ index 30861ec..e203cd3 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +186,26 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +187,26 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -24168,7 +24208,7 @@ index 30861ec..e203cd3 100644 ') optional_policy(` -@@ -167,6 +226,7 @@ optional_policy(` +@@ -167,6 +227,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -24176,7 +24216,7 @@ index 30861ec..e203cd3 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +238,35 @@ optional_policy(` +@@ -178,12 +239,35 @@ optional_policy(` ') optional_policy(` @@ -24213,7 +24253,7 @@ index 30861ec..e203cd3 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +283,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +284,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -24242,7 +24282,7 @@ index 30861ec..e203cd3 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +306,128 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +307,128 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -28274,10 +28314,10 @@ index 0000000..9fe3f9e +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..61db909 +index 0000000..788087e --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,178 @@ +@@ -0,0 +1,173 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -28285,6 +28325,8 @@ index 0000000..61db909 +# Declarations +# + ++attribute boinc_domain; ++ +type boinc_t; +type boinc_exec_t; +init_daemon_domain(boinc_t, boinc_exec_t) @@ -28311,6 +28353,37 @@ index 0000000..61db909 +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + ++####################################### ++# ++# boinc domain local policy ++# ++ ++allow boinc_domain self:fifo_file rw_fifo_file_perms; ++allow boinc_domain self:sem create_sem_perms; ++ ++# needs read /proc/interrupts ++kernel_read_system_state(boinc_domain) ++ ++corecmd_exec_bin(boinc_domain) ++corecmd_exec_shell(boinc_domain) ++ ++dev_read_rand(boinc_domain) ++dev_read_urand(boinc_domain) ++dev_read_sysfs(boinc_domain) ++ ++domain_read_all_domains_state(boinc_domain) ++ ++files_read_etc_files(boinc_domain) ++files_read_etc_runtime_files(boinc_domain) ++files_read_usr_files(boinc_domain) ++ ++miscfiles_read_fonts(boinc_domain) ++miscfiles_read_localization(boinc_domain) ++ ++optional_policy(` ++ sysnet_dns_name_resolve(boinc_domain) ++') ++ +######################################## +# +# boinc local policy @@ -28319,10 +28392,8 @@ index 0000000..61db909 +allow boinc_t self:capability { kill }; +allow boinc_t self:process { setsched sigkill }; + -+allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; +allow boinc_t self:tcp_socket create_stream_socket_perms; -+allow boinc_t self:sem create_sem_perms; +allow boinc_t self:shm create_shm_perms; + +manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) @@ -28340,15 +28411,9 @@ index 0000000..61db909 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + -+# needs read /proc/interrupts -+kernel_read_system_state(boinc_t) -+ +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) + -+corecmd_exec_bin(boinc_t) -+corecmd_exec_shell(boinc_t) -+ +corenet_all_recvfrom_unlabeled(boinc_t) +corenet_all_recvfrom_netlabel(boinc_t) +corenet_tcp_sendrecv_generic_if(boinc_t) @@ -28365,18 +28430,8 @@ index 0000000..61db909 +corenet_tcp_connect_http_port(boinc_t) +corenet_tcp_connect_http_cache_port(boinc_t) + -+dev_list_sysfs(boinc_t) -+dev_read_rand(boinc_t) -+dev_read_urand(boinc_t) -+dev_read_sysfs(boinc_t) -+ -+domain_read_all_domains_state(boinc_t) -+ +files_dontaudit_getattr_boot_dirs(boinc_t) + -+files_read_etc_files(boinc_t) -+files_read_usr_files(boinc_t) -+ +fs_getattr_all_fs(boinc_t) + +term_getattr_all_ptys(boinc_t) @@ -28384,14 +28439,11 @@ index 0000000..61db909 + +init_read_utmp(boinc_t) + -+miscfiles_read_localization(boinc_t) -+miscfiles_read_generic_certs(boinc_t) -+ +logging_send_syslog_msg(boinc_t) + -+sysnet_dns_name_resolve(boinc_t) -+ -+mta_send_mail(boinc_t) ++optional_policy(` ++ mta_send_mail(boinc_t) ++') + +######################################## +# @@ -28408,9 +28460,6 @@ index 0000000..61db909 + allow boinc_project_t self:process ptrace; +') + -+allow boinc_project_t self:fifo_file rw_fifo_file_perms; -+allow boinc_project_t self:sem create_sem_perms; -+ +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) +files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file }) @@ -28429,29 +28478,15 @@ index 0000000..61db909 +list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) + -+kernel_read_system_state(boinc_project_t) +kernel_read_kernel_sysctls(boinc_project_t) +kernel_search_vm_sysctl(boinc_project_t) +kernel_read_network_state(boinc_project_t) + -+corecmd_exec_bin(boinc_project_t) -+corecmd_exec_shell(boinc_project_t) -+ +corenet_tcp_connect_boinc_port(boinc_project_t) + -+domain_read_all_domains_state(boinc_project_t) -+ -+dev_read_rand(boinc_project_t) -+dev_read_urand(boinc_project_t) -+dev_read_sysfs(boinc_project_t) +dev_rw_xserver_misc(boinc_project_t) + -+files_read_etc_files(boinc_project_t) -+files_read_etc_runtime_files(boinc_project_t) -+files_read_usr_files(boinc_project_t) -+ -+miscfiles_read_fonts(boinc_project_t) -+miscfiles_read_localization(boinc_project_t) ++files_dontaudit_search_home(boinc_project_t) + +optional_policy(` + java_exec(boinc_project_t) @@ -46347,7 +46382,7 @@ index c358d8f..7c097ec 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..9850f4d 100644 +index f17583b..171ebec 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -46442,7 +46477,7 @@ index f17583b..9850f4d 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) @@ -46452,10 +46487,19 @@ index f17583b..9850f4d 100644 - logging_read_generic_logs(mail_munin_plugin_t) - mta_read_config(mail_munin_plugin_t) - mta_send_mail(mail_munin_plugin_t) -+mta_list_queue(mail_munin_plugin_t) - mta_read_queue(mail_munin_plugin_t) +-mta_read_config(mail_munin_plugin_t) +-mta_send_mail(mail_munin_plugin_t) +-mta_read_queue(mail_munin_plugin_t) ++optional_policy(` ++ mta_read_config(mail_munin_plugin_t) ++ mta_send_mail(mail_munin_plugin_t) ++ mta_list_queue(mail_munin_plugin_t) ++ mta_read_queue(mail_munin_plugin_t) ++') ++ ++optional_policy(` ++ nscd_socket_use(mail_munin_plugin_t) ++') optional_policy(` postfix_read_config(mail_munin_plugin_t) @@ -46464,7 +46508,7 @@ index f17583b..9850f4d 100644 ') optional_policy(` -@@ -245,6 +253,8 @@ optional_policy(` +@@ -245,6 +259,8 @@ optional_policy(` # local policy for service plugins # @@ -46473,7 +46517,7 @@ index f17583b..9850f4d 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -46488,7 +46532,18 @@ index f17583b..9850f4d 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +293,10 @@ optional_policy(` +@@ -279,6 +292,10 @@ optional_policy(` + ') + + optional_policy(` ++ nscd_socket_use(services_munin_plugin_t) ++') ++ ++optional_policy(` + postgresql_stream_connect(services_munin_plugin_t) + ') + +@@ -286,6 +303,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -46499,7 +46554,7 @@ index f17583b..9850f4d 100644 ################################## # # local policy for system plugins -@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -46516,7 +46571,7 @@ index f17583b..9850f4d 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -62829,7 +62884,7 @@ index 8294f6f..4847b43 100644 /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te -index 665bf7c..d100080 100644 +index 665bf7c..a1ea37a 100644 --- a/policy/modules/services/tgtd.te +++ b/policy/modules/services/tgtd.te @@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t) @@ -62851,7 +62906,7 @@ index 665bf7c..d100080 100644 allow tgtd_t self:shm create_shm_perms; allow tgtd_t self:sem create_sem_perms; allow tgtd_t self:tcp_socket create_stream_socket_perms; -@@ -46,6 +49,11 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) +@@ -46,6 +49,12 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) @@ -62860,10 +62915,11 @@ index 665bf7c..d100080 100644 +manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) +files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) + ++kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) -@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t) +@@ -57,10 +66,18 @@ corenet_tcp_bind_generic_node(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_server_packets(tgtd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 503daba..54e97bc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 67%{?dist} +Release: 68%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Dec 13 2011 Miroslav Grepl 3.10.0-68 +- Allow abrt to request the kernel to load a module +- Make sure mozilla content is labeled correctly +- Allow tgtd to read system state +- More fixes for boinc + * allow to resolve dns name + * re-write boinc policy to use boinc_domain attribute +- Allow munin services plugins to use NSCD services + * Thu Dec 8 2011 Miroslav Grepl 3.10.0-67 - Allow mozilla_plugin_t to manage mozilla_home_t - Allow ssh derived domain to execute ssh-keygen in the ssh_keygen_t domain