diff --git a/SOURCES/policy-rhel-7.0.z-base.patch b/SOURCES/policy-rhel-7.0.z-base.patch index e229992..2f3752e 100644 --- a/SOURCES/policy-rhel-7.0.z-base.patch +++ b/SOURCES/policy-rhel-7.0.z-base.patch @@ -55,7 +55,7 @@ index fc6d1d3..612503a 100644 dbus_system_bus_client(sudodomain) ') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 72e1a41..77dedae 100644 +index 72e1a41..26e21b2 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -272,7 +272,7 @@ network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) @@ -67,7 +67,15 @@ index 72e1a41..77dedae 100644 network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) -@@ -326,6 +326,7 @@ network_port(trisoap, tcp,10200,s0, udp,10200,s0) +@@ -312,6 +312,7 @@ network_port(stunnel) # no defined portcon + network_port(svn, tcp,3690,s0, udp,3690,s0) + network_port(svrloc, tcp,427,s0, udp,427,s0) + network_port(swat, tcp,901,s0) ++network_port(swift, tcp,6200-6203,s0) + network_port(sype_transport, tcp,9911,s0, udp,9911,s0) + network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) + network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -326,6 +327,7 @@ network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
@@ -190,6 +198,60 @@ index 924f856..7b26d12 100644 -/var/run/[^/]*/gvfs/.* <> +/var/run/user/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/user/[^/]*/gvfs/.* <> +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 3270372..170e7da 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -126,6 +126,24 @@ interface(`kernel_setsched',` + + ######################################## + ## ++## Dontaudit attempts to set the priority of kernel threads. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dontaudit_setsched',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ dontaudit $1 kernel_t:process setsched; ++') ++ ++######################################## ++## + ## Send a SIGCHLD signal to kernel threads. + ## + ## +@@ -180,6 +198,24 @@ interface(`kernel_signal',` + + ######################################## + ## ++## Send signull to kernel threads. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_signull',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:process signull; ++') ++ ++######################################## ++## + ## Allows the kernel to share state information with + ## the caller. + ## diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index d6519a1..5a9d307 100644 --- a/policy/modules/services/ssh.te diff --git a/SOURCES/policy-rhel-7.0.z-contrib.patch b/SOURCES/policy-rhel-7.0.z-contrib.patch index 2c39572..f61be49 100644 --- a/SOURCES/policy-rhel-7.0.z-contrib.patch +++ b/SOURCES/policy-rhel-7.0.z-contrib.patch 
@@ -626,25 +626,99 @@ index 6c32f79..cb68ca9 100644 + openshift_manage_lib_files(gear_t) + openshift_relabelfrom_lib(gear_t) +') +diff --git a/glance.fc b/glance.fc +index c21a528..a746a2b 100644 +--- a/glance.fc ++++ b/glance.fc +@@ -1,8 +1,14 @@ + /etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0) + /etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/openstack-glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_initrc_exec_t,s0) + +-/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) ++/usr/lib/systemd/system/openstack-glance-api.* -- gen_context(system_u:object_r:glance_api_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-glance-registry.* -- gen_context(system_u:object_r:glance_registry_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-glance-scrubber.* -- gen_context(system_u:object_r:glance_scrubber_unit_file_t,s0) ++ ++/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0) + /usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0) ++/usr/bin/glance-scrubber -- gen_context(system_u:object_r:glance_scrubber_exec_t,s0) + + /var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0) + +diff --git a/glance.if b/glance.if +index 229782f..2f3fa34 100644 +--- a/glance.if ++++ b/glance.if +@@ -19,10 +19,16 @@ template(`glance_basic_types_template',` + type $1_t, glance_domain; + type $1_exec_t; + ++ type $1_unit_file_t; ++ systemd_unit_file($1_unit_file_t) ++ + kernel_read_system_state($1_t) + + corenet_all_recvfrom_unlabeled($1_t) + corenet_all_recvfrom_netlabel($1_t) ++ ++ logging_send_syslog_msg($1_t) ++ + ') + + ######################################## diff --git a/glance.te b/glance.te -index 16dcb5b..2d17fe6 100644 +index 16dcb5b..109dc9b 100644 --- a/glance.te 
+++ b/glance.te -@@ -5,6 +5,13 @@ policy_module(glance, 1.0.2) +@@ -1,10 +1,32 @@ +-policy_module(glance, 1.0.2) ++policy_module(glance, 1.1.0) + + ######################################## + # # Declarations # +## ++##

++## Determine whether glance-api can ++## connect to all TCP ports ++##

++##
++gen_tunable(glance_api_can_network, false) ++ ++## +##

+## Allow glance domain to manage fuse files +##

+##
+gen_tunable(glance_use_fusefs, false) + ++## ++##

++## Allow glance domain to use executable memory and executable stack ++##

++##
++gen_tunable(glance_use_execmem, false) ++ attribute glance_domain; glance_basic_types_template(glance_registry) -@@ -77,6 +84,19 @@ libs_exec_ldconfig(glance_domain) +@@ -25,6 +47,12 @@ init_daemon_domain(glance_api_t, glance_api_exec_t) + type glance_api_initrc_exec_t; + init_script_file(glance_api_initrc_exec_t) + ++glance_basic_types_template(glance_scrubber) ++init_daemon_domain(glance_scrubber_t, glance_scrubber_exec_t) ++ ++type glance_scrubber_initrc_exec_t; ++init_script_file(glance_scrubber_initrc_exec_t) ++ + type glance_log_t; + logging_log_file(glance_log_t) + +@@ -77,6 +105,21 @@ libs_exec_ldconfig(glance_domain) sysnet_dns_name_resolve(glance_domain) @@ -655,7 +729,9 @@ index 16dcb5b..2d17fe6 100644 + fs_getattr_fusefs(glance_domain) +') + -+ ++tunable_policy(`glance_use_execmem',` ++ allow glance_domain self:process { execmem execstack }; ++') + +optional_policy(` + mysql_read_db_lnk_files(glance_domain) @@ -664,7 +740,18 @@ index 16dcb5b..2d17fe6 100644 ######################################## # # Registry local policy -@@ -122,6 +142,8 @@ corenet_tcp_connect_mysqld_port(glance_api_t) +@@ -102,6 +145,10 @@ optional_policy(` + mysql_tcp_connect(glance_registry_t) + ') + ++optional_policy(` ++ unconfined_domain(glance_registry_t) ++') ++ + ######################################## + # + # Api local policy +@@ -122,12 +169,24 @@ corenet_tcp_connect_mysqld_port(glance_api_t) corenet_tcp_connect_http_port(glance_api_t) corenet_tcp_connect_all_ephemeral_ports(glance_api_t) 
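Review bot: The `unconfined_domain(glance_registry_t)` block added in the new `@@ -102,6 +145,10 @@` hunk of glance.te, together with the matching `unconfined_domain(glance_api_t)` block in the following `@@ -673,6 +760,22 @@` hunk, turns both glance domains into unconfined domains whenever the unconfined module is loaded, which the targeted policy ships by default. That quietly overrides the fine-grained rules in the same file, including the new `glance_api_can_network` and `glance_use_execmem` tunables, and glance-api is a network-facing service. The `optional_policy` wrapper only tests for the presence of the unconfined module, not for an administrator opting in. If this is an intentional stop-gap it should carry a why-comment such as `# Temporary: glance runs unconfined until the remaining denials are resolved (tracking bug: <placeholder>)`; otherwise the needed access should be expressed as explicit rules or put behind a boolean.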
@@ -673,6 +760,22 @@ index 16dcb5b..2d17fe6 100644 corenet_sendrecv_hplip_server_packets(glance_api_t) corenet_tcp_bind_hplip_port(glance_api_t) + + fs_getattr_xattr_fs(glance_api_t) + ++tunable_policy(`glance_api_can_network',` ++ corenet_sendrecv_all_client_packets(glance_api_t) ++ corenet_tcp_connect_all_ports(glance_api_t) ++ corenet_tcp_sendrecv_all_ports(glance_api_t) ++') ++ + optional_policy(` + mysql_stream_connect(glance_api_t) + ') ++ ++optional_policy(` ++ unconfined_domain(glance_api_t) ++') diff --git a/gnome.te b/gnome.te index 5314f96..ea1115c 100644 --- a/gnome.te @@ -1163,10 +1266,18 @@ index 49dc5ef..3bcd32c 100644 +') diff --git a/passenger.if b/passenger.if -index 0ec51d4..2d8335f 100644 +index 0ec51d4..0e33327 100644 --- a/passenger.if +++ b/passenger.if -@@ -159,3 +159,22 @@ interface(`passenger_manage_tmp_files',` +@@ -16,6 +16,7 @@ interface(`passenger_domtrans',` + ') + + domtrans_pattern($1, passenger_exec_t, passenger_t) ++ allow passenger_t $1:unix_stream_socket { accept getattr read write }; + ') + + ###################################### +@@ -159,3 +160,22 @@ interface(`passenger_manage_tmp_files',` manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t) manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) ') 
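Review bot: The raw `allow passenger_t $1:unix_stream_socket { accept getattr read write };` added inside `passenger_domtrans` in passenger.if gives passenger_t access to the caller's unix stream sockets for every domain that uses this interface, while the interface's header documentation, which is above the hunk, still describes only a domain transition. Callers reading the summary will not expect the child domain to be able to read and write their sockets. The summary should state it, for example by adding `## Also allow passenger_t to accept, read and write the caller's unix stream sockets.` beneath the existing description, or a one-line comment above the rule naming the caller that needs it. The enclosing interface definition starts outside the hunk.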
@@ -1574,11 +1685,74 @@ index a375475..0903e67 100644 ') ######################################## +diff --git a/quantum.fc b/quantum.fc +index 32dec67..b985b65 100644 +--- a/quantum.fc ++++ b/quantum.fc +@@ -4,6 +4,9 @@ + /usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) + /usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) + /usr/bin/neutron-lbaas-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-metadata-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-netns-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0) ++/usr/bin/neutron-ns-metadata-proxy -- gen_context(system_u:object_r:neutron_exec_t,s0) + /usr/bin/neutron-rootwrap -- gen_context(system_u:object_r:neutron_exec_t,s0) + /usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) + /usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0) +@@ -26,3 +29,6 @@ + + /var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) + /var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0) ++ ++/var/run/neutron(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) ++/var/run/quantum(/.*)? gen_context(system_u:object_r:neutron_var_run_t,s0) +diff --git a/quantum.if b/quantum.if +index 3105104..97bbea4 100644 +--- a/quantum.if ++++ b/quantum.if +@@ -171,6 +171,7 @@ interface(`neutron_manage_lib_files',` + + files_search_var_lib($1) + manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) ++ manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t) + ') + + ######################################## diff --git a/quantum.te b/quantum.te -index 52bad99..156e9af 100644 +index 52bad99..e8c81df 100644 --- a/quantum.te 
+++ b/quantum.te -@@ -29,13 +29,17 @@ systemd_unit_file(neutron_unit_file_t) +@@ -1,10 +1,18 @@ +-policy_module(quantum, 1.0.3) ++policy_module(quantum, 1.1.0) + + ######################################## + # + # Declarations + # + ++## ++##

++## Determine whether neutron can ++## connect to all TCP ports ++##

++##
++gen_tunable(neutron_can_network, false) ++ + type neutron_t alias quantum_t; + type neutron_exec_t alias quantum_exec_t; + init_daemon_domain(neutron_t, neutron_exec_t) +@@ -21,6 +29,9 @@ files_tmp_file(neutron_tmp_t) + type neutron_var_lib_t alias quantum_var_lib_t; + files_type(neutron_var_lib_t) + ++type neutron_var_run_t alias quantum_var_run_t; ++files_pid_file(neutron_var_run_t) ++ + type neutron_unit_file_t alias quantum_unit_file_t; + systemd_unit_file(neutron_unit_file_t) + +@@ -29,13 +40,17 @@ systemd_unit_file(neutron_unit_file_t) # Local policy # 
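Review bot: `neutron_manage_lib_files` in quantum.if now also grants `manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)`, so every existing caller of that interface silently gains socket-file management under /var/lib/neutron while the interface name and its summary, which sit outside the hunk, still say "files". Either document the widened scope in the interface summary, for example `## Manage neutron lib files and socket files.`, or move the socket rule into a separate interface so callers that only need regular-file access are not widened. The enclosing interface definition starts outside the hunk.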
@@ -1591,20 +1765,25 @@ index 52bad99..156e9af 100644 allow neutron_t self:fifo_file rw_fifo_file_perms; allow neutron_t self:key manage_key_perms; allow neutron_t self:tcp_socket { accept listen }; - allow neutron_t self:unix_stream_socket { accept listen }; +-allow neutron_t self:unix_stream_socket { accept listen }; ++allow neutron_t self:unix_stream_socket { accept listen connectto }; allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; +allow neutron_t self:rawip_socket create_socket_perms; +allow neutron_t self:packet_socket create_socket_perms; manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) -@@ -44,18 +48,21 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +@@ -44,15 +59,22 @@ setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) logging_log_filetrans(neutron_t, neutron_log_t, dir) manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) -files_tmp_filetrans(neutron_t, neutron_tmp_t, file) +manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) +files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir }) ++ ++manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t) ++manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t) ++files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir }) manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) 
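Review bot: The new `allow neutron_t self:rawip_socket create_socket_perms;` and `allow neutron_t self:packet_socket create_socket_perms;` rules give the whole neutron_t domain raw IP and link-layer socket access, among the broadest network permissions a service domain can hold, yet neither line says which of the agents labelled neutron_exec_t in quantum.fc (dhcp, l3, metadata, linuxbridge, openvswitch, ...) requires it. A why-comment such as `# raw/packet sockets: required by <agent> for <operation>`, with the placeholders filled from the denial that motivated the rule, would let a later reviewer re-check the need if these agents are ever split into separate domains. The `connectto` added to the unix_stream_socket rule is self-targeted and looks fine.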
@@ -1614,15 +1793,16 @@ index 52bad99..156e9af 100644 can_exec(neutron_t, neutron_tmp_t) -kernel_read_kernel_sysctls(neutron_t) ++kernel_rw_kernel_sysctl(neutron_t) ++kernel_rw_net_sysctls(neutron_t) kernel_read_system_state(neutron_t) kernel_read_network_state(neutron_t) kernel_request_load_module(neutron_t) -+kernel_rw_kernel_sysctl(neutron_t) -+kernel_rw_net_sysctls(neutron_t) +@@ -68,10 +90,13 @@ corenet_tcp_sendrecv_all_ports(neutron_t) + corenet_tcp_bind_generic_node(neutron_t) - corecmd_exec_shell(neutron_t) - corecmd_exec_bin(neutron_t) -@@ -71,7 +78,9 @@ corenet_tcp_bind_neutron_port(neutron_t) + corenet_tcp_bind_neutron_port(neutron_t) ++corenet_tcp_connect_neutron_port(neutron_t) corenet_tcp_connect_keystone_port(neutron_t) corenet_tcp_connect_amqp_port(neutron_t) corenet_tcp_connect_mysqld_port(neutron_t) @@ -1632,16 +1812,7 @@ index 52bad99..156e9af 100644 domain_named_filetrans(neutron_t) dev_read_sysfs(neutron_t) -@@ -82,6 +91,8 @@ dev_unmount_sysfs_fs(neutron_t) - - files_mounton_non_security(neutron_t) - -+fs_getattr_all_fs(neutron_t) -+ - auth_use_nsswitch(neutron_t) - - libs_exec_ldconfig(neutron_t) -@@ -89,6 +100,9 @@ libs_exec_ldconfig(neutron_t) +@@ -89,10 +114,19 @@ libs_exec_ldconfig(neutron_t) logging_send_audit_msgs(neutron_t) logging_send_syslog_msg(neutron_t) 
@@ -1651,7 +1822,31 @@ index 52bad99..156e9af 100644 sysnet_exec_ifconfig(neutron_t) sysnet_manage_ifconfig_run(neutron_t) sysnet_filetrans_named_content_ifconfig(neutron_t) -@@ -109,16 +123,19 @@ optional_policy(` + ++tunable_policy(`neutron_can_network',` ++ corenet_sendrecv_all_client_packets(neutron_t) ++ corenet_tcp_connect_all_ports(neutron_t) ++ corenet_tcp_sendrecv_all_ports(neutron_t) ++') ++ + optional_policy(` + brctl_domtrans(neutron_t) + ') +@@ -100,25 +134,32 @@ optional_policy(` + optional_policy(` + dnsmasq_domtrans(neutron_t) + dnsmasq_signal(neutron_t) +- dnsmasq_kill(neutron_t) + dnsmasq_read_state(neutron_t) + ') + + optional_policy(` ++ rhcs_domtrans_haproxy(neutron_t) ++ rhcs_stream_connect_haproxy(neutron_t) ++') ++ ++optional_policy(` + iptables_domtrans(neutron_t) ') optional_policy(` @@ -1673,7 +1868,7 @@ index 52bad99..156e9af 100644 postgresql_tcp_connect(neutron_t) ') -@@ -129,4 +146,8 @@ optional_policy(` +@@ -129,4 +170,8 @@ optional_policy(` optional_policy(` sudo_exec(neutron_t) 
@@ -1703,6 +1898,77 @@ index 7d5630f..9fb98a1 100644 manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) +diff --git a/raid.te b/raid.te +index aa0ff54..9e28c38 100644 +--- a/raid.te ++++ b/raid.te +@@ -69,6 +69,9 @@ kernel_read_kernel_sysctls(mdadm_t) + kernel_request_load_module(mdadm_t) + kernel_rw_software_raid_state(mdadm_t) + kernel_setsched(mdadm_t) ++kernel_dontaudit_setsched(mdadm_t) ++kernel_signal(mdadm_t) ++kernel_stream_connect(mdadm_t) + + corecmd_exec_bin(mdadm_t) + corecmd_exec_shell(mdadm_t) +diff --git a/rhcs.if b/rhcs.if +index 1337d42..e6bcb25 100644 +--- a/rhcs.if ++++ b/rhcs.if +@@ -97,6 +97,26 @@ interface(`rhcs_stream_connect_dlm_controld',` + + ##################################### + ## ++## Connect to haproxy over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_stream_connect_haproxy',` ++ gen_require(` ++ type haproxy_t, haproxy_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t) ++') ++ ++##################################### ++## + ## Allow read and write access to dlm_controld semaphores. + ## + ## +@@ -212,6 +232,25 @@ interface(`rhcs_stream_connect_fenced',` + stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t) + ') + ++###################################### ++## ++## Execute a domain transition to run fenced. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhcs_domtrans_haproxy',` ++ gen_require(` ++ type haproxy_t, haproxy_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, haproxy_exec_t, haproxy_t) ++') ++ + ##################################### + ## + ## Execute a domain transition to run gfs_controld. diff --git a/rhcs.te b/rhcs.te index 4fd3b77..503838b 100644 --- a/rhcs.te @@ -2000,10 +2266,15 @@ index e472397..6aeecac 100644 auth_use_nsswitch(stapserver_t) 
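Review bot: `kernel_dontaudit_setsched(mdadm_t)` in raid.te is added directly after the existing `kernel_setsched(mdadm_t)`, and a dontaudit on a permission the domain is already allowed has no effect, so one of the two lines is redundant; keep `kernel_setsched(mdadm_t)` if mdadm genuinely needs to reschedule kernel threads, or replace it with the dontaudit if the goal is only to silence the AVC. In rhcs.if the new `rhcs_domtrans_haproxy` interface is documented as `## Execute a domain transition to run fenced.`, a copy-paste from the fenced interface above it; it should read `## Execute a domain transition to run haproxy.`.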
diff --git a/swift.fc b/swift.fc -index 744f0ce..b07d112 100644 +index 744f0ce..7e59e7e 100644 --- a/swift.fc +++ b/swift.fc -@@ -15,8 +15,11 @@ +@@ -11,12 +11,16 @@ + + /usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) + /usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0) ++/usr/bin/swift-object-expirer -- gen_context(system_u:object_r:swift_exec_t,s0) + /usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) /usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0) /usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0) @@ -2064,10 +2335,23 @@ index df82c36..6a1f575 100644 ## ## Execute swift server in the swift domain. diff --git a/swift.te b/swift.te -index 7bef550..7fce837 100644 +index 7bef550..43a0495 100644 --- a/swift.te +++ b/swift.te -@@ -9,8 +9,14 @@ type swift_t; +@@ -5,12 +5,27 @@ policy_module(swift, 1.0.0) + # Declarations + # + ++## ++##

++## Determine whether swift can ++## connect to all TCP ports ++##

++##
++gen_tunable(swift_can_network, false) ++ ++ + type swift_t; type swift_exec_t; init_daemon_domain(swift_t, swift_exec_t) @@ -2083,7 +2367,7 @@ index 7bef550..7fce837 100644 type swift_var_cache_t; files_type(swift_var_cache_t) -@@ -36,10 +42,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms; +@@ -36,10 +51,18 @@ allow swift_t self:tcp_socket create_stream_socket_perms; allow swift_t self:unix_stream_socket create_stream_socket_perms; allow swift_t self:unix_dgram_socket create_socket_perms; @@ -2102,20 +2386,27 @@ index 7bef550..7fce837 100644 manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) -@@ -59,7 +73,12 @@ kernel_dgram_send(swift_t) +@@ -59,7 +82,19 @@ kernel_dgram_send(swift_t) kernel_read_system_state(swift_t) kernel_read_network_state(swift_t) +# bug in swift +corenet_tcp_bind_xserver_port(swift_t) ++ ++corenet_tcp_bind_swift_port(swift_t) +corenet_tcp_bind_http_cache_port(swift_t) + ++corenet_tcp_connect_xserver_port(swift_t) ++corenet_tcp_connect_swift_port(swift_t) ++corenet_tcp_connect_keystone_port(swift_t) ++corenet_tcp_connect_memcache_port(swift_t) ++ corecmd_exec_shell(swift_t) +corecmd_exec_bin(swift_t) dev_read_urand(swift_t) -@@ -67,6 +86,8 @@ domain_use_interactive_fds(swift_t) +@@ -67,6 +102,8 @@ domain_use_interactive_fds(swift_t) files_dontaudit_search_home(swift_t) 
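Review bot: The new `corenet_tcp_connect_xserver_port(swift_t)` in swift.te extends the workaround that the existing `# bug in swift` comment attaches to `corenet_tcp_bind_xserver_port(swift_t)`, but it is placed after a blank line and the new `corenet_tcp_bind_swift_port(swift_t)`, so the comment no longer visibly covers it. Since this series also introduces a dedicated swift port type (`network_port(swift, tcp,6200-6203,s0)` in corenetwork.te.in), the comment should explain why X server ports are still needed, presumably because swift's configured ports fall in the xserver_port_t range, and name the condition for removing both rules, e.g. `# bug in swift: <reason to confirm>; drop the xserver rules once swift_port_t alone suffices`, with the connect rule placed directly under it.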
@@ -2124,8 +2415,20 @@ index 7bef550..7fce837 100644 auth_use_nsswitch(swift_t) libs_exec_ldconfig(swift_t) -@@ -77,4 +98,5 @@ userdom_dontaudit_search_user_home_dirs(swift_t) +@@ -75,6 +112,17 @@ logging_send_syslog_msg(swift_t) + userdom_dontaudit_search_user_home_dirs(swift_t) + ++tunable_policy(`swift_can_network',` ++ corenet_sendrecv_all_client_packets(swift_t) ++ corenet_tcp_connect_all_ports(swift_t) ++ corenet_tcp_sendrecv_all_ports(swift_t) ++') ++ ++optional_policy(` ++ apache_search_config(swift_t) ++') ++ optional_policy(` rpm_exec(swift_t) + rpm_dontaudit_manage_db(swift_t) diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index f478c9f..c8452a0 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 153%{?dist}.10 +Release: 153%{?dist}.11 License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -583,6 +583,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Aug 22 2014 Miroslav Grepl 3.12.1-153.el7_0.11 +- Back port OpenStack fixes +- Allow mdadm to connect to own socket created by mdadm running as kernel_t +Resolves:#1132828 + * Tue Jun 3 2014 Miroslav Grepl 3.12.1-153.el7_0.10 - Allow swift to execute bin_t - Allow swift to bind http_cache