diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 5b464e7..8e69aa4 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2527,3 +2527,11 @@ rhnsd = module # gear policy # gear = module + +# Layer: contrib +# Module: mongodb +# +# mongodb policy +# + +mongodb = module diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index a3ec877..bb1bef1 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -8893,7 +8893,7 @@ index 2b9a3a1..f755e6b 100644 +/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +') diff --git a/bind.if b/bind.if -index 531a8f2..0df9341 100644 +index 531a8f2..67b6c3d 100644 --- a/bind.if +++ b/bind.if @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` 
@@ -8988,28 +8988,54 @@ index 531a8f2..0df9341 100644 ## Create, read, write, and delete ## bind zone files. ## -@@ -364,11 +428,17 @@ interface(`bind_admin',` +@@ -344,6 +408,25 @@ interface(`bind_udp_chat_named',` + + ######################################## + ## ++## Allow the domain to read bind state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bind_read_state',` ++ gen_require(` ++ type named_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, named_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an bind environment. + ## +@@ -364,11 +447,17 @@ interface(`bind_admin',` type named_t, named_tmp_t, named_log_t; type named_cache_t, named_zone_t, named_initrc_exec_t; type dnssec_t, ndc_t, named_conf_t, named_var_run_t; - type named_keytab_t; + type named_keytab_t, named_unit_file_t; - ') - -- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; -- ps_process_pattern($1, { named_t ndc_t }) ++ ') ++ + allow $1 named_t:process signal_perms; + ps_process_pattern($1, named_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 named_t:process ptrace; -+ ') -+ + ') + +- allow $1 { named_t ndc_t }:process { ptrace signal_perms }; +- ps_process_pattern($1, { named_t ndc_t }) + bind_run_ndc($1, $2) init_labeled_script_domtrans($1, named_initrc_exec_t) domain_system_change_exemption($1) -@@ -384,11 +454,15 @@ interface(`bind_admin',` +@@ -384,11 +473,15 @@ interface(`bind_admin',` files_list_etc($1) admin_pattern($1, { named_keytab_t named_conf_t }) @@ -12704,10 +12730,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..0e17a32 +index 0000000..99cab6e --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,298 @@ +@@ -0,0 +1,229 @@ +policy_module(cloudform, 1.0) +######################################## +# 
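Review bot: The rewritten `bind_admin` body grants `signal_perms`, `ps_process_pattern` and the tunable `ptrace` on `named_t` only, while the removed lines covered `{ named_t ndc_t }`, so an admin domain silently loses the ability to signal or inspect an ndc process; this narrowing is not mentioned in the changelog, which only describes the new `bind_read_state` interface. If it is intentional because `bind_run_ndc($1, $2)` already runs ndc in the admin's own role, a one-line comment would stop the next reviewer from re-adding it, e.g. `# ndc_t is entered via bind_run_ndc; no separate process access is needed`; if not, the new rules should name `{ named_t ndc_t }` as before. The `bind_admin` interface continues past the end of this hunk.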
@@ -12718,7 +12744,6 @@ index 0000000..0e17a32 + +cloudform_domain_template(deltacloudd) +cloudform_domain_template(iwhd) -+cloudform_domain_template(mongod) +cloudform_domain_template(cloud_init) + +type cloud_init_tmp_t; @@ -12751,21 +12776,6 @@ index 0000000..0e17a32 +type iwhd_var_run_t; +files_pid_file(iwhd_var_run_t) + -+type mongod_initrc_exec_t; -+init_script_file(mongod_initrc_exec_t) -+ -+type mongod_log_t; -+logging_log_file(mongod_log_t) -+ -+type mongod_var_lib_t; -+files_type(mongod_var_lib_t) -+ -+type mongod_tmp_t; -+files_tmp_file(mongod_tmp_t) -+ -+type mongod_var_run_t; -+files_pid_file(mongod_var_run_t) -+ +type iwhd_log_t; +logging_log_file(iwhd_log_t) + 
@@ -12953,59 +12963,6 @@ index 0000000..0e17a32 + +userdom_home_manager(iwhd_t) + -+######################################## -+# -+# mongod local policy -+# -+ -+allow mongod_t self:process { execmem setsched signal }; -+ -+allow mongod_t self:netlink_route_socket r_netlink_socket_perms; -+allow mongod_t self:unix_stream_socket create_stream_socket_perms; -+allow mongod_t self:udp_socket create_socket_perms; -+ -+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) -+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) -+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log") -+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log") -+ -+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -+ -+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) -+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) -+ -+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -+#needed by dbomatic -+files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) -+ -+corecmd_exec_bin(mongod_t) -+corecmd_exec_shell(mongod_t) -+ -+corenet_tcp_bind_generic_node(mongod_t) -+corenet_tcp_bind_mongod_port(mongod_t) -+corenet_tcp_connect_mongod_port(mongod_t) -+corenet_tcp_connect_postgresql_port(mongod_t) -+ -+kernel_read_vm_sysctls(mongod_t) -+kernel_read_system_state(mongod_t) -+ -+fs_getattr_all_fs(mongod_t) -+ -+optional_policy(` -+ mysql_stream_connect(mongod_t) -+') -+ -+optional_policy(` -+ postgresql_stream_connect(mongod_t) -+') -+ -+optional_policy(` -+ sysnet_dns_name_resolve(mongod_t) -+') diff --git a/cmirrord.if b/cmirrord.if index cc4e7cb..f348d27 100644 --- a/cmirrord.if 
@@ -13257,6 +13214,312 @@ index 5f306dd..e01156f 100644 + tftp_manage_config(cobblerd_t) tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) ') +diff --git a/cockpit.fc b/cockpit.fc +new file mode 100644 +index 0000000..ee6e817 +--- /dev/null ++++ b/cockpit.fc +@@ -0,0 +1,9 @@ ++/usr/lib/systemd/system/cockpit.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++ ++/usr/lib/systemd/system/cockpit.socket -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++ ++/usr/lib/systemd/system/cockpitd.service -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) ++ ++/usr/libexec/cockpitd -- gen_context(system_u:object_r:cockpit_exec_t,s0) ++ ++/var/lib/cockpit(/.*)? gen_context(system_u:object_r:cockpit_var_lib_t,s0) +diff --git a/cockpit.if b/cockpit.if +new file mode 100644 +index 0000000..25e3237 +--- /dev/null ++++ b/cockpit.if +@@ -0,0 +1,186 @@ ++ ++## policy for cockpit ++ ++######################################## ++## ++## Execute TEMPLATE in the cockpit domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cockpit_domtrans',` ++ gen_require(` ++ type cockpit_t, cockpit_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, cockpit_exec_t, cockpit_t) ++') ++ ++######################################## ++## ++## Search cockpit lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_search_lib',` ++ gen_require(` ++ type cockpit_var_lib_t; ++ ') ++ ++ allow $1 cockpit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read cockpit lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_read_lib_files',` ++ gen_require(` ++ type cockpit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) ++') ++ ++######################################## ++## ++## Manage cockpit lib files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_manage_lib_files',` ++ gen_require(` ++ type cockpit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) ++') ++ ++######################################## ++## ++## Manage cockpit lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_manage_lib_dirs',` ++ gen_require(` ++ type cockpit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t) ++') ++ ++######################################## ++## ++## Execute cockpit server in the cockpit domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`cockpit_systemctl',` ++ gen_require(` ++ type cockpit_t; ++ type cockpit_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 cockpit_unit_file_t:file read_file_perms; ++ allow $1 cockpit_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, cockpit_t) ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## cockpit over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cockpit_dbus_chat',` ++ gen_require(` ++ type cockpit_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 cockpit_t:dbus send_msg; ++ allow cockpit_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an cockpit environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`cockpit_admin',` ++ gen_require(` ++ type cockpit_t; ++ type cockpit_var_lib_t; ++ type cockpit_unit_file_t; ++ ') ++ ++ allow $1 cockpit_t:process { signal_perms }; ++ ps_process_pattern($1, cockpit_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 cockpit_t:process ptrace; ++ ') ++ ++ files_search_var_lib($1) ++ admin_pattern($1, cockpit_var_lib_t) ++ ++ cockpit_systemctl($1) ++ admin_pattern($1, cockpit_unit_file_t) ++ allow $1 cockpit_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/cockpit.te b/cockpit.te +new file mode 100644 +index 0000000..ede96a7 +--- /dev/null ++++ b/cockpit.te +@@ -0,0 +1,93 @@ ++policy_module(cockpit, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type cockpit_t; ++type cockpit_exec_t; ++init_daemon_domain(cockpit_t, cockpit_exec_t) ++ ++type cockpit_var_lib_t; ++files_type(cockpit_var_lib_t) ++ ++type cockpit_unit_file_t; ++systemd_unit_file(cockpit_unit_file_t) ++ ++######################################## ++# ++# cockpit local policy ++# ++allow cockpit_t self:capability net_admin; ++allow cockpit_t self:fifo_file rw_fifo_file_perms; ++allow cockpit_t self:unix_stream_socket create_stream_socket_perms; ++allow cockpit_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow cockpit_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) ++manage_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) ++manage_lnk_files_pattern(cockpit_t, cockpit_var_lib_t, cockpit_var_lib_t) ++files_var_lib_filetrans(cockpit_t, cockpit_var_lib_t, { dir file lnk_file }) ++ ++kernel_read_system_state(cockpit_t) ++kernel_read_network_state(cockpit_t) ++ ++corecmd_exec_bin(cockpit_t) ++corecmd_exec_shell(cockpit_t) ++ ++dev_read_sysfs(cockpit_t) ++ ++domain_use_interactive_fds(cockpit_t) 
++domain_read_all_domains_state(cockpit_t) ++ ++files_read_etc_files(cockpit_t) ++files_list_tmp(cockpit_t) ++ ++fs_read_tmpfs_symlinks(cockpit_t) ++fs_list_cgroup_dirs(cockpit_t) ++fs_read_cgroup_files(cockpit_t) ++fs_getattr_all_fs(cockpit_t) ++ ++auth_use_nsswitch(cockpit_t) ++ ++init_dbus_chat(cockpit_t) ++init_status(cockpit_t) ++init_read_state(cockpit_t) ++init_list_pid_dirs(cockpit_t) ++ ++logging_send_syslog_msg(cockpit_t) ++ ++miscfiles_read_localization(cockpit_t) ++ ++systemd_status_all_unit_files(cockpit_t) ++systemd_read_logind_sessions_files(cockpit_t) ++ ++udev_read_pid_files(cockpit_t) ++ ++optional_policy(` ++ dbus_system_bus_client(cockpit_t) ++ dbus_connect_system_bus(cockpit_t) ++ ++ optional_policy(` ++ accountsd_dbus_chat(cockpit_t) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat_disk(cockpit_t) ++ devicekit_dbus_chat_power(cockpit_t) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(cockpit_t) ++ networkmanager_stream_connect(cockpit_t) ++ ') ++ ++ optional_policy(` ++ realmd_dbus_chat(cockpit_t) ++ ') ++') ++ ++optional_policy(` ++ docker_stream_connect(cockpit_t) ++') diff --git a/collectd.fc b/collectd.fc index 79a3abe..8d70290 100644 --- a/collectd.fc @@ -23835,10 +24098,10 @@ index 0000000..1048292 +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..d5a606c +index 0000000..acaabd3 --- /dev/null +++ b/docker.te -@@ -0,0 +1,266 @@ +@@ -0,0 +1,267 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -24068,6 +24331,7 @@ index 0000000..d5a606c + +userdom_stream_connect(docker_t) +userdom_search_user_home_content(docker_t) ++userdom_read_all_users_state(docker_t) + +optional_policy(` + dbus_system_bus_client(docker_t) @@ -28272,10 +28536,10 @@ index 0000000..9e17d3e +') diff --git a/geoclue.te b/geoclue.te new file mode 100644 -index 0000000..95c3a2b +index 0000000..7106428 --- /dev/null 
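Review bot: `allow cockpit_t self:capability net_admin;` in the cockpit.te local policy is granted with no comment on what cockpitd needs it for, and net_admin is the capability that allows reconfiguring interfaces, routes and packet filtering, so together with `domain_read_all_domains_state(cockpit_t)`, `corecmd_exec_shell(cockpit_t)` and the `docker_stream_connect(cockpit_t)` grant (access to the docker socket is generally considered root-equivalent) this is a wide surface for a first-version policy. If the capability is only there for the uevent/network-state reads, justify it inline with `# net_admin: required for <operation> -- TODO confirm against the original denial` or leave it out until a denial appears. Separately, the cockpit.if summaries still carry template text: `cockpit_domtrans` reads "Execute TEMPLATE in the cockpit domin" and `cockpit_systemctl` reads "Execute cockpit server in the cockpit domain" although what it grants is systemctl execution plus `manage_service_perms` on `cockpit_unit_file_t`; suggested wording is "Execute cockpitd in the cockpit domain." and "Allow the domain to manage the cockpit systemd units via systemctl."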
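Review bot: `userdom_read_all_users_state(docker_t)` appears broader than the changelog entry "Allow docker to read unconfined_t process state": judging by the interface name it exposes the /proc state of every user domain to docker_t, not only unconfined_t, and I cannot see the interface body from here to confirm. If the motivating denial came only from unconfined_t, a narrower interface scoped to that domain would be the better fit; otherwise a comment such as `# docker reads the state of the invoking process, which may be any user domain` records why the wider grant is needed so it is not tightened by mistake later.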
+++ b/geoclue.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,51 @@ +policy_module(geoclue, 1.0.0) + +######################################## @@ -28322,6 +28586,10 @@ index 0000000..95c3a2b + +optional_policy(` + dbus_system_domain(geoclue_t, geoclue_exec_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(geoclue_t) ++ ') +') diff --git a/gift.te b/gift.te index 8a820fa..996b30c 100644 @@ -43927,20 +44195,59 @@ index b94102e..25d1d33 100644 + ') +') diff --git a/mongodb.te b/mongodb.te -index 169f236..a9a3284 100644 +index 169f236..2184be0 100644 --- a/mongodb.te 
+++ b/mongodb.te -@@ -41,7 +41,8 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) +@@ -21,19 +21,27 @@ files_type(mongod_var_lib_t) + type mongod_var_run_t; + files_pid_file(mongod_var_run_t) + ++type mongod_tmp_t; ++files_tmp_file(mongod_tmp_t) ++ + ######################################## + # + # Local policy + # + +-allow mongod_t self:process signal; ++ ++allow mongod_t self:process { setsched signal }; + allow mongod_t self:fifo_file rw_fifo_file_perms; + ++allow mongod_t self:netlink_route_socket r_netlink_socket_perms; ++allow mongod_t self:unix_stream_socket create_stream_socket_perms; ++allow mongod_t self:udp_socket create_socket_perms; ++ + manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) + append_files_pattern(mongod_t, mongod_log_t, mongod_log_t) + create_files_pattern(mongod_t, mongod_log_t, mongod_log_t) + setattr_files_pattern(mongod_t, mongod_log_t, mongod_log_t) +-logging_log_filetrans(mongod_t, mongod_log_t, dir) ++logging_log_filetrans(mongod_t, mongod_log_t, { dir file }) + + manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) + manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) +@@ -41,21 +49,41 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) -files_pid_filetrans(mongod_t, mongod_var_run_t, dir) +manage_sock_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) +files_pid_filetrans(mongod_t, mongod_var_run_t, { dir file sock_file }) ++ ++manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t) ++files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file }) kernel_read_system_state(mongod_t) ++kernel_read_vm_sysctls(mongod_t) ++ ++corecmd_exec_bin(mongod_t) ++corecmd_exec_shell(mongod_t) -@@ -49,13 +50,11 @@ 
corenet_all_recvfrom_unlabeled(mongod_t) + corenet_all_recvfrom_unlabeled(mongod_t) corenet_all_recvfrom_netlabel(mongod_t) corenet_tcp_sendrecv_generic_if(mongod_t) corenet_tcp_sendrecv_generic_node(mongod_t) @@ -43955,6 +44262,18 @@ index 169f236..a9a3284 100644 fs_getattr_all_fs(mongod_t) -miscfiles_read_localization(mongod_t) ++optional_policy(` ++ mysql_stream_connect(mongod_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(mongod_t) ++') ++ ++optional_policy(` ++ sysnet_dns_name_resolve(mongod_t) ++') ++ diff --git a/mono.te b/mono.te index a6a8643..c0f6cf5 100644 --- a/mono.te @@ -49397,7 +49716,7 @@ index 687af38..a77dc09 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..ae0d53a 100644 +index 7584bbe..494cd37 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) @@ -49474,7 +49793,7 @@ index 7584bbe..ae0d53a 100644 manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t) -@@ -95,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) +@@ -95,50 +92,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t) files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file }) @@ -49501,11 +49820,13 @@ index 7584bbe..ae0d53a 100644 -corenet_sendrecv_mysqld_server_packets(mysqld_t) corenet_tcp_bind_mysqld_port(mysqld_t) -corenet_sendrecv_mysqld_client_packets(mysqld_t) ++corenet_tcp_bind_tram_port(mysqld_t) corenet_tcp_connect_mysqld_port(mysqld_t) -corenet_tcp_sendrecv_mysqld_port(mysqld_t) - -corecmd_exec_bin(mysqld_t) -corecmd_exec_shell(mysqld_t) ++corenet_tcp_connect_tram_port(mysqld_t) +corenet_sendrecv_mysqld_client_packets(mysqld_t) +corenet_sendrecv_mysqld_server_packets(mysqld_t) 
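Review bot: The rules moved into the generic mongodb.te from the deleted cloudform mongod block carry CloudForms-specific grants that every mongod instance on every system will now receive: `corecmd_exec_bin(mongod_t)`, `corecmd_exec_shell(mongod_t)`, `mysql_stream_connect(mongod_t)` and `postgresql_stream_connect(mongod_t)` came from a block that was clearly written for dbomatic (its log filetrans named "dbomatic.log" and one rule was marked `#needed by dbomatic`), and a standalone database daemon has no reason to spawn shells or connect to other databases' sockets. I would keep these out of the base mongod policy or gate them behind a boolean so sites without CloudForms do not get the wider surface, and record the origin with `# dbomatic (CloudForms) runs under mongod_t and execs helpers; plain mongod does not need this`. Dropping the old `execmem` permission in the move is a good call. The corenet lines in the collapsed `@@ -49,13 +50,11 @@` portion are not readable here, so I cannot tell what else changed in that part of the hunk.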
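Review bot: `corenet_tcp_bind_tram_port(mysqld_t)` and `corenet_tcp_connect_tram_port(mysqld_t)` are added with no comment, and a reader of mysql.te will not guess that "tram" stands in for Galera; only the changelog explains that the port Galera uses for cluster communication is the one this policy labels tram_port_t, which is why the interface is reused. Suggest `# Galera/MariaDB cluster replication; its group-communication port carries the tram_port_t label` above the pair. Galera also uses separate ports for state transfer (SST/IST) that may need rules of their own once a denial shows up; confirm against a running cluster before adding them.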
@@ -49546,7 +49867,7 @@ index 7584bbe..ae0d53a 100644 ') optional_policy(` -@@ -146,6 +147,10 @@ optional_policy(` +@@ -146,6 +149,10 @@ optional_policy(` ') optional_policy(` @@ -49557,7 +49878,7 @@ index 7584bbe..ae0d53a 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +160,18 @@ optional_policy(` +@@ -155,21 +162,18 @@ optional_policy(` ####################################### # @@ -49584,7 +49905,7 @@ index 7584bbe..ae0d53a 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +179,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +181,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -49595,7 +49916,7 @@ index 7584bbe..ae0d53a 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +189,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -49631,7 +49952,7 @@ index 7584bbe..ae0d53a 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +217,7 @@ optional_policy(` +@@ -209,7 +219,7 @@ optional_policy(` ######################################## # @@ -49640,7 +49961,7 @@ index 7584bbe..ae0d53a 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +228,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; 
@@ -49658,7 +49979,7 @@ index 7584bbe..ae0d53a 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +241,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -89876,16 +90197,18 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..ab5d7e7 +index 0000000..e43fdd8 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) + +/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) +/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) + +/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) ++ ++/mnt/(.*/)?.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) diff --git a/snapper.if b/snapper.if new file mode 100644 index 0000000..94105ee diff --git a/selinux-policy.spec b/selinux-policy.spec index dfaa269..dafc7a5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 46%{?dist} +Release: 47%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
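Review bot: In the new snapper.fc entry `/mnt/(.*/)?.snapshots(/.*)?` the dot before `snapshots` is an unescaped regex metacharacter, so the pattern also matches `/mnt/foo/Xsnapshots` for any character X and would relabel unrelated directories under mounted filesystems as snapperd_data_t; the existing log entry in the same file escapes it (`/var/log/snapper\.log.*`), so this should read `/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)`. The snapperd_data_t type must be declared in snapper.te, which is outside this hunk; confirm it exists there, otherwise the file context entry will fail to load.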
@@ -588,6 +588,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Apr 23 2014 Miroslav Grepl 3.13.1-47 +- mongod should not be a part of cloudforms.pp +- Fix labeling in snapper.fc +- Allow docker to read unconfined_t process state +- geoclue dbus chats with NetworkManager +- Add cockpit policy +- Add interface to allow tools to check the processes state of bind/named +- Allow myslqd to use the tram port for Galera/MariaDB + * Fri Apr 18 2014 Miroslav Grepl 3.13.1-46 - Allow init_t to setattr/relabelfrom dhcp state files - Allow dmesg to read hwdata and memory dev