Little misc patches from Russell Coker.

2017-02-18 09:39:01 -05:00 · 2017-02-18 09:39:01 -05:00 · cb35cd587f
commit cb35cd587f
parent d9980666a4
11 changed files with 66 additions and 26 deletions
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@ -1 +1 @@
-Subproject commit 9dd465a5d5ae5c37f2efbde3ed9aa13d6a7f4913
+Subproject commit d59909fbf34e11ca808842173acf03cfe44f34aa
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@ -1,4 +1,4 @@
-policy_module(files, 1.23.2)
+policy_module(files, 1.23.3)
 ########################################
 #
@ -11,6 +11,7 @@ attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
 attribute configfile;
 attribute spoolfile;
 # For labeling types that are to be polyinstantiated
 attribute polydir;
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@ -932,6 +932,26 @@ interface(`xserver_create_xdm_tmp_sockets',`
 	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
 ########################################
 ## <summary>
 ##	Delete a named socket in a XDM
 ##	temporary directory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`xserver_delete_xdm_tmp_sockets',`
 	gen_require(`
 		type xdm_tmp_t;
 	')
 	files_search_tmp($1)
 	delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
 ')
 ########################################
 ## <summary>
 ##	Read XDM pid files.
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.1)
+policy_module(xserver, 3.13.2)
 gen_require(`
 	class x_drawable all_x_drawable_perms;
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
 # /usr
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/bin/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/systemd --	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
@ -34,7 +35,6 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -1,4 +1,4 @@
-policy_module(init, 2.2.2)
+policy_module(init, 2.2.3)
 gen_require(`
 	class passwd rootok;
@ -307,7 +307,9 @@ ifdef(`init_systemd',`
 	',`
 		# Run the shell in the sysadm role for single-user mode.
 		# causes problems with upstart
-		sysadm_shell_domtrans(init_t)
+		ifndef(`distro_debian',`
 			sysadm_shell_domtrans(init_t)
 		')
 	')
 ')
@ -561,9 +563,6 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_generic_certs(initrc_t)
 modutils_read_module_config(initrc_t)
 modutils_domtrans_insmod(initrc_t)
 seutil_read_config(initrc_t)
 userdom_read_user_home_content_files(initrc_t)
@ -952,6 +951,11 @@ optional_policy(`
 	mailman_read_data_symlinks(initrc_t)
 ')
 optional_policy(`
 	modutils_read_module_config(initrc_t)
 	modutils_domtrans_insmod(initrc_t)
 ')
 optional_policy(`
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -1,4 +1,4 @@
-policy_module(logging, 1.25.1)
+policy_module(logging, 1.25.2)
 ########################################
 #
@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)
 init_dontaudit_use_fds(auditctl_t)
 locallogin_dontaudit_use_fds(auditctl_t)
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
@ -133,6 +131,10 @@ ifdef(`init_systemd',`
 	init_rw_stream_sockets(auditctl_t)
 ')
 optional_policy(`
 	locallogin_dontaudit_use_fds(auditctl_t)
 ')
 ########################################
 #
 # Auditd local policy
@ -373,8 +375,8 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # sys_nice for rsyslog
 # cjp: why net_admin!
-allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
+allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
-dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
+dontaudit syslogd_t self:capability { sys_ptrace };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
@ -565,6 +567,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(syslogd_t)
 	# for systemd-journal to read seat data from /run/udev/data
 	udev_read_pid_files(syslogd_t)
 ')
 optional_policy(`
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.1)
+policy_module(lvm, 1.19.2)
 ########################################
 #
@ -257,6 +257,8 @@ dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
 # the following one is needed by cryptsetup
 dev_getattr_fs(lvm_t)
 # for systemd-cryptsetup
 dev_write_kmsg(lvm_t)
 domain_use_interactive_fds(lvm_t)
 domain_read_all_domains_state(lvm_t)
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.1)
+policy_module(selinuxutil, 1.22.2)
 gen_require(`
 	bool secure_mode;
@ -343,8 +343,6 @@ files_relabel_non_auth_files(restorecond_t )
 files_read_non_auth_files(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 locallogin_dontaudit_use_fds(restorecond_t)
 logging_send_syslog_msg(restorecond_t)
 miscfiles_read_localization(restorecond_t)
@ -357,6 +355,10 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 optional_policy(`
 	locallogin_dontaudit_use_fds(restorecond_t)
 ')
 optional_policy(`
 	rpm_use_script_fds(restorecond_t)
 ')
@ -482,8 +484,6 @@ term_use_all_terms(semanage_t)
 # Running genhomedircon requires this for finding all users
 auth_use_nsswitch(semanage_t)
 locallogin_use_fds(semanage_t)
 logging_send_syslog_msg(semanage_t)
 miscfiles_read_localization(semanage_t)
@ -516,6 +516,10 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 optional_policy(`
 	locallogin_use_fds(semanage_t)
 ')
 ########################################
 #
 # Setfiles local policy
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.20.2)
+policy_module(sysnetwork, 1.20.3)
 ########################################
 #
@ -145,8 +145,6 @@ logging_send_syslog_msg(dhcpc_t)
 miscfiles_read_localization(dhcpc_t)
 modutils_run_insmod(dhcpc_t, dhcpc_roles)
 sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
 userdom_use_user_terminals(dhcpc_t)
@ -205,6 +203,10 @@ optional_policy(`
 	')
 ')
 optional_policy(`
 	modutils_run_insmod(dhcpc_t, dhcpc_roles)
 ')
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`
 	netutils_run_ping(dhcpc_t, dhcpc_roles)
@ -333,8 +335,6 @@ logging_send_syslog_msg(ifconfig_t)
 miscfiles_read_localization(ifconfig_t)
 modutils_domtrans_insmod(ifconfig_t)
 seutil_use_runinit_fds(ifconfig_t)
 sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
@ -376,6 +376,10 @@ optional_policy(`
 	ipsec_setcontext_default_spd(ifconfig_t)
 ')
 optional_policy(`
 	modutils_domtrans_insmod(ifconfig_t)
 ')
 optional_policy(`
 	nis_use_ypbind(ifconfig_t)
 ')
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@ -1,4 +1,4 @@
-policy_module(udev, 1.21.1)
+policy_module(udev, 1.21.2)
 ########################################
 #
@ -125,6 +125,7 @@ files_search_mnt(udev_t)
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 mcs_ptrace_all(udev_t)
		`@ -1 +1 @@`
			`Subproject commit 9dd465a5d5ae5c37f2efbde3ed9aa13d6a7f4913`				`Subproject commit d59909fbf34e11ca808842173acf03cfe44f34aa`