Set of minor updates on the contrib modules
Sven Vermeulen (6):
mplayer streams HTTP resources
fcron and fcronsighup binaries are moved
Add in contexts for fcron rm.systab and systab.tmp
Asterisk needs to search through logs
Denial in mail log on node bind
Fix typo in mcelog_admin (missing bracket)
asterisk.te | 1 +
cron.fc | 5 +++++
mcelog.if | 2 +-
mplayer.te | 3 +++
postfix.te | 2 ++
5 files changed, 12 insertions(+), 1 deletion(-)
--
1.8.1.5
Needed to allow mplayer to stream HTTP resources (like webradios).
Signed-off-by: Sven Vermeulen <[email protected]>
---
mplayer.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mplayer.te b/mplayer.te
index 9aca704..802e494 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -130,6 +130,7 @@ tunable_policy(`use_samba_home_dirs',`
allow mplayer_t self:process { signal_perms getsched };
allow mplayer_t self:fifo_file rw_fifo_file_perms;
allow mplayer_t self:sem create_sem_perms;
+allow mplayer_t self:udp_socket create_socket_perms;
allow mplayer_t mplayer_etc_t:dir list_dir_perms;
allow mplayer_t mplayer_etc_t:file read_file_perms;
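Review bot: The added `allow mplayer_t self:udp_socket create_socket_perms;` is not explained by the commit message, which only mentions HTTP streaming, and HTTP runs over TCP. If the UDP socket is there for DNS lookups of the stream host, say so in the message and consider calling the name-resolution interface (sysnet_dns_name_resolve) instead of a raw allow rule, so the grant stays tied to its purpose. If it is for something else, such as RTP or UDP-based streaming, that needs its own justification.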
@@ -155,6 +156,8 @@ kernel_read_kernel_sysctls(mplayer_t)
corecmd_exec_bin(mplayer_t)
corecmd_exec_shell(mplayer_t)
+corenet_tcp_connect_http_port(mplayer_t)
+
dev_read_rand(mplayer_t)
dev_read_realtime_clock(mplayer_t)
dev_read_sound_mixer(mplayer_t)
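Review bot: `corenet_tcp_connect_http_port(mplayer_t)` is added unconditionally, so every mplayer_t process gains outbound connect to HTTP-labeled ports whether or not the user ever streams. The file already uses tunable_policy (visible in the first hunk header), so consider putting this behind a boolean. The call also covers only ports labeled as HTTP ports; web radio streams served from other ports would still be denied, and the commit message should say whether that is intended.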
--
1.8.1.5
In fcron 3.1.1, the fcron and fcronsighup binaries are moved into /usr/libexec.
Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.fc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/cron.fc b/cron.fc
index 6e76215..d4fbcfd 100644
--- a/cron.fc
+++ b/cron.fc
@@ -6,6 +6,9 @@
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crond_exec_t,s0)
+
/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
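Review bot: `/usr/libexec/fcronsighup` is labeled crond_exec_t here, the same as the daemon itself, but fcronsighup is the helper that fcrontab runs to signal the daemon, not a daemon. The neighbouring `/usr/bin/(f)?crontab` entry uses crontab_exec_t, which looks like the better fit for a user-invoked helper; please confirm which domain it is expected to run in. The commit message should also state whether the pre-3.1.1 paths stay labeled for older installs.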
--
1.8.1.5
Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/cron.fc b/cron.fc
index d4fbcfd..cab22a1 100644
--- a/cron.fc
+++ b/cron.fc
@@ -44,7 +44,9 @@
/var/spool/fcron/.* <<none>>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
ifdef(`distro_debian',`
/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
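Review bot: The two added entries for `systab\.tmp` and `rm\.systab` come with no commit description, so nothing records which fcron operation creates these files or what denial prompted the labels. Please add that to the message. Note also that file context entries only take effect on relabel; files created at runtime under /var/spool/fcron take the directory's type unless a type transition says otherwise, so check that a matching transition to system_cron_spool_t exists for the domain that creates them.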
--
1.8.1.5
Allow asterisk to search through the log files, otherwise the following error is
received:
asterisk: ERROR[23298]: cdr_csv.c:318 in csv_log: Unable to re-open master file
/var/log/asterisk//cdr-csv//Master.csv : Permission denied
Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/asterisk.te b/asterisk.te
index 5439f1c..c436f9f 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -146,6 +146,7 @@ fs_search_auto_mountpoints(asterisk_t)
auth_use_nsswitch(asterisk_t)
+logging_search_logs(asterisk_t)
logging_send_syslog_msg(asterisk_t)
miscfiles_read_localization(asterisk_t)
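Review bot: The commit message for the added `logging_search_logs(asterisk_t)` quotes the Asterisk error but not the AVC denial behind it. Including the denial (class and target type) would confirm that search on the generic log directory is the only missing permission on the path to /var/log/asterisk/cdr-csv/Master.csv, and not an access on the Asterisk log type itself.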
--
1.8.1.5
When mails are sent to an IPv6-enabled server, the following denial is otherwise
shown in the mail logs:
postfix/smtp[7620]: warning: smtp_connect_addr: bind <local_ipv6>: Permission denied
Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/postfix.te b/postfix.te
index 191a66f..dd59b2a 100644
--- a/postfix.te
+++ b/postfix.te
@@ -702,6 +702,8 @@ allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+corenet_tcp_bind_generic_node(postfix_smtp_t)
+
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
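Review bot: `corenet_tcp_bind_generic_node(postfix_smtp_t)` lets the SMTP client bind TCP sockets to any generic node, yet the commit message shows only the Postfix warning and not the AVC denial. Please quote the denial so it is clear that node bind is the only permission missing and that no port bind is involved, and note under which Postfix configuration the client binds to a local address before connecting.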
--
1.8.1.5
Signed-off-by: Sven Vermeulen <[email protected]>
---
mcelog.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mcelog.if b/mcelog.if
index 9dbe694..f89651e 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -56,6 +56,6 @@ interface(`mcelog_admin',`
logging_search_logs($1)
admin_pattern($1, mcelog_log_t)
- files_search_pids($1
+ files_search_pids($1)
admin_pattern($1, mcelog_var_run_t)
')
--
1.8.1.5
Are the fcron source patches being maintained again?
--
My blog http://etbe.coker.com.au
Sent from a Galaxy S3
Android phone with K-9 Mail.
On Mar 11, 2013 8:15 AM, "Russell Coker" <[email protected]> wrote:
>
> Are the fcron source patches being maintained again?
As long as I can get it to work by updating the policy (and as long as
Gentoo package maintainers continue with it) I continue with it ;-)
On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, Thanks
> ---
> mcelog.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mcelog.if b/mcelog.if
> index 9dbe694..f89651e 100644
> --- a/mcelog.if
> +++ b/mcelog.if
> @@ -56,6 +56,6 @@ interface(`mcelog_admin',`
> logging_search_logs($1)
> admin_pattern($1, mcelog_log_t)
>
> - files_search_pids($1
> + files_search_pids($1)
> admin_pattern($1, mcelog_var_run_t)
> ')
On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> In fcron 3.1.1, the fcron and fcronsighup binaries are moved into /usr/libexec.
Merged with changes: fcronsighup is crontab_exec_t. Thanks
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> cron.fc | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/cron.fc b/cron.fc
> index 6e76215..d4fbcfd 100644
> --- a/cron.fc
> +++ b/cron.fc
> @@ -6,6 +6,9 @@
> /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
> /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
>
> +/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
> +/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crond_exec_t,s0)
> +
> /usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
> /usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
> /usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> When mails are sent to an IPv6-enabled server, the following denial is otherwise
> shown in the mail logs:
>
> postfix/smtp[7620]: warning: smtp_connect_addr: bind <local_ipv6>: Permission denied
>
Merged. The original gentoo bugzilla here has additional details of this
event: https://bugs.gentoo.org/show_bug.cgi?id=453990
Thanks
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> postfix.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/postfix.te b/postfix.te
> index 191a66f..dd59b2a 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -702,6 +702,8 @@ allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
>
> rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
>
> +corenet_tcp_bind_generic_node(postfix_smtp_t)
> +
> optional_policy(`
> cyrus_stream_connect(postfix_smtp_t)
> ')
On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> Allow asterisk to search through the log files, otherwise the following error is
> received:
>
> asterisk: ERROR[23298]: cdr_csv.c:318 in csv_log: Unable to re-open master file
> /var/log/asterisk//cdr-csv//Master.csv : Permission denied
>
Merged, thanks
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/asterisk.te b/asterisk.te
> index 5439f1c..c436f9f 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -146,6 +146,7 @@ fs_search_auto_mountpoints(asterisk_t)
>
> auth_use_nsswitch(asterisk_t)
>
> +logging_search_logs(asterisk_t)
> logging_send_syslog_msg(asterisk_t)
>
> miscfiles_read_localization(asterisk_t)
On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> Needed to allow mplayer to stream HTTP resources (like webradios).
Merged with additional networking rules for compatibility, Thanks
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> mplayer.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mplayer.te b/mplayer.te
> index 9aca704..802e494 100644
> --- a/mplayer.te
> +++ b/mplayer.te
> @@ -130,6 +130,7 @@ tunable_policy(`use_samba_home_dirs',`
> allow mplayer_t self:process { signal_perms getsched };
> allow mplayer_t self:fifo_file rw_fifo_file_perms;
> allow mplayer_t self:sem create_sem_perms;
> +allow mplayer_t self:udp_socket create_socket_perms;
>
> allow mplayer_t mplayer_etc_t:dir list_dir_perms;
> allow mplayer_t mplayer_etc_t:file read_file_perms;
> @@ -155,6 +156,8 @@ kernel_read_kernel_sysctls(mplayer_t)
> corecmd_exec_bin(mplayer_t)
> corecmd_exec_shell(mplayer_t)
>
> +corenet_tcp_connect_http_port(mplayer_t)
> +
> dev_read_rand(mplayer_t)
> dev_read_realtime_clock(mplayer_t)
> dev_read_sound_mixer(mplayer_t)
On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
Merged, Thanks
> ---
> cron.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/cron.fc b/cron.fc
> index d4fbcfd..cab22a1 100644
> --- a/cron.fc
> +++ b/cron.fc
> @@ -44,7 +44,9 @@
> /var/spool/fcron/.* <<none>>
> /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
> /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
> +/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
> /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
> +/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
>
> ifdef(`distro_debian',`
> /var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
On Mon, 11 Mar 2013, Sven Vermeulen <[email protected]> wrote:
> As long as I can get it to work by updating the policy (and as long as
> Gentoo package maintainers continue with it) I continue with it ;-)
How can I get the Gentoo patches for the fcron package?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/