[selinux-policy/f14/master] * Wed Aug 4 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-10 - Allow pcscd to read sysfs - systemd fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Aug 4 19:18:31 UTC 2010
commit c8fdc6b2697c3de132ea86141f5b58af985cca0f
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Aug 4 15:18:25 2010 -0400
* Wed Aug 4 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-10
- Allow pcscd to read sysfs
- systemd fixes
- Fix wine_mmap_zero_ignore boolean
.gitignore | 2 +
policy-F14.patch | 111 ++++++++++++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 7 +++-
3 files changed, 100 insertions(+), 20 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 52a38dd..80d3fd6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -218,3 +218,5 @@ serefpolicy-3.8.5.tgz
serefpolicy-3.8.6.tgz
serefpolicy-3.8.7.tgz
serefpolicy-3.8.8.tgz
+*.rpm
+serefpolicy*
diff --git a/policy-F14.patch b/policy-F14.patch
index 31e5fb2..af9df7a 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7397,7 +7397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc
/opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.8.8/policy/modules/apps/wine.if
--- nsaserefpolicy/policy/modules/apps/wine.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/wine.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/wine.if 2010-08-04 14:27:03.000000000 -0400
@@ -35,6 +35,8 @@
role $1 types wine_t;
@@ -7421,7 +7421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
+ ')
+
+ tunable_policy(`wine_mmap_zero_ignore',`
-+ allow $1_wine_t self:memprotect mmap_zero;
++ dontaudit $1_wine_t self:memprotect mmap_zero;
+ ')
optional_policy(`
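Review bot: Changing `allow $1_wine_t self:memprotect mmap_zero;` to `dontaudit` alters the meaning of the `wine_mmap_zero_ignore` tunable: the zero-page mapping stays denied and only the audit record is suppressed, so the kernel's low-address mapping protection is kept rather than relaxed. That matches the "ignore" in the tunable's name, but if the boolean's `<desc>` text (outside this hunk) still says the mapping is allowed it should be reworded to say the denial is silently ignored, and the changelog entry "Fix wine_mmap_zero_ignore boolean" would be clearer if it stated that the rule now dontaudits instead of allows. The enclosing tunable_policy block starts before this hunk.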
@@ -7646,7 +7646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/corenetwork.te.in 2010-08-04 13:10:54.000000000 -0400
@@ -24,6 +24,7 @@
#
type tun_tap_device_t;
@@ -7697,7 +7697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -124,8 +132,9 @@
+@@ -124,29 +132,32 @@
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -7708,7 +7708,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(kismet, tcp,2501,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
-@@ -137,16 +146,17 @@
+ network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
+ network_port(lirc, tcp,8765,s0)
++network_port(luci, tcp,8084,s0)
+ network_port(lmtp, tcp,24,s0, udp,24,s0)
+ type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
+ network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
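Review bot: The new `network_port(luci, tcp,8084,s0)` line is inserted between `lirc` and `lmtp`, which breaks the alphabetical order the surrounding list keeps (`lmtp` sorts before `luci`). Move it to directly after `network_port(lmtp, tcp,24,s0, udp,24,s0)` so the port declarations stay sorted and the next merge against upstream corenetwork.te.in applies cleanly.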
@@ -7729,7 +7734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -154,12 +164,20 @@
+@@ -154,12 +165,20 @@
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -7750,7 +7755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +192,27 @@
+@@ -174,24 +193,27 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -7781,7 +7786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
-@@ -201,16 +222,17 @@
+@@ -201,16 +223,17 @@
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -8941,7 +8946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-08-04 13:24:15.000000000 -0400
@@ -1233,7 +1233,7 @@
type cifs_t;
')
@@ -20275,6 +20280,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
tunable_policy(`openvpn_enable_homedirs',`
userdom_read_user_home_content_files(openvpn_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.8.8/policy/modules/services/pcscd.te
+--- nsaserefpolicy/policy/modules/services/pcscd.te 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/pcscd.te 2010-08-04 14:25:34.000000000 -0400
+@@ -44,7 +44,8 @@
+ dev_rw_generic_usb_dev(pcscd_t)
+ dev_rw_smartcard(pcscd_t)
+ dev_rw_usbfs(pcscd_t)
+-dev_search_sysfs(pcscd_t)
++dev_list_sysfs(pcscd_t)
++dev_read_sysfs(pcscd_t)
+
+ files_read_etc_files(pcscd_t)
+ files_read_etc_runtime_files(pcscd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.8.8/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2010-07-27 16:06:06.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/pegasus.te 2010-07-30 14:06:53.000000000 -0400
@@ -20373,8 +20391,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/perd
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.fc serefpolicy-3.8.8/policy/modules/services/piranha.fc
--- nsaserefpolicy/policy/modules/services/piranha.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.fc 2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,21 @@
++++ serefpolicy-3.8.8/policy/modules/services/piranha.fc 2010-08-04 13:10:54.000000000 -0400
+@@ -0,0 +1,26 @@
+
+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
+
@@ -20383,11 +20401,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+
+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
+
++/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
++
+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
+
++/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
++/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
++/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
++
+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
+
+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
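Review bot: Labelling `/usr/bin/paster` as `piranha_web_exec_t` applies a service-specific entrypoint type to what looks like a generic Python Paste launcher, so any other package that ships or uses paster would presumably inherit the piranha web domain's transition and permissions. If only the piranha/luci GUI invokes it, a comment above the line saying so, e.g. `# paster is the launcher for the luci/piranha web GUI`, would record why a shared binary gets this label; otherwise a more specific path or a wrapper under /usr/sbin would be the tighter choice. The same consideration applies to the `/var/lib/luci(/.*)?` entries, which give the piranha web domain manage rights over that tree.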
@@ -20395,7 +20419,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
+
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.if serefpolicy-3.8.8/policy/modules/services/piranha.if
--- nsaserefpolicy/policy/modules/services/piranha.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.8.8/policy/modules/services/piranha.if 2010-07-30 14:06:53.000000000 -0400
@@ -20577,8 +20600,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.8.8/policy/modules/services/piranha.te
--- nsaserefpolicy/policy/modules/services/piranha.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/services/piranha.te 2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,188 @@
++++ serefpolicy-3.8.8/policy/modules/services/piranha.te 2010-08-04 13:10:54.000000000 -0400
+@@ -0,0 +1,215 @@
+policy_module(piranha,1.0.0)
+
+########################################
@@ -20609,6 +20632,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+type piranha_web_tmpfs_t;
+files_tmpfs_file(piranha_web_tmpfs_t)
+
++type piranha_web_conf_t;
++files_type(piranha_web_conf_t)
++
++type piranha_web_data_t;
++files_type(piranha_web_data_t)
++
++type piranha_web_tmp_t;
++files_tmp_file(piranha_web_tmp_t)
++
+type piranha_etc_rw_t;
+files_type(piranha_etc_rw_t)
+
@@ -20635,20 +20667,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+#
+
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
-+allow piranha_web_t self:process { getsched setsched signal ptrace };
++allow piranha_web_t self:process { getsched setsched signal signull ptrace };
+allow piranha_web_t self:rawip_socket create_socket_perms;
+
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+allow piranha_web_t self:sem create_sem_perms;
+allow piranha_web_t self:shm create_shm_perms;
+
++manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
++files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
++
++read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
++
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
+
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file } )
+
-+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
++can_exec(piranha_web_t, piranha_web_tmp_t)
++manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
++files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
++
++manage_dirs_patter(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
+
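Review bot: The new line `manage_dirs_patter(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)` misspells the interface name, so m4 will leave it unexpanded and the module build (or the policy compile of the literal text) will fail rather than grant the intended tmpfs directory access; it should read `manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)`. The line it replaces on the old side was spelled correctly, so this is a regression introduced by the rewrite rather than an upstream typo. Separately, `can_exec(piranha_web_t, piranha_web_tmp_t)` lets the web domain execute files it can itself create under /tmp, which is a deliberate weakening of the usual no-exec-of-writable-files posture and deserves a one-line comment naming the component that needs it. The piranha_web_t rule block continues outside the hunk.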
@@ -20657,6 +20700,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+kernel_read_kernel_sysctls(piranha_web_t)
+
+corenet_tcp_bind_piranha_port(piranha_web_t)
++corenet_tcp_bind_luci_port(piranha_web_t)
++corenet_tcp_connect_ricci_port(piranha_web_t)
+
+dev_read_urand(piranha_web_t)
+
@@ -20667,10 +20712,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
+consoletype_exec(piranha_web_t)
+
+optional_policy(`
++ apache_read_config(piranha_web_t)
+ apache_exec_modules(piranha_web_t)
+ apache_exec(piranha_web_t)
+')
+
++optional_policy(`
++ sasl_connect(piranha_web_t)
++')
++
+######################################
+#
+# piranha-lvs local policy
@@ -25605,6 +25655,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
-/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.8.8/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te 2010-07-27 16:06:06.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/uucp.te 2010-08-04 13:17:33.000000000 -0400
+@@ -83,6 +83,7 @@
+ corenet_udp_sendrecv_generic_node(uucpd_t)
+ corenet_tcp_sendrecv_all_ports(uucpd_t)
+ corenet_udp_sendrecv_all_ports(uucpd_t)
++corenet_tcp_connect_ssh_port(uucpd_t)
+
+ dev_read_urand(uucpd_t)
+
+@@ -113,6 +114,10 @@
+ kerberos_use(uucpd_t)
+ ')
+
++optional_policy(`
++ ssh_exec(uucpd_t)
++')
++
+ ########################################
+ #
+ # UUX Local policy
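Review bot: Pairing `ssh_exec(uucpd_t)` with `corenet_tcp_connect_ssh_port(uucpd_t)` presumably runs the ssh client inside uucpd_t without a domain transition, so whatever the client needs at runtime (key and known_hosts access, its own socket use) will surface as further denials against uucpd_t rather than against an ssh domain. If the intent is simply to let uucico use ssh as a transport, a comment above the optional_policy block recording that, e.g. `# uucico can use ssh as its transport`, would make the rule's scope clear; if a transition interface for the ssh client exists in this policy version it would keep uucpd_t smaller. The uucpd_t rules continue outside the hunk.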
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.8.8/policy/modules/services/varnishd.if
--- nsaserefpolicy/policy/modules/services/varnishd.if 2010-07-27 16:12:33.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/varnishd.if 2010-07-30 14:06:53.000000000 -0400
@@ -29284,7 +29356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-04 12:04:07.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-04 13:52:32.000000000 -0400
@@ -16,6 +16,27 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -30389,12 +30461,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.8.8/policy/modules/system/kdump.te
--- nsaserefpolicy/policy/modules/system/kdump.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/kdump.te 2010-07-30 14:06:53.000000000 -0400
-@@ -29,6 +29,7 @@
++++ serefpolicy-3.8.8/policy/modules/system/kdump.te 2010-08-04 13:52:39.000000000 -0400
+@@ -29,6 +29,8 @@
kernel_read_system_state(kdump_t)
kernel_read_core_if(kdump_t)
+kernel_read_debugfs(kdump_t)
++kernel_request_load_module(kdump_t)
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ddd2ffb..9db7cdd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 9%{?dist}
+Release: 10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
%endif
%changelog
+* Wed Aug 4 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-10
+- Allow pcscd to read sysfs
+- systemd fixes
+- Fix wine_mmap_zero_ignore boolean
+
* Tue Aug 3 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-9
- Apply Miroslav munin patch
- Turn back on allow_execmem and allow_execmod booleans