[selinux-policy/f14/master] - Allow login programs to search /cgroups
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Aug 13 20:14:41 UTC 2010
commit 0d3635865efe3044eba64fd35468dcd550d859b8
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Aug 13 16:14:15 2010 -0400
- Allow login programs to search /cgroups
policy-F14.patch | 249 ++++++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 5 +-
2 files changed, 180 insertions(+), 74 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index b3d494e..355ea17 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1782,7 +1782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.8.8/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-11 08:24:20.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/admin/prelink.te 2010-08-13 11:29:37.000000000 -0400
@@ -59,6 +59,7 @@
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -1836,6 +1836,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
+@@ -148,7 +159,7 @@
+ files_read_etc_files(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+
+- init_exec(prelink_cron_system_t)
++ init_telinit(prelink_cron_system_t)
+
+ libs_exec_ld_so(prelink_cron_system_t)
+
@@ -158,6 +169,8 @@
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
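Review bot: Swapping `init_exec(prelink_cron_system_t)` for `init_telinit(prelink_cron_system_t)` is not mentioned in the commit message, and the interface name suggests the cron domain now gets more than execute access on init's binaries (presumably whatever control path telinit uses); confirm that is intended for a cron-driven prelink job. A why-comment on the new line would make the grant reviewable, e.g. `# prelink's cron script re-executes init via telinit after relinking` if that is the reason (inferred, please confirm). The prelink_cron_system_t rule block continues outside the hunk.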
@@ -4390,8 +4399,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.8.8/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/java.te 2010-07-30 14:06:53.000000000 -0400
-@@ -82,6 +82,7 @@
++++ serefpolicy-3.8.8/policy/modules/apps/java.te 2010-08-13 15:48:49.000000000 -0400
+@@ -82,12 +82,12 @@
dev_read_rand(java_t)
dev_dontaudit_append_rand(java_t)
@@ -4399,7 +4408,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
files_read_usr_files(java_t)
files_search_home(java_t)
files_search_var_lib(java_t)
-@@ -143,12 +144,15 @@
+ files_read_etc_runtime_files(java_t)
+ # Read global fonts and font config
+-files_read_etc_files(java_t)
+
+ fs_getattr_xattr_fs(java_t)
+ fs_dontaudit_rw_tmpfs_files(java_t)
+@@ -143,12 +143,15 @@
# execheap is needed for itanium/BEA jrocket
allow unconfined_java_t self:process { execstack execmem execheap };
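Review bot: Removing `files_read_etc_files(java_t)` leaves the comment `# Read global fonts and font config` with no rule under it, followed by a blank line. Either drop the comment or move it above whichever rule now grants that access; if reads of /etc are now expected to come from another interface, confirm java_t still has them rather than relying on the comment. The java_t rule block continues on both sides of the hunk.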
@@ -5209,7 +5224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-11 08:01:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-13 15:48:58.000000000 -0400
@@ -0,0 +1,301 @@
+policy_module(nsplugin, 1.0.0)
+
@@ -5330,8 +5345,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
-+files_read_usr_files(nsplugin_t)
+files_read_etc_files(nsplugin_t)
++files_read_usr_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
@@ -5890,7 +5905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.8.8/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/sambagui.te 2010-08-13 15:50:28.000000000 -0400
@@ -0,0 +1,66 @@
+policy_module(sambagui,1.0.0)
+
@@ -5926,8 +5941,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+corecmd_exec_bin(sambagui_t)
+
+files_read_etc_files(sambagui_t)
++files_read_usr_files(sambagui_t)
+files_search_var_lib(sambagui_t)
-+files_search_usr(sambagui_t)
+
+# reading shadow by pdbedit
+#auth_read_shadow(sambagui_t)
@@ -7461,6 +7476,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
+optional_policy(`
+ xserver_stream_connect(consolehelper_domain)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.8.8/policy/modules/apps/vmware.fc
+--- nsaserefpolicy/policy/modules/apps/vmware.fc 2010-07-27 16:06:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/vmware.fc 2010-08-13 14:51:09.000000000 -0400
+@@ -66,5 +66,6 @@
+ /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+ /var/log/vnetlib.* -- gen_context(system_u:object_r:vmware_log_t,s0)
+
++/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.8.8/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-07-27 16:06:04.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/vmware.te 2010-07-30 14:06:53.000000000 -0400
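Review bot: The new entry `/var/run/vmnet.* gen_context(system_u:object_r:vmware_var_run_t,s0)` carries no file-type qualifier, so it labels sockets, directories and regular files alike, while the `vmnat.*` line right below it is restricted to sockets with `-s`. If vmnet only creates sockets, mirroring that (`/var/run/vmnet.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)`) keeps the context file consistent; if it creates other object types, a short comment saying so would spare the next reader the same question. The neighbouring `/var/run/vmware.*` line also lacks a qualifier, so this may be deliberate.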
@@ -7962,7 +7987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-04 12:08:01.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-13 09:07:52.000000000 -0400
@@ -461,6 +461,24 @@
########################################
@@ -9132,7 +9157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-08-04 13:24:15.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-08-13 10:09:00.000000000 -0400
@@ -1233,7 +1233,7 @@
type cifs_t;
')
@@ -13387,8 +13412,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
kernel_read_kernel_sysctls(avahi_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.8.8/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/bind.if 2010-07-30 14:06:53.000000000 -0400
-@@ -359,9 +359,9 @@
++++ serefpolicy-3.8.8/policy/modules/services/bind.if 2010-08-12 16:43:18.000000000 -0400
+@@ -308,6 +308,27 @@
+
+ ########################################
+ ## <summary>
++## Read BIND zone files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bind_read_log',`
++ gen_require(`
++ type named_zone_t;
++ type named_log_t;
++ ')
++
++ files_search_var($1)
++ allow $1 named_zone_t:dir search_dir_perms;
++ read_files_pattern($1, named_log_t, named_log_t)
++')
++
++########################################
++## <summary>
+ ## Manage BIND zone files.
+ ## </summary>
+ ## <param name="domain">
+@@ -359,9 +380,9 @@
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
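Review bot: The summary on the new `bind_read_log` interface reads `## Read BIND zone files.`, which is copied from the `Manage BIND zone files.` block that follows it; the interface reads `named_log_t`, so it should say `## Read BIND log files.`. The `allow $1 named_zone_t:dir search_dir_perms;` line also deserves a one-line why-comment, presumably because the log files are reached through the zone directory in a chroot layout; confirm that and note it, e.g. `# logs live under the zone directory when named is chrooted`.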
@@ -13400,7 +13453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
type named_initrc_exec_t;
')
-@@ -391,8 +391,7 @@
+@@ -391,8 +412,7 @@
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
@@ -15755,7 +15808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-08-13 11:29:11.000000000 -0400
@@ -63,9 +63,12 @@
type crond_tmp_t;
@@ -16420,7 +16473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.8.8/policy/modules/services/denyhosts.te
--- nsaserefpolicy/policy/modules/services/denyhosts.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/denyhosts.te 2010-08-13 13:33:16.000000000 -0400
@@ -25,7 +25,8 @@
#
# DenyHosts personal policy.
@@ -16431,7 +16484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
allow denyhosts_t self:tcp_socket create_socket_perms;
allow denyhosts_t self:udp_socket create_socket_perms;
-@@ -53,6 +54,7 @@
+@@ -53,20 +54,28 @@
corenet_tcp_sendrecv_generic_node(denyhosts_t)
corenet_tcp_bind_generic_node(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
@@ -16439,7 +16492,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
corenet_sendrecv_smtp_client_packets(denyhosts_t)
dev_read_urand(denyhosts_t)
-@@ -61,12 +63,18 @@
+
+ files_read_etc_files(denyhosts_t)
++files_read_usr_files(denyhosts_t)
# /var/log/secure
logging_read_generic_logs(denyhosts_t)
@@ -16641,7 +16696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-11 09:33:29.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-13 12:10:15.000000000 -0400
@@ -18,7 +18,7 @@
files_tmp_file(dovecot_auth_tmp_t)
@@ -16660,16 +16715,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
-@@ -72,7 +72,7 @@
+@@ -72,7 +72,8 @@
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-allow dovecot_t dovecot_etc_t:file read_file_perms;
++allow dovecot_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,10 +94,11 @@
+@@ -94,10 +95,11 @@
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -16682,7 +16738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
-@@ -242,6 +243,7 @@
+@@ -242,6 +244,7 @@
')
optional_policy(`
@@ -16690,7 +16746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -253,19 +255,25 @@
+@@ -253,19 +256,25 @@
allow dovecot_deliver_t dovecot_t:process signull;
@@ -16718,7 +16774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,4 +310,5 @@
+@@ -302,4 +311,5 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
@@ -19470,7 +19526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-08-13 15:25:16.000000000 -0400
@@ -21,7 +21,7 @@
files_config_file(etc_mail_t)
@@ -19610,7 +19666,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -292,3 +288,42 @@
+@@ -249,6 +245,10 @@
+ mailman_read_data_symlinks(mailserver_delivery)
+ ')
+
++optional_policy(`
++ uucp_domtrans_uux(mailserver_delivery)
++')
++
+ ########################################
+ #
+ # User send mail local policy
+@@ -292,3 +292,42 @@
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
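Review bot: `uucp_domtrans_uux(mailserver_delivery)` grants the transition to every domain carrying the `mailserver_delivery` attribute, not just to the one delivery agent that presumably needs to hand mail to uux. If only a specific deliverer calls uux, scoping the rule to that domain keeps the attribute's privilege set minimal; otherwise a comment naming the use case would help, e.g. `# local delivery can route mail to uucp via uux`. The commit message does not mention this change.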
@@ -20618,7 +20685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
kernel_list_proc(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.8.8/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/openvpn.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/openvpn.te 2010-08-12 16:38:44.000000000 -0400
@@ -24,6 +24,9 @@
type openvpn_etc_rw_t;
files_config_file(openvpn_etc_rw_t)
@@ -20643,7 +20710,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
-@@ -113,6 +120,7 @@
+@@ -68,6 +75,7 @@
+ kernel_read_net_sysctls(openvpn_t)
+ kernel_read_network_state(openvpn_t)
+ kernel_read_system_state(openvpn_t)
++kernel_request_load_module(openvpn_t)
+
+ corecmd_exec_bin(openvpn_t)
+ corecmd_exec_shell(openvpn_t)
+@@ -113,6 +121,7 @@
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
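Review bot: `kernel_request_load_module(openvpn_t)` lets the daemon trigger kernel module autoloading, which is a broader capability than the read-only kernel rules around it; a why-comment naming the module it needs would make the grant reviewable, e.g. `# opening the tun device can trigger module autoload` if that is the cause (inferred, confirm from the denial). The openvpn_t rule block continues outside the hunk.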
@@ -24310,7 +24385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-08-12 16:45:59.000000000 -0400
@@ -152,9 +152,6 @@
type winbind_log_t;
logging_log_file(winbind_log_t)
@@ -24400,7 +24475,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -692,6 +687,7 @@
+@@ -677,7 +672,7 @@
+ allow swat_t nmbd_t:process { signal signull };
+ allow nmbd_t swat_t:process signal;
+
+-allow swat_t smbd_var_run_t:file { lock unlink };
++allow swat_t nmbd_var_run_t:file read_file_perms;
+
+ allow swat_t smbd_port_t:tcp_socket name_bind;
+
+@@ -692,12 +687,14 @@
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -24408,7 +24492,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_exec_t:file mmap_file_perms ;
-@@ -710,6 +706,7 @@
+ allow swat_t smbd_t:process signull;
+
+ allow swat_t smbd_var_run_t:file read_file_perms;
++allow swat_t smbd_var_run_t:file { lock unlink };
+
+ manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+ manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
+@@ -710,6 +707,7 @@
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
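Review bot: `lock` in the re-added `allow swat_t smbd_var_run_t:file { lock unlink };` is already granted by `read_file_perms` on the line above, so the new rule effectively adds only `unlink`. Writing it as `allow swat_t smbd_var_run_t:file unlink;` makes the intent, removing smbd's pid file, visible at a glance. The earlier hunk replaces the old copy of this rule with `allow swat_t nmbd_var_run_t:file read_file_perms;`, so no permission is lost overall.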
@@ -24416,7 +24507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +751,8 @@
+@@ -754,6 +752,8 @@
miscfiles_read_localization(swat_t)
@@ -24425,7 +24516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,14 +805,14 @@
+@@ -806,14 +806,14 @@
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -24445,7 +24536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +832,7 @@
+@@ -833,6 +833,7 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -24453,7 +24544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -922,6 +922,18 @@
+@@ -922,6 +923,18 @@
#
optional_policy(`
@@ -24472,7 +24563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +944,12 @@
+@@ -932,9 +945,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -26218,12 +26309,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.8.8/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-07-30 14:06:53.000000000 -0400
-@@ -13,17 +13,18 @@
++++ serefpolicy-3.8.8/policy/modules/services/virt.fc 2010-08-13 13:57:22.000000000 -0400
+@@ -13,17 +13,19 @@
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
++/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
-/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
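Review bot: Labeling `/usr/sbin/condor_vm-gahp` as `virtd_exec_t` means any domain with an entrypoint or transition rule on `virtd_exec_t` will run this Condor helper in the libvirt daemon domain, with everything virtd_t is allowed. If condor_vm-gahp only needs to talk to libvirtd, a client-side rule for the Condor domain would be narrower; if it really must run as virtd_t, a comment saying why (e.g. `# condor's VM gahp drives libvirt directly and needs virtd_t`) would help the next reviewer. The change is not mentioned in the commit message or the changelog entry.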
@@ -28904,7 +28996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.8.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-11 09:09:04.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/authlogin.if 2010-08-13 13:17:18.000000000 -0400
@@ -91,9 +91,12 @@
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -28926,7 +29018,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
manage_files_pattern($1, var_auth_t, var_auth_t)
-@@ -141,6 +145,7 @@
+@@ -126,6 +130,8 @@
+ files_read_etc_files($1)
+
+ fs_list_auto_mountpoints($1)
++ fs_manage_cgroup_dirs($1)
++ fs_manage_cgroup_files($1)
+
+ selinux_get_fs_mount($1)
+ selinux_validate_context($1)
+@@ -141,6 +147,7 @@
mls_process_set_level($1)
mls_fd_share_all_levels($1)
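Review bot: The two added calls, `fs_manage_cgroup_dirs($1)` and `fs_manage_cgroup_files($1)`, grant every login-program domain create, write and delete on cgroup directories and files, while the commit message and the changelog entry say only that login programs need to search /cgroups. If search is all that was denied, the narrower `fs_list_cgroup_dirs($1)` (already used for initrc_t in the init.te hunk of this commit) would match the stated intent; manage rights here let any login program reconfigure cgroups system-wide. If the wider access is really required, for example a PAM module placing sessions into cgroups, a comment stating that, e.g. `# pam_systemd/cgroup modules create per-session cgroups`, would reconcile the rule with the changelog. auth_login_pgm_domain's body continues outside the hunk.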
@@ -28934,7 +29035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,8 +156,38 @@
+@@ -151,8 +158,38 @@
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -28975,7 +29076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -365,13 +400,15 @@
+@@ -365,13 +402,15 @@
')
optional_policy(`
@@ -28992,7 +29093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -418,6 +455,7 @@
+@@ -418,6 +457,7 @@
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -29000,7 +29101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -874,6 +912,26 @@
+@@ -874,6 +914,26 @@
########################################
## <summary>
@@ -29027,7 +29128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Manage var auth files. Used by various other applications
## and pam applets etc.
## </summary>
-@@ -1500,6 +1558,8 @@
+@@ -1500,6 +1560,8 @@
#
interface(`auth_use_nsswitch',`
@@ -29036,7 +29137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1591,15 @@
+@@ -1531,7 +1593,15 @@
')
optional_policy(`
@@ -29861,7 +29962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-10 05:23:35.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-13 09:08:20.000000000 -0400
@@ -16,6 +16,27 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -29973,7 +30074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,66 @@
+@@ -185,15 +216,68 @@
sysadm_shell_domtrans(init_t)
')
@@ -29994,9 +30095,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ dev_write_kmsg(init_t)
+ dev_rw_autofs(init_t)
+ dev_manage_generic_dirs(init_t)
++ dev_manage_generic_files(init_t)
+ dev_read_generic_chr_files(init_t)
+ dev_relabelfrom_generic_chr_files(init_t)
+ dev_relabelto_autofs_dev(init_t)
++
+ files_mounton_all_mountpoints(init_t)
+ files_manage_all_pids_dirs(init_t)
+
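Review bot: `dev_manage_generic_files(init_t)` is added without a comment, alongside the existing `dev_manage_generic_dirs(init_t)`; together they let init create, write and delete generically labeled files under /dev, which is a broadening worth a one-line justification such as `# init populates /dev before udev has labeled it` if that is the reason (inferred, please confirm). The block these indented lines belong to starts and ends outside the hunk.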
@@ -30040,7 +30143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
-@@ -211,7 +293,7 @@
+@@ -211,7 +295,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30049,7 +30152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -240,6 +322,7 @@
+@@ -240,6 +324,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30057,7 +30160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +340,22 @@
+@@ -257,11 +342,22 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -30080,7 +30183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -297,11 +391,13 @@
+@@ -297,11 +393,13 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -30094,7 +30197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -320,8 +416,10 @@
+@@ -320,8 +418,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -30106,7 +30209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -337,6 +435,8 @@
+@@ -337,6 +437,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -30115,7 +30218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_delete_cgroup_dirs(initrc_t)
fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +450,8 @@
+@@ -350,6 +452,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -30124,7 +30227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -362,6 +464,7 @@
+@@ -362,6 +466,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -30132,7 +30235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -393,13 +496,14 @@
+@@ -393,13 +498,14 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -30148,7 +30251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +576,7 @@
+@@ -472,7 +578,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -30157,7 +30260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -518,6 +622,19 @@
+@@ -518,6 +624,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -30177,7 +30280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -525,10 +642,17 @@
+@@ -525,10 +644,17 @@
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -30195,7 +30298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -543,6 +667,35 @@
+@@ -543,6 +669,35 @@
')
')
@@ -30231,7 +30334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +708,8 @@
+@@ -555,6 +710,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30240,7 +30343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -571,6 +726,7 @@
+@@ -571,6 +728,7 @@
optional_policy(`
cgroup_stream_connect(initrc_t)
@@ -30248,7 +30351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -583,6 +739,11 @@
+@@ -583,6 +741,11 @@
')
optional_policy(`
@@ -30260,7 +30363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -599,6 +760,7 @@
+@@ -599,6 +762,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30268,7 +30371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -700,7 +862,12 @@
+@@ -700,7 +864,12 @@
')
optional_policy(`
@@ -30281,7 +30384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -723,6 +890,10 @@
+@@ -723,6 +892,10 @@
')
optional_policy(`
@@ -30292,7 +30395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -744,6 +915,10 @@
+@@ -744,6 +917,10 @@
')
optional_policy(`
@@ -30303,7 +30406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -765,8 +940,6 @@
+@@ -765,8 +942,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30312,7 +30415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -779,10 +952,12 @@
+@@ -779,10 +954,12 @@
squid_manage_logs(initrc_t)
')
@@ -30325,7 +30428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +979,19 @@
+@@ -804,11 +981,19 @@
')
optional_policy(`
@@ -30346,7 +30449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +1001,25 @@
+@@ -818,6 +1003,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -30372,7 +30475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -843,3 +1045,55 @@
+@@ -843,3 +1047,55 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -33057,7 +33160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-08-13 15:47:08.000000000 -0400
@@ -22,6 +22,9 @@
type selinux_config_t;
files_type(selinux_config_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6c70439..bd57abf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 13%{?dist}
+Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Fri Aug 13 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-14
+- Allow login programs to search /cgroups
+
* Thu Aug 12 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-13
- Fix cert handling