[selinux-policy/f14/master] - Dominic Grift Cleanup - Miroslav Grepl policy for jabberd - Various fixes for mount/livecd and pre

Daniel J Walsh dwalsh at fedoraproject.org
Tue Aug 31 22:41:43 UTC 2010


commit 1c6f587fe76b9628ffeb1e8377f88bdf4fa0fc49
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Aug 31 18:41:17 2010 -0400

    - Dominic Grift Cleanup
    - Miroslav Grepl policy for jabberd
    - Various fixes for mount/livecd and prelink

 policy-F14.patch    |  511 ++++++++++++++++++++++++++++++++++++++++++++++-----
 selinux-policy.spec |    7 +-
 sources             |    1 -
 3 files changed, 472 insertions(+), 47 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 3083567..64d2e9a 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -925,7 +925,7 @@ index b687b5d..4f38995 100644
 +	term_dontaudit_use_all_ptys(traceroute_t)
 +')
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index aa0dcc6..0154b77 100644
+index aa0dcc6..cdbadda 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
 @@ -59,6 +59,7 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
@@ -990,7 +990,7 @@ index aa0dcc6..0154b77 100644
  
  	libs_exec_ld_so(prelink_cron_system_t)
  
-@@ -158,6 +169,8 @@ optional_policy(`
+@@ -158,7 +169,14 @@ optional_policy(`
  
  	cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
  
@@ -999,6 +999,12 @@ index aa0dcc6..0154b77 100644
  	optional_policy(`
  		rpm_read_db(prelink_cron_system_t)
  	')
+ ')
++ifdef(`hide_broken_symptoms', `
++	optional_policy(`
++	      dbus_read_config(prelink_t)
++	')
++')
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
 index 2df2f1d..c1aaa79 100644
 --- a/policy/modules/admin/readahead.te
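Review bot: The new `hide_broken_symptoms` block grants access with `dbus_read_config(prelink_t)` instead of suppressing an audit message; elsewhere in this patch (mount.te) the same flag wraps a dontaudit rule, `rhgb_dontaudit_rw_stream_sockets(mount_t)`. If prelink really has to read the D-Bus configuration, the rule belongs outside the ifdef with a comment saying why. If the denial is only cosmetic, a dontaudit rule is what the flag is for. The inner line is also indented with a tab followed by spaces, unlike the tab-only lines around it.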
@@ -4382,10 +4388,10 @@ index 0000000..74c624e
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..ccb1203
+index 0000000..b4f0852
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,306 @@
+@@ -0,0 +1,307 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -4450,7 +4456,7 @@ index 0000000..ccb1203
 +allow nsplugin_t self:msgq create_msgq_perms;
 +allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +allow nsplugin_t self:unix_dgram_socket create_socket_perms;
-+allow nsplugin_t nsplugin_rw_t:dir search_dir_perms;
++allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
 +
 +tunable_policy(`allow_nsplugin_execmem',`
 +	allow nsplugin_t self:process { execstack execmem };
@@ -4627,6 +4633,7 @@ index 0000000..ccb1203
 +corecmd_exec_shell(nsplugin_config_t)
 +
 +kernel_read_system_state(nsplugin_config_t)
++kernel_request_load_module(nsplugin_config_t)
 +
 +files_read_etc_files(nsplugin_config_t)
 +files_read_usr_files(nsplugin_config_t)
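Review bot: `kernel_request_load_module(nsplugin_config_t)` lets the plugin configuration domain trigger kernel module autoloading, and nothing in the hunk says which operation needs it. The same commit uses `kernel_dontaudit_request_load_module(sandbox_xserver_t)` for the X sandbox; if the nsplugin denial is likewise a side effect, `kernel_dontaudit_request_load_module(nsplugin_config_t)` would silence it without granting the access. Otherwise add a comment above the line naming the module or operation that requires it.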
@@ -5450,10 +5457,10 @@ index 0000000..c20d303
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..88a211a
+index 0000000..8d4ac56
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,401 @@
+@@ -0,0 +1,403 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -5501,6 +5508,8 @@ index 0000000..88a211a
 +manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
 +fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 +
++kernel_dontaudit_request_load_module(sandbox_xserver_t)
++
 +corecmd_exec_bin(sandbox_xserver_t)
 +corecmd_exec_shell(sandbox_xserver_t)
 +
@@ -5694,7 +5703,7 @@ index 0000000..88a211a
 +#
 +# sandbox_x_client_t local policy
 +#
-+allow sandbox_x_client_t self:tcp_socket create_socket_perms;
++allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
 +allow sandbox_x_client_t self:udp_socket create_socket_perms;
 +allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
 +allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms;
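Review bot: Replacing `create_socket_perms` with `create_stream_socket_perms` on `self:tcp_socket` adds the `listen` and `accept` permissions for `sandbox_x_client_t`, and the next hunk makes the same change for `sandbox_web_type`. These domains exist to contain untrusted client programs, so the wider set should carry a justifying comment above the rule, e.g. `# listen/accept needed by <application> (bug <id>)`. If only outbound connections are required, `create_socket_perms` already covers them. Whether a sandboxed process can actually bind a port is decided by rules outside this hunk.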
@@ -5728,7 +5737,7 @@ index 0000000..88a211a
 +allow sandbox_web_type self:process setsched;
 +dontaudit sandbox_web_type self:process setrlimit;
 +
-+allow sandbox_web_type self:tcp_socket create_socket_perms;
++allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
 +allow sandbox_web_type self:udp_socket create_socket_perms;
 +allow sandbox_web_type self:dbus { acquire_svc send_msg };
 +allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
@@ -6193,10 +6202,10 @@ index 0000000..3d12484
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..59867f6
+index 0000000..7e8fd3a
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,316 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -6279,6 +6288,9 @@ index 0000000..59867f6
 +
 +optional_policy(`
 +        dbus_system_bus_client(telepathy_msn_t)
++	optional_policy(`
++		networkmanager_dbus_chat(telepathy_msn_t)
++	')
 +')
 +
 +optional_policy(`
@@ -6985,7 +6997,7 @@ index 9e5c83e..953e0e8 100644
 +/lib/udev/devices/ppp	-c	gen_context(system_u:object_r:ppp_device_t,s0)
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 2ecdde8..d739fc3 100644
+index 2ecdde8..f118873 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -24,6 +24,7 @@ dev_node(ppp_device_t)
@@ -7047,9 +7059,11 @@ index 2ecdde8..d739fc3 100644
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -124,29 +132,32 @@ network_port(isns, tcp,3205,s0, udp,3205,s0)
+@@ -123,30 +131,34 @@ network_port(iscsi, tcp,3260,s0)
+ network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
++network_port(jabber_router, tcp,5347,s0)
  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 +network_port(kerberos_admin, tcp,749,s0)
@@ -7084,7 +7098,7 @@ index 2ecdde8..d739fc3 100644
  network_port(ntp, udp,123,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -154,12 +165,20 @@ network_port(pegasus_http, tcp,5988,s0)
+@@ -154,12 +166,20 @@ network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
@@ -7105,7 +7119,7 @@ index 2ecdde8..d739fc3 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -174,24 +193,27 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -174,24 +194,27 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -7137,7 +7151,7 @@ index 2ecdde8..d739fc3 100644
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -201,16 +223,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -201,16 +224,17 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -13639,10 +13653,10 @@ index 0000000..89d19e0
 +')
 diff --git a/policy/modules/services/cachefilesd.te b/policy/modules/services/cachefilesd.te
 new file mode 100644
-index 0000000..8561265
+index 0000000..e67f987
 --- /dev/null
 +++ b/policy/modules/services/cachefilesd.te
-@@ -0,0 +1,147 @@
+@@ -0,0 +1,146 @@
 +###############################################################################
 +#
 +# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
@@ -13668,7 +13682,6 @@ index 0000000..8561265
 +#
 +# Declarations
 +#
-+require { type kernel_t; }
 +
 +#
 +# Files in the cache are created by the cachefiles module with security ID
@@ -15887,7 +15900,7 @@ index 8ba9425..d53ee7e 100644
 +    gnome_dontaudit_search_config(denyhosts_t)
 +')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..ccacea9 100644
+index f231f17..ca3a848 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -15950,7 +15963,7 @@ index f231f17..ccacea9 100644
  manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-@@ -212,6 +232,7 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,12 +232,14 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -15958,7 +15971,14 @@ index f231f17..ccacea9 100644
  
  files_read_kernel_img(devicekit_power_t)
  files_read_etc_files(devicekit_power_t)
-@@ -225,6 +246,8 @@ auth_use_nsswitch(devicekit_power_t)
+ files_read_usr_files(devicekit_power_t)
+ 
+ fs_list_inotifyfs(devicekit_power_t)
++fs_getattr_all_fs(devicekit_power_t)
+ 
+ term_use_all_terms(devicekit_power_t)
+ 
+@@ -225,6 +247,8 @@ auth_use_nsswitch(devicekit_power_t)
  
  miscfiles_read_localization(devicekit_power_t)
  
@@ -15967,6 +15987,28 @@ index f231f17..ccacea9 100644
  sysnet_read_config(devicekit_power_t)
  sysnet_domtrans_ifconfig(devicekit_power_t)
  
+@@ -261,6 +285,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gnome_read_home_config(devicekit_power_t)
++')
++
++optional_policy(`
+ 	hal_domtrans_mac(devicekit_power_t)
+ 	hal_manage_log(devicekit_power_t)
+ 	hal_manage_pid_dirs(devicekit_power_t)
+@@ -280,5 +308,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	usbmuxd_stream_connect(devicekit_power_t)
++')
++
++optional_policy(`
+ 	vbetool_domtrans(devicekit_power_t)
+ ')
++
 diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
 index d4424ad..a307b51 100644
 --- a/policy/modules/services/dhcp.te
@@ -17508,6 +17550,301 @@ index 9fab1dc..05119f7 100644
  
  mta_send_mail(innd_t)
  
+diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
+index 4c9acec..908eb91 100644
+--- a/policy/modules/services/jabber.fc
++++ b/policy/modules/services/jabber.fc
+@@ -2,5 +2,14 @@
+ 
+ /usr/sbin/jabberd	--	gen_context(system_u:object_r:jabberd_exec_t,s0)
+ 
++# for new version of jabberd
++/usr/bin/router         --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)
++/usr/bin/sm             --      gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
++/usr/bin/s2s            --      gen_context(system_u:object_r:jabberd_exec_t,s0)
++
++/var/lib/jabberd(/.*)?           gen_context(system_u:object_r:jabberd_var_lib_t,s0)
++
++
+ /var/lib/jabber(/.*)?		gen_context(system_u:object_r:jabberd_var_lib_t,s0)
+ /var/log/jabber(/.*)?		gen_context(system_u:object_r:jabberd_log_t,s0)
+diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
+index 9878499..2873e8f 100644
+--- a/policy/modules/services/jabber.if
++++ b/policy/modules/services/jabber.if
+@@ -1,17 +1,96 @@
+ ## <summary>Jabber instant messaging server</summary>
+ 
+-########################################
++#######################################
+ ## <summary>
+-##	Connect to jabber over a TCP socket  (Deprecated)
++##      Execute a domain transition to run jabberd services
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`jabber_domtrans_jabberd',`
++        gen_require(`
++                type jabberd_t, jabberd_exec_t;
++        ')
++
++        domtrans_pattern($1, jabberd_exec_t, jabberd_t)
++')
++
++######################################
++## <summary>
++##      Execute a domain transition to run jabberd router service
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`jabber_domtrans_jabberd_router',`
++        gen_require(`
++                type jabberd_router_t, jabberd_router_exec_t;
++        ')
++
++        domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
++')
++
++#######################################
++## <summary>
++##      Read jabberd lib files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
+ ## </param>
+ #
+-interface(`jabber_tcp_connect',`
+-	refpolicywarn(`$0($*) has been deprecated.')
++interface(`jabberd_read_lib_files',`
++        gen_require(`
++                type jabberd_var_lib_t;
++        ')
++
++        files_search_var_lib($1)
++        read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
++')
++
++#######################################
++## <summary>
++##      Dontaudit inherited read jabberd lib files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`jabberd_dontaudit_read_lib_files',`
++        gen_require(`
++                type jabberd_var_lib_t;
++        ')
++
++        dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
++')
++
++#######################################
++## <summary>
++##      Create, read, write, and delete
++##      jabberd lib files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`jabberd_manage_lib_files',`
++        gen_require(`
++                type jabberd_var_lib_t;
++        ')
++
++        files_search_var_lib($1)
++        manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
+ ')
+ 
+ ########################################
+@@ -35,11 +114,15 @@ interface(`jabber_admin',`
+ 	gen_require(`
+ 		type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
+ 		type jabberd_var_run_t, jabberd_initrc_exec_t;
++		type jabberd_router_t;
+ 	')
+ 
+ 	allow $1 jabberd_t:process { ptrace signal_perms };
+ 	ps_process_pattern($1, jabberd_t)
+ 
++	allow $1 jabberd_router_t:process { ptrace signal_perms };
++        ps_process_pattern($1, jabberd_router_t)
++
+ 	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 jabberd_initrc_exec_t system_r;
+diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
+index da2127e..975bbcd 100644
+--- a/policy/modules/services/jabber.te
++++ b/policy/modules/services/jabber.te
+@@ -1,3 +1,4 @@
++
+ policy_module(jabber, 1.8.0)
+ 
+ ########################################
+@@ -5,13 +6,19 @@ policy_module(jabber, 1.8.0)
+ # Declarations
+ #
+ 
+-type jabberd_t;
++attribute jabberd_domain;
++
++type jabberd_t, jabberd_domain;
+ type jabberd_exec_t;
+ init_daemon_domain(jabberd_t, jabberd_exec_t)
+ 
+ type jabberd_initrc_exec_t;
+ init_script_file(jabberd_initrc_exec_t)
+ 
++type jabberd_router_t, jabberd_domain;
++type jabberd_router_exec_t;
++init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
++
+ type jabberd_log_t;
+ logging_log_file(jabberd_log_t)
+ 
+@@ -21,40 +28,78 @@ files_type(jabberd_var_lib_t)
+ type jabberd_var_run_t;
+ files_pid_file(jabberd_var_run_t)
+ 
+-########################################
++permissive jabberd_router_t;
++permissive jabberd_t;
++
++#######################################
+ #
+-# Local policy
++# Local policy for jabberd domains
+ #
+ 
+-allow jabberd_t self:capability dac_override;
+-dontaudit jabberd_t self:capability sys_tty_config;
+-allow jabberd_t self:process signal_perms;
+-allow jabberd_t self:fifo_file read_fifo_file_perms;
+-allow jabberd_t self:tcp_socket create_stream_socket_perms;
+-allow jabberd_t self:udp_socket create_socket_perms;
++allow jabberd_domain self:process signal_perms;
++allow jabberd_domain self:fifo_file read_fifo_file_perms;
++allow jabberd_domain self:tcp_socket create_stream_socket_perms;
++allow jabberd_domain self:udp_socket create_socket_perms;
++
++manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
++manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
++
++# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd
++manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t)
++logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir })
++
++manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t)
++files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file)
++
++corenet_all_recvfrom_unlabeled(jabberd_domain)
++corenet_all_recvfrom_netlabel(jabberd_domain)
++corenet_tcp_sendrecv_generic_if(jabberd_domain)
++corenet_udp_sendrecv_generic_if(jabberd_domain)
++corenet_tcp_sendrecv_generic_node(jabberd_domain)
++corenet_udp_sendrecv_generic_node(jabberd_domain)
++corenet_tcp_sendrecv_all_ports(jabberd_domain)
++corenet_udp_sendrecv_all_ports(jabberd_domain)
++corenet_tcp_bind_generic_node(jabberd_domain)
++
++dev_read_urand(jabberd_domain)
++dev_read_urand(jabberd_domain)
++
++files_read_etc_files(jabberd_domain)
++files_read_etc_runtime_files(jabberd_domain)
++
++logging_send_syslog_msg(jabberd_domain)
++
++miscfiles_read_localization(jabberd_domain)
++
++sysnet_read_config(jabberd_domain)
+ 
+-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
+-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file)
++######################################
++#
++# Local policy for jabberd-router
++#
++
++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
++
++corenet_tcp_bind_jabber_router_port(jabberd_router_t)
++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+ 
+-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
+-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
++optional_policy(`
++        kerberos_use(jabberd_router_t)
++')
++
++########################################
++#
++# Local policy for jabberd
++#
+ 
+-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
+-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
++allow jabberd_t self:capability dac_override;
++dontaudit jabberd_t self:capability sys_tty_config;
+ 
+ kernel_read_kernel_sysctls(jabberd_t)
+-kernel_list_proc(jabberd_t)
+ kernel_read_proc_symlinks(jabberd_t)
++kernel_read_system_state(jabberd_t)
+ 
+-corenet_all_recvfrom_unlabeled(jabberd_t)
+-corenet_all_recvfrom_netlabel(jabberd_t)
+-corenet_tcp_sendrecv_generic_if(jabberd_t)
+-corenet_udp_sendrecv_generic_if(jabberd_t)
+-corenet_tcp_sendrecv_generic_node(jabberd_t)
+-corenet_udp_sendrecv_generic_node(jabberd_t)
+-corenet_tcp_sendrecv_all_ports(jabberd_t)
+-corenet_udp_sendrecv_all_ports(jabberd_t)
+-corenet_tcp_bind_generic_node(jabberd_t)
++corenet_tcp_connect_jabber_router_port(jabberd_t)
+ corenet_tcp_bind_jabber_client_port(jabberd_t)
+ corenet_tcp_bind_jabber_interserver_port(jabberd_t)
+ corenet_sendrecv_jabber_client_server_packets(jabberd_t)
+@@ -66,18 +111,9 @@ dev_read_rand(jabberd_t)
+ 
+ domain_use_interactive_fds(jabberd_t)
+ 
+-files_read_etc_files(jabberd_t)
+-files_read_etc_runtime_files(jabberd_t)
+-
+ fs_getattr_all_fs(jabberd_t)
+ fs_search_auto_mountpoints(jabberd_t)
+ 
+-logging_send_syslog_msg(jabberd_t)
+-
+-miscfiles_read_localization(jabberd_t)
+-
+-sysnet_read_config(jabberd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
+ userdom_dontaudit_search_user_home_dirs(jabberd_t)
+ 
 diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
 index 3525d24..e5db539 100644
 --- a/policy/modules/services/kerberos.fc
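Review bot: The two `permissive` declarations added in jabber.te switch off enforcement for `jabberd_t` as well as for the new `jabberd_router_t`, so a daemon that binds TCP ports and was confined before this commit now only logs denials. If permissive mode is needed while rules for the new jabberd version are collected, limit it to the new domain by keeping `permissive jabberd_router_t;` and dropping `permissive jabberd_t;`. A comment such as `# TODO: remove once router AVCs are reviewed` would keep it from shipping indefinitely. Two smaller items in the same hunk: `dev_read_urand(jabberd_domain)` is listed twice, and the parameter summary of `jabberd_dontaudit_read_lib_files` says "Domain allowed access." where "Domain to not audit." would describe it.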
@@ -17879,6 +18216,28 @@ index 67c7fdd..19bcae2 100644
  	files_list_var(mailman_$1_t)
  	files_list_var_lib(mailman_$1_t)
  	files_read_var_lib_symlinks(mailman_$1_t)
+diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
+index af4d572..ac97ed9 100644
+--- a/policy/modules/services/mailman.te
++++ b/policy/modules/services/mailman.te
+@@ -81,6 +81,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gnome_dontaudit_search_config(mailman_mail_t)
++')
++
++optional_policy(`
+ 	cron_read_pipes(mailman_mail_t)
+ ')
+ 
+@@ -125,4 +129,4 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	su_exec(mailman_queue_t)
+-')
+\ No newline at end of file
++')
 diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
 index db4fd6f..c28a876 100644
 --- a/policy/modules/services/memcached.if
@@ -21985,6 +22344,21 @@ index cd683f9..2f03bad 100644
  userdom_dontaudit_search_user_home_dirs(pyzor_t)
  
  optional_policy(`
+diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
+index 355b2a2..1b01d75 100644
+--- a/policy/modules/services/qmail.te
++++ b/policy/modules/services/qmail.te
+@@ -121,6 +121,10 @@ mta_append_spool(qmail_local_t)
+ qmail_domtrans_queue(qmail_local_t)
+ 
+ optional_policy(`
++	uucp_domtrans(qmail_local_t)
++')
++
++optional_policy(`
+ 	spamassassin_domtrans_client(qmail_local_t)
+ ')
+ 
 diff --git a/policy/modules/services/qpidd.fc b/policy/modules/services/qpidd.fc
 new file mode 100644
 index 0000000..f3b89e4
@@ -22657,7 +23031,7 @@ index c2ba53b..b19961e 100644
  /usr/sbin/groupd			--	gen_context(system_u:object_r:groupd_exec_t,s0)
  /usr/sbin/qdiskd			--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
 diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..b6a524b 100644
+index de37806..6928301 100644
 --- a/policy/modules/services/rhcs.if
 +++ b/policy/modules/services/rhcs.if
 @@ -14,6 +14,8 @@
@@ -22723,7 +23097,7 @@ index de37806..b6a524b 100644
 +#
 +interface(`rhcs_rw_cluster_semaphores',`
 +        gen_require(`
-+                type cluster_domain;
++		attribute cluster_domain;
 +        ')
 +
 +        allow $1 cluster_domain:sem { rw_sem_perms destroy };
@@ -25454,6 +25828,36 @@ index fa54aee..40b8b8d 100644
  
 -/var/run/usbmuxd	-s 	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
 +/var/run/usbmuxd.*	 	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
+diff --git a/policy/modules/services/uucp.if b/policy/modules/services/uucp.if
+index a4fbe31..0e4774c 100644
+--- a/policy/modules/services/uucp.if
++++ b/policy/modules/services/uucp.if
+@@ -2,6 +2,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute the uucico program in the
++##	uucpd_t domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`uucp_domtrans',`
++	gen_require(`
++		type uucpd_t, uucpd_exec_t;
++	')
++
++	domtrans_pattern($1, uucpd_exec_t, uucpd_t)
++')
++
++########################################
++## <summary>
+ ##	Allow the specified domain to append
+ ##	to uucp log files.
+ ## </summary>
 diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
 index b775aaf..ec1562b 100644
 --- a/policy/modules/services/uucp.te
@@ -26403,7 +26807,7 @@ index 6f1e3c7..39c2bb3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..6ff8f25 100644
+index da2601a..a1d911d 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -26663,7 +27067,16 @@ index da2601a..6ff8f25 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -1224,9 +1316,20 @@ interface(`xserver_manage_core_devices',`
+@@ -1072,6 +1164,8 @@ interface(`xserver_domtrans',`
+ 
+  	allow $1 xserver_t:process siginh;
+ 	domtrans_pattern($1, xserver_exec_t, xserver_t)
++
++	allow xserver_t $1:process getpgid;
+ ')
+ 
+ ########################################
+@@ -1224,9 +1318,20 @@ interface(`xserver_manage_core_devices',`
  		class x_device all_x_device_perms;
  		class x_pointer all_x_pointer_perms;
  		class x_keyboard all_x_keyboard_perms;
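Review bot: `allow xserver_t $1:process getpgid;` gives the X server a permission on the calling domain, the reverse direction of the transition that `xserver_domtrans` is named for, and it carries no comment. A line above the rule such as `# X server queries the process group of the domain that started it` (wording to be confirmed by the author) would tell future callers that using this interface also exposes them to `xserver_t`. The interface's header and `gen_require` block start outside the hunk.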
@@ -26684,7 +27097,7 @@ index da2601a..6ff8f25 100644
  ')
  
  ########################################
-@@ -1250,3 +1353,329 @@ interface(`xserver_unconfined',`
+@@ -1250,3 +1355,329 @@ interface(`xserver_unconfined',`
  	typeattribute $1 x_domain;
  	typeattribute $1 xserver_unconfined_type;
  ')
@@ -28331,7 +28744,7 @@ index 1c4b1e7..2997dd7 100644
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 7fddc24..06185fd 100644
+index 7fddc24..227958c 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -91,9 +91,12 @@ interface(`auth_use_pam',`
@@ -28347,15 +28760,18 @@ index 7fddc24..06185fd 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -107,6 +110,7 @@ interface(`auth_login_pgm_domain',`
+@@ -107,8 +110,10 @@ interface(`auth_login_pgm_domain',`
  	allow $1 self:capability ipc_lock;
  	allow $1 self:process setkeycreate;
  	allow $1 self:key manage_key_perms;
 +	userdom_manage_all_users_keys($1)
  
  	files_list_var_lib($1)
++	manage_dirs_pattern($1, var_auth_t, var_auth_t)
  	manage_files_pattern($1, var_auth_t, var_auth_t)
-@@ -126,6 +130,8 @@ interface(`auth_login_pgm_domain',`
+ 
+ 	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+@@ -126,6 +131,8 @@ interface(`auth_login_pgm_domain',`
  	files_read_etc_files($1)
  
  	fs_list_auto_mountpoints($1)
@@ -28364,7 +28780,7 @@ index 7fddc24..06185fd 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -141,6 +147,7 @@ interface(`auth_login_pgm_domain',`
+@@ -141,6 +148,7 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -28372,7 +28788,7 @@ index 7fddc24..06185fd 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -151,8 +158,38 @@ interface(`auth_login_pgm_domain',`
+@@ -151,8 +159,38 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -28413,7 +28829,7 @@ index 7fddc24..06185fd 100644
  	')
  ')
  
-@@ -365,13 +402,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -365,13 +403,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -28430,7 +28846,7 @@ index 7fddc24..06185fd 100644
  ')
  
  ########################################
-@@ -418,6 +457,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +458,7 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -28438,7 +28854,7 @@ index 7fddc24..06185fd 100644
  ')
  
  ########################################
-@@ -874,6 +914,26 @@ interface(`auth_exec_pam',`
+@@ -874,6 +915,26 @@ interface(`auth_exec_pam',`
  
  ########################################
  ## <summary>
@@ -28465,7 +28881,7 @@ index 7fddc24..06185fd 100644
  ##	Manage var auth files. Used by various other applications
  ##	and pam applets etc.
  ## </summary>
-@@ -1500,6 +1560,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1561,8 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -28474,7 +28890,7 @@ index 7fddc24..06185fd 100644
  	files_list_var_lib($1)
  
  	# read /etc/nsswitch.conf
-@@ -1531,7 +1593,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1594,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -31593,7 +32009,7 @@ index 8b5c196..3490497 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..24ffd8a 100644
+index fca6947..2639086 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -31813,10 +32229,14 @@ index fca6947..24ffd8a 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,6 +269,11 @@ optional_policy(`
+@@ -180,6 +269,15 @@ optional_policy(`
  	')
  ')
  
++optional_policy(`
++	livecd_rw_tmp_files(mount_t)
++')
++
 +# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
 +optional_policy(`
 +	lvm_domtrans(mount_t)
@@ -31825,7 +32245,7 @@ index fca6947..24ffd8a 100644
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -187,6 +281,19 @@ optional_policy(`
+@@ -187,6 +285,19 @@ optional_policy(`
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -31845,7 +32265,7 @@ index fca6947..24ffd8a 100644
  ')
  
  ########################################
-@@ -195,6 +302,42 @@ optional_policy(`
+@@ -195,6 +306,42 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -33536,7 +33956,7 @@ index 025348a..59bc26b 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..8451600 100644
+index a054cf5..7cc3698 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -33623,11 +34043,12 @@ index a054cf5..8451600 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +294,10 @@ optional_policy(`
+@@ -273,6 +294,11 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	usbmuxd_domtrans(udev_t)
++	usbmuxd_stream_connect(udev_t)
 +')
 +
 +optional_policy(`
@@ -37277,7 +37698,7 @@ index b785e35..d9b0868 100644
 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 diff --git a/policy/users b/policy/users
-index c4ebc7e..7ae41a6 100644
+index c4ebc7e..be2a04c 100644
 --- a/policy/users
 +++ b/policy/users
 @@ -15,7 +15,7 @@
@@ -37285,7 +37706,7 @@ index c4ebc7e..7ae41a6 100644
  # identity.
  #
 -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+gen_user(system_u,, system_r unconfined_u, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
  
  #
  # user_u is a generic user identity for Linux users who have no
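Review bot: With the role spelled `unconfined_r`, this `gen_user` line authorizes the `system_u` identity for the unconfined role, and the comment block above it (only partly visible in the hunk) does not appear to mention that. A short comment such as `# unconfined_r is needed so that <service> started by init can run unconfined` would record why system processes may enter that role. Judging by its suffix, the previous spelling `unconfined_u` names a user, not a role, so this is presumably the first revision in which the grant takes effect.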
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0d858c7..00a2004 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 
 %changelog
+* Tue Aug 30 2010 Dan Walsh <dwalsh at redhat.com> 3.9.1-2
+- Dominic Grift Cleanup
+- Miroslav Grepl policy for jabberd
+- Various fixes for mount/livecd and prelink
+
 * Mon Aug 30 2010 Dan Walsh <dwalsh at redhat.com> 3.9.1-1
 - Merge with upstream
 
diff --git a/sources b/sources
index d39c41a..4192ac7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-9012ab09af5480459942d4a54de91db4  serefpolicy-3.9.0.tgz
 1351ca1eca73598202c01ea63efba6d1  serefpolicy-3.9.1.tgz

