[selinux-policy: 3167/3172] dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:41:39 UTC 2010 

commit 3235a8bbe6912f769cac4659e61712f1dac64c3b
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Oct 7 09:06:56 2010 -0400

    dontaudit sandbox sending signals to itself.  This can happen when they are running at different mcs.
    Disable transition from dbus_session_domain to telepathy for F14
    Allow boinc_project to use shm
    Allow certmonger to search through directories that contain certs
    Allow fail2ban the DAC Override so it can read log files owned by non root users

 policy/modules/apps/sandbox.te        |    2 ++
 policy/modules/apps/telepathy.if      |    4 +++-
 policy/modules/services/apache.if     |   21 +++++++++++++++++++++
 policy/modules/services/boinc.te      |    1 +
 policy/modules/services/certmonger.te |   11 +++++++++++
 policy/modules/services/fail2ban.te   |    2 +-
 6 files changed, 39 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
index 2419a2a..89fcce3 100644
--- a/policy/modules/apps/sandbox.te
+++ b/policy/modules/apps/sandbox.te
@@ -152,6 +152,8 @@ allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
 allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 
 allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
+dontaudit sandbox_x_domain self:process signal;
+
 allow sandbox_x_domain self:shm create_shm_perms;
 allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
 allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
index 3d12484..21b65bc 100644
--- a/policy/modules/apps/telepathy.if
+++ b/policy/modules/apps/telepathy.if
@@ -29,7 +29,9 @@ template(`telepathy_domain_template',`
 	files_tmp_file(telepathy_$1_tmp_t)
 	ubac_constrained(telepathy_$1_tmp_t)
 
-	dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
+	ifdef(`TODO',`
+		dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
+	')
 ')
 
 #######################################
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index ba64143..6918ff2 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -580,6 +580,27 @@ interface(`apache_delete_cache_files',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to search
+##	apache configuration dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`apache_search_config',`
+	gen_require(`
+		type httpd_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 httpd_config_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read
 ##	apache configuration files.
 ## </summary>
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
index c9622ef..4bc3f06 100644
--- a/policy/modules/services/boinc.te
+++ b/policy/modules/services/boinc.te
@@ -122,6 +122,7 @@ allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigs
 allow boinc_project_t self:process { execmem execstack };
 
 allow boinc_project_t self:fifo_file rw_fifo_file_perms;
+allow boinc_project_t self:sem create_sem_perms;
 
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index 1c87fb3..5595c96 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -58,6 +58,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
 
 sysnet_dns_name_resolve(certmonger_t)
 
+userdom_search_user_home_content(certmonger_t)
+
+optional_policy(`
+	apache_search_config(certmonger_t)
+')
+
+optional_policy(`
+	bind_search_cache(certmonger_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(certmonger_t)
 	dbus_connect_system_bus(certmonger_t)
@@ -70,3 +80,4 @@ optional_policy(`
 optional_policy(`
 	pcscd_stream_connect(certmonger_t)
 ')
+
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 7c5bf19..0a4216c 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -28,7 +28,7 @@ files_pid_file(fail2ban_var_run_t)
 # fail2ban local policy
 #
 
-allow fail2ban_t self:capability { sys_tty_config };
+allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
 allow fail2ban_t self:process signal;
 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };

More information about the scm-commits mailing list