[selinux-policy/f14/master: 3222/3230] Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Oct 12 20:17:33 UTC 2010
commit 4c437c88cbc96a8610aa5b62c4313853810180f2
Merge: 3853925 bd51fa3
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Oct 7 14:06:33 2010 -0400
Merge branch 'master' of http://oss.tresys.com/git/refpolicy
Conflicts:
policy/modules/admin/rpm.if
policy/modules/admin/shutdown.fc
policy/modules/admin/shutdown.te
policy/modules/kernel/corenetwork.te.in
policy/modules/roles/staff.te
policy/modules/roles/unprivuser.te
policy/modules/system/unconfined.te
policy/modules/system/userdomain.if
Changelog | 3 +
Makefile | 4 +
build.conf | 6 +
policy/modules/admin/alsa.if | 38 +++
policy/modules/admin/alsa.te | 2 +-
policy/modules/admin/bootloader.if | 3 +-
policy/modules/admin/bootloader.te | 13 +-
policy/modules/admin/brctl.if | 1 +
policy/modules/admin/brctl.te | 5 +-
policy/modules/admin/consoletype.te | 15 +-
policy/modules/admin/logrotate.if | 2 +
policy/modules/admin/logrotate.te | 2 +-
policy/modules/admin/netutils.if | 6 +
policy/modules/admin/netutils.te | 9 +-
policy/modules/admin/quota.if | 3 +-
policy/modules/admin/quota.te | 2 +-
policy/modules/admin/rpm.if | 11 +-
policy/modules/admin/rpm.te | 14 +-
policy/modules/admin/shutdown.fc | 6 +-
policy/modules/admin/shutdown.if | 5 +-
policy/modules/admin/shutdown.te | 5 +-
policy/modules/admin/tzdata.if | 1 +
policy/modules/admin/tzdata.te | 2 +-
policy/modules/admin/usermanage.if | 6 +-
policy/modules/admin/usermanage.te | 6 +-
policy/modules/kernel/corenetwork.te.in | 7 +-
policy/modules/roles/staff.te | 2 +-
policy/modules/roles/sysadm.te | 11 +-
policy/modules/roles/unprivuser.te | 2 +-
policy/modules/services/cyphesis.te | 2 +-
policy/modules/services/hadoop.fc | 55 +++++
policy/modules/services/hadoop.if | 331 +++++++++++++++++++++++++++
policy/modules/services/hadoop.te | 374 +++++++++++++++++++++++++++++++
policy/modules/system/init.if | 18 ++
policy/modules/system/unconfined.te | 3 +-
policy/modules/system/userdomain.if | 7 +
policy/modules/system/userdomain.te | 2 +-
37 files changed, 914 insertions(+), 70 deletions(-)
---
diff --cc policy/modules/admin/brctl.if
index fdb453c,2c2cdb6..b95a47f
--- a/policy/modules/admin/brctl.if
+++ b/policy/modules/admin/brctl.if
@@@ -15,24 -15,6 +15,25 @@@ interface(`brctl_domtrans',
type brctl_t, brctl_exec_t;
')
+ corecmd_search_bin($1)
domtrans_pattern($1, brctl_exec_t, brctl_t)
')
+
+#####################################
+## <summary>
+## Execute brctl in the brctl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`brctl_run',`
+ gen_require(`
+ type brctl_t, brctl_exec_t;
+ ')
+
+ brctl_domtrans($1)
+ role $2 types brctl_t;
+')
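Review bot: The new `brctl_run` interface documents only `<param name="domain">` although its body uses `$2` as a role at L85; the XML header should gain a matching `<param name="role"><summary>Role allowed access.</summary></param>` block so the generated interface documentation lists both arguments. The `gen_require` also pulls in `brctl_exec_t`, which the body never references directly (only `brctl_domtrans($1)` does), so it can be trimmed to `type brctl_t;`. The summary repeats the domtrans wording; `Execute brctl in the brctl domain, and allow the specified role the brctl domain.` is the usual phrasing for a run interface.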
diff --cc policy/modules/admin/rpm.if
index ddbb3af,d33daa8..cad488d
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@@ -13,14 -13,10 +13,13 @@@
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
+ attribute rpm_transition_domain;
')
- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
+ typeattribute $1 rpm_transition_domain;
+ rpm_debuginfo_domtrans($1)
')
########################################
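Review bot: `rpm_domtrans` now carries two side effects beyond the transition it is named for — `typeattribute $1 rpm_transition_domain;` at L100 and the unconditional `rpm_debuginfo_domtrans($1)` at L101 — so every existing caller silently gains a second domain transition. The interface's summary sits above this hunk and presumably still describes only the rpm transition; a sentence there such as `Also allows the caller to transition to the rpm debuginfo domain and adds it to rpm_transition_domain.` would make the broadening visible to policy authors. If the debuginfo transition is not wanted by every caller, leaving it to a separate interface keeps this one's scope tight. The enclosing interface's header is outside the hunk.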
@@@ -88,13 -82,7 +85,12 @@@ interface(`rpm_run',
')
rpm_domtrans($1)
- role $2 types rpm_t;
- role $2 types rpm_script_t;
+ role $2 types { rpm_t rpm_script_t };
+
+ domain_system_change_exemption($1)
+ role_transition $2 rpm_exec_t system_r;
+ allow $2 system_r;
+
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
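Review bot: The three added lines `domain_system_change_exemption($1)`, `role_transition $2 rpm_exec_t system_r;` and `allow $2 system_r;` (L111-L113) let every role passed as `$2` enter `system_r`, a broader privilege than the interface name suggests, and it now applies to any caller of `rpm_run`, including the roles whose files appear in this merge's conflict list. A comment above L111 stating why the role transition is needed (presumably so rpm scriptlets run as `system_r` rather than in the caller's role) would keep it intentional, e.g. `# rpm scriptlets run in system_r; let the caller's role follow the exec`. Consider too whether `domain_system_change_exemption($1)` must apply to the caller domain itself or only to `rpm_t`/`rpm_script_t`, since exempting `$1` relaxes the constraint for all of its processes. The `rpm_run` body continues past the end of this hunk.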
diff --cc policy/modules/admin/rpm.te
index bdba9c5,542b820..a91d384
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@@ -1,7 -1,5 +1,7 @@@
- policy_module(rpm, 1.11.1)
+ policy_module(rpm, 1.11.2)
+attribute rpm_transition_domain;
+
########################################
#
# Declarations
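Review bot: `attribute rpm_transition_domain;` (L125) is declared ahead of the `# Declarations` banner at L127-L129 rather than inside that section, and it carries no comment explaining what it groups. Moving it below the banner with a short description, e.g. `# domains allowed to transition to rpm_t via rpm_domtrans()`, would match the file's sectioning and tell readers why the attribute exists.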
@@@ -106,10 -101,10 +104,11 @@@ files_var_filetrans(rpm_t, rpm_var_cach
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
+manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
-files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
+ kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
diff --cc policy/modules/admin/shutdown.te
index eb63a79,3863241..5280124
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@@ -43,7 -43,9 +45,8 @@@ term_use_all_terms(shutdown_t
auth_use_nsswitch(shutdown_t)
auth_write_login_records(shutdown_t)
-init_dontaudit_write_utmp(shutdown_t)
-init_read_utmp(shutdown_t)
+init_rw_utmp(shutdown_t)
+ init_stream_connect(shutdown_t)
init_telinit(shutdown_t)
logging_search_logs(shutdown_t)
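Review bot: Replacing `init_dontaudit_write_utmp(shutdown_t)` and `init_read_utmp(shutdown_t)` with `init_rw_utmp(shutdown_t)` (L148-L150) turns a denial that was merely silenced into an allow, so `shutdown_t` can now modify utmp. If the write is genuinely needed (shutdown presumably records the runlevel change, alongside the existing `auth_write_login_records`), a comment such as `# shutdown records the runlevel change in utmp` above L150 would show the broadening is deliberate rather than a merge artefact. The added `init_stream_connect(shutdown_t)` at L151 likewise says nothing about what it connects to; if it is for telinit to reach init's control socket, a note saying so helps the next reviewer.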
diff --cc policy/modules/kernel/corenetwork.te.in
index f15e5ba,36ba519..ba41f1f
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@@ -235,8 -212,10 +237,11 @@@ network_port(whois, tcp,43,s0, udp,43,s
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
-network_port(xserver, tcp,6000-6020,s0)
+network_port(xserver, tcp,6000-6150,s0)
+network_port(zarafa, tcp,236,s0)
+ network_port(zookeeper_client, tcp,2181,s0)
+ network_port(zookeeper_election, tcp,3888,s0)
+ network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)
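Review bot: The widened `network_port(xserver, tcp,6000-6150,s0)` at L163 labels TCP 6021-6150 as the X server port type; if any other port declaration in the file falls in that range it will now conflict, and listeners on those ports inherit the X-server port permissions, so a comment giving the motivation (display numbers above :20, presumably) would help. Separately, `zarafa` and the three `zookeeper_*` entries (L164-L167) are inserted ahead of `zebra`, breaking the alphabetical order the surrounding lines follow; the block should read `zarafa`, `zebra`, `zookeeper_client`, `zookeeper_election`, `zookeeper_leader`, `zope`.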
diff --cc policy/modules/system/unconfined.te
index 4474379,8a4ee77..f0dca4c
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@@ -4,5 -4,231 +4,4 @@@ policy_module(unconfined, 3.2.1
#
# Declarations
#
-
-# usage in this module of types created by these
-# calls is not correct, however we dont currently
-# have another method to add access to these types
-userdom_base_user_template(unconfined)
-userdom_manage_home_role(unconfined_r, unconfined_t)
-userdom_manage_tmp_role(unconfined_r, unconfined_t)
-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-
-type unconfined_exec_t;
-init_system_domain(unconfined_t, unconfined_exec_t)
-
-type unconfined_execmem_t;
-type unconfined_execmem_exec_t;
-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t)
-role unconfined_r types unconfined_execmem_t;
-
-########################################
-#
-# Local policy
-#
-
-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
-
-files_create_boot_flag(unconfined_t)
-
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
-
-init_run_daemon(unconfined_t, unconfined_r)
-
-libs_run_ldconfig(unconfined_t, unconfined_r)
-
-logging_send_syslog_msg(unconfined_t)
-logging_run_auditctl(unconfined_t, unconfined_r)
-
-mount_run_unconfined(unconfined_t, unconfined_r)
-
-seutil_run_setfiles(unconfined_t, unconfined_r)
-seutil_run_semanage(unconfined_t, unconfined_r)
-
-unconfined_domain(unconfined_t)
-
-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-
-ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- ada_domtrans(unconfined_t)
-')
-
-optional_policy(`
- apache_run_helper(unconfined_t, unconfined_r)
- apache_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- bind_run_ndc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- bootloader_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- cron_unconfined_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- init_dbus_chat_script(unconfined_t)
-
- dbus_stub(unconfined_t)
-
- optional_policy(`
- avahi_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- bluetooth_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- consolekit_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- cups_dbus_chat_config(unconfined_t)
- ')
-
- optional_policy(`
- hal_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- networkmanager_dbus_chat(unconfined_t)
- ')
-
- optional_policy(`
- oddjob_dbus_chat(unconfined_t)
- ')
-')
-
-optional_policy(`
- firstboot_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- ftp_run_ftpdctl(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- hadoop_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- inn_domtrans(unconfined_t)
-')
-
-optional_policy(`
- java_run_unconfined(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- lpd_run_checkpc(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- modutils_run_update_mods(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- mono_domtrans(unconfined_t)
-')
-
-optional_policy(`
- mta_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- oddjob_domtrans_mkhomedir(unconfined_t)
-')
-
-optional_policy(`
- prelink_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- portmap_run_helper(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- postfix_run_map(unconfined_t, unconfined_r)
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
-')
-
-optional_policy(`
- pyzor_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- # cjp: this should probably be removed:
- rpc_domtrans_nfsd(unconfined_t)
-')
-
-optional_policy(`
- rpm_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- samba_run_net(unconfined_t, unconfined_r)
- samba_run_winbind_helper(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- spamassassin_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
- sysnet_run_dhcpc(unconfined_t, unconfined_r)
- sysnet_dbus_chat_dhcpc(unconfined_t)
-')
-
-optional_policy(`
- tzdata_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- vpn_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- webalizer_run(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
- wine_domtrans(unconfined_t)
-')
-
-optional_policy(`
- xserver_domtrans(unconfined_t)
-')
-
-########################################
-#
-# Unconfined Execmem Local policy
-#
-
-allow unconfined_execmem_t self:process { execstack execmem };
-unconfined_domain_noaudit(unconfined_execmem_t)
-
-optional_policy(`
- dbus_stub(unconfined_execmem_t)
-
- init_dbus_chat_script(unconfined_execmem_t)
- unconfined_dbus_chat(unconfined_execmem_t)
-
- optional_policy(`
- hal_dbus_chat(unconfined_execmem_t)
- ')
-')
+attribute unconfined_services;
-
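Review bot: `attribute unconfined_services;` at L406 is the only declaration the merge leaves in this section and it has no comment saying which domains it is meant to collect or which interface applies it. A one-line comment above it, such as `# service domains that run unconfined — see the interfaces that apply this attribute`, would orient a reader, since the rest of this hunk is the upstream `unconfined_t` definition being dropped in favour of the Fedora side.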
diff --cc policy/modules/system/userdomain.if
index 54365f8,35f1476..8d157ff
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@@ -645,7 -574,9 +645,9 @@@ template(`userdom_common_user_template'
')
optional_policy(`
+ alsa_read_rw_config($1_usertype)
+ alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
+ alsa_relabel_home_files($1_t)
')
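Review bot: Within the same `optional_policy` block, `alsa_read_rw_config` is now granted to `$1_usertype` (L415) while `alsa_manage_home_files` and `alsa_relabel_home_files` (L416, L418) are granted only to `$1_t`; the split may be intentional (read access for every domain in the user type, write access only for the primary domain), but nothing in the hunk says so. A short comment above L415, e.g. `# all user-type domains read alsa config; only the primary domain manages its home files`, would record the reasoning and keep a later cleanup from harmonising them by accident. The enclosing `userdom_common_user_template` begins before this hunk.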
optional_policy(`
@@@ -756,8 -644,13 +758,13 @@@
')
optional_policy(`
+ oident_manage_user_content($1_t)
+ oident_relabel_user_content($1_t)
+ ')
+
+ optional_policy(`
# to allow monitoring of pcmcia status
- pcmcia_read_pid($1_t)
+ pcmcia_read_pid($1_usertype)
')
optional_policy(`