[selinux-policy] - gnomeclock executes a shell - Update for screen policy to handle pipe in homedir - Fixes for polyi

Miroslav Grepl mgrepl at fedoraproject.org
Fri Jan 14 16:48:48 UTC 2011


commit 116d73139a7138dc451618f71dc40c56235b48e5
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Jan 14 17:48:34 2011 +0000

    - gnomeclock executes a shell
    - Update for screen policy to handle pipe in homedir
    - Fixes for polyinstantiated homedir
    - Fixes for namespace policy and other fixes related to polyinstantiation
    - Add namespace policy
    - Allow dovecot-deliver transition to sendmail which is needed by sieve scri
    - Fixes for init, psad policy which relate with confined users
    - Do not audit bootloader attempts to read devicekit pid files
    - Allow nagios service plugins to read /proc

 modules-mls.conf      |    7 +
 modules-targeted.conf |    7 +
 policy-F15.patch      |  508 ++++++++++++++++++++++++++++++++++++++-----------
 selinux-policy.spec   |   13 ++-
 4 files changed, 426 insertions(+), 109 deletions(-)
---
diff --git a/modules-mls.conf b/modules-mls.conf
index ccfa3e8..2ecea15 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2096,3 +2096,10 @@ shutdown = module
 # The unlabelednet module.
 #
 unlabelednet = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script 
+#
+namespace = module
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 905cd44..44b5b28 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2335,3 +2335,10 @@ keyboardd = module
 # firewalld is firewall service daemon that provides dynamic customizable
 # 
 firewalld = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script 
+#
+namespace = module
diff --git a/policy-F15.patch b/policy-F15.patch
index bb4ab9d..87dc4e7 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -4376,7 +4376,7 @@ index 9a6d67d..5ac3ea5 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..593cefa 100644
+index 2a91fa8..319c66a 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -4458,7 +4458,7 @@ index 2a91fa8..593cefa 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,151 @@ optional_policy(`
+@@ -266,3 +291,161 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -4513,6 +4513,9 @@ index 2a91fa8..593cefa 100644
 +corenet_tcp_connect_squid_port(mozilla_plugin_t)
 +corenet_tcp_connect_ipp_port(mozilla_plugin_t)
 +corenet_tcp_connect_speech_port(mozilla_plugin_t)
++corenet_tcp_connect_streaming_port(mozilla_plugin_t)
++corenet_tcp_bind_generic_node(mozilla_plugin_t)
++corenet_udp_bind_generic_node(mozilla_plugin_t)
 +
 +dev_read_rand(mozilla_plugin_t)
 +dev_read_urand(mozilla_plugin_t)
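Review bot: The added `corenet_tcp_bind_generic_node(mozilla_plugin_t)` and `corenet_udp_bind_generic_node(mozilla_plugin_t)` let the plugin domain call bind() on its own sockets, and nothing in the hunk records which plugin needs that or on which ports (no port name_bind rule is visible alongside them, so binds to ports covered by a named port type would presumably still be denied). Since mozilla_plugin_t runs third-party browser plugins, a one-line comment above these rules naming the use case, e.g. `# streaming/voice plugins bind() local sockets`, would let a later reader judge whether the grant can be narrowed. The enclosing block starts and ends outside the hunk.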
@@ -4536,6 +4539,8 @@ index 2a91fa8..593cefa 100644
 +
 +application_dontaudit_signull(mozilla_plugin_t)
 +
++logging_send_syslog_msg(mozilla_plugin_t)
++
 +miscfiles_read_localization(mozilla_plugin_t)
 +miscfiles_read_fonts(mozilla_plugin_t)
 +miscfiles_read_certs(mozilla_plugin_t)
@@ -4568,11 +4573,16 @@ index 2a91fa8..593cefa 100644
 +')
 +
 +optional_policy(`
++	dbus_system_bus_client(mozilla_plugin_t)
 +	dbus_session_bus_client(mozilla_plugin_t)
 +	dbus_read_lib_files(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
++	git_dontaudit_read_session_content_files(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	gnome_manage_config(mozilla_plugin_t)
 +	gnome_setattr_home_config(mozilla_plugin_t)
 +')
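Review bot: `dbus_system_bus_client(mozilla_plugin_t)` puts the plugin domain on the system bus in addition to the session bus, but the hunk gives no hint which plugin or system service it needs to talk to; a comment above the call naming that service (or at least `# TODO(review): which plugin needs the system bus?`) would make the widening reviewable. The `git_dontaudit_read_session_content_files` call is correctly placed in its own `optional_policy` block, since the git module may be absent from a build.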
@@ -4694,6 +4704,111 @@ index 931304b..e8c6795 100644
  	nscd_socket_use(mplayer_t)
  ')
  
+diff --git a/policy/modules/apps/namespace.fc b/policy/modules/apps/namespace.fc
+new file mode 100644
+index 0000000..ce51c8d
+--- /dev/null
++++ b/policy/modules/apps/namespace.fc
+@@ -0,0 +1,3 @@
++
++/etc/security/namespace.init		--	gen_context(system_u:object_r:namespace_init_exec_t,s0)
++
+diff --git a/policy/modules/apps/namespace.if b/policy/modules/apps/namespace.if
+new file mode 100644
+index 0000000..9747548
+--- /dev/null
++++ b/policy/modules/apps/namespace.if
+@@ -0,0 +1,46 @@
++
++## <summary>policy for namespace</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run namespace_init.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`namespace_init_domtrans',`
++	gen_require(`
++		type namespace_init_t, namespace_init_exec_t;
++	')
++
++	domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
++')
++
++
++########################################
++## <summary>
++##	Execute namespace_init in the namespace_init domain, and
++##	allow the specified role the namespace_init domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the namespace_init domain.
++##	</summary>
++## </param>
++#
++interface(`namespace_init_run',`
++	gen_require(`
++		type namespace_init_t;
++	')
++
++	namespace_init_domtrans($1)
++	role $2 types namespace_init_t;
++')
+diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
+new file mode 100644
+index 0000000..ce7dbac
+--- /dev/null
++++ b/policy/modules/apps/namespace.te
+@@ -0,0 +1,38 @@
++policy_module(namespace,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type namespace_init_t;
++type namespace_init_exec_t;
++init_system_domain(namespace_init_t, namespace_init_exec_t)
++role system_r types namespace_init_t;
++
++permissive namespace_init_t;
++
++########################################
++#
++# namespace_init local policy
++#
++
++allow namespace_init_t self:capability dac_override;
++
++allow namespace_init_t self:fifo_file manage_fifo_file_perms;
++allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(namespace_init_t)
++
++domain_use_interactive_fds(namespace_init_t)
++
++files_read_etc_files(namespace_init_t)
++files_polyinstantiate_all(namespace_init_t)
++
++miscfiles_read_localization(namespace_init_t)
++
++userdom_manage_user_home_content_dirs(namespace_init_t)
++userdom_manage_user_home_content_files(namespace_init_t)
++userdom_relabelto_user_home_dirs(namespace_init_t)
++userdom_relabelto_user_home_files(namespace_init_t)
++userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
 diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc
 new file mode 100644
 index 0000000..717eb3f
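Review bot: namespace.te declares `permissive namespace_init_t;` with no comment, so every rule below it is unenforced while the module is switched on in both modules-*.conf; mark it as temporary, e.g. `# TODO: drop permissive once denials from namespace.init have been collected`, or remove it before release. In namespace.fc the pattern `/etc/security/namespace.init` leaves the dot unescaped, so it also matches names such as `namespaceXinit`; write `/etc/security/namespace\.init		--	gen_context(system_u:object_r:namespace_init_exec_t,s0)`. The interfaces `namespace_init_domtrans`/`namespace_init_run` are defined but no caller appears in the visible hunks, so the login domains that run pam_namespace reach this domain only through whatever `init_system_domain` sets up — worth confirming and stating in the .te header. Cosmetically, both new .fc and .if files begin with a blank `+` line and the .fc ends with one.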
@@ -6913,11 +7028,41 @@ index 0000000..5259647
 +	mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
 +')
 +
+diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
+index 1f2cde4..7bb3047 100644
+--- a/policy/modules/apps/screen.fc
++++ b/policy/modules/apps/screen.fc
+@@ -2,6 +2,7 @@
+ # /home
+ #
+ HOME_DIR/\.screenrc		--	gen_context(system_u:object_r:screen_home_t,s0)
++HOME_DIR/\.screen(/.*)?			gen_context(system_u:object_r:screen_home_t,s0)
+ 
+ #
+ # /usr
 diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index 320df26..879e804 100644
+index 320df26..3312145 100644
 --- a/policy/modules/apps/screen.if
 +++ b/policy/modules/apps/screen.if
-@@ -81,8 +81,6 @@ template(`screen_role_template',`
+@@ -64,6 +64,9 @@ template(`screen_role_template',`
+ 	files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+ 
+ 	allow $1_screen_t screen_home_t:dir list_dir_perms;
++	manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
++	manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
++	userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+ 	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ 	read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ 
+@@ -73,6 +76,7 @@ template(`screen_role_template',`
+ 	allow $3 $1_screen_t:process { signal sigchld };
+ 	allow $1_screen_t $3:process signal;
+ 
++	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+ 	manage_dirs_pattern($3, screen_home_t, screen_home_t)
+ 	manage_files_pattern($3, screen_home_t, screen_home_t)
+ 	manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
+@@ -81,8 +85,6 @@ template(`screen_role_template',`
  	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
  
  	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
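Review bot: The new `manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)` subsumes the context line `allow $1_screen_t screen_home_t:dir list_dir_perms;` directly above it, which can now be dropped. The reason for `manage_fifo_files_pattern` on screen_home_t (the commit message says screen keeps a pipe in the home directory) is not stated in the file; a comment such as `# screen creates its session pipe under ~/.screen` above the new rules would help. `screen_role_template` starts and ends outside the hunk.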
@@ -7981,7 +8126,7 @@ index 82842a0..4111a1d 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..d858795 100644
+index 34c9d01..aecd1ff 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -7995,7 +8140,16 @@ index 34c9d01..d858795 100644
  
  /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
  
-@@ -128,8 +130,8 @@ ifdef(`distro_debian',`
+@@ -95,8 +97,6 @@ ifdef(`distro_redhat',`
+ 
+ /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
+ 
+-/etc/security/namespace.init	--	gen_context(system_u:object_r:bin_t,s0)
+-
+ /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
+@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -8005,7 +8159,7 @@ index 34c9d01..d858795 100644
  /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
  /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
-@@ -247,6 +249,8 @@ ifdef(`distro_gentoo',`
+@@ -247,6 +247,8 @@ ifdef(`distro_gentoo',`
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -8014,7 +8168,7 @@ index 34c9d01..d858795 100644
  /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -307,6 +311,7 @@ ifdef(`distro_redhat', `
+@@ -307,6 +309,7 @@ ifdef(`distro_redhat', `
  /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -8022,7 +8176,7 @@ index 34c9d01..d858795 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +321,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +319,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -8142,7 +8296,7 @@ index b06df19..c0763c2 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index edefaf3..e9599e0 100644
+index edefaf3..14fc728 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -15,6 +15,7 @@ attribute rpc_port_type;
@@ -8320,7 +8474,7 @@ index edefaf3..e9599e0 100644
 -network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
 +network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
  network_port(ssh, tcp,22,s0)
-+network_port(streaming, tcp, 1755, s0, udp, 1755, s0)
++network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
  network_port(swat, tcp,901,s0)
 +network_port(sype, tcp,9911,s0, udp,9911,s0)
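Review bot: The new `network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)` line gives no hint what the ports are, whereas the squid line above documents its ports with a trailing comment; `# rtsp and mms` in the same style would do. The spacing after commas also differs from the surrounding `network_port` lines, which write `tcp,554,s0`.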
@@ -10860,7 +11014,7 @@ index dfe361a..496954e 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index e49c148..995fade 100644
+index e49c148..4d6bbf4 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -10937,6 +11091,14 @@ index e49c148..995fade 100644
  files_mountpoint(removable_t)
  
  #
+@@ -266,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
+ 
+ ########################################
+ #
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
 index b4ad6d7..67e89f0 100644
 --- a/policy/modules/kernel/kernel.if
@@ -16029,6 +16191,23 @@ index 8b8143e..c1a2b96 100644
  	ps_process_pattern($1, asterisk_t)
  
  	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
+index b3b0176..cb0c6e7 100644
+--- a/policy/modules/services/asterisk.te
++++ b/policy/modules/services/asterisk.te
+@@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+ manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
+ files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
+ 
++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+ manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })
+ 
+ kernel_read_system_state(asterisk_t)
+ kernel_read_kernel_sysctls(asterisk_t)
 diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
 index d80a16b..a43e006 100644
 --- a/policy/modules/services/automount.if
@@ -21316,10 +21495,10 @@ index 0000000..9d8f5de
 +')
 diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
 new file mode 100644
-index 0000000..01c3755
+index 0000000..5df774f
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,171 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -21439,8 +21618,7 @@ index 0000000..01c3755
 +')
 +
 +optional_policy(`
-+	kerberos_read_config(dirsrv_t)
-+	kerberos_dontaudit_write_config(dirsrv_t)
++	kerberos_use(dirsrv_t)
 +')
 +
 +optional_policy(`
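Review bot: Replacing `kerberos_read_config`/`kerberos_dontaudit_write_config` with `kerberos_use(dirsrv_t)` grants more than the two rules it removes — as I read reference policy, `kerberos_use` also covers connecting to the kerberos ports under the allow_kerberos tunable — and the commit message does not mention dirsrv at all. A comment above the call, e.g. `# dirsrv authenticates against the KDC`, would record why the wider interface is needed. The enclosing `optional_policy` block is complete within the hunk.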
@@ -21745,7 +21923,7 @@ index e1d7dc5..673f185 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..e8f3b0e 100644
+index cbe14e4..ae635c6 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -21853,7 +22031,13 @@ index cbe14e4..e8f3b0e 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -253,19 +272,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+@@ -249,23 +268,39 @@ optional_policy(`
+ #
+ # dovecot deliver local policy
+ #
++
++allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
+ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
@@ -21889,7 +22073,7 @@ index cbe14e4..e8f3b0e 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -301,5 +334,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +336,15 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -21899,6 +22083,11 @@ index cbe14e4..e8f3b0e 100644
 +optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
 +	mta_read_queue(dovecot_deliver_t)
++')
++
++optional_policy(`
++	# Handle sieve scripts
++	sendmail_domtrans(dovecot_deliver_t)
  ')
 diff --git a/policy/modules/services/drbd.fc b/policy/modules/services/drbd.fc
 new file mode 100644
@@ -22835,10 +23024,10 @@ index 54f0737..2b552c5 100644
 +/var/www/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
 +/var/www/git/gitweb.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
-index 458aac6..3780650 100644
+index 458aac6..03645a9 100644
 --- a/policy/modules/services/git.if
 +++ b/policy/modules/services/git.if
-@@ -1 +1,520 @@
+@@ -1 +1,539 @@
 -## <summary>GIT revision control system</summary>
 +## <summary>Fast Version Control System.</summary>
 +## <desc>
@@ -23214,6 +23403,25 @@ index 458aac6..3780650 100644
 +	')
 +')
 +
++#######################################
++## <summary>
++##  Dontaudit the specified domain to read
++##  Git daemon session content files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`git_dontaudit_read_session_content_files',`
++    gen_require(`
++        type git_session_content_t;
++    ')
++
++	dontaudit $1 git_session_content_t:file read_file_perms;
++')
++
 +########################################
 +## <summary>
 +##	Allow the specified domain to read
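Review bot: The new `git_dontaudit_read_session_content_files` interface indents its `gen_require` block with four spaces and its banner is one `#` short of the 40 used by the neighbouring interfaces (see the banner line directly below), while the `dontaudit` line itself uses a tab; use tabs throughout to match the file. The rule silences only `file` read denials on git_session_content_t; if the caller also walks the directories holding those files, `dir` search denials will still be logged, so consider `dontaudit $1 git_session_content_t:dir search_dir_perms;` alongside it if that proves to be the noise source.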
@@ -23598,6 +23806,18 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit $1 gnomeclock_t:dbus send_msg;
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
+diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
+index 4fde46b..41dfb2b 100644
+--- a/policy/modules/services/gnomeclock.te
++++ b/policy/modules/services/gnomeclock.te
+@@ -20,6 +20,7 @@ allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+ allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+ 
+ corecmd_exec_bin(gnomeclock_t)
++corecmd_exec_shell(gnomeclock_t)
+ 
+ files_read_etc_files(gnomeclock_t)
+ files_read_usr_files(gnomeclock_t)
 diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
 index 7d97298..d6b2959 100644
 --- a/policy/modules/services/gpm.if
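Review bot: `corecmd_exec_shell(gnomeclock_t)` lets the privileged time-setting helper run a shell with no comment on why, and the commit message says only "gnomeclock executes a shell"; as the gnomeclock dbus interfaces in the preceding hunk show this is a D-Bus service, a shell exec noticeably widens what a compromised helper can do. Please add a comment naming the script or helper that needs it, e.g. `# gnomeclock runs <helper script> via a shell` with the actual path filled in, or label that script so it gets its own domain transition instead of opening shell_exec_t to the whole domain.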
@@ -27393,7 +27613,7 @@ index e9c0982..a12d5ea 100644
  	admin_pattern($1, mysqld_tmp_t)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..024120d 100644
+index 0a0d63c..579f237 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -27423,7 +27643,7 @@ index 0a0d63c..024120d 100644
  allow mysqld_t mysqld_etc_t:dir list_dir_perms;
  
  allow mysqld_t mysqld_log_t:file manage_file_perms;
-@@ -78,9 +79,10 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
  files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
  
@@ -27435,7 +27655,14 @@ index 0a0d63c..024120d 100644
  
  kernel_read_system_state(mysqld_t)
  kernel_read_kernel_sysctls(mysqld_t)
-@@ -127,8 +129,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
+ 
++corecmd_exec_bin(mysqld_t)
++corecmd_exec_shell(mysqld_t)
++
+ corenet_all_recvfrom_unlabeled(mysqld_t)
+ corenet_all_recvfrom_netlabel(mysqld_t)
+ corenet_tcp_sendrecv_generic_if(mysqld_t)
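Review bot: `corecmd_exec_bin(mysqld_t)` and `corecmd_exec_shell(mysqld_t)` give the network-facing server domain itself (not only the mysqld_safe_t wrapper) unconditional permission to run arbitrary binaries and shells, and the hunk carries no comment explaining which mysqld feature needs that. Record the reason above the rules, e.g. `# mysqld runs <program> for <feature>` with the real names, and if only one helper is involved consider labeling it rather than opening all of bin_t/shell_exec_t. The mysqld_t local policy continues outside the hunk.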
+@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
  userdom_read_user_home_content_files(mysqld_t)
  
  ifdef(`distro_redhat',`
@@ -27445,7 +27672,7 @@ index 0a0d63c..024120d 100644
  ')
  
  tunable_policy(`mysql_connect_any',`
-@@ -155,6 +156,7 @@ optional_policy(`
+@@ -155,6 +159,7 @@ optional_policy(`
  
  allow mysqld_safe_t self:capability { chown dac_override fowner kill };
  dontaudit mysqld_safe_t self:capability sys_ptrace;
@@ -27453,7 +27680,7 @@ index 0a0d63c..024120d 100644
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
  read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,6 +177,7 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -175,6 +180,7 @@ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -27461,7 +27688,7 @@ index 0a0d63c..024120d 100644
  files_read_etc_files(mysqld_safe_t)
  files_read_usr_files(mysqld_safe_t)
  files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -183,11 +186,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+@@ -183,11 +189,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  
  hostname_exec(mysqld_safe_t)
  
@@ -31563,7 +31790,7 @@ index 29b9295..2a70dd1 100644
  	pyzor_signal(procmail_t)
  ')
 diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
-index bc329d1..f040c20 100644
+index bc329d1..0589f97 100644
 --- a/policy/modules/services/psad.if
 +++ b/policy/modules/services/psad.if
 @@ -91,7 +91,6 @@ interface(`psad_manage_config',`
@@ -31583,7 +31810,7 @@ index bc329d1..f040c20 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -176,6 +175,26 @@ interface(`psad_append_log',`
+@@ -176,6 +175,45 @@ interface(`psad_append_log',`
  
  ########################################
  ## <summary>
@@ -31605,12 +31832,31 @@ index bc329d1..f040c20 100644
 +	write_files_pattern($1, psad_var_log_t, psad_var_log_t)
 +')
 +
++#######################################
++## <summary>
++##  Allow the specified domain to setattr to psad's log files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`psad_setattr_log',`
++    gen_require(`
++        type psad_var_log_t;
++    ')
++
++    logging_search_logs($1)
++    setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
++')
++
 +########################################
 +## <summary>
  ##	Read and write psad fifo files.
  ## </summary>
  ## <param name="domain">
-@@ -186,7 +205,7 @@ interface(`psad_append_log',`
+@@ -186,7 +224,7 @@ interface(`psad_append_log',`
  #
  interface(`psad_rw_fifo_file',`
  	gen_require(`
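Review bot: The new `psad_setattr_log` interface is indented with four spaces and its banner has 39 `#`, while the neighbouring interfaces in this file (e.g. `psad_rw_fifo_file` just below) use tabs and 40 `#`; please match the file's style. The summary `Allow the specified domain to setattr to psad's log files.` reads awkwardly; `Set the attributes of psad log files.` follows the wording used elsewhere here ('Read and write psad fifo files.'). The same indentation issue affects `psad_setattr_fifo_file` in the next hunk.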
@@ -31619,7 +31865,34 @@ index bc329d1..f040c20 100644
  	')
  
  	files_search_var_lib($1)
-@@ -233,7 +252,7 @@ interface(`psad_rw_tmp_files',`
+@@ -196,6 +234,26 @@ interface(`psad_rw_fifo_file',`
+ 
+ #######################################
+ ## <summary>
++##  Allow setattr to psad fifo files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`psad_setattr_fifo_file',`
++    gen_require(`
++        type psad_t, psad_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++	allow $1 psad_var_lib_t:fifo_file setattr;
++    search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
++')
++
++#######################################
++## <summary>
+ ##	Read and write psad tmp files.
+ ## </summary>
+ ## <param name="domain">
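Review bot: `psad_setattr_fifo_file` requires `type psad_t, psad_var_lib_t;` but its body never uses psad_t, so the unused name should be dropped from `gen_require`. The `allow $1 psad_var_lib_t:fifo_file setattr;` line is the only tab-indented line in a block that otherwise uses spaces; for consistency with the `setattr_files_pattern` used in `psad_setattr_log`, `setattr_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)` expresses the same rule and makes the separate `search_dirs_pattern` call unnecessary, since the pattern macros grant the directory search themselves.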
+@@ -233,7 +291,7 @@ interface(`psad_rw_tmp_files',`
  interface(`psad_admin',`
  	gen_require(`
  		type psad_t, psad_var_run_t, psad_var_log_t;
@@ -31628,7 +31901,7 @@ index bc329d1..f040c20 100644
  		type psad_tmp_t;
  	')
  
-@@ -245,18 +264,18 @@ interface(`psad_admin',`
+@@ -245,18 +303,18 @@ interface(`psad_admin',`
  	role_transition $2 psad_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -36564,7 +36837,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..2b6aef5 100644
+index 2dad3c8..1d1b95f 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -36628,21 +36901,21 @@ index 2dad3c8..2b6aef5 100644
  type ssh_t;
  type ssh_exec_t;
  typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -76,9 +77,12 @@ ubac_constrained(ssh_tmpfs_t)
+@@ -76,8 +77,12 @@ ubac_constrained(ssh_tmpfs_t)
  type ssh_home_t;
  typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
  typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 -files_type(ssh_home_t)
  userdom_user_home_content(ssh_home_t)
- 
++files_poly_parent(ssh_home_t)
++
 +ifdef(`enable_mcs',`
 +	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 +')
-+
+ 
  ##############################
  #
- # SSH client local policy
-@@ -95,15 +99,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -95,15 +100,11 @@ allow ssh_t self:sem create_sem_perms;
  allow ssh_t self:msgq create_msgq_perms;
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -36659,7 +36932,7 @@ index 2dad3c8..2b6aef5 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,6 +113,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,6 +114,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -36667,7 +36940,7 @@ index 2dad3c8..2b6aef5 100644
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -124,9 +125,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+@@ -124,9 +126,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  
  # ssh servers can read the user keys and config
@@ -36681,7 +36954,7 @@ index 2dad3c8..2b6aef5 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,6 +140,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,6 +141,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -36690,7 +36963,7 @@ index 2dad3c8..2b6aef5 100644
  
  dev_read_urand(ssh_t)
  
-@@ -162,6 +166,7 @@ logging_read_generic_logs(ssh_t)
+@@ -162,6 +167,7 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -36698,7 +36971,7 @@ index 2dad3c8..2b6aef5 100644
  
  seutil_read_config(ssh_t)
  
-@@ -169,14 +174,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -169,14 +175,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -36717,7 +36990,7 @@ index 2dad3c8..2b6aef5 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +204,57 @@ optional_policy(`
+@@ -200,6 +205,57 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -36775,7 +37048,7 @@ index 2dad3c8..2b6aef5 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +264,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +265,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -36784,7 +37057,7 @@ index 2dad3c8..2b6aef5 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +287,43 @@ optional_policy(`
+@@ -232,33 +288,43 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -36837,7 +37110,7 @@ index 2dad3c8..2b6aef5 100644
  ')
  
  optional_policy(`
-@@ -266,11 +331,24 @@ optional_policy(`
+@@ -266,11 +332,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36863,7 +37136,7 @@ index 2dad3c8..2b6aef5 100644
  ')
  
  optional_policy(`
-@@ -284,6 +362,11 @@ optional_policy(`
+@@ -284,6 +363,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36875,7 +37148,7 @@ index 2dad3c8..2b6aef5 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +375,26 @@ optional_policy(`
+@@ -292,26 +376,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -36921,7 +37194,7 @@ index 2dad3c8..2b6aef5 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +407,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +408,6 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -36929,7 +37202,7 @@ index 2dad3c8..2b6aef5 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +435,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +436,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -40294,7 +40567,7 @@ index da2601a..61bce48 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 145fc4b..d1f5057 100644
+index 145fc4b..f596720 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -40619,7 +40892,7 @@ index 145fc4b..d1f5057 100644
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -301,20 +413,32 @@ optional_policy(`
+@@ -301,20 +413,33 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -40649,6 +40922,7 @@ index 145fc4b..d1f5057 100644
 +
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
++
 +#Handle mislabeled files in homedir
 +userdom_delete_user_home_content_files(xdm_t)
 +userdom_signull_unpriv_users(xdm_t)
@@ -40656,7 +40930,7 @@ index 145fc4b..d1f5057 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -322,43 +446,69 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -322,43 +447,69 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -40733,7 +41007,7 @@ index 145fc4b..d1f5057 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -367,18 +517,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -367,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -40761,7 +41035,7 @@ index 145fc4b..d1f5057 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -390,18 +548,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -390,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -40785,7 +41059,7 @@ index 145fc4b..d1f5057 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -410,18 +572,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -410,18 +573,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -40812,7 +41086,7 @@ index 145fc4b..d1f5057 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -432,9 +599,17 @@ files_list_mnt(xdm_t)
+@@ -432,9 +600,17 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -40830,7 +41104,7 @@ index 145fc4b..d1f5057 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +618,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -443,28 +619,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -40869,7 +41143,7 @@ index 145fc4b..d1f5057 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -473,9 +656,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -473,9 +657,30 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -40900,7 +41174,7 @@ index 145fc4b..d1f5057 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -491,6 +695,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -491,6 +696,12 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_exec_cifs_files(xdm_t)
  ')
  
@@ -40913,7 +41187,7 @@ index 145fc4b..d1f5057 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -504,11 +714,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -504,11 +715,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -40935,7 +41209,7 @@ index 145fc4b..d1f5057 100644
  ')
  
  optional_policy(`
-@@ -516,12 +736,49 @@ optional_policy(`
+@@ -516,12 +737,49 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40985,7 +41259,7 @@ index 145fc4b..d1f5057 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,28 +796,64 @@ optional_policy(`
+@@ -539,28 +797,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41059,7 +41333,7 @@ index 145fc4b..d1f5057 100644
  ')
  
  optional_policy(`
-@@ -572,6 +865,10 @@ optional_policy(`
+@@ -572,6 +866,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41070,7 +41344,7 @@ index 145fc4b..d1f5057 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +893,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +894,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -41079,7 +41353,7 @@ index 145fc4b..d1f5057 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +907,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +908,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -41094,7 +41368,7 @@ index 145fc4b..d1f5057 100644
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +934,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +935,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -41116,7 +41390,7 @@ index 145fc4b..d1f5057 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +954,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +955,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -41124,7 +41398,7 @@ index 145fc4b..d1f5057 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +981,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +982,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -41132,7 +41406,7 @@ index 145fc4b..d1f5057 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,11 +990,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,11 +991,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -41150,7 +41424,7 @@ index 145fc4b..d1f5057 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -693,8 +1011,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +1012,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -41164,7 +41438,7 @@ index 145fc4b..d1f5057 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1039,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1040,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -41179,7 +41453,7 @@ index 145fc4b..d1f5057 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1099,28 @@ optional_policy(`
+@@ -773,12 +1100,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41209,7 +41483,7 @@ index 145fc4b..d1f5057 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -787,6 +1129,10 @@ optional_policy(`
+@@ -787,6 +1130,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41220,7 +41494,7 @@ index 145fc4b..d1f5057 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1148,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1149,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -41234,7 +41508,7 @@ index 145fc4b..d1f5057 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1159,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -813,7 +1160,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -41243,7 +41517,7 @@ index 145fc4b..d1f5057 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -826,6 +1172,9 @@ init_use_fds(xserver_t)
+@@ -826,6 +1173,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -41253,7 +41527,7 @@ index 145fc4b..d1f5057 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1182,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -833,6 +1183,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -41265,7 +41539,7 @@ index 145fc4b..d1f5057 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1195,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1196,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -41282,7 +41556,7 @@ index 145fc4b..d1f5057 100644
  ')
  
  optional_policy(`
-@@ -853,6 +1210,10 @@ optional_policy(`
+@@ -853,6 +1211,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -41293,7 +41567,7 @@ index 145fc4b..d1f5057 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -896,7 +1257,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -896,7 +1258,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -41302,7 +41576,7 @@ index 145fc4b..d1f5057 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -950,11 +1311,31 @@ allow x_domain self:x_resource { read write };
+@@ -950,11 +1312,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -41334,7 +41608,7 @@ index 145fc4b..d1f5057 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -976,18 +1357,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -976,18 +1358,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -42350,7 +42624,7 @@ index bea0ade..a0feb45 100644
  
  	optional_policy(`
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..069790d 100644
+index 54d122b..46929ca 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
@@ -42396,17 +42670,19 @@ index 54d122b..069790d 100644
  
  allow chkpwd_t shadow_t:file read_file_perms;
  files_list_etc(chkpwd_t)
-@@ -394,3 +409,11 @@ optional_policy(`
+@@ -394,3 +409,13 @@ optional_policy(`
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
 +
 +tunable_policy(`allow_polyinstantiation',`
 +	files_polyinstantiate_all(polydomain)
-+	userdom_manage_user_home_content_dirs(polydomain)
-+	userdom_manage_user_home_content_files(polydomain)
-+	userdom_relabelto_user_home_dirs(polydomain)
-+	userdom_relabelto_user_home_files(polydomain)
++')
++
++optional_policy(`
++	tunable_policy(`allow_polyinstantiation',`
++		namespace_init_domtrans(polydomain)
++	')
 +')
 diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
 index 89cc088..81e5ed4 100644
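Review bot: The four `userdom_manage_user_home_content_*` / `userdom_relabelto_user_home_*` rules dropped from the `allow_polyinstantiation` block leave `polydomain` with only `files_polyinstantiate_all` plus a domain transition to the namespace.init domain, and nothing in the hunk records that the home-directory setup and relabeling is now meant to happen in that helper rather than in every polyinstantiated domain. A one-line comment above the new `optional_policy` block, `# namespace.init sets up and relabels the polyinstantiated homedir, so polydomain no longer needs manage/relabelto on user home content`, would capture the least-privilege intent and discourage re-adding the broad rules on the next denial. This presumes `namespace_init_domtrans` is defined in the namespace module added elsewhere in this commit; that definition is not visible here.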
@@ -42759,7 +43035,7 @@ index 6fed22c..06e5395 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index ed152c4..be3bb8f 100644
+index ed152c4..a398d39 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,40 @@ interface(`init_script_domain',`
@@ -43060,7 +43336,7 @@ index ed152c4..be3bb8f 100644
  ')
  
  ########################################
-@@ -868,8 +1004,12 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1004,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -43071,9 +43347,11 @@ index ed152c4..be3bb8f 100644
 +	# service script searches all filesystems via mountpoint
 +	fs_search_all($1)
  	domtrans_pattern($1, $2, initrc_t)
++	allow $1 $2:file ioctl;
  	files_search_etc($1)
  ')
-@@ -1130,12 +1270,7 @@ interface(`init_read_script_state',`
+ 
+@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
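Review bot: `allow $1 $2:file ioctl;` in `init_labeled_script_domtrans` grants every caller ioctl on the service script with no comment saying why, while the existing init.te context further down handles a similar interpreter quirk with a dontaudit (`# bash tries ioctl for some reason` / `files_dontaudit_ioctl_all_pids(initrc_t)`). If the ioctl is only probed by the shell and not required for the script to run, `dontaudit $1 $2:file ioctl;` is the smaller grant; if it is genuinely required, a comment such as `# the shell ioctl()s the script it executes` should say so. The `init_labeled_script_domtrans` interface begins in the preceding hunk, so its full body is not visible here.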
@@ -43087,7 +43365,7 @@ index ed152c4..be3bb8f 100644
  ')
  
  ########################################
-@@ -1375,6 +1510,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -43115,7 +43393,7 @@ index ed152c4..be3bb8f 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1617,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -43141,7 +43419,7 @@ index ed152c4..be3bb8f 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1674,7 +1849,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -43150,7 +43428,7 @@ index ed152c4..be3bb8f 100644
  ')
  
  ########################################
-@@ -1749,3 +1924,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +1925,93 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -43245,7 +43523,7 @@ index ed152c4..be3bb8f 100644
 +	allow $1 init_t:unix_dgram_socket sendto;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 0580e7c..1618f9d 100644
+index 0580e7c..90ca53f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -43824,7 +44102,17 @@ index 0580e7c..1618f9d 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,6 +998,10 @@ optional_policy(`
+@@ -734,10 +994,20 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	psad_setattr_fifo_file(initrc_t)
++	psad_setattr_log(initrc_t)
++	psad_write_log(initrc_t)
++')
++
++optional_policy(`
+ 	puppet_rw_tmp(initrc_t)
  ')
  
  optional_policy(`
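Review bot: The new `psad_setattr_fifo_file`, `psad_setattr_log` and `psad_write_log` grants for `initrc_t` carry no comment, so a reader cannot tell whether setattr on psad's fifo and log is required by the init script's ownership/permission fixing of those files or is a leftover from chasing a single denial. A comment above the block, `# psad init script fixes ownership/permissions of its fifo and log file`, would tie the rules to the "psad policy which relate with confined users" item in the commit message. The three interfaces are presumably added to psad.if elsewhere in this commit; they are not visible in this hunk.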
@@ -43835,7 +44123,7 @@ index 0580e7c..1618f9d 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -746,6 +1010,10 @@ optional_policy(`
+@@ -746,6 +1016,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43846,7 +44134,7 @@ index 0580e7c..1618f9d 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -767,8 +1035,6 @@ optional_policy(`
+@@ -767,8 +1041,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -43855,7 +44143,7 @@ index 0580e7c..1618f9d 100644
  ')
  
  optional_policy(`
-@@ -777,14 +1043,21 @@ optional_policy(`
+@@ -777,14 +1049,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43877,7 +44165,7 @@ index 0580e7c..1618f9d 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -806,11 +1079,19 @@ optional_policy(`
+@@ -806,11 +1085,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43898,7 +44186,7 @@ index 0580e7c..1618f9d 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -820,6 +1101,25 @@ optional_policy(`
+@@ -820,6 +1107,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -43924,7 +44212,7 @@ index 0580e7c..1618f9d 100644
  ')
  
  optional_policy(`
-@@ -845,3 +1145,59 @@ optional_policy(`
+@@ -845,3 +1151,59 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -51401,7 +51689,7 @@ index 28b88de..10340bc 100644
 +	type_transition $1 user_tmp_t:process $2;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index df29ca1..97b3c20 100644
+index df29ca1..b13e0f3 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0)
@@ -51443,7 +51731,7 @@ index df29ca1..97b3c20 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,18 +87,21 @@ ubac_constrained(user_home_dir_t)
+@@ -71,21 +87,25 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -51466,7 +51754,11 @@ index df29ca1..97b3c20 100644
  typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
  files_tmp_file(user_tmp_t)
  userdom_user_home_content(user_tmp_t)
-@@ -94,3 +113,25 @@ userdom_user_home_content(user_tmpfs_t)
++files_poly_parent(user_tmp_t)
+ 
+ type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+ files_tmpfs_file(user_tmpfs_t)
+@@ -94,3 +114,25 @@ userdom_user_home_content(user_tmpfs_t)
  type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
  dev_node(user_tty_device_t)
  ubac_constrained(user_tty_device_t)
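Review bot: `files_poly_parent(user_tmp_t)` makes a user's tmp directory a polyinstantiation parent without a comment linking it to the `allow_polyinstantiation` tunable used elsewhere in this commit, and nothing here says whether `user_home_dir_t` is marked the same way. A comment such as `# ~/tmp may be polyinstantiated per user when allow_polyinstantiation is on` above the line would document the intent. Whether a matching `files_poly_parent(user_home_dir_t)` exists is not visible in this hunk.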
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b77d2c2..570253c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.12
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,17 @@ exit 0
 %endif
 
 %changelog
+* Fri Jan 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.12-7
+- gnomeclock executes a shell
+- Update for screen policy to handle pipe in homedir
+- Fixes for polyinstatiated homedir
+- Fixes for namespace policy and other fixes related to polyinstantiation
+- Add namespace policy
+- Allow dovecot-deliver transition to sendmail which is needed by sieve scripts
+- Fixes for init, psad policy which relate with confined users
+- Do not audit bootloader attempts to read devicekit pid files
+- Allow nagios service plugins to read /proc
+
 * Tue Jan 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.12-6
 - Add firewalld policy
 - Allow vmware_host to read samba config

