[selinux-policy] - Change usbmuxd_t to dontaudit attempts to read chr_file - Add mysld_safe_exec_t for libra domains

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jun 30 15:54:57 UTC 2011


commit 975370d58e510001241db65603aeb4f563f5de00
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Jun 30 17:55:41 2011 +0200

    - Change usbmuxd_t to dontaudit attempts to read chr_file
    - Add mysld_safe_exec_t for libra domains to be able to start private mysql domains
    - Allow pppd to search /var/lock dir
    - Add rhsmcertd policy

 modules-targeted.conf |    7 +
 policy-F16.patch      |  643 ++++++++++++++++++++++++++++++++++++++++++++-----
 selinux-policy.spec   |    8 +-
 3 files changed, 596 insertions(+), 62 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index ff58950..d3569e1 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2410,3 +2410,10 @@ dspam = module
 # lldpad - Link Layer Discovery Protocol (LLDP) agent daemon
 #
 lldpad = module
+
+# Layer: services
+# Module: rhsmcertd
+#
+# Subscription Management Certificate Daemon policy
+#
+rhsmcertd = module
diff --git a/policy-F16.patch b/policy-F16.patch
index e0f0e9c..d7e32b1 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -2359,7 +2359,7 @@ index d0604cf..3089f30 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 8966ec9..f4e6c4b 100644
+index 8966ec9..8fbe943 100644
 --- a/policy/modules/admin/shutdown.te
 +++ b/policy/modules/admin/shutdown.te
 @@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@@ -2406,7 +2406,7 @@ index 8966ec9..f4e6c4b 100644
  init_stream_connect(shutdown_t)
  init_telinit(shutdown_t)
  
-@@ -54,10 +58,20 @@ logging_send_audit_msgs(shutdown_t)
+@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t)
  miscfiles_read_localization(shutdown_t)
  
  optional_policy(`
@@ -2424,6 +2424,10 @@ index 8966ec9..f4e6c4b 100644
 +')
 +
 +optional_policy(`
++	rhev_sigchld_agentd(shutdown_t)
++')
++
++optional_policy(`
  	xserver_dontaudit_write_log(shutdown_t)
 +	xserver_xdm_append_log(shutdown_t)
  ')
@@ -8487,10 +8491,10 @@ index 0000000..6efdeca
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..d6d2f78
+index 0000000..61a5e86
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,492 @@
+@@ -0,0 +1,493 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8667,6 +8671,7 @@ index 0000000..d6d2f78
 +allow sandbox_x_domain self:msgq create_msgq_perms;
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
++allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms };
 +
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +
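Review bot: The added `allow sandbox_x_domain self:netlink_selinux_socket { create_socket_perms };` rule widens what every sandbox_x_domain type may do, but neither the hunk nor the commit description says which component needs it. A one-line comment above the rule, for example `# <component> opens a SELinux netlink socket - confirm`, would let a later reviewer judge whether it can be dropped. The braces around a single permission set are unnecessary; `self:netlink_selinux_socket create_socket_perms;` would match the msgq and unix_stream_socket rules above it. The unix_stream_socket rule on the context lines is also stated twice, once above and once below the new line.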
@@ -9169,7 +9174,7 @@ index 7590165..9a7ebe5 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
-index 3cfb128..de71ea8 100644
+index 3cfb128..cfeed29 100644
 --- a/policy/modules/apps/telepathy.if
 +++ b/policy/modules/apps/telepathy.if
 @@ -11,7 +11,6 @@
@@ -9197,7 +9202,18 @@ index 3cfb128..de71ea8 100644
  	gen_require(`
  		attribute telepathy_domain;
  		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -179,3 +179,75 @@ interface(`telepathy_salut_stream_connect', `
+@@ -78,6 +78,10 @@ template(`telepathy_role', `
+ 	dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+ ')
+ 
++    optional_policy(`
++        telepathy_dbus_chat($2)
++    ')
++
+ ########################################
+ ## <summary>
+ ##	Stream connect to Telepathy Gabble
+@@ -179,3 +183,75 @@ interface(`telepathy_salut_stream_connect', `
  	stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
  	files_search_tmp($1)
  ')
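Review bot: The added `optional_policy` block calling `telepathy_dbus_chat($2)` appears to land after the column-0 `')` context line that closes the telepathy_role template, so `$2` would be expanded outside any template or interface body. If that reading is right, the block belongs above that closing `')`. The template starts outside this hunk, so this needs checking against the full telepathy.if. The block is also indented with spaces where the surrounding lines use tabs.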
@@ -9274,7 +9290,7 @@ index 3cfb128..de71ea8 100644
 +    ')
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..f41eb44 100644
+index 2533ea0..f605e0a 100644
 --- a/policy/modules/apps/telepathy.te
 +++ b/policy/modules/apps/telepathy.te
 @@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t)
@@ -9301,7 +9317,18 @@ index 2533ea0..f41eb44 100644
  corenet_all_recvfrom_netlabel(telepathy_gabble_t)
  corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
  corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
-@@ -168,6 +178,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -112,6 +122,10 @@ optional_policy(`
+ 	dbus_system_bus_client(telepathy_gabble_t)
+ ')
+ 
++optional_policy(`
++        gnome_read_home_config(telepathy_gabble_t)
++')
++
+ #######################################
+ #
+ # Telepathy Idle local policy.
+@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(telepathy_logger_t)
  ')
  
@@ -9313,7 +9340,7 @@ index 2533ea0..f41eb44 100644
  #######################################
  #
  # Telepathy Mission-Control local policy.
-@@ -176,6 +191,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',`
  manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@@ -9321,7 +9348,7 @@ index 2533ea0..f41eb44 100644
  
  dev_read_rand(telepathy_mission_control_t)
  
-@@ -194,6 +210,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -194,6 +214,12 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(telepathy_mission_control_t)
  ')
  
@@ -9334,7 +9361,7 @@ index 2533ea0..f41eb44 100644
  #######################################
  #
  # Telepathy Butterfly and Haze local policy.
-@@ -205,8 +227,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +231,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
  manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -9346,7 +9373,7 @@ index 2533ea0..f41eb44 100644
  
  corenet_all_recvfrom_netlabel(telepathy_msn_t)
  corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +271,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +275,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
  ')
  
  optional_policy(`
@@ -9357,7 +9384,15 @@ index 2533ea0..f41eb44 100644
  	dbus_system_bus_client(telepathy_msn_t)
  
  	optional_policy(`
-@@ -376,5 +405,23 @@ optional_policy(`
+@@ -365,6 +398,7 @@ dev_read_urand(telepathy_domain)
+ 
+ kernel_read_system_state(telepathy_domain)
+ 
++fs_getattr_all_fs(telepathy_domain)
+ fs_search_auto_mountpoints(telepathy_domain)
+ 
+ auth_use_nsswitch(telepathy_domain)
+@@ -376,5 +410,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9374,13 +9409,13 @@ index 2533ea0..f41eb44 100644
  ')
 +
 +# Just for F15
-+#optional_policy(`
-+#    gen_require(`
-+#        role unconfined_r;
-+#    ')
-+#
-+#    role unconfined_r types telepathy_domain;
-+#')
++optional_policy(`
++    gen_require(`
++        role unconfined_r;
++    ')
++
++    role unconfined_r types telepathy_domain;
++')
 diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
 index 11fe4f2..98bfbf3 100644
 --- a/policy/modules/apps/tvtime.te
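Review bot: The block enabled here still sits under the comment `# Just for F15`, yet it is now active in policy-F16.patch, so the comment no longer explains why `role unconfined_r types telepathy_domain;` is present. The rule associates every telepathy_domain type with unconfined_r, so the comment should give the reason and the condition for removal, for example `# Needed while <reason>; drop once <condition>`.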
@@ -18486,7 +18521,7 @@ index 0ecc786..dbf2710 100644
  userdom_dontaudit_search_user_home_dirs(webadm_t)
  
 diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..4b5f106 100644
+index e88b95f..0eb55db 100644
 --- a/policy/modules/roles/xguest.te
 +++ b/policy/modules/roles/xguest.te
 @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -18557,7 +18592,7 @@ index e88b95f..4b5f106 100644
  	')
  ')
  
-@@ -76,23 +87,98 @@ optional_policy(`
+@@ -76,23 +87,102 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18575,10 +18610,9 @@ index e88b95f..4b5f106 100644
 +
 +optional_policy(`
 +	gnome_role(xguest_r, xguest_t)
- ')
- 
- optional_policy(`
--	mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
 +	gnomeclock_dontaudit_dbus_chat(xguest_t)
 +')
 +
@@ -18596,11 +18630,16 @@ index e88b95f..4b5f106 100644
 +
 +optional_policy(`
 +	nsplugin_role(xguest_r, xguest_t)
+ ')
+ 
+ optional_policy(`
+-	mozilla_role(xguest_r, xguest_t)
++	pcscd_read_pub_files(xguest_usertype)
++	pcscd_stream_connect(xguest_usertype)
 +')
 +
 +optional_policy(`
-+	pcscd_read_pub_files(xguest_usertype)
-+	pcscd_stream_connect(xguest_usertype)
++	rhsmcertd_dontaudit_dbus_chat(xguest_t)
  ')
  
  optional_policy(`
@@ -18643,7 +18682,7 @@ index e88b95f..4b5f106 100644
 +		corenet_tcp_connect_speech_port(xguest_usertype)
 +		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_transproxy_port(xguest_usertype)
- 	')
++	')
 +
 +	#optional_policy(`
 +	#	telepathy_dbus_session_role(xguest_r, xguest_t)
@@ -18653,7 +18692,7 @@ index e88b95f..4b5f106 100644
 +optional_policy(`
 +	gen_require(`
 +		type mozilla_t;
-+	')
+ 	')
 +
 +	allow xguest_t mozilla_t:process transition;
 +	role xguest_r types mozilla_t;
@@ -24050,14 +24089,17 @@ index 6077339..d10acd2 100644
  dev_read_lvm_control(clogd_t)
  dev_manage_generic_blk_files(clogd_t)
 diff --git a/policy/modules/services/cmirrord.fc b/policy/modules/services/cmirrord.fc
-index 049e2b6..e500fa5 100644
+index 049e2b6..dcc7de8 100644
 --- a/policy/modules/services/cmirrord.fc
 +++ b/policy/modules/services/cmirrord.fc
-@@ -1,3 +1,4 @@
+@@ -1,5 +1,6 @@
 +
  /etc/rc\.d/init\.d/cmirrord	--	gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
  
- /usr/sbin/cmirrord		--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
+-/usr/sbin/cmirrord		--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
++/usr/sbin/cmirrord			--	gen_context(system_u:object_r:cmirrord_exec_t,s0)
+ 
+ /var/run/cmirrord\.pid		--	gen_context(system_u:object_r:cmirrord_var_run_t,s0)
 diff --git a/policy/modules/services/cmirrord.if b/policy/modules/services/cmirrord.if
 index f8463c0..bed51fb 100644
 --- a/policy/modules/services/cmirrord.if
@@ -24536,12 +24578,15 @@ index 0258b48..8535cc6 100644
  manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
  manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..101c266 100644
+index 74505cc..a58903f 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
-@@ -43,6 +43,7 @@ files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+@@ -41,8 +41,9 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+ manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
+ files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
  
- kernel_getattr_proc_files(colord_t)
+-kernel_getattr_proc_files(colord_t)
++kernel_read_system_state(colord_t)
  kernel_read_device_sysctls(colord_t)
 +kernel_request_load_module(colord_t)
  
@@ -24767,11 +24812,14 @@ index e67a003..192332a 100644
  	unconfined_stream_connect(consolekit_t)
  ')
 diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..2098ee9 100644
+index 3a6d7eb..3f0e601 100644
 --- a/policy/modules/services/corosync.fc
 +++ b/policy/modules/services/corosync.fc
-@@ -3,6 +3,7 @@
+@@ -1,8 +1,10 @@
+ /etc/rc\.d/init\.d/corosync	--	gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+ 
  /usr/sbin/corosync		--	gen_context(system_u:object_r:corosync_exec_t,s0)
++/usr/sbin/corosync-notifyd      --      gen_context(system_u:object_r:corosync_exec_t,s0)
  
  /usr/sbin/ccs_tool		--	gen_context(system_u:object_r:corosync_exec_t,s0)
 +/usr/sbin/cman_tool		--	gen_context(system_u:object_r:corosync_exec_t,s0)
@@ -35836,7 +35884,7 @@ index f17583b..6b17513 100644
 +
 +miscfiles_read_localization(munin_plugin_domain)
 diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..f11e4f2 100644
+index e9c0982..14af30a 100644
 --- a/policy/modules/services/mysql.if
 +++ b/policy/modules/services/mysql.if
 @@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -35897,7 +35945,7 @@ index e9c0982..f11e4f2 100644
  	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
  	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
  ')
-@@ -252,7 +289,7 @@ interface(`mysql_write_log',`
+@@ -252,12 +289,12 @@ interface(`mysql_write_log',`
  	')
  
  	logging_search_logs($1)
@@ -35906,7 +35954,38 @@ index e9c0982..f11e4f2 100644
  ')
  
  ######################################
-@@ -329,10 +366,9 @@ interface(`mysql_search_pid_files',`
+ ## <summary>
+-##	Execute MySQL server in the mysql domain.
++##	Execute MySQL safe script in the mysql safe domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -273,6 +310,24 @@ interface(`mysql_domtrans_mysql_safe',`
+ 	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
+ ')
+ 
++######################################
++## <summary>
++##	Execute MySQL_safe in the coller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mysql_safe_exec',`
++	gen_require(`
++		type  mysqld_safe_exec_t;
++	')
++
++	can_exec($1, mysqld_safe_exec_t)
++')
++
+ #####################################
+ ## <summary>
+ ##	Read MySQL PID files.
+@@ -329,10 +384,9 @@ interface(`mysql_search_pid_files',`
  #
  interface(`mysql_admin',`
  	gen_require(`
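Review bot: The summary of the new `mysql_safe_exec` interface reads "Execute MySQL_safe in the coller domain", which should say "caller domain". The body uses `can_exec($1, mysqld_safe_exec_t)`, so the summary could state the behaviour directly: `##	Execute mysqld_safe in the caller domain, without a domain transition.` The `type  mysqld_safe_exec_t;` line has a doubled space. The reworded summary at the top of the hunk belongs to mysql_domtrans_mysql_safe, whose definition is only partly inside this hunk.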
@@ -35920,7 +35999,7 @@ index e9c0982..f11e4f2 100644
  	')
  
  	allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +379,19 @@ interface(`mysql_admin',`
+@@ -343,13 +397,19 @@ interface(`mysql_admin',`
  	role_transition $2 mysqld_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -39207,7 +39286,7 @@ index 69c331e..0555635 100644
  
  auth_rw_login_records(portslave_t)
 diff --git a/policy/modules/services/postfix.fc b/policy/modules/services/postfix.fc
-index a3e85c9..cb05623 100644
+index a3e85c9..6b97fa5 100644
 --- a/policy/modules/services/postfix.fc
 +++ b/policy/modules/services/postfix.fc
 @@ -1,5 +1,6 @@
@@ -39218,7 +39297,7 @@ index a3e85c9..cb05623 100644
  ifdef(`distro_redhat', `
  /usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
  /usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-@@ -16,22 +17,24 @@ ifdef(`distro_redhat', `
+@@ -16,22 +17,23 @@ ifdef(`distro_redhat', `
  /usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
  /usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
  ', `
@@ -39252,11 +39331,10 @@ index a3e85c9..cb05623 100644
  /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
  /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 +/usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-+')
  /usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -42,9 +45,10 @@ ifdef(`distro_redhat', `
+@@ -42,9 +44,10 @@ ifdef(`distro_redhat', `
  /usr/sbin/postqueue	--	gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
  /usr/sbin/postsuper	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  
@@ -40352,7 +40430,7 @@ index b524673..9d90fb3 100644
  
  	admin_pattern($1, pptp_var_run_t)
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..79b1678 100644
+index 2af42e7..53f977a 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -40390,7 +40468,7 @@ index 2af42e7..79b1678 100644
  allow pppd_t self:fifo_file rw_fifo_file_perms;
  allow pppd_t self:socket create_socket_perms;
  allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -84,28 +84,28 @@ allow pppd_t self:packet_socket create_socket_perms;
+@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms;
  
  domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
  
@@ -40409,6 +40487,7 @@ index 2af42e7..79b1678 100644
 -allow pppd_t pppd_lock_t:file manage_file_perms;
 -files_lock_filetrans(pppd_t, pppd_lock_t, file)
 +manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
++files_search_locks(pppd_t)
  
 -allow pppd_t pppd_log_t:file manage_file_perms;
 +manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
@@ -40425,7 +40504,7 @@ index 2af42e7..79b1678 100644
  
  allow pppd_t pptp_t:process signal;
  
-@@ -166,6 +166,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
  init_signal_script(pppd_t)
  
  auth_use_nsswitch(pppd_t)
@@ -40434,7 +40513,7 @@ index 2af42e7..79b1678 100644
  
  logging_send_syslog_msg(pppd_t)
  logging_send_audit_msgs(pppd_t)
-@@ -176,7 +178,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +179,7 @@ sysnet_exec_ifconfig(pppd_t)
  sysnet_manage_config(pppd_t)
  sysnet_etc_filetrans_config(pppd_t)
  
@@ -40443,7 +40522,7 @@ index 2af42e7..79b1678 100644
  userdom_dontaudit_use_unpriv_user_fds(pppd_t)
  userdom_search_user_home_dirs(pppd_t)
  
-@@ -194,6 +196,8 @@ optional_policy(`
+@@ -194,6 +197,8 @@ optional_policy(`
  
  optional_policy(`
  	mta_send_mail(pppd_t)
@@ -40452,7 +40531,7 @@ index 2af42e7..79b1678 100644
  ')
  
  optional_policy(`
-@@ -243,9 +247,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -43028,10 +43107,10 @@ index 0000000..4e7605a
 +/var/run/rhev-agentd\.pid		--	gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
 diff --git a/policy/modules/services/rhev.if b/policy/modules/services/rhev.if
 new file mode 100644
-index 0000000..88f6a9e
+index 0000000..bf11e25
 --- /dev/null
 +++ b/policy/modules/services/rhev.if
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,76 @@
 +## <summary>rhev polic module contains policies for rhev apps</summary>
 +
 +#####################################
@@ -43090,6 +43169,24 @@ index 0000000..88f6a9e
 +        files_search_pids($1)
 +        stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
 +')
++
++######################################
++## <summary>
++##  Send sigchld to rhev-agentd
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++#
++interface(`rhev_sigchld_agentd',`
++    gen_require(`
++              type rhev_agentd_t;
++    ')
++
++    allow $1 rhev_agentd_t:process sigchld;
++')
 diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
 new file mode 100644
 index 0000000..bc97a21
@@ -43204,6 +43301,400 @@ index 0f262a7..4d10897 100644
  term_create_pty(rhgb_t, rhgb_devpts_t)
  
  manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc
+new file mode 100644
+index 0000000..5094d93
+--- /dev/null
++++ b/policy/modules/services/rhsmcertd.fc
+@@ -0,0 +1,12 @@
++
++/etc/rc\.d/init\.d/rhsmcertd	--	gen_context(system_u:object_r:rhsmcertd_initrc_exec_t,s0)
++
++/usr/bin/rhsmcertd		--	gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
++
++/var/lib/rhsm(/.*)?		gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
++
++/var/log/rhsm(/.*)?		gen_context(system_u:object_r:rhsmcertd_log_t,s0)
++
++/var/lock/subsys/rhsmcertd	--	gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
++
++/var/run/rhsm(/.*)?		gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
+diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
+new file mode 100644
+index 0000000..811c52e
+--- /dev/null
++++ b/policy/modules/services/rhsmcertd.if
+@@ -0,0 +1,305 @@
++
++## <summary>Subscription Management Certificate Daemon policy</summary>
++
++########################################
++## <summary>
++##	Transition to rhsmcertd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rhsmcertd_domtrans',`
++	gen_require(`
++		type rhsmcertd_t, rhsmcertd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
++')
++
++
++########################################
++## <summary>
++##	Execute rhsmcertd server in the rhsmcertd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhsmcertd_initrc_domtrans',`
++	gen_require(`
++		type rhsmcertd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++##	Read rhsmcertd's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rhsmcertd_read_log',`
++	gen_require(`
++		type rhsmcertd_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
++')
++
++########################################
++## <summary>
++##	Append to rhsmcertd log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhsmcertd_append_log',`
++	gen_require(`
++		type rhsmcertd_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
++')
++
++########################################
++## <summary>
++##	Manage rhsmcertd log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhsmcertd_manage_log',`
++	gen_require(`
++		type rhsmcertd_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
++	manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
++	manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
++')
++
++########################################
++## <summary>
++##	Search rhsmcertd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhsmcertd_search_lib',`
++	gen_require(`
++		type rhsmcertd_var_lib_t;
++	')
++
++	allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read rhsmcertd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhsmcertd_read_lib_files',`
++	gen_require(`
++		type rhsmcertd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rhsmcertd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhsmcertd_manage_lib_files',`
++	gen_require(`
++		type rhsmcertd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage rhsmcertd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhsmcertd_manage_lib_dirs',`
++	gen_require(`
++		type rhsmcertd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Read rhsmcertd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rhsmcertd_read_pid_files',`
++	gen_require(`
++		type rhsmcertd_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 rhsmcertd_var_run_t:file read_file_perms;
++')
++
++####################################
++## <summary>
++##  Connect to rhsmcertd over a unix domain
++##  stream socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhsmcertd_stream_connect',`
++	gen_require(`
++		type rhsmcertd_t, rhsmcertd_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
++')
++
++#######################################
++## <summary>
++##  Send and receive messages from
++##  rhsmcertd over dbus.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhsmcertd_dbus_chat',`
++	gen_require(`
++		type rhsmcertd_t;
++		class dbus send_msg;
++	')
++
++	allow $1 rhsmcertd_t:dbus send_msg;
++	allow rhsmcertd_t $1:dbus send_msg;
++')
++
++######################################
++## <summary>
++##  Dontaudit Send and receive messages from
++##  rhsmcertd over dbus.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhsmcertd_dontaudit_dbus_chat',`
++    gen_require(`
++        type rhsmcertd_t;
++        class dbus send_msg;
++    ')
++
++    dontaudit $1 rhsmcertd_t:dbus send_msg;
++    dontaudit rhsmcertd_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an rhsmcertd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rhsmcertd_admin',`
++	gen_require(`
++		type rhsmcertd_t;
++	type rhsmcertd_initrc_exec_t;
++	type rhsmcertd_log_t;
++	type rhsmcertd_var_lib_t;
++	type rhsmcertd_var_run_t;
++	')
++
++	allow $1 rhsmcertd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, rhsmcertd_t)
++
++	rhsmcertd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 rhsmcertd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, rhsmcertd_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, rhsmcertd_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, rhsmcertd_var_run_t)
++
++')
++
+diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
+new file mode 100644
+index 0000000..19fe6b0
+--- /dev/null
++++ b/policy/modules/services/rhsmcertd.te
+@@ -0,0 +1,59 @@
++policy_module(rhsmcertd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rhsmcertd_t;
++type rhsmcertd_exec_t;
++init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t)
++
++permissive rhsmcertd_t;
++
++type rhsmcertd_initrc_exec_t;
++init_script_file(rhsmcertd_initrc_exec_t)
++
++type rhsmcertd_log_t;
++logging_log_file(rhsmcertd_log_t)
++
++type rhsmcertd_lock_t;
++files_lock_file(rhsmcertd_lock_t)
++
++type rhsmcertd_var_lib_t;
++files_type(rhsmcertd_var_lib_t)
++
++type rhsmcertd_var_run_t;
++files_pid_file(rhsmcertd_var_run_t)
++
++########################################
++#
++# rhsmcertd local policy
++#
++
++allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
++allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
++manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
++
++manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
++files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
++
++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
++manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
++
++manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++
++kernel_read_system_state(rhsmcertd_t)
++
++corecmd_exec_bin(rhsmcertd_t)
++
++dev_read_urand(rhsmcertd_t)
++
++files_read_etc_files(rhsmcertd_t)
++files_read_usr_files(rhsmcertd_t)
++
++miscfiles_read_localization(rhsmcertd_t)
++miscfiles_read_certs(rhsmcertd_t)
 diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc
 index 5b08327..ed5dc05 100644
 --- a/policy/modules/services/ricci.fc
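Review bot: `permissive rhsmcertd_t;` in rhsmcertd.te leaves the new daemon domain unenforced (denials are logged, not blocked), and nothing on the line says when it will be removed. A comment such as `# TODO: drop permissive once the policy has been exercised` would keep the domain from staying unenforced by accident. The local policy has `manage_dirs_pattern`/`manage_files_pattern` rules for rhsmcertd_log_t, rhsmcertd_var_lib_t and rhsmcertd_var_run_t but a file transition only for the lock type (`files_lock_filetrans`). Objects the daemon creates directly under the parent log, lib or run directories would presumably keep the parent label unless the rhsm directories already exist with the labels from rhsmcertd.fc. In rhsmcertd_admin the `type` lines inside `gen_require` are indented unevenly.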
@@ -48137,6 +48628,18 @@ index c2cf97e..037a1e8 100644
  
  allow uptimed_t uptimed_etc_t:file read_file_perms;
  files_search_etc(uptimed_t)
+diff --git a/policy/modules/services/usbmuxd.te b/policy/modules/services/usbmuxd.te
+index 4440aa6..34ffbfd 100644
+--- a/policy/modules/services/usbmuxd.te
++++ b/policy/modules/services/usbmuxd.te
+@@ -40,3 +40,7 @@ miscfiles_read_localization(usbmuxd_t)
+ auth_use_nsswitch(usbmuxd_t)
+ 
+ logging_send_syslog_msg(usbmuxd_t)
++
++optional_policy(`
++	virt_dontaudit_read_chr_dev(usbmuxd_t)
++')
 diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
 index d4349e9..4d112ba 100644
 --- a/policy/modules/services/uucp.te
@@ -48497,7 +49000,7 @@ index 2124b6a..9682c44 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..7e8e54f 100644
+index 7c5d8d8..5c0a7a4 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,14 +13,15 @@
@@ -48765,7 +49268,7 @@ index 7c5d8d8..7e8e54f 100644
  	')
  
  	allow $1 virtd_t:process { ptrace signal_perms };
-@@ -515,4 +590,170 @@ interface(`virt_admin',`
+@@ -515,4 +590,188 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -48935,6 +49438,24 @@ index 7c5d8d8..7e8e54f 100644
 +
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
 +	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++')
++
++########################################
++## <summary>
++##	Dontaudit attempts to Read virt_image_type devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_dontaudit_read_chr_dev',`
++	gen_require(`
++		attribute virt_image_type;
++	')
++
++	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
 index 3eca020..4dec4ad 100644
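Review bot: The parameter text of `virt_dontaudit_read_chr_dev` says "Domain allowed access", but the interface only emits `dontaudit $1 virt_image_type:chr_file read_chr_file_perms;` and grants nothing; `##	Domain to not audit.` would describe it. The summary could read `##	Do not audit attempts to read virt_image_type character devices.` Because dontaudit removes these denials from the audit log, a short comment at the call site in usbmuxd.te saying why usbmuxd_t triggers them would help whoever later investigates that domain. rhsmcertd_dontaudit_dbus_chat, added in rhsmcertd.if by this commit, has the same parameter wording.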
@@ -52264,7 +52785,7 @@ index 7f88f5f..bd6493d 100644
  
  sysnet_dns_name_resolve(zabbix_t)
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
-index 3defaa1..7fc57b2 100644
+index 3defaa1..2ad2488 100644
 --- a/policy/modules/services/zarafa.fc
 +++ b/policy/modules/services/zarafa.fc
 @@ -8,7 +8,8 @@
@@ -52272,8 +52793,8 @@ index 3defaa1..7fc57b2 100644
  /usr/bin/zarafa-spooler		--	gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
  
 -/var/lib/zarafa-.*			gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-+/var/lib/zarafa(/.*)?       gen_context(system_u:object_r:zarafa_var_lib_t,s0)
-+/var/lib/zarafa-webaccess(/.*)?         gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa(/.*)?			gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa-webaccess(/.*)?	gen_context(system_u:object_r:zarafa_var_lib_t,s0)
  
  /var/log/zarafa/gateway\.log	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
  /var/log/zarafa/ical\.log	--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
@@ -56143,7 +56664,7 @@ index 831b909..57064ad 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..7354066 100644
+index b6ec597..eedd444 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
@@ -56247,7 +56768,7 @@ index b6ec597..7354066 100644
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
++allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
  dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 syslog;
  # setpgid for metalog
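Review bot: `ipc_lock` is added to the syslogd_t capability set on the changed `allow syslogd_t self:capability { ... }` line, but neither the comments above the rule nor the commit description mention it. The neighbouring comments explain sys_admin and question net_admin; a matching line such as `# ipc_lock for <daemon/feature> - confirm` would record why syslogd_t needs the capability. The surrounding syslogd_t policy continues outside this hunk.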
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0675adf..3128019 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jun 30 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-2
+- Change usbmuxd_t to dontaudit attempts to read chr_file
+- Add mysld_safe_exec_t for libra domains to be able to start private mysql domains
+- Allow pppd to search /var/lock dir
+- Add rhsmcertd policy
+
 * Mon Jun 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-1
 - Update to upstream
 

