[selinux-policy/f13/master] - Add virt_home_ type files located in ~/.libvirt directory - virt creates monitor sockets in the us

Miroslav Grepl mgrepl at fedoraproject.org
Tue Mar 1 12:52:48 UTC 2011


commit e74b348928c02e100e96980a61fd38f5a0b8b64d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Mar 1 13:52:15 2011 +0000

    - Add virt_home_ type files located in ~/.libvirt directory
    - virt creates monitor sockets in the user's home dir
    - Allow lvm setfscreate
    - mta search /var/lib/logcheck
    - sssd needs to bind to random UDP ports
    - certmonger wants to read keytab files

 policy-F13.patch    |  312 +++++++++++++++++++++++++++++++++++++--------------
 selinux-policy.spec |   10 ++-
 2 files changed, 239 insertions(+), 83 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index bb69297..93008f9 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -290,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs
 --- nsaserefpolicy/policy/mcs	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/mcs	2011-02-22 18:00:53.341097838 +0000
++++ serefpolicy-3.7.19/policy/mcs	2011-03-01 12:53:22.768577523 +0000
 @@ -86,10 +86,10 @@
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
@@ -332,7 +332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
  mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
  	( h1 dom h2 );
  
-@@ -126,10 +132,22 @@
+@@ -126,10 +132,25 @@
  mlsconstrain db_tuple { relabelfrom select update delete use }
  	( h1 dom h2 );
  
@@ -352,6 +352,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
  mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
  	( h1 dom h2 );
  
++mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
++	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
++
 +mlsconstrain packet { send recv }
 +    (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
 +
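Review bot: The new `node_bind` constraint is indented with a tab while the `packet { send recv }` constraint directly below it uses four spaces; match the neighbouring line so the two parallel constraints read as one group. A short comment would also help a reader who does not know the attribute, e.g. `# node_bind to a node whose range the caller does not dominate is reserved to mcsnetwrite types`. The rest of the mcs constraint block is outside the hunk.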
@@ -2966,8 +2969,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
 --- nsaserefpolicy/policy/modules/admin/shutdown.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te	2011-02-07 15:02:32.542796002 +0000
-@@ -0,0 +1,71 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te	2011-02-25 17:15:02.692365619 +0000
+@@ -0,0 +1,75 @@
 +policy_module(shutdown,1.0.0)
 +
 +########################################
@@ -3026,6 +3029,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +miscfiles_read_localization(shutdown_t)
 +
 +optional_policy(`
++	cron_system_entry(shutdown_t, shutdown_exec_t)
++')
++
++optional_policy(`
 +	dbus_system_bus_client(shutdown_t)
 +	dbus_connect_system_bus(shutdown_t)
 +')
@@ -19064,8 +19071,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te
 --- nsaserefpolicy/policy/modules/services/certmonger.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te	2010-12-15 14:05:16.000000000 +0000
-@@ -0,0 +1,92 @@
++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te	2011-02-25 17:14:37.956974505 +0000
+@@ -0,0 +1,93 @@
 +policy_module(certmonger,1.0.0)
 +
 +########################################
@@ -19151,6 +19158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +
 +optional_policy(`
 +	kerberos_use(certmonger_t)
++	kerberos_read_keytab(certmonger_t)
 +')
 +
 +optional_policy(`
@@ -23589,7 +23597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.19/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te	2010-10-13 06:36:11.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te	2011-03-01 12:38:16.907876101 +0000
 @@ -19,6 +19,9 @@
  type dnsmasq_lease_t;
  files_type(dnsmasq_lease_t)
@@ -23626,7 +23634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
  files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
  
-@@ -87,6 +93,22 @@
+@@ -87,6 +93,23 @@
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
  optional_policy(`
@@ -23639,6 +23647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
 +
 +optional_policy(`
 +	dbus_system_bus_client(dnsmasq_t)
++	dbus_connect_system_bus(dnsmasq_t)
 +')
 +
 +optional_policy(`
@@ -27335,7 +27344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/mta.te	2011-01-04 14:53:26.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/mta.te	2011-02-25 12:50:49.452607424 +0000
 @@ -21,8 +21,8 @@
  type etc_mail_t;
  files_config_file(etc_mail_t)
@@ -27489,7 +27498,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -245,6 +256,10 @@
+@@ -238,6 +249,10 @@
+ ')
+ 
+ optional_policy(`
++	logwatch_search_cache_dir(mailserver_delivery)
++')
++
++optional_policy(`
+ 	# so MTA can access /var/lib/mailman/mail/wrapper
+ 	files_search_var_lib(mailserver_delivery)
+ 
+@@ -245,6 +260,10 @@
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -27500,7 +27520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ########################################
  #
  # User send mail local policy
-@@ -288,3 +303,33 @@
+@@ -288,3 +307,33 @@
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -33617,7 +33637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te
 --- nsaserefpolicy/policy/modules/services/puppet.te	2010-04-13 18:44:36.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/puppet.te	2011-02-23 12:36:31.000366945 +0000
++++ serefpolicy-3.7.19/policy/modules/services/puppet.te	2011-02-25 13:14:14.528020225 +0000
 @@ -14,6 +14,13 @@
  ## </desc>
  gen_tunable(puppet_manage_all_files, false)
@@ -33647,7 +33667,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
  kernel_read_system_state(puppetmaster_t)
  kernel_read_crypto_sysctls(puppetmaster_t)
  
-@@ -213,15 +227,31 @@
+@@ -210,18 +224,35 @@
+ dev_read_rand(puppetmaster_t)
+ dev_read_urand(puppetmaster_t)
+ 
++domain_obj_id_change_exemption(puppetmaster_t)
  domain_read_all_domains_state(puppetmaster_t)
  
  files_read_etc_files(puppetmaster_t)
@@ -33679,7 +33703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -232,3 +262,8 @@
+@@ -232,3 +263,8 @@
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -36433,7 +36457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/samba.te	2011-01-27 14:24:59.458455001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/samba.te	2011-02-25 12:35:52.540685721 +0000
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -38854,7 +38878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
  	sssd_initrc_domtrans($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/sssd.te	2010-08-18 11:10:17.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/sssd.te	2011-03-01 12:58:07.985556649 +0000
 @@ -29,9 +29,12 @@
  #
  # sssd local policy
@@ -38869,23 +38893,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
  allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
  manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -50,6 +53,7 @@
+@@ -50,6 +53,10 @@
  files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
  kernel_read_system_state(sssd_t)
 +kernel_read_network_state(sssd_t)
++
++corenet_udp_bind_generic_port(sssd_t)
++corenet_dontaudit_udp_bind_all_ports(sssd_t)
  
  corecmd_exec_bin(sssd_t)
  
-@@ -81,6 +85,8 @@
+@@ -61,6 +68,7 @@
+ files_list_tmp(sssd_t)
+ files_read_etc_files(sssd_t)
+ files_read_usr_files(sssd_t)
++files_list_var_lib(sssd_t)
+ 
+ fs_list_inotifyfs(sssd_t)
+ 
+@@ -81,6 +89,11 @@
  
  miscfiles_read_localization(sssd_t)
  
++sysnet_dns_name_resolve(sssd_t)
++sysnet_use_ldap(sssd_t)
++
 +userdom_manage_tmp_role(system_r, sssd_t)
 +
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
  	dbus_connect_system_bus(sssd_t)
+@@ -89,3 +102,11 @@
+ optional_policy(`
+ 	kerberos_manage_host_rcache(sssd_t)
+ ')
++
++optional_policy(`
++	dirsrv_stream_connect(sssd_t)
++')
++
++optional_policy(`
++	ldap_stream_connect(sssd_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.19/policy/modules/services/sysstat.te
 --- nsaserefpolicy/policy/modules/services/sysstat.te	2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/services/sysstat.te	2010-07-27 13:46:39.000000000 +0000
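Review bot: `corenet_udp_bind_generic_port(sssd_t)` together with `corenet_dontaudit_udp_bind_all_ports(sssd_t)` is the usual refpolicy pairing for a process that binds a kernel-chosen UDP port, but nothing in the hunk says so, and the dontaudit silently drops denials for every other UDP port. A one-line comment would stop a later reader from widening or removing it, e.g. `# sssd binds a kernel-chosen UDP port; denials on the other port ranges are expected and dontaudited`. The same hunk adds `sysnet_use_ldap`, `ldap_stream_connect` and `dirsrv_stream_connect`, which go together as LDAP-client access but are likewise uncommented; a single `# LDAP backend` comment above them would do.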
@@ -39448,8 +39498,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/virt.fc	2010-08-18 12:33:42.000000000 +0000
-@@ -12,18 +12,19 @@
++++ serefpolicy-3.7.19/policy/modules/services/virt.fc	2011-03-01 12:46:03.926380019 +0000
+@@ -1,4 +1,5 @@
+-HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
++HOME_DIR/.libvirt(/.*)?     gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
+ HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
+ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+ 
+@@ -12,18 +13,19 @@
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -39689,7 +39746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +')    
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te	2011-01-24 17:03:51.777455001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/virt.te	2011-03-01 12:47:10.941730376 +0000
 @@ -1,5 +1,5 @@
  
 -policy_module(virt, 1.3.2)
@@ -39711,7 +39768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ## Allow virt to use usb devices
  ## </p>
  ## </desc>
-@@ -51,12 +58,12 @@
+@@ -51,35 +58,44 @@
  virt_domain_template(svirt)
  role system_r types svirt_t;
  
@@ -39727,7 +39784,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  type virt_etc_t;
  files_config_file(virt_etc_t)
  
-@@ -66,20 +73,26 @@
+ type virt_etc_rw_t;
+ files_type(virt_etc_rw_t)
+ 
++type virt_home_t;
++userdom_user_home_content(virt_home_t)
++
  # virt Image files
  type virt_image_t; # customizable
  virt_image(virt_image_t)
@@ -39754,7 +39816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  type virtd_t;
  type virtd_exec_t;
-@@ -90,6 +103,11 @@
+@@ -90,6 +106,11 @@
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -39766,7 +39828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -105,15 +123,12 @@
+@@ -105,15 +126,12 @@
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -39783,7 +39845,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -148,11 +163,13 @@
+@@ -134,6 +152,8 @@
+ userdom_search_user_home_content(svirt_t)
+ userdom_read_user_home_content_symlinks(svirt_t)
+ userdom_read_all_users_state(svirt_t)
++append_files_pattern(svirt_t, virt_home_t, virt_home_t)
++stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)
+ 
+ tunable_policy(`virt_use_comm',`
+ 	term_use_unallocated_ttys(svirt_t)
+@@ -148,11 +168,13 @@
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -39797,7 +39868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -161,11 +178,18 @@
+@@ -161,11 +183,18 @@
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -39816,7 +39887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -179,22 +203,32 @@
+@@ -179,22 +208,32 @@
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -39852,7 +39923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  
-@@ -205,8 +239,14 @@
+@@ -205,8 +244,14 @@
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -39869,7 +39940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -225,6 +265,7 @@
+@@ -225,6 +270,7 @@
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -39877,7 +39948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -248,18 +289,27 @@
+@@ -248,18 +294,27 @@
  dev_rw_kvm(virtd_t)
  dev_getattr_all_chr_files(virtd_t)
  dev_rw_mtrr(virtd_t)
@@ -39906,7 +39977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -267,6 +317,18 @@
+@@ -267,6 +322,18 @@
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -39925,14 +39996,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  mcs_process_set_categories(virtd_t)
  
-@@ -290,16 +352,26 @@
+@@ -290,16 +357,31 @@
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
  
++selinux_validate_context(virtd_t)
++
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -39947,12 +40018,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  userdom_read_user_home_content_files(virtd_t)
 +userdom_relabel_user_home_files(virtd_t)
 +userdom_setattr_user_home_content_files(virtd_t)
++manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
++userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
 +
 +consoletype_exec(virtd_t)
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -318,6 +390,10 @@
+@@ -318,6 +400,10 @@
  ')
  
  optional_policy(`
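Review bot: `userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })` applies to every directory or file `virtd_t` creates directly in a user's home directory, not just `.libvirt`; with no name-based transition in use here, anything else the daemon creates there also becomes `virt_home_t`. That is probably acceptable given the `manage_*_pattern` rules above it, but a comment stating the expectation would help, e.g. `# virtd creates ~/.libvirt (monitor sockets) on the user's behalf`. The new `manage_*_pattern(virtd_t, virt_home_t, ...)` lines are also inserted between `userdom_*` calls and `consoletype_exec`, whereas the rest of the file groups rules on the module's own types (virt_etc_t, virt_image_type, virt_log_t) ahead of interface calls; moving them up with those would keep that order.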
@@ -39963,7 +40039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -370,6 +446,8 @@
+@@ -370,6 +456,8 @@
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -39972,7 +40048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  optional_policy(`
-@@ -407,6 +485,19 @@
+@@ -407,6 +495,19 @@
  allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
  allow virt_domain self:tcp_socket create_stream_socket_perms;
  
@@ -39992,7 +40068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +518,7 @@
+@@ -427,6 +528,7 @@
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -40000,7 +40076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -434,10 +526,12 @@
+@@ -434,10 +536,12 @@
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -40013,7 +40089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -445,6 +539,11 @@
+@@ -445,6 +549,11 @@
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -40025,7 +40101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -462,8 +561,13 @@
+@@ -462,8 +571,13 @@
  ')
  
  optional_policy(`
@@ -42224,7 +42300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.19/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.te	2011-01-14 13:32:33.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.te	2011-03-01 12:58:30.780995518 +0000
 @@ -6,9 +6,17 @@
  # Declarations
  #
@@ -42252,7 +42328,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  
  allow chkpwd_t shadow_t:file read_file_perms;
  files_list_etc(chkpwd_t)
-@@ -395,3 +403,13 @@
+@@ -100,6 +108,9 @@
+ files_read_etc_files(chkpwd_t)
+ # for nscd
+ files_dontaudit_search_var(chkpwd_t)
++#671882
++files_read_usr_symlinks(chkpwd_t)
++files_list_tmp(chkpwd_t)
+ 
+ fs_dontaudit_getattr_xattr_fs(chkpwd_t)
+ 
+@@ -395,3 +406,13 @@
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
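Review bot: The new `#671882` comment above `files_read_usr_symlinks(chkpwd_t)` is a bare number; a reader cannot tell which tracker it refers to or what denial it fixes. Spell it out, e.g. `# bug 671882: chkpwd follows symlinks under /usr and lists /tmp`, so the two rules can be re-evaluated later. The surrounding chkpwd_t block begins outside the hunk.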
@@ -44658,7 +44744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.te	2011-02-03 10:53:43.756796001 +0000
++++ serefpolicy-3.7.19/policy/modules/system/lvm.te	2011-02-25 16:51:35.365008252 +0000
 @@ -13,6 +13,9 @@
  type clvmd_initrc_exec_t;
  init_script_file(clvmd_initrc_exec_t)
@@ -44669,6 +44755,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  type clvmd_var_run_t;
  files_pid_file(clvmd_var_run_t)
  
+@@ -25,7 +28,7 @@
+ role system_r types lvm_t;
+ 
+ type lvm_etc_t;
+-files_type(lvm_etc_t)
++files_config_file(lvm_etc_t)
+ 
+ type lvm_lock_t;
+ files_lock_file(lvm_lock_t)
 @@ -57,6 +60,10 @@
  allow clvmd_t self:tcp_socket create_stream_socket_perms;
  allow clvmd_t self:udp_socket create_socket_perms;
@@ -44692,15 +44787,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  	ccs_stream_connect(clvmd_t)
  ')
  
-@@ -171,6 +183,7 @@
- allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+@@ -168,13 +180,15 @@
+ # net_admin for multipath
+ allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+ dontaudit lvm_t self:capability sys_tty_config;
+-allow lvm_t self:process { sigchld sigkill sigstop signull signal };
++allow lvm_t self:process { setfscreate sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
  allow lvm_t self:process setsched;
 +allow lvm_t self:sem create_sem_perms;
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -218,6 +231,7 @@
+ allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow lvm_t self:sem create_sem_perms;
+ 
+ allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
+@@ -191,8 +205,9 @@
+ can_exec(lvm_t, lvm_exec_t)
+ 
+ # Creating lock files
++manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+ manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+-files_lock_filetrans(lvm_t, lvm_lock_t, file)
++files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })
+ 
+ manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+ manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+@@ -201,7 +216,7 @@
+ manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+ manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+ manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file sock_file })
+ 
+ read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+ read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+@@ -211,6 +226,7 @@
+ files_etc_filetrans(lvm_t, lvm_metadata_t, file)
+ files_search_mnt(lvm_t)
+ 
++kernel_get_sysvipc_info(lvm_t)
+ kernel_read_system_state(lvm_t)
+ kernel_read_kernel_sysctls(lvm_t)
+ # Read system variables in /proc/sys
+@@ -218,6 +234,7 @@
  # it has no reason to need this
  kernel_dontaudit_getattr_core_if(lvm_t)
  kernel_use_fds(lvm_t)
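Review bot: `allow lvm_t self:sem create_sem_perms;` now appears twice on the new side of the nested lvm.te hunk — once already present after `allow lvm_t self:process setsched;` and again after the `netlink_kobject_uevent_socket` rule; checkpolicy merges duplicate allow rules, so it builds, but one of the two should be dropped. The `setfscreate` addition to the `self:process` rule lets lvm_t choose the context of objects it creates, which is a deliberate widening; a comment naming the lvm operation that needs it would help, e.g. `# setfscreate: lvm sets the label of objects it creates (3.7.19-96)`. The `files_lock_filetrans` and `files_pid_filetrans` changes to `{ file dir }` / `{ dir file sock_file }` are matched by the `manage_dirs_pattern` rules added above them, so those look consistent.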
@@ -44708,7 +44840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -244,6 +258,7 @@
+@@ -244,6 +261,7 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -44716,7 +44848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -253,8 +268,9 @@
+@@ -253,8 +271,9 @@
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -44727,7 +44859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -264,6 +280,7 @@
+@@ -264,6 +283,7 @@
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
@@ -44735,7 +44867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -311,6 +328,11 @@
+@@ -311,6 +331,11 @@
  ')
  
  optional_policy(`
@@ -44747,7 +44879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -331,6 +353,10 @@
+@@ -331,6 +356,10 @@
  ')
  
  optional_policy(`
@@ -48095,7 +48227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if	2011-02-07 16:39:28.257796001 +0000
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if	2011-02-25 17:52:11.239507921 +0000
 @@ -30,8 +30,9 @@
  	')
  
@@ -49238,7 +49370,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1116,10 +1325,13 @@
+@@ -1102,6 +1311,9 @@
+ 	dev_rename_all_blk_files($1_t)
+ 	dev_rename_all_chr_files($1_t)
+ 	dev_create_generic_symlinks($1_t)
++	# needed by lsusb
++	dev_rw_generic_usb_dev($1_t)
++	dev_rw_usbfs($1_t)
+ 
+ 	domain_setpriority_all_domains($1_t)
+ 	domain_read_all_domains_state($1_t)
+@@ -1116,15 +1328,19 @@
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
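Review bot: `dev_rw_generic_usb_dev($1_t)` and `dev_rw_usbfs($1_t)` grant read and write, while the comment only says `# needed by lsusb`; if listing devices works with read-only access, the read-only counterparts of these interfaces would be the least-privilege choice, and if write is genuinely required the comment should say why, e.g. `# needed by lsusb (opens USB device nodes read/write)`. The interface containing this `$1_t` block begins and ends outside the hunk.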
@@ -49252,7 +49394,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	fs_set_all_quotas($1_t)
  	fs_exec_noxattr($1_t)
  
-@@ -1139,6 +1351,7 @@
+ 	storage_raw_read_removable_device($1_t)
+ 	storage_raw_write_removable_device($1_t)
++	storage_dontaudit_read_fixed_disk($1_t)
+ 
+ 	term_use_all_terms($1_t)
+ 
+@@ -1139,6 +1355,7 @@
  	logging_send_syslog_msg($1_t)
  
  	modutils_domtrans_insmod($1_t)
@@ -49260,7 +49408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1207,6 +1420,8 @@
+@@ -1207,6 +1424,8 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -49269,7 +49417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1219,6 +1434,7 @@
+@@ -1219,6 +1438,7 @@
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -49277,7 +49425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1234,6 +1450,7 @@
+@@ -1234,6 +1454,7 @@
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -49285,7 +49433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1272,11 +1489,15 @@
+@@ -1272,11 +1493,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -49301,7 +49449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1387,6 +1608,7 @@
+@@ -1387,6 +1612,7 @@
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -49309,7 +49457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_home($1)
  ')
  
-@@ -1433,6 +1655,14 @@
+@@ -1433,6 +1659,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -49324,7 +49472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1448,9 +1678,11 @@
+@@ -1448,9 +1682,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -49336,7 +49484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1507,6 +1739,42 @@
+@@ -1507,6 +1743,42 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -49379,7 +49527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1581,6 +1849,8 @@
+@@ -1581,6 +1853,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -49388,7 +49536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1595,10 +1865,12 @@
+@@ -1595,10 +1869,12 @@
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -49403,7 +49551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1641,6 +1913,24 @@
+@@ -1641,6 +1917,24 @@
  
  ########################################
  ## <summary>
@@ -49428,7 +49576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1692,10 +1982,30 @@
+@@ -1692,10 +1986,30 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -49459,7 +49607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ########################################
  ## <summary>
  ##	Do not audit attempts to read user home files.
-@@ -1708,11 +2018,14 @@
+@@ -1708,11 +2022,14 @@
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -49477,7 +49625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1802,8 +2115,7 @@
+@@ -1802,8 +2119,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -49487,7 +49635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1815,24 +2127,17 @@
+@@ -1815,24 +2131,17 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -49516,7 +49664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  ########################################
  ## <summary>
-@@ -1866,6 +2171,7 @@
+@@ -1866,6 +2175,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -49524,7 +49672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2408,25 @@
+@@ -2102,6 +2412,25 @@
  
  ########################################
  ## <summary>
@@ -49550,7 +49698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Do not audit attempts to list user
  ##	temporary directories.
  ## </summary>
-@@ -2218,6 +2543,25 @@
+@@ -2218,6 +2547,25 @@
  
  ########################################
  ## <summary>
@@ -49576,7 +49724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Do not audit attempts to manage users
  ##	temporary files.
  ## </summary>
-@@ -2427,13 +2771,14 @@
+@@ -2427,13 +2775,14 @@
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -49592,7 +49740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2454,6 +2799,24 @@
+@@ -2454,6 +2803,24 @@
  
  ########################################
  ## <summary>
@@ -49617,7 +49765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2747,6 +3110,25 @@
+@@ -2747,6 +3114,25 @@
  
  ########################################
  ## <summary>
@@ -49643,7 +49791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Execute bin_t in the unprivileged user domains. This
  ##	is an explicit transition, requiring the
  ##	caller to use setexeccon().
-@@ -2787,7 +3169,7 @@
+@@ -2787,7 +3173,7 @@
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -49652,7 +49800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2803,11 +3185,13 @@
+@@ -2803,11 +3189,13 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -49668,7 +49816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2944,7 +3328,7 @@
+@@ -2944,7 +3332,7 @@
  		type user_tmp_t;
  	')
  
@@ -49677,7 +49825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2981,6 +3365,7 @@
+@@ -2981,6 +3369,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -49685,7 +49833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -3111,3 +3496,725 @@
+@@ -3111,3 +3500,725 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7e10342..a59ea5f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 95%{?dist}
+Release: 96%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,14 @@ exit 0
 %endif
 
 %changelog
+* Tue Mar 1 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-96
+- Add virt_home_ type files located in ~/.libvirt directory
+- virt creates monitor sockets in the users home dir
+- Allow lvm setfscreate
+- mta search /var/lib/logcheck
+- sssd needs to bind to random UDP ports
+- certmonger wants to read keytab files
+
 * Thu Feb 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-95
 - Fix spec file to not restore context on /var/lib
 - Fix for policykit

