[selinux-policy/f16] - Add fs_read_fusefs_dirs interface - Allow mailman to read /dev/urandom - Allow clamd to read spamd
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Nov 28 20:21:52 UTC 2011
commit 0685f04414489e714886309f376a4f0b28374465
Author: Miroslav <mgrepl at redhat.com>
Date: Mon Nov 28 21:21:23 2011 +0100
- Add fs_read_fusefs_dirs interface
- Allow mailman to read /dev/urandom
- Allow clamd to read spamd pid file
- Allow mount to read /dev/urandom
- Add use_fusefs_home_dirs also for system_dbus_t
policy-F16.patch | 154 ++++++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 9 +++-
2 files changed, 113 insertions(+), 50 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 9e336fa..e147e6f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -18609,7 +18609,7 @@ index 22821ff..20251b0 100644
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..50b0acf 100644
+index 97fcdac..630ff53 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18855,7 +18855,33 @@ index 97fcdac..50b0acf 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1984,6 +2126,25 @@ interface(`fs_manage_fusefs_files',`
+@@ -1886,6 +2028,25 @@ interface(`fs_dontaudit_list_fusefs',`
+ dontaudit $1 fusefs_t:dir list_dir_perms;
+ ')
+
++#######################################
++## <summary>
++## Do not audit attempts to list the contents
++## of directories on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_read_fusefs_dirs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ list_dirs_pattern($1, fusefs_t, fusefs_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete directories
+@@ -1984,6 +2145,25 @@ interface(`fs_manage_fusefs_files',`
manage_files_pattern($1, fusefs_t, fusefs_t)
')
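Review bot: The new `fs_read_fusefs_dirs` interface is an allow rule (`list_dirs_pattern($1, fusefs_t, fusefs_t)`), but its XML header was copied from `fs_dontaudit_list_fusefs` and still says `## Do not audit attempts to list the contents` and `## Domain to not audit.`; the interface reference documentation is generated from these summaries, so they should read `## List the contents of directories on a FUSEFS filesystem.` and `## Domain allowed access.`. The divider above the block has 39 `#` where the neighbouring interface blocks use 40. The `interface(` body itself is complete within the hunk.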
@@ -18881,7 +18907,7 @@ index 97fcdac..50b0acf 100644
########################################
## <summary>
## Do not audit attempts to create,
-@@ -2080,6 +2241,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2260,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
## <summary>
@@ -18906,7 +18932,7 @@ index 97fcdac..50b0acf 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
-@@ -2148,6 +2327,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2346,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -18914,7 +18940,7 @@ index 97fcdac..50b0acf 100644
')
########################################
-@@ -2480,6 +2660,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2679,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -18922,7 +18948,7 @@ index 97fcdac..50b0acf 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2518,6 +2699,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2718,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -18930,7 +18956,7 @@ index 97fcdac..50b0acf 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2544,6 +2726,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2745,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -18956,7 +18982,7 @@ index 97fcdac..50b0acf 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2584,6 +2785,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2804,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -18999,7 +19025,7 @@ index 97fcdac..50b0acf 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2598,7 +2835,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2854,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -19008,7 +19034,7 @@ index 97fcdac..50b0acf 100644
')
########################################
-@@ -2736,7 +2973,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2992,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@@ -19017,7 +19043,7 @@ index 97fcdac..50b0acf 100644
## </summary>
## </param>
#
-@@ -2772,7 +3009,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3028,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -19026,7 +19052,7 @@ index 97fcdac..50b0acf 100644
## </summary>
## </param>
#
-@@ -2965,6 +3202,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3221,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -19034,7 +19060,7 @@ index 97fcdac..50b0acf 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3005,6 +3243,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3262,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -19042,7 +19068,7 @@ index 97fcdac..50b0acf 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3045,6 +3284,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3303,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -19050,7 +19076,7 @@ index 97fcdac..50b0acf 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3958,6 +4198,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4217,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -19093,7 +19119,7 @@ index 97fcdac..50b0acf 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -4175,6 +4451,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4470,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -19118,7 +19144,7 @@ index 97fcdac..50b0acf 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4251,6 +4545,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4564,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@@ -19144,7 +19170,7 @@ index 97fcdac..50b0acf 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
-@@ -4457,6 +4770,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4789,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -19153,7 +19179,7 @@ index 97fcdac..50b0acf 100644
')
########################################
-@@ -4503,7 +4818,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4837,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -19162,7 +19188,7 @@ index 97fcdac..50b0acf 100644
## Example attributes:
## </p>
## <ul>
-@@ -4866,3 +5181,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5200,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -29495,7 +29521,7 @@ index 1f11572..9eb2461 100644
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..4bc077f 100644
+index f758323..4c06224 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,16 @@
@@ -29569,7 +29595,7 @@ index f758323..4bc077f 100644
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
-@@ -142,13 +147,30 @@ optional_policy(`
+@@ -142,13 +147,31 @@ optional_policy(`
')
optional_policy(`
@@ -29589,6 +29615,7 @@ index f758323..4bc077f 100644
+
+optional_policy(`
+ spamd_stream_connect(clamd_t)
++ spamd_read_pid(clamd_t)
+')
+
tunable_policy(`clamd_use_jit',`
@@ -29601,7 +29628,7 @@ index f758323..4bc077f 100644
')
########################################
-@@ -178,10 +200,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +201,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -29620,7 +29647,7 @@ index f758323..4bc077f 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +217,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +218,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -29628,7 +29655,7 @@ index f758323..4bc077f 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +236,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +237,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -29651,7 +29678,7 @@ index f758323..4bc077f 100644
########################################
#
# clamscam local policy
-@@ -242,15 +273,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +274,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -29681,7 +29708,7 @@ index f758323..4bc077f 100644
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +309,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +310,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -30735,10 +30762,10 @@ index 0000000..ed13d1e
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..e4d7098
+index 0000000..ca71d08
--- /dev/null
+++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,80 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -30812,7 +30839,8 @@ index 0000000..e4d7098
+
+optional_policy(`
+ apache_content_template(collectd)
-+
++
++ files_search_var_lib(httpd_collectd_script_t)
+ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
+ miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
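Review bot: The added `files_search_var_lib(httpd_collectd_script_t)` is not listed in the commit message or in the new 3.10.0-62 %changelog entry, which only mention the fusefs, mailman, clamd, mount and dbus changes; a one-line entry such as `- Allow httpd_collectd_script_t to search /var/lib` would keep the changelog a faithful record of what the policy now permits. The enclosing `optional_policy(` block closes outside the hunk.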
@@ -33687,7 +33715,7 @@ index 1a1becd..0aa5aaf 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..f0266a9 100644
+index 1bff6ee..ad305bc 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -33749,10 +33777,16 @@ index 1bff6ee..f0266a9 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -136,11 +143,33 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -136,11 +143,39 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_read_fusefs_dirs(system_dbusd_t)
++ fs_read_fusefs_files(system_dbusd_t)
++ fs_read_fusefs_symlinks(system_dbusd_t)
++')
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(system_dbusd_t)
+')
@@ -33783,7 +33817,7 @@ index 1bff6ee..f0266a9 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +180,166 @@ optional_policy(`
+@@ -151,12 +186,166 @@ optional_policy(`
')
optional_policy(`
@@ -33921,7 +33955,7 @@ index 1bff6ee..f0266a9 100644
+ fs_manage_nfs_dirs(session_bus_type)
+ fs_manage_nfs_files(session_bus_type)
+')
-+
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(session_bus_type)
+ fs_manage_cifs_files(session_bus_type)
@@ -33934,7 +33968,7 @@ index 1bff6ee..f0266a9 100644
+optional_policy(`
+ hal_dbus_chat(session_bus_type)
+')
-
++
+optional_policy(`
+ xserver_search_xdm_lib(session_bus_type)
+ xserver_use_xdm_fds(session_bus_type)
@@ -42487,7 +42521,7 @@ index 67c7fdd..d7338be 100644
## <summary>
## Execute mailman CGI scripts in the
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
-index af4d572..cea085e 100644
+index af4d572..0c0925e 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
@@ -42500,7 +42534,7 @@ index af4d572..cea085e 100644
mailman_domain_template(mail)
init_daemon_domain(mailman_mail_t, mailman_mail_exec_t)
-@@ -61,14 +64,22 @@ optional_policy(`
+@@ -61,14 +64,24 @@ optional_policy(`
# Mailman mail local policy
#
@@ -42522,10 +42556,12 @@ index af4d572..cea085e 100644
+corenet_tcp_connect_innd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
+
++dev_read_urand(mailman_mail_t)
++
files_search_spool(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,11 +92,16 @@ optional_policy(`
+@@ -81,11 +94,16 @@ optional_policy(`
')
optional_policy(`
@@ -42542,7 +42578,7 @@ index af4d572..cea085e 100644
')
########################################
-@@ -104,6 +120,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+@@ -104,6 +122,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
kernel_read_proc_symlinks(mailman_queue_t)
@@ -42551,7 +42587,7 @@ index af4d572..cea085e 100644
auth_domtrans_chk_passwd(mailman_queue_t)
files_dontaudit_search_pids(mailman_queue_t)
-@@ -125,4 +143,4 @@ optional_policy(`
+@@ -125,4 +145,4 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
@@ -58304,7 +58340,7 @@ index 6b3abf9..a785741 100644
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
-index c954f31..c7cadcb 100644
+index c954f31..d5e959d 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -14,6 +14,7 @@
@@ -58423,7 +58459,7 @@ index c954f31..c7cadcb 100644
allow $1 spamd_tmp_t:file read_file_perms;
')
-@@ -223,5 +291,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+@@ -223,5 +291,91 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
type spamd_tmp_t;
')
@@ -58431,6 +58467,25 @@ index c954f31..c7cadcb 100644
+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
+')
+
++#######################################
++## <summary>
++## Read spamd pid file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to connect.
++## </summary>
++## </param>
++#
++interface(`spamd_read_pid',`
++ gen_require(`
++ type spamd_t, spamd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
++')
++
+########################################
+## <summary>
+## Connect to run spamd.
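Review bot: `spamd_read_pid` requires `type spamd_t, spamd_var_run_t;` but the body only references spamd_var_run_t, so the require should be `type spamd_var_run_t;`. The `<param>` summary `## Domain allowed to connect.` appears copied from a connect interface and should be `## Domain allowed access.`, since the rule grants read access to the pid file rather than a connection. The name also diverges from the `spamassassin_*` prefix used by `spamassassin_dontaudit_getattr_spamd_tmp_sockets` earlier in this file, although the existing `spamd_stream_connect` call in the clamav hunk suggests the short prefix is already established in this patch; one convention should be chosen. The divider line has 39 `#` versus the 40 used by the adjacent block.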
@@ -72156,7 +72211,7 @@ index 8b5c196..da41726 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..bb2ac39 100644
+index 15832c7..2596ae0 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
@@ -72233,7 +72288,7 @@ index 15832c7..bb2ac39 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -57,65 +88,93 @@ kernel_request_load_module(mount_t)
+@@ -57,65 +88,94 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -72242,6 +72297,7 @@ index 15832c7..bb2ac39 100644
dev_list_all_dev_nodes(mount_t)
+dev_read_usbfs(mount_t)
+dev_read_rand(mount_t)
++dev_read_urand(mount_t)
dev_read_sysfs(mount_t)
dev_dontaudit_write_sysfs_dirs(mount_t)
dev_rw_lvm_control(mount_t)
@@ -72336,7 +72392,7 @@ index 15832c7..bb2ac39 100644
logging_send_syslog_msg(mount_t)
-@@ -126,6 +185,8 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +186,8 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -72345,7 +72401,7 @@ index 15832c7..bb2ac39 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,26 +202,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +203,28 @@ ifdef(`distro_ubuntu',`
')
')
@@ -72384,7 +72440,7 @@ index 15832c7..bb2ac39 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +237,8 @@ optional_policy(`
+@@ -174,6 +238,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -72393,7 +72449,7 @@ index 15832c7..bb2ac39 100644
')
optional_policy(`
-@@ -181,6 +246,28 @@ optional_policy(`
+@@ -181,6 +247,28 @@ optional_policy(`
')
optional_policy(`
@@ -72422,7 +72478,7 @@ index 15832c7..bb2ac39 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +275,87 @@ optional_policy(`
+@@ -188,21 +276,87 @@ optional_policy(`
')
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d77d15e..dc18443 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 61%{?dist}
+Release: 62%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Nov 28 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-62
+- Add fs_read_fusefs_dirs interface
+- Allow mailman to read /dev/urandom
+- Allow clamd to read spamd pid file
+- Allow mount to read /dev/urandom
+- Add use_fusefs_home_dirs also for system_dbus_t
+
* Fri Nov 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-61
- Needs to require new version policycoreutils