[selinux-policy/f16] - For some reason chfn tries to stat all devices, dontaudit this - On resume, devicekit_power is res
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Sep 6 21:08:32 UTC 2011
commit a2f7d6a48e3799b30620308c3ecda873aee08985
Author: Miroslav <mgrepl at redhat.com>
Date: Tue Sep 6 23:08:08 2011 +0200
- For some reason chfn tries to stat all devices, dontaudit this
- On resume, devicekit_power is resetting X using xmodutil, so it needs to talk to the Xserver
- Allow saslauthd to be able to manipulate afs kernel subsystem at login
- allow xdm_t to execute content labeled xdm_tmp_t, needed for xdm to be able to run gnome-shell
- /etc/passwd.adjunct and /etc/passwd.adjunct.old need to be labeled shadow_t
policy-F16.patch | 161 ++++++++++++++++++++++++++++++---------------------
selinux-policy.spec | 9 +++-
2 files changed, 102 insertions(+), 68 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 213601a..178c903 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3621,10 +3621,10 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..3d2f418 100644
+index 441cf22..0df5af0 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
-@@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t)
+@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -3635,9 +3635,10 @@ index 441cf22..3d2f418 100644
fs_getattr_xattr_fs(chfn_t)
fs_search_auto_mountpoints(chfn_t)
-@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
+
# for SSP
dev_read_urand(chfn_t)
++dev_dontaudit_getattr_all(chfn_t)
-auth_domtrans_chk_passwd(chfn_t)
-auth_dontaudit_read_shadow(chfn_t)
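Review bot: The new `dev_dontaudit_getattr_all(chfn_t)` line sits directly under the `# for SSP` comment that explains `dev_read_urand`, so a reader will attach the SSP rationale to it; give it its own comment, e.g. `# chfn stats every device node (cause unknown); silence the denial rather than grant getattr`. The commit message itself says the reason is unknown, and a dontaudit removes the denial from the audit log, so a short TODO to find the root cause would keep this from being forgotten. The enclosing chfn_t rule block continues outside the hunk.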
@@ -3646,7 +3647,7 @@ index 441cf22..3d2f418 100644
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
-@@ -118,6 +116,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+@@ -118,6 +117,10 @@ userdom_use_unpriv_users_fds(chfn_t)
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
@@ -3657,7 +3658,7 @@ index 441cf22..3d2f418 100644
########################################
#
# Crack local policy
-@@ -194,8 +196,7 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +197,7 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -3667,7 +3668,7 @@ index 441cf22..3d2f418 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -291,17 +292,18 @@ selinux_compute_create_context(passwd_t)
+@@ -291,17 +293,18 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -3690,7 +3691,7 @@ index 441cf22..3d2f418 100644
domain_use_interactive_fds(passwd_t)
-@@ -323,7 +325,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +326,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@@ -3699,7 +3700,7 @@ index 441cf22..3d2f418 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -332,6 +334,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3707,7 +3708,7 @@ index 441cf22..3d2f418 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -381,8 +384,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +385,7 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3717,7 +3718,7 @@ index 441cf22..3d2f418 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +428,7 @@ optional_policy(`
+@@ -426,7 +429,7 @@ optional_policy(`
# Useradd local policy
#
@@ -3726,7 +3727,7 @@ index 441cf22..3d2f418 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,6 +450,9 @@ corecmd_exec_shell(useradd_t)
+@@ -448,6 +451,9 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3736,7 +3737,7 @@ index 441cf22..3d2f418 100644
domain_use_interactive_fds(useradd_t)
domain_read_all_domains_state(useradd_t)
-@@ -460,6 +465,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,6 +466,7 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
@@ -3744,7 +3745,7 @@ index 441cf22..3d2f418 100644
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
-@@ -469,8 +475,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +476,7 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
@@ -3754,7 +3755,7 @@ index 441cf22..3d2f418 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,21 +503,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +504,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -25800,10 +25801,10 @@ index fa62787..ffd0da5 100644
admin_pattern($1, certmaster_etc_rw_t)
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
-index 3384132..daef4e1 100644
+index 3384132..97d3269 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
-@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
+@@ -43,23 +43,25 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
@@ -25826,6 +25827,8 @@ index 3384132..daef4e1 100644
corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)
++dev_read_urand(certmaster_t)
++
files_search_etc(certmaster_t)
+files_read_usr_files(certmaster_t)
files_list_var(certmaster_t)
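Review bot: `dev_read_urand(certmaster_t)` is added here without being mentioned in the commit message or in the spec changelog entry; the same holds for the glance.te hunks (the new `glance_registry_tmp_t` type with its tmp filetrans, and `fs_getattr_xattr_fs(glance_api_t)`) and for the modutils.te line `devicekit_dontaudit_read_pid_files(insmod_t)`. The rules themselves look benign, but one changelog line per touched module keeps the package history usable when an AVC regression has to be bisected later. The certmaster_t rule block continues outside the hunk.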
@@ -30915,7 +30918,7 @@ index f706b99..13d3a35 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..5a06fc7 100644
+index f231f17..544ab05 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -31100,7 +31103,7 @@ index f231f17..5a06fc7 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +325,25 @@ optional_policy(`
+@@ -276,9 +325,30 @@ optional_policy(`
')
optional_policy(`
@@ -31126,6 +31129,11 @@ index f231f17..5a06fc7 100644
+optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
++
++optional_policy(`
++ corenet_tcp_connect_xserver_port(devicekit_power_t)
++ xserver_stream_connect(devicekit_power_t)
++')
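Review bot: The new `optional_policy` block grants devicekit_power_t `corenet_tcp_connect_xserver_port`, a TCP connect to the X server port on any reachable host, in addition to `xserver_stream_connect`. If the resume-time xmodutil call described in the commit message only needs the local display socket, the stream-connect rule alone is the narrower grant; if the TCP path really is required, say so next to the rule, e.g. `# xmodutil resets the X server on resume and talks to the Xserver`, since nothing in the block records what it is for.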
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
index 767e0c7..7956248 100644
--- a/policy/modules/services/dhcp.fc
@@ -35311,10 +35319,10 @@ index 0000000..3b1870a
+
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
new file mode 100644
-index 0000000..030a521
+index 0000000..3d67b98
--- /dev/null
+++ b/policy/modules/services/glance.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,131 @@
+policy_module(glance, 1.0.0)
+
+########################################
@@ -35329,6 +35337,9 @@ index 0000000..030a521
+type glance_registry_initrc_exec_t;
+init_script_file(glance_registry_initrc_exec_t)
+
++type glance_registry_tmp_t;
++files_tmp_file(glance_registry_tmp_t)
++
+type glance_api_t;
+type glance_api_exec_t;
+init_daemon_domain(glance_api_t, glance_api_exec_t)
@@ -35357,6 +35368,10 @@ index 0000000..030a521
+allow glance_registry_t self:unix_stream_socket create_stream_socket_perms;
+allow glance_registry_t self:tcp_socket create_stream_socket_perms;
+
++manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
++manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
++files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
++
+manage_dirs_pattern(glance_registry_t, glance_log_t, glance_log_t)
+manage_files_pattern(glance_registry_t, glance_log_t, glance_log_t)
+logging_log_filetrans(glance_registry_t, glance_log_t, { dir file })
@@ -35423,6 +35438,8 @@ index 0000000..030a521
+
+dev_read_urand(glance_api_t)
+
++fs_getattr_xattr_fs(glance_api_t)
++
+domain_use_interactive_fds(glance_api_t)
+
+files_read_etc_files(glance_api_t)
@@ -51351,7 +51368,7 @@ index f1aea88..a5a75a8 100644
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index cfc60dd..53a9d2d 100644
+index cfc60dd..791c5b3 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
@@ -51364,7 +51381,7 @@ index cfc60dd..53a9d2d 100644
type saslauthd_var_run_t;
files_pid_file(saslauthd_var_run_t)
-@@ -38,17 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;
@@ -51381,14 +51398,14 @@ index cfc60dd..53a9d2d 100644
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
-
++kernel_rw_afs_state(saslauthd_t)
++
+#577519
+corecmd_exec_bin(saslauthd_t)
-+
+
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
- corenet_tcp_sendrecv_generic_if(saslauthd_t)
-@@ -94,6 +93,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
optional_policy(`
kerberos_keytab_template(saslauthd, saslauthd_t)
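Review bot: `kernel_rw_afs_state(saslauthd_t)` is added unconditionally and without a comment; the commit message gives the rationale (manipulating the AFS kernel subsystem at login), and that belongs next to the rule, e.g. `# saslauthd needs to manipulate the afs kernel state at login`, in the same way the nearby `corecmd_exec_bin` line carries a `#577519` reference. Because this gives read/write access to the AFS kernel state to every saslauthd deployment, including the many that never use AFS, consider gating it behind a tunable so it is off by default. The saslauthd_t rule block continues outside the hunk.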
@@ -53919,7 +53936,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..4ecf377 100644
+index 8ffa257..69e86c3 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -53928,7 +53945,7 @@ index 8ffa257..4ecf377 100644
#
-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
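Review bot: The capability line for sssd_t gains `net_admin`, which appears in neither the commit message nor the spec changelog, and no comment says which sssd operation needs it. CAP_NET_ADMIN is one of the broader capabilities (network configuration and privileged socket operations), so the rule deserves a comment naming the denial that triggered it, e.g. `# net_admin: <operation observed in the AVC>`; if it was a single socket option, a narrower rule may be enough. The sssd_t rule block continues outside the hunk.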
@@ -58161,7 +58178,7 @@ index 130ced9..b6fb17a 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..00b270e 100644
+index 143c893..453a478 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -58527,7 +58544,7 @@ index 143c893..00b270e 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +454,63 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -58545,6 +58562,7 @@ index 143c893..00b270e 100644
+files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
+relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++can_exec(xdm_t, xdm_tmp_t)
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
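Review bot: `can_exec(xdm_t, xdm_tmp_t)` lets xdm_t execute files of a type it also creates and relabels (the `files_tmp_filetrans` and `relabelfrom_*` lines just above it), so anything xdm_t writes under /tmp becomes executable for it; this is the usual write-plus-execute concern for a tmp type. The commit message ties it to running gnome-shell, so record that in a comment, e.g. `# gdm runs gnome-shell, which executes content it puts under xdm_tmp_t`, and if the executed files are a known set, a dedicated exec type for them would avoid extending exec to all of xdm_tmp_t. The surrounding xdm_t rule block continues outside the hunk.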
@@ -58596,7 +58614,7 @@ index 143c893..00b270e 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -58624,7 +58642,7 @@ index 143c893..00b270e 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +549,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -58678,7 +58696,7 @@ index 143c893..00b270e 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -435,9 +602,23 @@ files_list_mnt(xdm_t)
+@@ -435,9 +603,23 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -58702,7 +58720,7 @@ index 143c893..00b270e 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +627,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +628,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -58742,7 +58760,7 @@ index 143c893..00b270e 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -58773,7 +58791,7 @@ index 143c893..00b270e 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
@@ -58788,7 +58806,7 @@ index 143c893..00b270e 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -58810,7 +58828,7 @@ index 143c893..00b270e 100644
')
optional_policy(`
-@@ -519,12 +748,62 @@ optional_policy(`
+@@ -519,12 +749,62 @@ optional_policy(`
')
optional_policy(`
@@ -58873,7 +58891,7 @@ index 143c893..00b270e 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +821,69 @@ optional_policy(`
+@@ -542,28 +822,69 @@ optional_policy(`
')
optional_policy(`
@@ -58952,7 +58970,7 @@ index 143c893..00b270e 100644
')
optional_policy(`
-@@ -575,6 +895,14 @@ optional_policy(`
+@@ -575,6 +896,14 @@ optional_policy(`
')
optional_policy(`
@@ -58967,7 +58985,7 @@ index 143c893..00b270e 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +927,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +928,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -58976,7 +58994,7 @@ index 143c893..00b270e 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +941,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -58992,7 +59010,7 @@ index 143c893..00b270e 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +968,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -59014,7 +59032,7 @@ index 143c893..00b270e 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +988,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +989,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -59022,7 +59040,7 @@ index 143c893..00b270e 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,7 +1015,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,7 +1016,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -59030,7 +59048,7 @@ index 143c893..00b270e 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -682,11 +1024,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -682,11 +1025,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -59048,7 +59066,7 @@ index 143c893..00b270e 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1045,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1046,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -59062,7 +59080,7 @@ index 143c893..00b270e 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1064,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1065,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -59071,7 +59089,7 @@ index 143c893..00b270e 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1071,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1072,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -59086,7 +59104,7 @@ index 143c893..00b270e 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1130,40 @@ optional_policy(`
+@@ -778,16 +1131,40 @@ optional_policy(`
')
optional_policy(`
@@ -59128,7 +59146,7 @@ index 143c893..00b270e 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1172,10 @@ optional_policy(`
+@@ -796,6 +1173,10 @@ optional_policy(`
')
optional_policy(`
@@ -59139,7 +59157,7 @@ index 143c893..00b270e 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1191,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1192,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -59153,7 +59171,7 @@ index 143c893..00b270e 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1202,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1203,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -59162,7 +59180,7 @@ index 143c893..00b270e 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,6 +1215,9 @@ init_use_fds(xserver_t)
+@@ -835,6 +1216,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -59172,7 +59190,7 @@ index 143c893..00b270e 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1225,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -842,6 +1226,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -59184,7 +59202,7 @@ index 143c893..00b270e 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1238,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -850,11 +1239,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -59201,7 +59219,7 @@ index 143c893..00b270e 100644
')
optional_policy(`
-@@ -862,6 +1253,10 @@ optional_policy(`
+@@ -862,6 +1254,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -59212,7 +59230,7 @@ index 143c893..00b270e 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1300,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1301,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -59221,7 +59239,7 @@ index 143c893..00b270e 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1354,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1355,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -59253,7 +59271,7 @@ index 143c893..00b270e 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1400,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1401,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -59702,10 +59720,18 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..5b765ce 100644
+index 28ad538..59742f4 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', `
+@@ -5,6 +5,7 @@
+ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
+ /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+
+ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+@@ -30,6 +31,7 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -59713,7 +59739,7 @@ index 28ad538..5b765ce 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +46,4 @@ ifdef(`distro_gentoo', `
+@@ -45,5 +47,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
@@ -64579,7 +64605,7 @@ index 9c0faab..dd6530e 100644
## loading modules.
## </summary>
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..d5408ff 100644
+index a0eef20..fcfad00 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,11 +18,12 @@ type insmod_t;
@@ -64712,13 +64738,14 @@ index a0eef20..d5408ff 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -187,28 +206,27 @@ optional_policy(`
+@@ -187,28 +206,28 @@ optional_policy(`
')
optional_policy(`
- firstboot_dontaudit_rw_pipes(insmod_t)
- firstboot_dontaudit_rw_stream_sockets(insmod_t)
+ devicekit_use_fds_disk(insmod_t)
++ devicekit_dontaudit_read_pid_files(insmod_t)
')
optional_policy(`
@@ -64747,7 +64774,7 @@ index a0eef20..d5408ff 100644
')
optional_policy(`
-@@ -236,6 +254,10 @@ optional_policy(`
+@@ -236,6 +255,10 @@ optional_policy(`
')
optional_policy(`
@@ -64758,7 +64785,7 @@ index a0eef20..d5408ff 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -296,7 +318,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +319,7 @@ logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d9ad8a4..d62a65b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 24%{?dist}
+Release: 25%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Sep 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-25
+- For some reason chfn tries to stat all devices, dontaudit this
+- On resume, devicekit_power is resetting X using xmodutil, so it needs to talk to the Xserver
+- Allow saslauthd to be able to manipulate afs kernel subsystem at login
+- allow xdm_t to execute content labeled xdm_tmp_t, needed for xdm to be able to run gnome-shell
+- /etc/passwd.adjunct and /etc/passwd.adjunct.old need to be labeled shadow_t
+
* Tue Sep 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-24
- Add exim_exec_t label for /usr/sbin/exim_tidydb
- Call init_dontaudit_rw_stream_socket() interface in mta policy