[selinux-policy/f17] * Mon Aug 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-144 - Allow sendmail to read/write postfi
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Aug 6 10:51:30 UTC 2012
commit e01b4650f34a5d33920c25f310e2ceaeb827462e
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Aug 6 12:51:05 2012 +0200
* Mon Aug 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-144
- Allow sendmail to read/write postfix_delivery_t
- Update sanlock policy to solve all AVC's
- Change virt interface so confined users can optionally manage virt content
- setroubleshoot was trying to getattr on sysctl and proc stuff
- Need to allow svirt_t ability to getattr on nfs_t file system
- Allow staff users to run svirt_t processes
- Add new booleans to allow staff user and unprivuser to use boxes
policy-F16.patch | 243 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 11 ++-
2 files changed, 172 insertions(+), 82 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index a633395..fa8fb12 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -87291,14 +87291,21 @@ index 234a940..d340f20 100644
########################################
## <summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..93323c7 100644
+index 2be17d2..3bcca19 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,57 @@ policy_module(staff, 2.2.0)
+@@ -8,12 +8,64 @@ policy_module(staff, 2.2.0)
role staff_r;
userdom_unpriv_user_template(staff)
+fs_exec_noxattr(staff_t)
++
++## <desc>
++## <p>
++## allow staff user to create and transition to svirt domains.
++## </p>
++## </desc>
++gen_tunable(staff_use_svirt, false)
########################################
#
@@ -87352,7 +87359,7 @@ index 2be17d2..93323c7 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,23 +68,122 @@ optional_policy(`
+@@ -23,23 +75,122 @@ optional_policy(`
')
optional_policy(`
@@ -87477,7 +87484,7 @@ index 2be17d2..93323c7 100644
')
optional_policy(`
-@@ -48,10 +192,59 @@ optional_policy(`
+@@ -48,10 +199,59 @@ optional_policy(`
')
optional_policy(`
@@ -87537,7 +87544,7 @@ index 2be17d2..93323c7 100644
xserver_role(staff_r, staff_t)
')
-@@ -61,10 +254,6 @@ ifndef(`distro_redhat',`
+@@ -61,10 +261,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -87548,7 +87555,7 @@ index 2be17d2..93323c7 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -89,18 +278,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +285,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -87567,7 +87574,7 @@ index 2be17d2..93323c7 100644
java_role(staff_r, staff_t)
')
-@@ -121,10 +302,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +309,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -87578,7 +87585,7 @@ index 2be17d2..93323c7 100644
pyzor_role(staff_r, staff_t)
')
-@@ -137,10 +314,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +321,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -87589,7 +87596,7 @@ index 2be17d2..93323c7 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +345,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +352,15 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -87597,6 +87604,14 @@ index 2be17d2..93323c7 100644
+tunable_policy(`allow_execmod',`
+ userdom_execmod_user_home_files(staff_t)
+')
++
++virt_transition_svirt(staff_t, staff_r)
++virt_filetrans_home_content(staff_t)
++tunable_policy(`staff_use_svirt',`
++ allow staff_t self:fifo_file relabelfrom;
++ dev_rw_kvm(staff_t)
++ virt_manage_images(staff_t)
++')
diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if
index ff92430..36740ea 100644
--- a/policy/modules/roles/sysadm.if
@@ -89207,10 +89222,23 @@ index 3835596..fbca2be 100644
########################################
## <summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..7e0ea58 100644
+index e5bfdd4..e6f6011 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,105 @@ role user_r;
+@@ -1,5 +1,12 @@
+ policy_module(unprivuser, 2.2.0)
+
++## <desc>
++## <p>
++## Allow unprivledged user to create and transition to svirt domains.
++## </p>
++## </desc>
++gen_tunable(unprivuser_use_svirt, false)
++
+ # this module should be named user, but that is
+ # a compile error since user is a keyword.
+
+@@ -12,15 +19,105 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -89316,7 +89344,7 @@ index e5bfdd4..7e0ea58 100644
vlock_run(user_t, user_r)
')
-@@ -62,19 +152,11 @@ ifndef(`distro_redhat',`
+@@ -62,19 +159,11 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -89337,7 +89365,7 @@ index e5bfdd4..7e0ea58 100644
')
optional_policy(`
-@@ -98,10 +180,6 @@ ifndef(`distro_redhat',`
+@@ -98,10 +187,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -89348,7 +89376,7 @@ index e5bfdd4..7e0ea58 100644
postgresql_role(user_r, user_t)
')
-@@ -118,11 +196,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +203,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -89361,11 +89389,16 @@ index e5bfdd4..7e0ea58 100644
')
optional_policy(`
-@@ -157,3 +231,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +238,9 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
+
++virt_transition_svirt(user_t, user_r)
++virt_filetrans_home_content(user_t)
++tunable_policy(`unprivuser_use_svirt',`
++ virt_manage_images(user_t)
++')
diff --git a/policy/modules/roles/webadm.te b/policy/modules/roles/webadm.te
index 0ecc786..0143f70 100644
--- a/policy/modules/roles/webadm.te
@@ -116377,7 +116410,7 @@ index 256166a..a8fe27a 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..c3643f0 100644
+index 343cee3..74a5b1a 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -116531,7 +116564,7 @@ index 343cee3..c3643f0 100644
########################################
## <summary>
## Make the specified type by a system MTA.
-@@ -306,10 +257,15 @@ interface(`mta_mailserver_sender',`
+@@ -306,10 +257,16 @@ interface(`mta_mailserver_sender',`
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
@@ -116544,11 +116577,12 @@ index 343cee3..c3643f0 100644
+
+ optional_policy(`
+ mta_rw_delivery_tcp_sockets($1)
++ mta_rw_delivery_pipe($1)
+ ')
')
#######################################
-@@ -362,6 +318,8 @@ interface(`mta_send_mail',`
+@@ -362,6 +319,8 @@ interface(`mta_send_mail',`
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
@@ -116557,7 +116591,7 @@ index 343cee3..c3643f0 100644
')
########################################
-@@ -391,12 +349,19 @@ interface(`mta_send_mail',`
+@@ -391,12 +350,19 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -116579,7 +116613,7 @@ index 343cee3..c3643f0 100644
')
########################################
-@@ -409,7 +374,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +375,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -116587,7 +116621,7 @@ index 343cee3..c3643f0 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +384,60 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +385,60 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
@@ -116648,7 +116682,7 @@ index 343cee3..c3643f0 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -438,6 +456,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +457,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
@@ -116675,7 +116709,7 @@ index 343cee3..c3643f0 100644
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -494,6 +532,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +533,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -116683,7 +116717,7 @@ index 343cee3..c3643f0 100644
')
########################################
-@@ -532,7 +571,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +572,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -116692,7 +116726,7 @@ index 343cee3..c3643f0 100644
')
########################################
-@@ -552,7 +591,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +592,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -116701,7 +116735,7 @@ index 343cee3..c3643f0 100644
')
#######################################
-@@ -574,6 +613,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -574,6 +614,44 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
@@ -116724,10 +116758,29 @@ index 343cee3..c3643f0 100644
+ allow $1 mailserver_delivery:tcp_socket { read write };
+')
+
++#####################################
++## <summary>
++## Allow attempts to read and write fifo
++## file of mail delivery domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`mta_rw_delivery_pipe',`
++ gen_require(`
++ attribute mailserver_delivery;
++ ')
++
++ allow $1 mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
++')
++
#######################################
## <summary>
## Connect to all mail servers over TCP. (Deprecated)
-@@ -646,8 +704,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +724,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -116738,7 +116791,7 @@ index 343cee3..c3643f0 100644
')
#######################################
-@@ -677,7 +735,26 @@ interface(`mta_spool_filetrans',`
+@@ -677,7 +755,26 @@ interface(`mta_spool_filetrans',`
')
files_search_spool($1)
@@ -116766,7 +116819,7 @@ index 343cee3..c3643f0 100644
')
########################################
-@@ -697,8 +774,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +794,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -116777,7 +116830,7 @@ index 343cee3..c3643f0 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +915,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +935,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -116786,7 +116839,7 @@ index 343cee3..c3643f0 100644
')
########################################
-@@ -864,6 +941,36 @@ interface(`mta_manage_queue',`
+@@ -864,6 +961,36 @@ interface(`mta_manage_queue',`
#######################################
## <summary>
@@ -116823,7 +116876,7 @@ index 343cee3..c3643f0 100644
## Read sendmail binary.
## </summary>
## <param name="domain">
-@@ -899,3 +1006,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +1026,170 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -132827,7 +132880,7 @@ index 0000000..3eb745d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..e9c2efe
+index 0000000..a535b8c
--- /dev/null
+++ b/policy/modules/services/sanlock.te
@@ -0,0 +1,103 @@
@@ -132877,8 +132930,8 @@ index 0000000..e9c2efe
+#
+# sanlock local policy
+#
-+allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };
-+allow sanlock_t self:process { setsched signull signal sigkill };
++allow sanlock_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice sys_resource };
++allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+
+allow sanlock_t self:fifo_file rw_fifo_file_perms;
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
@@ -133530,7 +133583,7 @@ index bcdd16c..039b0c8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..4e69f51 100644
+index 086cd5f..50880aa 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -133553,7 +133606,7 @@ index 086cd5f..4e69f51 100644
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,17 +52,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
+@@ -49,17 +52,22 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
# pid file
@@ -133568,6 +133621,7 @@ index 086cd5f..4e69f51 100644
kernel_read_net_sysctls(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
++kernel_read_irq_sysctls(setroubleshootd_t)
+kernel_read_unlabeled_state(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
@@ -133576,7 +133630,15 @@ index 086cd5f..4e69f51 100644
corenet_all_recvfrom_unlabeled(setroubleshootd_t)
corenet_all_recvfrom_netlabel(setroubleshootd_t)
-@@ -85,6 +92,7 @@ files_getattr_all_files(setroubleshootd_t)
+@@ -74,6 +82,7 @@ dev_read_urand(setroubleshootd_t)
+ dev_read_sysfs(setroubleshootd_t)
+ dev_getattr_all_blk_files(setroubleshootd_t)
+ dev_getattr_all_chr_files(setroubleshootd_t)
++dev_getattr_mtrr_dev(setroubleshootd_t)
+
+ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+ domain_signull_all_domains(setroubleshootd_t)
+@@ -85,6 +94,7 @@ files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
files_getattr_all_sockets(setroubleshootd_t)
files_read_all_symlinks(setroubleshootd_t)
@@ -133584,7 +133646,7 @@ index 086cd5f..4e69f51 100644
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
-@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
+@@ -95,6 +105,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
@@ -133592,7 +133654,7 @@ index 086cd5f..4e69f51 100644
term_dontaudit_use_all_ptys(setroubleshootd_t)
term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t)
+@@ -104,6 +115,8 @@ auth_use_nsswitch(setroubleshootd_t)
init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
@@ -133601,7 +133663,7 @@ index 086cd5f..4e69f51 100644
miscfiles_read_localization(setroubleshootd_t)
locallogin_dontaudit_use_fds(setroubleshootd_t)
-@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+@@ -112,8 +125,6 @@ logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
@@ -133610,7 +133672,7 @@ index 086cd5f..4e69f51 100644
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +132,23 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
@@ -133634,7 +133696,7 @@ index 086cd5f..4e69f51 100644
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,7 +173,12 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,7 +175,12 @@ kernel_read_system_state(setroubleshoot_fixit_t)
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
@@ -133647,7 +133709,7 @@ index 086cd5f..4e69f51 100644
files_read_usr_files(setroubleshoot_fixit_t)
files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +191,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +193,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
miscfiles_read_localization(setroubleshoot_fixit_t)
@@ -139274,7 +139336,7 @@ index 2124b6a..5072bd7 100644
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..85b7d8b 100644
+index 7c5d8d8..6fc6ad4 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,39 +13,45 @@
@@ -139679,15 +139741,27 @@ index 7c5d8d8..85b7d8b 100644
')
########################################
-@@ -466,6 +642,7 @@ interface(`virt_manage_images',`
+@@ -466,18 +642,7 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+-
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_read_nfs_symlinks($1)
+- ')
+-
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+- ')
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+ ')
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
-@@ -500,10 +677,19 @@ interface(`virt_manage_images',`
+ ########################################
+@@ -500,10 +665,19 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -139708,7 +139782,7 @@ index 7c5d8d8..85b7d8b 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -515,4 +701,248 @@ interface(`virt_admin',`
+@@ -515,4 +689,248 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -139958,7 +140032,7 @@ index 7c5d8d8..85b7d8b 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..caef8cf 100644
+index 3eca020..4ca7290 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1,60 +1,91 @@
@@ -140028,15 +140102,15 @@ index 3eca020..caef8cf 100644
+gen_tunable(virt_use_sanlock, false)
+
+## <desc>
-+## <p>
+ ## <p>
+-## Allow virt to use usb devices
+## Allow confined virtual guests to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
- ## <p>
--## Allow virt to use usb devices
++## <p>
+## Allow confined virtual guests to use usb devices
## </p>
## </desc>
@@ -140181,12 +140255,13 @@ index 3eca020..caef8cf 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +228,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +228,17 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
+ fs_manage_nfs_named_sockets(svirt_t)
+ fs_read_nfs_symlinks(svirt_t)
++ fs_getattr_nfs(svirt_t)
')
tunable_policy(`virt_use_samba',`
@@ -140194,10 +140269,11 @@ index 3eca020..caef8cf 100644
fs_manage_cifs_files(svirt_t)
+ fs_manage_cifs_named_sockets(svirt_t)
+ fs_read_cifs_symlinks(virtd_t)
++ fs_getattr_cifs(svirt_t)
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +245,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +247,28 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -140226,7 +140302,7 @@ index 3eca020..caef8cf 100644
xen_rw_image_files(svirt_t)
')
-@@ -173,22 +275,41 @@ optional_policy(`
+@@ -173,22 +277,41 @@ optional_policy(`
# virtd local policy
#
@@ -140275,7 +140351,7 @@ index 3eca020..caef8cf 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +320,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +322,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -140296,7 +140372,7 @@ index 3eca020..caef8cf 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +347,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +349,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -140312,7 +140388,7 @@ index 3eca020..caef8cf 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +375,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +377,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -140346,7 +140422,7 @@ index 3eca020..caef8cf 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +408,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +410,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -140365,7 +140441,7 @@ index 3eca020..caef8cf 100644
mcs_process_set_categories(virtd_t)
-@@ -276,6 +434,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +436,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -140374,14 +140450,14 @@ index 3eca020..caef8cf 100644
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +445,32 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +447,32 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-
-+selinux_validate_context(virtd_t)
+
++selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -140407,7 +140483,7 @@ index 3eca020..caef8cf 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +489,10 @@ optional_policy(`
+@@ -313,6 +491,10 @@ optional_policy(`
')
optional_policy(`
@@ -140418,7 +140494,7 @@ index 3eca020..caef8cf 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -326,19 +506,30 @@ optional_policy(`
+@@ -326,19 +508,30 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -140450,7 +140526,7 @@ index 3eca020..caef8cf 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -353,6 +544,12 @@ optional_policy(`
+@@ -353,6 +546,12 @@ optional_policy(`
')
optional_policy(`
@@ -140463,7 +140539,7 @@ index 3eca020..caef8cf 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -360,11 +557,11 @@ optional_policy(`
+@@ -360,11 +559,11 @@ optional_policy(`
')
optional_policy(`
@@ -140480,7 +140556,7 @@ index 3eca020..caef8cf 100644
')
optional_policy(`
-@@ -375,6 +572,7 @@ optional_policy(`
+@@ -375,6 +574,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -140488,7 +140564,7 @@ index 3eca020..caef8cf 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -394,20 +592,36 @@ optional_policy(`
+@@ -394,20 +594,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -140528,7 +140604,7 @@ index 3eca020..caef8cf 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +634,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -140542,7 +140618,7 @@ index 3eca020..caef8cf 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +645,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +647,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -140555,7 +140631,7 @@ index 3eca020..caef8cf 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +658,430 @@ files_search_all(virt_domain)
+@@ -440,25 +660,435 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -140681,6 +140757,18 @@ index 3eca020..caef8cf 100644
+ ')
+')
+
++tunable_policy(`virt_use_nfs',`
++ fs_manage_nfs_dirs(virsh_t)
++ fs_manage_nfs_files(virsh_t)
++ fs_read_nfs_symlinks(virsh_t)
++')
++
++tunable_policy(`virt_use_samba',`
++ fs_manage_cifs_files(virsh_t)
++ fs_manage_cifs_files(virsh_t)
++ fs_read_cifs_symlinks(virsh_t)
++')
++
+optional_policy(`
+ vhostmd_rw_tmpfs_files(virsh_t)
+ vhostmd_stream_connect(virsh_t)
@@ -140688,13 +140776,6 @@ index 3eca020..caef8cf 100644
+')
+
+optional_policy(`
-+ virt_domtrans(virsh_t)
-+ virt_manage_images(virsh_t)
-+ virt_manage_config(virsh_t)
-+ virt_stream_connect(virsh_t)
-+')
-+
-+optional_policy(`
+ ssh_basic_client_template(virsh, virsh_t, system_r)
+
+ kernel_read_xen_state(virsh_ssh_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9ef8a5a..258a48d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 143%{?dist}
+Release: 144%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Aug 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-144
+- Allow sendmail to read/write postfix_delivery_t
+- Update sanlock policy to solve all AVC's
+- Change virt interface so confined users can optionally manage virt content
+- setroubleshoot was trying to getattr on sysctl and proc stuff
+- Need to allow svirt_t ability to getattr on nfs_t file system
+- Allow staff users to run svirt_t processes
+- Add new booleans to allow staff user and unprivuser to use boxes
+
* Thu Aug 2 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-143
- Alias firstboot_tmp_t to tmp_t
- Add support for sqlgre
More information about the scm-commits
mailing list