[selinux-policy/f18] Fix bogus regex found by eparis
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Aug 14 18:40:55 UTC 2012
commit 167e539a84f3aca8b2e021dbf4c5d90a5f7ebac1
Author: rhatdan <dwalsh at redhat.com>
Date: Tue Aug 14 14:40:28 2012 -0400
Fix bogus regex found by eparis
- Fix manage run interface since lvm needs more access
- syslogd is searching cgroups directory
- Fixes to allow virt-sandbox-service to manage lxc var run content
policy-rawhide.patch | 27 ++++++++++++++++++---------
policy_contrib-rawhide.patch | 36 +++++++++++++++++++++++++-----------
selinux-policy.spec | 8 +++++++-
3 files changed, 50 insertions(+), 21 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index d7f9f09..4dbca51 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -82974,7 +82974,7 @@ index d26fe81..efdc556 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..2fa0660 100644
+index 4a88fa1..07ae4e3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -83340,7 +83340,7 @@ index 4a88fa1..2fa0660 100644
+ systemd_manage_all_unit_files(init_t)
+ systemd_logger_stream_connect(init_t)
+ systemd_config_all_services(init_t)
-+ systemd_relabelto_fifo_file_passwd_run(initrc_t)
++ systemd_relabelto_fifo_file_passwd_run(init_t)
+ systemd_config_all_services(initrc_t)
+
+ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
@@ -85841,7 +85841,7 @@ index 321bb13..e7fd936 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 0034021..ca33705 100644
+index 0034021..8c87704 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -5,6 +5,20 @@ policy_module(logging, 1.19.0)
@@ -86090,7 +86090,14 @@ index 0034021..ca33705 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -448,7 +520,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -442,13 +514,16 @@ files_read_kernel_symbol_table(syslogd_t)
+
+ fs_getattr_all_fs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
++fs_search_cgroup_dirs(syslogd_t)
+
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+
term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
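Review bot: `fs_search_cgroup_dirs(syslogd_t)` is added with no comment explaining the need, although the neighbouring `mls_file_write_all_levels(syslogd_t)` line in the same block carries one and the reason only survives in the commit message. Suggest `fs_search_cgroup_dirs(syslogd_t) # syslogd searches the cgroup directory tree`. Search alone grants directory traversal, not getattr or read of the cgroup files themselves, so if the original denial involved more than search a follow-up denial is likely — presumably this was checked against the audit log. The syslogd_t rule block continues outside this hunk.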
@@ -86100,7 +86107,7 @@ index 0034021..ca33705 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -460,6 +534,7 @@ init_use_fds(syslogd_t)
+@@ -460,6 +535,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -86108,7 +86115,7 @@ index 0034021..ca33705 100644
miscfiles_read_localization(syslogd_t)
-@@ -493,15 +568,29 @@ optional_policy(`
+@@ -493,15 +569,29 @@ optional_policy(`
')
optional_policy(`
@@ -89944,10 +89951,10 @@ index 0000000..7da5bf6
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..79ba5c5
+index 0000000..846c140
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,754 @@
+@@ -0,0 +1,756 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -90437,7 +90444,7 @@ index 0000000..79ba5c5
+ type systemd_passwd_var_run_t;
+ ')
+
-+ allow $1 systemd_passwd_var_run_t:dir relabelto;
++ allow $1 systemd_passwd_var_run_t:fifo_file relabelto;
+')
+
+#######################################
@@ -90457,6 +90464,8 @@ index 0000000..79ba5c5
+ ')
+
+ init_search_pid_dirs($1)
++ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+ manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
+
+ allow systemd_passwd_agent_t $1:process signull;
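Review bot: The interface gains `manage_files_pattern` and `manage_sock_files_pattern` on systemd_passwd_var_run_t, but its `## <summary>` and `<desc>` header lies before this hunk and, if it still describes only fifo files, should be updated to list files and sock files as well so callers know what they are granting. This also widens what the caller (lvm, per the commit message) can create and unlink under the passwd run directory, so the callers of this interface are worth re-checking for least privilege. The +2 in the systemd.if line count in the earlier hunk is consistent with the two added lines. The interface definition starts outside this hunk.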
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 96e12a7..3e6d6eb 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -17213,9 +17213,18 @@ index 0000000..98ba6e1
+
+
diff --git a/dovecot.fc b/dovecot.fc
-index 3a3ecb2..c5c1e32 100644
+index 3a3ecb2..4448055 100644
--- a/dovecot.fc
+++ b/dovecot.fc
+@@ -2,7 +2,7 @@
+ #
+ # /etc
+ #
+-/etc/dovecot(/.*)?* gen_context(system_u:object_r:dovecot_etc_t,s0)
++/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
+ /etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
+ /etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
+
@@ -24,12 +24,13 @@ ifdef(`distro_debian',`
ifdef(`distro_debian', `
@@ -60820,7 +60829,7 @@ index f9310f3..e830a59 100644
auth_use_nsswitch(varnishd_t)
diff --git a/vdagent.fc b/vdagent.fc
-index 21c5f41..5a2b836 100644
+index 21c5f41..3ae71ae 100644
--- a/vdagent.fc
+++ b/vdagent.fc
@@ -1,7 +1,7 @@
@@ -60831,7 +60840,8 @@ index 21c5f41..5a2b836 100644
+/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0)
/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
- /var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
+-/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
++/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
diff --git a/vdagent.if b/vdagent.if
index e59a074..b708678 100644
--- a/vdagent.if
@@ -61911,7 +61921,7 @@ index 6f0736b..3e6749b 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..eb0a7dc 100644
+index 947bbc6..2474408 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
@@ -61976,15 +61986,15 @@ index 947bbc6..eb0a7dc 100644
+gen_tunable(virt_use_sanlock, false)
+
+## <desc>
- ## <p>
--## Allow virt to use usb devices
++## <p>
+## Allow confined virtual guests to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
-+## <p>
+ ## <p>
+-## Allow virt to use usb devices
+## Allow confined virtual guests to use usb devices
## </p>
## </desc>
@@ -62552,17 +62562,17 @@ index 947bbc6..eb0a7dc 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)
-@@ -459,13 +684,461 @@ logging_send_syslog_msg(virt_domain)
+@@ -459,13 +684,465 @@ logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
@@ -62619,6 +62629,9 @@ index 947bbc6..eb0a7dc 100644
+manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+virt_transition_svirt_lxc(virsh_t, system_r)
+
++manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
++
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
+kernel_read_system_state(virsh_t)
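Review bot: The two new `manage_dirs_pattern`/`manage_files_pattern` rules give virsh_t full manage rights over virt_lxc_var_run_t without saying why, and nothing nearby ties them to a program; the commit message attributes them to virt-sandbox-service. Suggest a comment above them: `# virt-sandbox-service manages lxc var run content`. No file transition accompanies the new create permission, so content virsh_t creates in a parent directory of another type would not be labelled virt_lxc_var_run_t — presumably creation happens inside an already-labelled directory; verify. The virsh_t rule block continues outside this hunk.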
@@ -62917,6 +62930,7 @@ index 947bbc6..eb0a7dc 100644
+
+optional_policy(`
+ apache_exec_modules(svirt_lxc_domain)
++ apache_read_sys_content(svirt_lxc_domain)
+')
+
+virt_lxc_domain_template(svirt_lxc_net)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c203b04..1d33ce4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Aug 14 2012 Dan Walsh <dwalsh at redhat.com> 3.11.1-7
+- Fix bogus regex found by eparis
+- Fix manage run interface since lvm needs more access
+- syslogd is searching cgroups directory
+- Fixes to allow virt-sandbox-service to manage lxc var run content
+
* Mon Aug 13 2012 Dan Walsh <dwalsh at redhat.com> 3.11.1-6
- Fix Boolean settings
- Add new libjavascriptcoregtk as textrel_shlib_t