[selinux-policy/f18] - Add label for efivarfs - Allow certmonger to send signal to itself - Allow plugin-config to read o
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Dec 12 15:41:05 UTC 2012
commit 187eec1f4a79ccbdfbe981ccb576ea24509e59e9
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Dec 12 16:39:46 2012 +0100
- Add label for efivarfs
- Allow certmonger to send signal to itself
- Allow plugin-config to read own process status
- Add more fixes for pacemaker
- apache/drupal can run clamscan on uploaded content
- Allow chrome_sandbox_nacl_t to read pid 1 content
policy-rawhide.patch | 24 ++++++--
policy_contrib-rawhide.patch | 120 ++++++++++++++++++++++++++++-------------
selinux-policy.spec | 10 +++-
3 files changed, 109 insertions(+), 45 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 3f5a7bb..336e460 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -121520,7 +121520,7 @@ index 7c6b791..aa86bf7 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 376bae8..7c84405 100644
+index 376bae8..36a5041 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -121549,7 +121549,19 @@ index 376bae8..7c84405 100644
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
-@@ -96,6 +99,7 @@ type hugetlbfs_t;
+@@ -88,6 +91,11 @@ fs_noxattr_type(ecryptfs_t)
+ files_mountpoint(ecryptfs_t)
+ genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
+
++type efivarfs_t;
++fs_noxattr_type(efivarfs_t)
++files_mountpoint(efivarfs_t)
++genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
++
+ type futexfs_t;
+ fs_type(futexfs_t)
+ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
+@@ -96,6 +104,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -121557,7 +121569,7 @@ index 376bae8..7c84405 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -144,11 +148,6 @@ fs_type(spufs_t)
+@@ -144,11 +153,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -121569,7 +121581,7 @@ index 376bae8..7c84405 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -175,6 +174,7 @@ fs_type(tmpfs_t)
+@@ -175,6 +179,7 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -121577,7 +121589,7 @@ index 376bae8..7c84405 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +254,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +259,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -121586,7 +121598,7 @@ index 376bae8..7c84405 100644
files_mountpoint(removable_t)
#
-@@ -273,6 +275,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +280,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index adfc825..69f8e07 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -3139,7 +3139,7 @@ index 6480167..7b2ad39 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 0833afb..2032414 100644
+index 0833afb..3d0cc42 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
@@ -4276,7 +4276,13 @@ index 0833afb..2032414 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -859,10 +1403,20 @@ optional_policy(`
+@@ -854,15 +1398,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+
+ optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
++ clamav_domtrans_clamscan(httpd_t)
+ ')
+
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -4297,7 +4303,7 @@ index 0833afb..2032414 100644
')
########################################
-@@ -878,11 +1432,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,11 +1433,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -4309,7 +4315,7 @@ index 0833afb..2032414 100644
########################################
#
-@@ -908,11 +1460,138 @@ optional_policy(`
+@@ -908,11 +1461,138 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -8139,10 +8145,10 @@ index 7a6e5ba..7475aa5 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index c3e3f79..5449b48 100644
+index c3e3f79..89db900 100644
--- a/certmonger.te
+++ b/certmonger.te
-@@ -18,12 +18,18 @@ files_pid_file(certmonger_var_run_t)
+@@ -18,13 +18,19 @@ files_pid_file(certmonger_var_run_t)
type certmonger_var_lib_t;
files_type(certmonger_var_lib_t)
@@ -8155,13 +8161,15 @@ index c3e3f79..5449b48 100644
#
-allow certmonger_t self:capability { kill sys_nice };
+-allow certmonger_t self:process { getsched setsched sigkill };
+allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+dontaudit certmonger_t self:capability sys_tty_config;
+allow certmonger_t self:capability2 block_suspend;
+
- allow certmonger_t self:process { getsched setsched sigkill };
++allow certmonger_t self:process { getsched setsched sigkill signal };
allow certmonger_t self:fifo_file rw_file_perms;
allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+ allow certmonger_t self:tcp_socket create_stream_socket_perms;
@@ -38,25 +44,52 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
@@ -8845,10 +8853,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..df0a069
+index 0000000..6298388
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,192 @@
+@@ -0,0 +1,193 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -9024,13 +9032,14 @@ index 0000000..df0a069
+kernel_read_state(chrome_sandbox_nacl_t)
+kernel_read_system_state(chrome_sandbox_nacl_t)
+
++corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
++
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+
+files_read_etc_files(chrome_sandbox_nacl_t)
+
-+
-+corecmd_sbin_entry_type(chrome_sandbox_nacl_t)
++init_read_state(chrome_sandbox_nacl_t)
+
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
@@ -12236,7 +12245,7 @@ index 5220c9d..885b25d 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index 04969e5..0815968 100644
+index 04969e5..65c8353 100644
--- a/corosync.te
+++ b/corosync.te
@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -12303,8 +12312,7 @@ index 04969e5..0815968 100644
kernel_read_system_state(corosync_t)
+kernel_read_network_state(corosync_t)
-+kernel_read_net_sysctls(corosync_t)
-+kernel_read_kernel_sysctls(corosync_t)
++kernel_read_all_sysctls(corosync_t)
corecmd_exec_bin(corosync_t)
+corecmd_exec_shell(corosync_t)
@@ -12313,6 +12321,7 @@ index 04969e5..0815968 100644
+corenet_tcp_connect_saphostctrl_port(corosync_t)
dev_read_urand(corosync_t)
++dev_read_sysfs(corosync_t)
domain_read_all_domains_state(corosync_t)
@@ -34515,7 +34524,7 @@ index b397fde..c7c031d 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..bb729e7 100644
+index d4fcb75..22603ee 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -34920,7 +34929,7 @@ index d4fcb75..bb729e7 100644
')
optional_policy(`
-@@ -447,10 +521,113 @@ optional_policy(`
+@@ -447,10 +521,115 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -34933,13 +34942,13 @@ index d4fcb75..bb729e7 100644
+
+optional_policy(`
+ rtkit_scheduled(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
-+ udev_read_db(mozilla_plugin_t)
')
optional_policy(`
++ udev_read_db(mozilla_plugin_t)
++')
++
++optional_policy(`
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
@@ -34962,6 +34971,8 @@ index d4fcb75..bb729e7 100644
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_config_t)
++
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
@@ -38553,7 +38564,7 @@ index 2324d9e..7ccb55f 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
+')
diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..2fda066 100644
+index 0619395..3a77265 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -38807,18 +38818,19 @@ index 0619395..2fda066 100644
')
optional_policy(`
-@@ -254,6 +337,10 @@ optional_policy(`
+@@ -254,6 +337,11 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(NetworkManager_t)
++ systemd_dbus_chat_logind(NetworkManager_t)
+')
+
+optional_policy(`
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +350,7 @@ optional_policy(`
+@@ -263,6 +351,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -38826,7 +38838,7 @@ index 0619395..2fda066 100644
')
########################################
-@@ -284,6 +372,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -284,6 +373,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -43972,10 +43984,10 @@ index 0000000..e05c78f
+')
diff --git a/pacemaker.te b/pacemaker.te
new file mode 100644
-index 0000000..ff79a8c
+index 0000000..3a97ac3
--- /dev/null
+++ b/pacemaker.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,86 @@
+policy_module(pacemaker, 1.0.0)
+
+########################################
@@ -43996,6 +44008,9 @@ index 0000000..ff79a8c
+type pacemaker_var_run_t;
+files_pid_file(pacemaker_var_run_t)
+
++type pacemaker_tmp_t;
++files_tmp_file(pacemaker_tmp_t)
++
+type pacemaker_tmpfs_t;
+files_tmpfs_file(pacemaker_tmpfs_t)
+
@@ -44008,7 +44023,7 @@ index 0000000..ff79a8c
+#
+
+allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
-+allow pacemaker_t self:process { fork setrlimit signal };
++allow pacemaker_t self:process { fork setrlimit signal setpgid };
+allow pacemaker_t self:fifo_file rw_fifo_file_perms;
+allow pacemaker_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
@@ -44020,16 +44035,35 @@ index 0000000..ff79a8c
+manage_files_pattern(pacemaker_t, pacemaker_var_run_t, pacemaker_var_run_t)
+files_pid_filetrans(pacemaker_t, pacemaker_var_run_t, { dir file })
+
++manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
++manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
++files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
++
+manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
+manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
+fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
+
++kernel_read_system_state(pacemaker_t)
++kernel_read_network_state(pacemaker_t)
++kernel_read_all_sysctls(pacemaker_t)
++kernel_read_messages(pacemaker_t)
++kernel_getattr_core_if(pacemaker_t)
++kernel_read_software_raid_state(pacemaker_t)
++
++corecmd_exec_bin(pacemaker_t)
++corecmd_exec_shell(pacemaker_t)
++
+domain_use_interactive_fds(pacemaker_t)
+domain_read_all_domains_state(pacemaker_t)
+
++dev_getattr_mtrr_dev(pacemaker_t)
+dev_read_rand(pacemaker_t)
+dev_read_urand(pacemaker_t)
+
++files_read_kernel_symbol_table(pacemaker_t)
++
++fs_getattr_all_fs(pacemaker_t)
++
+auth_use_nsswitch(pacemaker_t)
+
+logging_send_syslog_msg(pacemaker_t)
@@ -58395,7 +58429,7 @@ index a07b2f4..22e0db0 100644
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/samba.fc b/samba.fc
-index 69a6074..2722318 100644
+index 69a6074..2ccac49 100644
--- a/samba.fc
+++ b/samba.fc
@@ -14,6 +14,9 @@
@@ -58412,7 +58446,7 @@ index 69a6074..2722318 100644
/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-+/var/nmbd/unexpected(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
++/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+
/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
@@ -69910,7 +69944,7 @@ index 2124b6a..e55e393 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..2e6c056 100644
+index 6f0736b..fd143c4 100644
--- a/virt.if
+++ b/virt.if
@@ -13,67 +13,30 @@
@@ -70428,7 +70462,7 @@ index 6f0736b..2e6c056 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -517,4 +729,302 @@ interface(`virt_admin',`
+@@ -517,4 +729,306 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -70464,14 +70498,18 @@ index 6f0736b..2e6c056 100644
+ type svirt_t;
+ type virt_bridgehelper_t;
+ type svirt_image_t;
++ type svirt_socket_t;
+ ')
+
+ allow $1 svirt_t:process transition;
+ role $2 types svirt_t;
+ role $2 types virt_bridgehelper_t;
++ role $2 types svirt_socket_t;
+
+ allow $1 svirt_image_t:file { relabelfrom relabelto };
+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
++ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
++ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
+
+ virt_signal_svirt($1)
+
@@ -70732,7 +70770,7 @@ index 6f0736b..2e6c056 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..3b2df69 100644
+index 947bbc6..9154fef 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -71421,7 +71459,7 @@ index 947bbc6..3b2df69 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +653,593 @@ dev_write_sound(virt_domain)
+@@ -438,34 +653,599 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -71443,12 +71481,12 @@ index 947bbc6..3b2df69 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -71632,7 +71670,7 @@ index 947bbc6..3b2df69 100644
+ fs_manage_nfs_dirs(virsh_t)
+ fs_manage_nfs_files(virsh_t)
+ fs_read_nfs_symlinks(virsh_t)
-+')
+ ')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(virsh_t)
@@ -72018,7 +72056,13 @@ index 947bbc6..3b2df69 100644
+
+optional_policy(`
+ devicekit_manage_pid_files(virt_qemu_ga_t)
- ')
++')
++
++type svirt_socket_t;
++role system_r types svirt_socket_t;
++allow svirt_t svirt_socket_t:unix_stream_socket connectto;
++
++
diff --git a/vlock.te b/vlock.te
index 2511093..669dc13 100644
--- a/vlock.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2addea8..c5b5703 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 62%{?dist}
+Release: 63%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Dec 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-63
+- Add label for efivarfs
+- Allow certmonger to send signal to itself
+- Allow plugin-config to read own process status
+- Add more fixes for pacemaker
+- apache/drupal can run clamscan on uploaded content
+- Allow chrome_sandbox_nacl_t to read pid 1 content
+
* Tue Dec 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-62
- Fix MCS Constraints to control ingres and egres controls on the network.
- Change name of svirt_nokvm_t to svirt_tcg_t
More information about the scm-commits
mailing list