[selinux-policy/f18] Additional rules for svirt_t
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Dec 17 10:51:14 UTC 2012
commit 0d52471ee18c10c5b58dde64bd72fe0958e2fec6
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Dec 17 11:49:56 2012 +0100
Additional rules for svirt_t
policy-rawhide.patch | 118 +++++++++++++++++++-------------
policy_contrib-rawhide.patch | 155 ++++++++++++++++++++++++-----------------
2 files changed, 162 insertions(+), 111 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 0706dc0..2f29e17 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -58,6 +58,21 @@ index 313d837..ef3c532 100644
@echo "Success."
########################################
+diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
+index d387b42..150f281 100644
+--- a/config/appconfig-mcs/virtual_domain_context
++++ b/config/appconfig-mcs/virtual_domain_context
+@@ -1 +1,2 @@
+ system_u:system_r:svirt_t:s0
++system_u:system_r:svirt_tcg_t:s0
+diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
+index c049e10..150f281 100644
+--- a/config/appconfig-standard/virtual_domain_context
++++ b/config/appconfig-standard/virtual_domain_context
+@@ -1 +1,2 @@
+-system_u:system_r:svirt_t
++system_u:system_r:svirt_t:s0
++system_u:system_r:svirt_tcg_t:s0
diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8
new file mode 100644
index 0000000..62a48d7
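Review bot: The appconfig-standard file gains a `:s0` level at the `-system_u:system_r:svirt_t` / `+system_u:system_r:svirt_t:s0` lines, yet the standard (non-MCS) policy type carries no level in its contexts, so that entry looks invalid for a standard build; both files end up with the same blob `150f281`, which suggests the MCS content was copied over rather than adapted. If the standard policy type is no longer built this is harmless, otherwise the standard file should keep level-less entries, `system_u:system_r:svirt_t` and `system_u:system_r:svirt_tcg_t`. A one-line comment in both files saying why svirt_tcg_t is listed second (presumably libvirt takes the first entry as the default domain and the rest as alternates — confirm against its virtual_domain_context handling) would also help the next editor.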
@@ -117684,7 +117699,7 @@ index 8796ca3..cb02728 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..d042988 100644
+index e1e814d..37f3b90 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -118302,7 +118317,7 @@ index e1e814d..d042988 100644
')
########################################
-@@ -4126,6 +4493,127 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,6 +4493,133 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -118362,12 +118377,18 @@ index e1e814d..d042988 100644
+
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
++ filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
+')
@@ -118430,7 +118451,7 @@ index e1e814d..d042988 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4148,6 +4636,26 @@ interface(`files_associate_tmp',`
+@@ -4148,6 +4642,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -118457,7 +118478,7 @@ index e1e814d..d042988 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4161,6 +4669,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,6 +4675,7 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -118465,7 +118486,7 @@ index e1e814d..d042988 100644
allow $1 tmp_t:dir getattr;
')
-@@ -4171,7 +4680,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4171,7 +4686,7 @@ interface(`files_getattr_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -118474,7 +118495,7 @@ index e1e814d..d042988 100644
## </summary>
## </param>
#
-@@ -4198,6 +4707,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4713,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -118482,7 +118503,7 @@ index e1e814d..d042988 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4234,6 +4744,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4750,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -118490,7 +118511,7 @@ index e1e814d..d042988 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4243,7 +4754,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4760,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -118499,7 +118520,7 @@ index e1e814d..d042988 100644
## </summary>
## </param>
#
-@@ -4255,6 +4766,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4772,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -118525,7 +118546,7 @@ index e1e814d..d042988 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4270,6 +4800,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4806,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -118533,7 +118554,7 @@ index e1e814d..d042988 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4311,6 +4842,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4848,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -118566,7 +118587,7 @@ index e1e814d..d042988 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4365,6 +4922,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,6 +4928,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -118609,7 +118630,7 @@ index e1e814d..d042988 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
-@@ -4383,6 +4976,42 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4383,6 +4982,42 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
## <summary>
@@ -118652,7 +118673,7 @@ index e1e814d..d042988 100644
## List all tmp directories.
## </summary>
## <param name="domain">
-@@ -4428,7 +5057,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4428,7 +5063,7 @@ interface(`files_relabel_all_tmp_dirs',`
## </summary>
## <param name="domain">
## <summary>
@@ -118661,7 +118682,7 @@ index e1e814d..d042988 100644
## </summary>
## </param>
#
-@@ -4488,7 +5117,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4488,7 +5123,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -118670,7 +118691,7 @@ index e1e814d..d042988 100644
## </summary>
## </param>
#
-@@ -4573,6 +5202,16 @@ interface(`files_purge_tmp',`
+@@ -4573,6 +5208,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -118687,7 +118708,7 @@ index e1e814d..d042988 100644
')
########################################
-@@ -5150,12 +5789,30 @@ interface(`files_list_var',`
+@@ -5150,12 +5795,30 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -118721,7 +118742,7 @@ index e1e814d..d042988 100644
## </summary>
## </param>
#
-@@ -5505,6 +6162,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5505,6 +6168,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -118747,7 +118768,7 @@ index e1e814d..d042988 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5550,7 +6226,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6232,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -118756,7 +118777,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5558,12 +6234,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6240,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -118772,7 +118793,7 @@ index e1e814d..d042988 100644
')
########################################
-@@ -5581,6 +6258,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6264,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -118780,7 +118801,7 @@ index e1e814d..d042988 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5607,7 +6285,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6291,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -118808,7 +118829,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5615,13 +6312,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6318,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -118825,7 +118846,7 @@ index e1e814d..d042988 100644
')
########################################
-@@ -5640,7 +6336,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6342,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -118834,7 +118855,7 @@ index e1e814d..d042988 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5673,7 +6369,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6375,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -118842,7 +118863,7 @@ index e1e814d..d042988 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5701,8 +6396,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6402,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -118852,7 +118873,7 @@ index e1e814d..d042988 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5718,13 +6412,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6418,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -118870,7 +118891,7 @@ index e1e814d..d042988 100644
')
########################################
-@@ -5743,8 +6436,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6442,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -118880,7 +118901,7 @@ index e1e814d..d042988 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5786,8 +6478,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6484,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -118890,7 +118911,7 @@ index e1e814d..d042988 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6500,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6506,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -118900,7 +118921,7 @@ index e1e814d..d042988 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6537,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6543,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -118910,7 +118931,7 @@ index e1e814d..d042988 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5911,6 +6600,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6606,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -118954,7 +118975,7 @@ index e1e814d..d042988 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5933,6 +6659,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6665,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -118980,7 +119001,7 @@ index e1e814d..d042988 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6048,7 +6793,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6799,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -118988,7 +119009,7 @@ index e1e814d..d042988 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6157,30 +6901,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,30 +6907,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -119023,7 +119044,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6188,43 +6927,35 @@ interface(`files_read_all_pids',`
+@@ -6188,43 +6933,35 @@ interface(`files_read_all_pids',`
## </summary>
## </param>
#
@@ -119074,7 +119095,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6232,21 +6963,17 @@ interface(`files_delete_all_pids',`
+@@ -6232,21 +6969,17 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@@ -119099,7 +119120,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6254,56 +6981,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6254,56 +6987,59 @@ interface(`files_delete_all_pid_dirs',`
## </summary>
## </param>
#
@@ -119175,7 +119196,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6311,18 +7041,17 @@ interface(`files_list_spool',`
+@@ -6311,18 +7047,17 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@@ -119198,7 +119219,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6330,19 +7059,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6330,19 +7065,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@@ -119223,7 +119244,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6350,55 +7078,62 @@ interface(`files_read_generic_spool',`
+@@ -6350,55 +7084,62 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
@@ -119310,7 +119331,7 @@ index e1e814d..d042988 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6406,25 +7141,283 @@ interface(`files_spool_filetrans',`
+@@ -6406,25 +7147,283 @@ interface(`files_spool_filetrans',`
## </summary>
## </param>
#
@@ -119609,7 +119630,7 @@ index e1e814d..d042988 100644
# is remounted for polyinstantiation aware programs (like gdm)
allow $1 polyparent:dir { getattr mounton };
-@@ -6467,3 +7460,457 @@ interface(`files_unconfined',`
+@@ -6467,3 +7466,457 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
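Review bot: The new `filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")`, `"ebtables"` and `"ip6tables*"` entries key on the basename under any etc_t directory, not only /etc/sysconfig, so a file named `iptables` created by $1 anywhere under /etc becomes system_conf_t; that is probably intended but nothing in the interface body records which tools write these names. A comment above the group, e.g. `# firewall state and config written under /etc/sysconfig by the iptables/ebtables services and system-config-firewall (confirm writers)`, would document the intent. The enclosing interface's header and summary lie outside the hunk, and the rest of this hunk is line renumbering only.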
@@ -126870,7 +126891,7 @@ index 4318f73..e4d0b31 100644
+ ')
+')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..613a47e 100644
+index 078bcd7..022c7db 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,9 +1,23 @@
@@ -126897,8 +126918,11 @@ index 078bcd7..613a47e 100644
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
-@@ -14,3 +28,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -12,5 +26,10 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+ /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
++/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
/var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0)
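Review bot: The added `/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0)` places the GSI-enabled daemon in the same entrypoint label, and therefore in the full sshd_t domain, without saying why; a short comment beside it, `# gsi-openssh server, intentionally shares the sshd_t domain with the stock daemon`, would record that the sharing is deliberate. It is also worth confirming whether the matching client-side binaries of that package need `ssh_exec_t`/`ssh_keysign_exec_t` entries, since only the server is labelled here.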
@@ -140959,7 +140983,7 @@ index 41a1853..af08353 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index ed363e1..3407878 100644
+index ed363e1..808e49e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0)
@@ -141161,7 +141185,7 @@ index ed363e1..3407878 100644
+optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
-+ networkmanager_read_lib_files(dhcpc_t)
++ networkmanager_manage_lib(dhcpc_t)
+')
+
+optional_policy(`
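Review bot: The dhcpc_t call changes from `networkmanager_read_lib_files(dhcpc_t)` to `networkmanager_manage_lib(dhcpc_t)`, so dhclient moves from reading to creating, writing and deleting NetworkManager's private state with no comment on which file it must write. A one-line reason, e.g. `# dhclient rewrites NetworkManager state under /var/lib/NetworkManager (confirm path from the triggering denial)`, keeps the widening from being inherited silently. The interface being called is introduced elsewhere in this same commit and should be checked to operate on the lib type its name promises.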
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index efe0c0b..e670e6d 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -14623,7 +14623,7 @@ index 0000000..33656de
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
diff --git a/cups.fc b/cups.fc
-index 848bb92..108b23c 100644
+index 848bb92..600efa5 100644
--- a/cups.fc
+++ b/cups.fc
@@ -19,7 +19,10 @@
@@ -14637,7 +14637,7 @@ index 848bb92..108b23c 100644
/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -52,18 +55,31 @@
+@@ -52,18 +55,32 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -14669,6 +14669,7 @@ index 848bb92..108b23c 100644
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
++/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
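Review bot: The new `/etc/opt/brother/Printers/(.*/)?inf(/.*)?` pattern correctly places a slash before the optional subdirectory group, but the existing sibling directly below it, `/opt/brother/Printers(.*/)?inf(/.*)?`, has no slash before `(.*/)?` and so also matches unrelated paths such as `/opt/brother/Printersfoo/inf`; while touching this area the two should be made consistent as `/opt/brother/Printers/(.*/)?inf(/.*)?`. Both entries make the vendor driver tree writable by cupsd via `cupsd_rw_etc_t`, presumably because the Brother driver rewrites it at runtime — a comment saying so would spare the next reader a guess.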
diff --git a/cups.if b/cups.if
index 305ddf4..f3cd95f 100644
@@ -23051,7 +23052,7 @@ index 7ff9d6d..b1c97f2 100644
allow $1 glance_api_t:process signal_perms;
ps_process_pattern($1, glance_api_t)
diff --git a/glance.te b/glance.te
-index 4afb81f..58a8c1c 100644
+index 4afb81f..efff577 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.0)
@@ -23064,17 +23065,20 @@ index 4afb81f..58a8c1c 100644
init_daemon_domain(glance_registry_t, glance_registry_exec_t)
type glance_registry_initrc_exec_t;
-@@ -17,8 +16,7 @@ init_script_file(glance_registry_initrc_exec_t)
+@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t)
type glance_registry_tmp_t;
files_tmp_file(glance_registry_tmp_t)
-type glance_api_t, glance_domain;
-type glance_api_exec_t;
++type glance_registry_tmpfs_t;
++files_tmpfs_file(glance_registry_tmpfs_t)
++
+glance_basic_types_template(glance_api)
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
-@@ -54,16 +52,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -54,16 +55,18 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -23096,8 +23100,14 @@ index 4afb81f..58a8c1c 100644
optional_policy(`
sysnet_dns_name_resolve(glance_domain)
-@@ -80,6 +80,14 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
+@@ -78,8 +81,20 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+ manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
+ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
++manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
++manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
++fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
++
corenet_tcp_bind_generic_node(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)
+corenet_tcp_connect_mysqld_port(glance_registry_t)
@@ -23111,7 +23121,7 @@ index 4afb81f..58a8c1c 100644
########################################
#
-@@ -94,11 +102,15 @@ can_exec(glance_api_t, glance_tmp_t)
+@@ -94,11 +109,15 @@ can_exec(glance_api_t, glance_tmp_t)
corecmd_exec_shell(glance_api_t)
corenet_tcp_bind_generic_node(glance_api_t)
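Review bot: The `fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })` line lacks the space after the comma that every other call in this hunk uses; write `fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t, { dir file })`. The new tmpfs type is declared and granted only for the registry domain, and nothing records what glance-registry creates on tmpfs (a shared-memory or multiprocessing segment under /dev/shm would be a typical trigger — confirm from the denial); a comment above the declaration, `# tmpfs (e.g. /dev/shm) content created by glance-registry`, would document it.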
@@ -23474,10 +23484,10 @@ index 00a19e3..5a2dbfd 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index f5afe78..6d054a2 100644
+index f5afe78..2a96043 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,44 +1,1047 @@
+@@ -1,44 +1,1048 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -23762,6 +23772,7 @@ index f5afe78..6d054a2 100644
+ allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file manage_file_perms;
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
++ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
+ userdom_search_user_home_dirs($1)
+')
+
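Review bot: The added `allow $1 gnome_home_type:sock_file manage_sock_file_perms;` widens a manage interface, whose name and summary sit above the hunk, to every socket file under the gnome home types for every caller of the interface, not just the domain that triggered the change; if a single caller needs sockets, a narrower interface keeps the others at their previous scope. If the widening is intended, the interface's `<summary>` (outside the hunk) should mention socket files alongside files, directories and symlinks so the documentation matches the grant.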
@@ -24543,7 +24554,7 @@ index f5afe78..6d054a2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +1049,91 @@ interface(`gnome_role',`
+@@ -46,37 +1050,91 @@ interface(`gnome_role',`
## </summary>
## </param>
#
@@ -24646,7 +24657,7 @@ index f5afe78..6d054a2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +1141,107 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +1142,107 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -24765,7 +24776,7 @@ index f5afe78..6d054a2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +1249,36 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1250,36 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -24806,7 +24817,7 @@ index f5afe78..6d054a2 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1286,279 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1287,279 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -38393,7 +38404,7 @@ index 386543b..8fe1d63 100644
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 2324d9e..7ccb55f 100644
+index 2324d9e..7c9fca9 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -38494,7 +38505,7 @@ index 2324d9e..7ccb55f 100644
########################################
## <summary>
## Read NetworkManager PID files.
-@@ -191,3 +255,90 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +255,110 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -38546,6 +38557,26 @@ index 2324d9e..7ccb55f 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
+
++#######################################
++## <summary>
++## Allow the specified domain to manage
++## to Network Manager lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_manage_lib',`
++ gen_require(`
++ type NetworkManager_log_t;
++ ')
++
++ manage_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
++')
++
++
+########################################
+## <summary>
+## Transition to networkmanager named content
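Review bot: `networkmanager_manage_lib` requires and grants `NetworkManager_log_t`, so despite its name and summary it lets the caller manage NetworkManager's log files while the lib files it advertises are untouched; the gen_require should name the lib type and the rule should use it, presumably `type NetworkManager_var_lib_t;` and `manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)` (confirm the type name in networkmanager.te — it is the one the existing read_lib_files interface operates on). The summary text `manage to Network Manager lib files` should read `manage NetworkManager lib files`, the header rule is one `#` short of the 40 used by the file's other interfaces, and the double blank line after the closing `')` should be a single one. Consider whether callers also need directory permissions on that type, since replacing a read interface with a manage one usually implies creating entries.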
@@ -70829,7 +70860,7 @@ index 6f0736b..d91242a 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..ce27313 100644
+index 947bbc6..0b607f1 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -71074,7 +71105,7 @@ index 947bbc6..ce27313 100644
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
-@@ -131,67 +223,65 @@ corenet_udp_bind_all_ports(svirt_t)
+@@ -131,67 +223,69 @@ corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
@@ -71102,27 +71133,29 @@ index 947bbc6..ce27313 100644
-tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs(svirt_t)
- fs_manage_cifs_files(svirt_t)
--')
--
++optional_policy(`
++ xen_rw_image_files(svirt_t)
+ ')
+
-tunable_policy(`virt_use_sysfs',`
- dev_rw_sysfs(svirt_t)
--')
--
++optional_policy(`
++ nscd_use(svirt_t)
+ ')
+
-tunable_policy(`virt_use_usb',`
- dev_rw_usbfs(svirt_t)
- fs_manage_dos_dirs(svirt_t)
- fs_manage_dos_files(svirt_t)
-')
--
- optional_policy(`
- xen_rw_image_files(svirt_t)
- ')
-
+#######################################
+#
+# svirt_prot_exec local policy
+#
-+
+
+-optional_policy(`
+- xen_rw_image_files(svirt_t)
+-')
+allow svirt_tcg_t self:process { execmem execstack };
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
@@ -71131,7 +71164,7 @@ index 947bbc6..ce27313 100644
+corenet_udp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_connect_all_ports(svirt_tcg_t)
-+
+
########################################
#
# virtd local policy
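Review bot: `nscd_use(svirt_t)` is added with no comment recording why a confined guest process needs the nscd socket; since svirt_t is the sandbox for untrusted guest code, each new interaction with a host daemon deserves a stated reason, e.g. `# qemu needs name resolution via nscd (cite the denial that motivated this)`. The rule is granted only to svirt_t, while the svirt_tcg_t block that follows mirrors svirt_t's corenet_* rules one by one; if svirt_tcg_t is the same qemu running under TCG it will hit the same denial, so either add the optional_policy block there too or note why it is not needed.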
@@ -71183,7 +71216,7 @@ index 947bbc6..ce27313 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +292,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +296,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -71218,7 +71251,7 @@ index 947bbc6..ce27313 100644
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +324,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +328,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -71242,7 +71275,7 @@ index 947bbc6..ce27313 100644
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +352,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +356,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -71276,7 +71309,7 @@ index 947bbc6..ce27313 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +384,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +388,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -71295,7 +71328,7 @@ index 947bbc6..ce27313 100644
mcs_process_set_categories(virtd_t)
-@@ -284,7 +410,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +414,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -71305,7 +71338,7 @@ index 947bbc6..ce27313 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +420,33 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +424,33 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -71339,7 +71372,7 @@ index 947bbc6..ce27313 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +465,10 @@ optional_policy(`
+@@ -322,6 +469,10 @@ optional_policy(`
')
optional_policy(`
@@ -71350,7 +71383,7 @@ index 947bbc6..ce27313 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +482,34 @@ optional_policy(`
+@@ -335,19 +486,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -71386,7 +71419,7 @@ index 947bbc6..ce27313 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +524,12 @@ optional_policy(`
+@@ -362,6 +528,12 @@ optional_policy(`
')
optional_policy(`
@@ -71399,7 +71432,7 @@ index 947bbc6..ce27313 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +537,11 @@ optional_policy(`
+@@ -369,11 +541,11 @@ optional_policy(`
')
optional_policy(`
@@ -71416,7 +71449,7 @@ index 947bbc6..ce27313 100644
')
optional_policy(`
-@@ -384,6 +552,7 @@ optional_policy(`
+@@ -384,6 +556,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -71424,7 +71457,7 @@ index 947bbc6..ce27313 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -402,35 +571,85 @@ optional_policy(`
+@@ -402,35 +575,85 @@ optional_policy(`
#
# virtual domains common policy
#
@@ -71519,7 +71552,7 @@ index 947bbc6..ce27313 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +657,601 @@ dev_write_sound(virt_domain)
+@@ -438,34 +661,601 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -71587,7 +71620,7 @@ index 947bbc6..ce27313 100644
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
- ')
++')
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
@@ -71985,7 +72018,7 @@ index 947bbc6..ce27313 100644
+optional_policy(`
+ apache_exec_modules(svirt_lxc_domain)
+ apache_read_sys_content(svirt_lxc_domain)
-+')
+ ')
+
+virt_lxc_domain_template(svirt_lxc_net)
+
@@ -72959,7 +72992,7 @@ index fc0adf8..cf479f3 100644
# Manual transition from userhelper
optional_policy(`
diff --git a/wm.if b/wm.if
-index b3efef7..c1be6ab 100644
+index b3efef7..177cf16 100644
--- a/wm.if
+++ b/wm.if
@@ -31,17 +31,14 @@ template(`wm_role_template',`
@@ -72982,7 +73015,7 @@ index b3efef7..c1be6ab 100644
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;
allow $3 $1_wm_t:process { signal sigchld signull };
-@@ -50,42 +47,18 @@ template(`wm_role_template',`
+@@ -50,19 +47,19 @@ template(`wm_role_template',`
allow $1_wm_t $3:dbus send_msg;
allow $3 $1_wm_t:dbus send_msg;
@@ -73002,17 +73035,19 @@ index b3efef7..c1be6ab 100644
-
- files_read_etc_files($1_wm_t)
- files_read_usr_files($1_wm_t)
--
++ auth_use_nsswitch($1_wm_t)
+
- fs_getattr_tmpfs($1_wm_t)
--
-- mls_file_read_all_levels($1_wm_t)
-- mls_file_write_all_levels($1_wm_t)
-- mls_xwin_read_all_levels($1_wm_t)
-- mls_xwin_write_all_levels($1_wm_t)
-- mls_fd_use_all_levels($1_wm_t)
--
- auth_use_nsswitch($1_wm_t)
++ kernel_read_system_state($1_wm_t)
+
+ mls_file_read_all_levels($1_wm_t)
+ mls_file_write_all_levels($1_wm_t)
+@@ -70,22 +67,6 @@ template(`wm_role_template',`
+ mls_xwin_write_all_levels($1_wm_t)
+ mls_fd_use_all_levels($1_wm_t)
+- auth_use_nsswitch($1_wm_t)
+-
- application_signull($1_wm_t)
-
- miscfiles_read_fonts($1_wm_t)
@@ -73031,7 +73066,7 @@ index b3efef7..c1be6ab 100644
xserver_role($2, $1_wm_t)
xserver_manage_core_devices($1_wm_t)
diff --git a/wm.te b/wm.te
-index 19d447e..9c0a1c2 100644
+index 19d447e..996a3d4 100644
--- a/wm.te
+++ b/wm.te
@@ -1,5 +1,7 @@
@@ -73042,7 +73077,7 @@ index 19d447e..9c0a1c2 100644
########################################
#
# Declarations
-@@ -7,3 +9,42 @@ policy_module(wm, 1.2.0)
+@@ -7,3 +9,34 @@ policy_module(wm, 1.2.0)
type wm_exec_t;
corecmd_executable_file(wm_exec_t)
@@ -73052,8 +73087,6 @@ index 19d447e..9c0a1c2 100644
+allow wm_domain self:shm create_shm_perms;
+allow wm_domain self:unix_dgram_socket create_socket_perms;
+
-+kernel_read_system_state(wm_domain)
-+
+dev_read_urand(wm_domain)
+
+files_read_etc_files(wm_domain)
@@ -73061,12 +73094,6 @@ index 19d447e..9c0a1c2 100644
+
+fs_getattr_tmpfs(wm_domain)
+
-+mls_file_read_all_levels(wm_domain)
-+mls_file_write_all_levels(wm_domain)
-+mls_xwin_read_all_levels(wm_domain)
-+mls_xwin_write_all_levels(wm_domain)
-+mls_fd_use_all_levels(wm_domain)
-+
+application_signull(wm_domain)
+
+miscfiles_read_fonts(wm_domain)
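Review bot: `kernel_read_system_state` and the five `mls_*_all_levels` rules move from the `wm_domain` attribute in wm.te back into `wm_role_template` on `$1_wm_t`, so they now apply only to types created through the template and not to any other type carrying `wm_domain`; nothing in the hunk says why, and a comment in the template stating the reason (e.g. that the mls override rules are meant for the per-role type only — confirm) would stop the next cleanup from moving them back. `auth_use_nsswitch($1_wm_t)` is merely relocated within the template, so its net effect is nil. The `mls_file_write_all_levels` grant to a window manager is broad; it is pre-existing, but worth re-checking while it is being touched.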