[selinux-policy] +- Add labeling for /var/run/systemd/journal/syslog +- libvirt sends signals to ifconfig +- Allow do

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 11 19:37:56 UTC 2012


commit 68079f6d89171dd06c1e66d1b1afb590def7e368
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Jan 11 20:37:45 2012 +0100

    +- Add labeling for /var/run/systemd/journal/syslog
    +- libvirt sends signals to ifconfig
    +- Allow domains that read logind session files to list them

 policy-F16.patch    |   65 ++++++++++++++++++++++++++++++--------------------
 selinux-policy.spec |    7 ++++-
 2 files changed, 45 insertions(+), 27 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index ec6758d..d7cffee 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -65286,7 +65286,7 @@ index 7c5d8d8..e6bb21e 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..bc0bf43 100644
+index 3eca020..c0eaf5e 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@@ -65688,7 +65688,7 @@ index 3eca020..bc0bf43 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +423,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +423,31 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -65700,6 +65700,7 @@ index 3eca020..bc0bf43 100644
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
  
++sysnet_signal_ifconfig(virtd_t)
  sysnet_domtrans_ifconfig(virtd_t)
  sysnet_read_config(virtd_t)
  
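Review bot: `sysnet_signal_ifconfig(virtd_t)` is added with no comment saying why virtd needs to signal ifconfig, and the neighbouring virt.te lines give no hint either; a one-line comment such as `# virtd signals the ifconfig helpers it spawns via sysnet_domtrans_ifconfig below` would keep the grant auditable. This interface grants only `signal`; if the denial that prompted the change showed a different signal permission, a different sysnet interface is needed, so it is worth checking against the AVC. The surrounding virtd_t block continues outside the hunk.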
@@ -65719,7 +65720,7 @@ index 3eca020..bc0bf43 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +465,10 @@ optional_policy(`
+@@ -313,6 +466,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65730,7 +65731,7 @@ index 3eca020..bc0bf43 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -326,6 +482,14 @@ optional_policy(`
+@@ -326,6 +483,14 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -65745,7 +65746,7 @@ index 3eca020..bc0bf43 100644
  ')
  
  optional_policy(`
-@@ -334,11 +498,14 @@ optional_policy(`
+@@ -334,11 +499,14 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
@@ -65760,7 +65761,7 @@ index 3eca020..bc0bf43 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +527,11 @@ optional_policy(`
+@@ -360,11 +528,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65777,7 +65778,7 @@ index 3eca020..bc0bf43 100644
  ')
  
  optional_policy(`
-@@ -394,20 +561,36 @@ optional_policy(`
+@@ -394,20 +562,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -65817,7 +65818,7 @@ index 3eca020..bc0bf43 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +601,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +602,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -65830,7 +65831,7 @@ index 3eca020..bc0bf43 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +613,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +614,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -65843,7 +65844,7 @@ index 3eca020..bc0bf43 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +626,365 @@ files_search_all(virt_domain)
+@@ -440,25 +627,365 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -71376,7 +71377,7 @@ index 354ce93..4738083 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..ef5a3c8 100644
+index 94fd8dd..5a52670 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -72068,7 +72069,7 @@ index 94fd8dd..ef5a3c8 100644
 +    ')
 +
 +	files_search_pids($1)
-+    filetrans_pattern($1, init_var_run_t, $2, $3)
++	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
 +')
 +
 +#######################################
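Review bot: `init_pid_filetrans` now forwards a fourth argument `$4` as the filename of `filetrans_pattern`, but the interface's `<param>` documentation above this hunk (outside it) is not updated; add `## <param name="name" optional="true"><summary>Name of the object being created (named file transition).</summary></param>` after the existing parameter entries. Existing three-argument callers leave `$4` empty and so keep an unnamed transition, which appears to be the intended compatibility behaviour, and the hunk also changes that line's indentation from spaces to a tab. The interface body starts outside the hunk.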
@@ -74730,13 +74731,14 @@ index a0b379d..2291a13 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..314efca 100644
+index 02f4c97..170e2e0 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -17,12 +17,26 @@
+@@ -17,12 +17,27 @@
  /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  
++/lib/systemd/systemd-journald		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 +/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 +
 +/opt/zimbra/log(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
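Review bot: Labeling `/lib/systemd/systemd-journald` as `syslogd_exec_t` puts journald in the same domain as the classic syslog daemons (presumably via the existing syslogd entrypoint in logging.te, which is outside this patch), so journald inherits every grant that domain has and any future journald-specific rule widens rsyslog/syslog-ng as well. That is a pragmatic choice for this release, but a short comment above the entry, e.g. `# journald runs in the syslog domain until it gets a domain of its own`, would record the intent. The adjacent `systemd-kmsg-syslogd` entry already takes the same approach.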
@@ -74761,7 +74763,7 @@ index 02f4c97..314efca 100644
  
  /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,7 +52,7 @@ ifdef(`distro_suse', `
+@@ -38,7 +53,7 @@ ifdef(`distro_suse', `
  
  /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
  /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@@ -74770,7 +74772,15 @@ index 02f4c97..314efca 100644
  /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -73,4 +87,8 @@ ifdef(`distro_redhat',`
+@@ -66,6 +81,7 @@ ifdef(`distro_redhat',`
+ /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+ /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+ 
+ /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
+ /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
+@@ -73,4 +89,9 @@ ifdef(`distro_redhat',`
  /var/spool/plymouth/boot\.log	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
  
@@ -74779,8 +74789,9 @@ index 02f4c97..314efca 100644
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
++
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 831b909..9889380 100644
+index 831b909..118f708 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -233,7 +233,7 @@ interface(`logging_run_auditd',`
@@ -74865,7 +74876,7 @@ index 831b909..9889380 100644
  ########################################
  ## <summary>
  ##	Send system log messages.
-@@ -545,6 +602,44 @@ interface(`logging_send_syslog_msg',`
+@@ -545,6 +602,45 @@ interface(`logging_send_syslog_msg',`
  
  ########################################
  ## <summary>
@@ -74884,6 +74895,7 @@ index 831b909..9889380 100644
 +
 +	allow $1 devlog_t:sock_file manage_sock_file_perms;
 +	dev_filetrans($1, devlog_t, sock_file)
++	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
 +')
 +
 +########################################
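Review bot: The named transition `init_pid_filetrans($1, devlog_t, sock_file, "syslog")` only takes effect once `init_pid_filetrans` forwards its fourth argument, which this commit changes in the init.if hunk; with the old three-argument interface the name is dropped and every sock_file `$1` creates under an `init_var_run_t` directory (`/var/run/systemd(/.*)?` per the context line in the init.fc hunk) would be labeled devlog_t, not just `syslog`. The two hunks therefore have to land together, and the matching logging.fc entry for `/var/run/systemd/journal/syslog` gives restorecon the same answer, which is good. A brief comment above the call, `# journald creates /var/run/systemd/journal/syslog`, would document the target. The enclosing interface starts outside the hunk.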
@@ -74910,7 +74922,7 @@ index 831b909..9889380 100644
  ##	Read the auditd configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -734,7 +829,25 @@ interface(`logging_append_all_logs',`
+@@ -734,7 +830,25 @@ interface(`logging_append_all_logs',`
  	')
  
  	files_search_var($1)
@@ -74937,7 +74949,7 @@ index 831b909..9889380 100644
  ')
  
  ########################################
-@@ -817,7 +930,7 @@ interface(`logging_manage_all_logs',`
+@@ -817,7 +931,7 @@ interface(`logging_manage_all_logs',`
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -74946,7 +74958,7 @@ index 831b909..9889380 100644
  ')
  
  ########################################
-@@ -843,6 +956,44 @@ interface(`logging_read_generic_logs',`
+@@ -843,6 +957,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
@@ -74991,7 +75003,7 @@ index 831b909..9889380 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -944,9 +1095,13 @@ interface(`logging_admin_audit',`
+@@ -944,9 +1096,13 @@ interface(`logging_admin_audit',`
  		type auditd_initrc_exec_t;
  	')
  
@@ -75006,7 +75018,7 @@ index 831b909..9889380 100644
  	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
  	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
  
-@@ -990,10 +1145,15 @@ interface(`logging_admin_syslog',`
+@@ -990,10 +1146,15 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -75024,7 +75036,7 @@ index 831b909..9889380 100644
  
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
-@@ -1015,6 +1175,8 @@ interface(`logging_admin_syslog',`
+@@ -1015,6 +1176,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -78595,10 +78607,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..75e7f1c
+index 0000000..7581e7d
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,542 @@
+@@ -0,0 +1,543 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -78823,6 +78835,7 @@ index 0000000..75e7f1c
 +	')
 +
 +	init_search_pid_dirs($1)
++	allow $1 systemd_logind_sessions_t:dir list_dir_perms;
 +	read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
 +')
 +
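Review bot: The added `allow $1 systemd_logind_sessions_t:dir list_dir_perms;` is a raw allow rule sitting next to a `read_files_pattern` call; refpolicy style is `list_dirs_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)`, which keeps the interface uniform with the line below it and is what the pattern macros exist for. The interface's `<summary>` above the hunk should also say the domain may list the session directory, not only read the files in it. The enclosing interface starts outside the hunk.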
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c577be1..81cc614 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 73%{?dist}
+Release: 74%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Jan 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-74
+- Add labeling for /var/run/systemd/journal/syslog
+- libvirt sends signals to ifconfig
+- Allow domains that read logind session files to list them
+
 * Wed Jan 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-73
 - Fixed destined form libvirt-sandbox
 - Allow apps that list sysfs to also read sympolicy links in this filesystem

