[selinux-policy/f19] Make realmd+IPA working
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Apr 18 15:01:55 UTC 2013
commit 6605b9869d386dec08cb84d62ae7c827a114a0a6
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Apr 18 17:01:29 2013 +0200
Make realmd+IPA work
policy-rawhide-contrib.patch | 159 ++++++++++++++++++++++-------------------
selinux-policy.spec | 1 +
2 files changed, 86 insertions(+), 74 deletions(-)
---
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 636ef2c..932a185 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -7316,10 +7316,10 @@ index 0000000..98ab9ed
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
-index 0000000..340b755
+index 0000000..d4eb297
--- /dev/null
+++ b/authconfig.te
-@@ -0,0 +1,32 @@
+@@ -0,0 +1,33 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
@@ -7330,6 +7330,7 @@ index 0000000..340b755
+type authconfig_t;
+type authconfig_exec_t;
+application_domain(authconfig_t, authconfig_exec_t)
++role system_r types authconfig_t;
+
+type authconfig_var_lib_t;
+files_type(authconfig_var_lib_t)
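Review bot: `role system_r types authconfig_t;` lets the domain run under the system role, but nothing in this hunk records which system_r process is expected to enter it; application_domain() on the line above would by itself tie the domain to user roles, so the pairing reads as deliberate but undocumented. A one-line comment above it such as `# authconfig is also started by system daemons (realmd, per the commit title), so it needs system_r` would keep the next reader from treating the role line as stray. The rest of authconfig.te, including any domtrans into authconfig_t, is outside this hunk.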
@@ -11571,7 +11572,7 @@ index 973d208..2b650a7 100644
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
-index c223f81..b2efe4b 100644
+index c223f81..83d5104 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
@@ -11611,6 +11612,14 @@ index c223f81..b2efe4b 100644
')
########################################
+@@ -199,7 +222,4 @@ interface(`cobbler_admin',`
+
+ logging_search_logs($1)
+ admin_pattern($1, cobbler_var_log_t)
+-
+- apache_search_sys_content($1)
+- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
+ ')
diff --git a/cobbler.te b/cobbler.te
index 2a71346..bf24fca 100644
--- a/cobbler.te
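Review bot: The inner removal of `apache_search_sys_content($1)` and of `admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })` takes away the administrator's control over cobbler's web content types without a replacement, and the commit message does not say why. If the motivation was an unconditional cross-module call inside an interface, the usual refpolicy shape is to keep the two lines inside an `optional_policy(`...')` block so the capability survives where the apache module is built; if dropping it is the intent, a short comment in cobbler_admin saying so would help. The cobbler_admin body begins before this hunk.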
@@ -20963,7 +20972,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..d16e5e8 100644
+index a7bfaf0..93e583c 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -21150,7 +21159,7 @@ index a7bfaf0..d16e5e8 100644
init_getattr_utmp(dovecot_t)
-@@ -166,36 +160,29 @@ auth_use_nsswitch(dovecot_t)
+@@ -166,44 +160,42 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
@@ -21163,12 +21172,6 @@ index a7bfaf0..d16e5e8 100644
- fs_manage_nfs_files(dovecot_t)
- fs_manage_nfs_symlinks(dovecot_t)
-')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(dovecot_t)
-- fs_manage_cifs_files(dovecot_t)
-- fs_manage_cifs_symlinks(dovecot_t)
--')
+userdom_home_manager(dovecot_t)
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+userdom_manage_user_home_content_dirs(dovecot_t)
@@ -21178,12 +21181,20 @@ index a7bfaf0..d16e5e8 100644
+userdom_manage_user_home_content_sockets(dovecot_t)
+userdom_filetrans_home_content(dovecot_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(dovecot_t)
+- fs_manage_cifs_files(dovecot_t)
+- fs_manage_cifs_symlinks(dovecot_t)
++optional_policy(`
++ mta_manage_home_rw(dovecot_t)
++ mta_manage_spool(dovecot_t)
+ ')
+
optional_policy(`
-- kerberos_keytab_template(dovecot, dovecot_t)
+ kerberos_keytab_template(dovecot, dovecot_t)
- kerberos_manage_host_rcache(dovecot_t)
- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
-+ mta_manage_home_rw(dovecot_t)
-+ mta_manage_spool(dovecot_t)
++ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
')
optional_policy(`
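Review bot: The new `kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")` passes two arguments where the inner line it replaces passed three (`dovecot_t, file, "imap_0"`); kerberos.if is not on this page, so confirm the two-argument form is the current signature, otherwise the name transition for the replay cache is silently wrong. `kerberos_manage_host_rcache(dovecot_t)` stays removed in the inner patch and is not re-added within view; a filetrans rule only labels the file and grants no create or write permission, so unless kerberos_keytab_template now covers it, dovecot's GSSAPI path would need that manage rule to survive somewhere outside this hunk. Moving the mta_manage_home_rw/mta_manage_spool calls into their own optional_policy block is the right shape. The optional_policy reshuffle continues in the next hunk, and dovecot.te extends beyond both.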
@@ -21191,24 +21202,22 @@ index a7bfaf0..d16e5e8 100644
- mta_manage_mail_home_rw_content(dovecot_t)
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
-+ kerberos_keytab_template(dovecot_t, dovecot_t)
-+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
++ gnome_manage_data(dovecot_t)
')
optional_policy(`
- postgresql_stream_connect(dovecot_t)
-+ gnome_manage_data(dovecot_t)
++ postfix_manage_private_sockets(dovecot_t)
++ postfix_search_spool(dovecot_t)
')
optional_policy(`
-@@ -204,6 +191,11 @@ optional_policy(`
+- postfix_manage_private_sockets(dovecot_t)
+- postfix_search_spool(dovecot_t)
++ postgresql_stream_connect(dovecot_t)
')
optional_policy(`
-+ postgresql_stream_connect(dovecot_t)
-+')
-+
-+optional_policy(`
+ # Handle sieve scripts
sendmail_domtrans(dovecot_t)
')
@@ -31523,17 +31532,16 @@ index 3465a9a..353c4ce 100644
sysnet_dns_name_resolve(kpropd_t)
diff --git a/kerneloops.if b/kerneloops.if
-index 714448f..656a998 100644
+index 714448f..fa0c994 100644
--- a/kerneloops.if
+++ b/kerneloops.if
-@@ -101,13 +101,17 @@ interface(`kerneloops_manage_tmp_files',`
+@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',`
#
interface(`kerneloops_admin',`
gen_require(`
- type kerneloops_t, kerneloops_initrc_exec_t;
- type kerneloops_tmp_t;
+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
-+ type kerneloops_initrc_exec_t;
')
- allow $1 kerneloops_t:process { ptrace signal_perms };
@@ -32005,7 +32013,7 @@ index e736c45..4b1e1e4 100644
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
-index c530214..a3984cb 100644
+index c530214..eadf7e0 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
@@ -32038,13 +32046,14 @@ index c530214..a3984cb 100644
########################################
## <summary>
## All of the rules required to
-@@ -57,21 +80,25 @@ interface(`ksmtuned_initrc_domtrans',`
+@@ -57,21 +80,26 @@ interface(`ksmtuned_initrc_domtrans',`
#
interface(`ksmtuned_admin',`
gen_require(`
- type ksmtuned_t, ksmtuned_var_run_t;
- type ksmtuned_initrc_exec_t, ksmtuned_log_t;
+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
++ type ksmtuned_log_t;
')
- ksmtuned_initrc_domtrans($1)
@@ -74532,7 +74541,7 @@ index d14b6bf..da5d41d 100644
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
-index 88e753f..e25aecc 100644
+index 88e753f..133d993 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
@@ -74714,73 +74723,79 @@ index 88e753f..e25aecc 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -299,18 +281,13 @@ interface(`sendmail_domtrans_unconfined',`
- ')
+@@ -285,58 +267,27 @@ interface(`sendmail_manage_tmp_files',`
- mta_sendmail_domtrans($1, unconfined_sendmail_t)
+ ########################################
+ ## <summary>
+-## Execute sendmail in the unconfined sendmail domain.
+-## </summary>
+-## <param name="domain">
+-## <summary>
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-#
+-interface(`sendmail_domtrans_unconfined',`
+- gen_require(`
+- type unconfined_sendmail_t;
+- ')
+-
+- mta_sendmail_domtrans($1, unconfined_sendmail_t)
-
- allow unconfined_sendmail_t $1:fd use;
- allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms;
- allow unconfined_sendmail_t $1:process sigchld;
- ')
-
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
-## Execute sendmail in the unconfined
-## sendmail domain, and allow the
-## specified role the unconfined
-## sendmail domain.
-+## Execute sendmail in the unconfined sendmail domain, and
-+## allow the specified role the unconfined sendmail domain,
-+## and use the caller's terminal.
++## Set the attributes of sendmail pid files.
## </summary>
## <param name="domain">
## <summary>
-@@ -326,17 +303,36 @@ interface(`sendmail_domtrans_unconfined',`
+-## Domain allowed to transition.
+-## </summary>
+-## </param>
+-## <param name="role">
+-## <summary>
+-## Role allowed access.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <rolecap/>
#
- interface(`sendmail_run_unconfined',`
+-interface(`sendmail_run_unconfined',`
++interface(`sendmail_setattr_pid_files',`
gen_require(`
- attribute_role sendmail_unconfined_roles;
-+ type unconfined_sendmail_t;
++ type sendmail_var_run_t;
')
- sendmail_domtrans_unconfined($1)
+- sendmail_domtrans_unconfined($1)
- roleattribute $2 sendmail_unconfined_roles;
-+ role $2 types unconfined_sendmail_t;
++ allow $1 sendmail_var_run_t:file setattr_file_perms;
++ files_search_pids($1)
')
########################################
## <summary>
-## All of the rules required to
-## administrate an sendmail environment.
-+## Set the attributes of sendmail pid files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`sendmail_setattr_pid_files',`
-+ gen_require(`
-+ type sendmail_var_run_t;
-+ ')
-+
-+ allow $1 sendmail_var_run_t:file setattr_file_perms;
-+ files_search_pids($1)
-+')
-+
-+########################################
-+## <summary>
+## All of the rules required to administrate
+## an sendmail environment
## </summary>
## <param name="domain">
## <summary>
-@@ -354,12 +350,20 @@ interface(`sendmail_admin',`
+@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',`
+ interface(`sendmail_admin',`
gen_require(`
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
- type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+- type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++ type sendmail_tmp_t, sendmail_var_run_t;
+ type mail_spool_t;
')
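Review bot: Deleting `sendmail_domtrans_unconfined` and `sendmail_run_unconfined` from sendmail.if removes two public interfaces, and nothing on this page shows that their callers, or the unconfined_sendmail_t declaration in sendmail.te, were updated in the same change; any module that still calls either one fails at build time. If the callers cannot be confirmed, the safer shape is a deprecated stub left in place for a release, e.g. `interface(`sendmail_run_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')`. The same removal of unconfined_sendmail_t continues in the next hunk, where sendmail_admin drops its ptrace and signal rules for that type. The new summary text `administrate an sendmail environment` should read `a sendmail environment`; sendmail_admin's body runs past this hunk.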
@@ -74790,18 +74805,14 @@ index 88e753f..e25aecc 100644
+ ps_process_pattern($1, sendmail_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sendmail_t:process ptrace;
-+ allow $1 unconfined_sendmail_t:process ptrace;
+ ')
- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
-+ allow $1 unconfined_sendmail_t:process signal_perms;
-+ ps_process_pattern($1, unconfined_sendmail_t)
-+
+ sendmail_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sendmail_initrc_exec_t system_r;
-@@ -372,6 +376,6 @@ interface(`sendmail_admin',`
+@@ -372,6 +327,6 @@ interface(`sendmail_admin',`
files_list_pids($1)
admin_pattern($1, sendmail_var_run_t)
@@ -84899,7 +84910,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..a202ead 100644
+index 9dec06c..cd873d3 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -86042,7 +86053,7 @@ index 9dec06c..a202ead 100644
- type virt_log_t;
+ type virtd_t, virtd_initrc_exec_t;
+ attribute virt_domain;
-+ type virt_lxc_t;
++ type virtd_lxc_t;
+ type virtd_unit_file_t;
')
@@ -86052,11 +86063,11 @@ index 9dec06c..a202ead 100644
+ ps_process_pattern($1, virtd_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 virtd_t:process ptrace;
-+ allow $1 virt_lxc_t:process ptrace;
++ allow $1 virtd_lxc_t:process ptrace;
+ ')
+
-+ allow $1 virt_lxc_t:process signal_perms;
-+ ps_process_pattern($1, virt_lxc_t)
++ allow $1 virtd_lxc_t:process signal_perms;
++ ps_process_pattern($1, virtd_lxc_t)
+
+ init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2d64401..754b6aa 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -528,6 +528,7 @@ SELinux Reference policy mls base module.
%changelog
* Thu Apr 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-34
- Allow certmonger to dbus communicate with realmd
+- Make realmd working
* Thu Apr 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-33
- Fix mozilla specification of homedir content