[selinux-policy/f14/master] * Tue Aug 3 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-9 - Apply Miroslav munin patch - Turn back on a
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Aug 4 17:10:36 UTC 2010
commit 7cec34895727f9fc10dadedb3df2695d5f710e26
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Aug 4 13:10:04 2010 -0400
* Tue Aug 3 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-9
- Apply Miroslav munin patch
- Turn back on allow_execmem and allow_execmod booleans
policy-F14.patch | 163 +++++++++++++++++++++++++++++++++++++++--------------
1 files changed, 120 insertions(+), 43 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 8b34b61..31e5fb2 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -5115,7 +5115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.8.8/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.te 2010-08-04 10:07:33.000000000 -0400
@@ -0,0 +1,299 @@
+policy_module(nsplugin, 1.0.0)
+
@@ -5146,7 +5146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+
+type nsplugin_rw_t;
+files_poly_member(nsplugin_rw_t)
-+userdom_user_home_content(nsplugin_rw_t)
++files_type(nsplugin_rw_t)
+
+type nsplugin_tmp_t;
+files_tmp_file(nsplugin_tmp_t)
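Review bot: The replaced line retypes nsplugin_rw_t from userdom_user_home_content() to a bare files_type(), which is a security-relevant change the changelog does not mention: as far as I recall refpolicy, the home-content interface attaches the user_home_type attribute, so the generic userdom_*_user_home_content_* grants (and the home-dir relabel/polyinstantiation rules keyed on that attribute) stop covering plugin-writable files, while files_type still leaves them reachable via the files_*_all_files interfaces. If that narrowing is intentional, record it beside the declaration, e.g. `# plain files_type on purpose: keep plugin-writable files out of the generic user_home_type grants`. The nsplugin.te type declarations continue above and below this hunk.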
@@ -6898,8 +6898,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te
--- nsaserefpolicy/policy/modules/apps/telepathy.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-07-30 14:06:53.000000000 -0400
-@@ -0,0 +1,309 @@
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-04 11:57:36.000000000 -0400
+@@ -0,0 +1,310 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -6952,6 +6952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
++userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
+
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
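Review bot: The added userdom_user_tmp_filetrans() names `{ dir file }`, but within the hunk only manage_files_pattern() and exec_files_pattern() are granted on telepathy_msn_tmp_t; unless a manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) sits above the hunk, the dir half of that transition has no create permission behind it and the mkdir is denied before the transition applies. Worth confirming against the lines above, and worth a one-line comment on the new rule, e.g. `# also label what the msn transport creates under the user's tmp dir`. The telepathy_msn_t rules begin and end outside this hunk.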
@@ -7831,8 +7832,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-07-30 14:06:53.000000000 -0400
-@@ -497,6 +497,24 @@
++++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-08-04 12:08:01.000000000 -0400
+@@ -461,6 +461,24 @@
+
+ ########################################
+ ## <summary>
++## Allow relablefrom for generic character device files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_relabelfrom_generic_chr_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ allow $1 device_t:chr_file relabelfrom;
++')
++
++########################################
++## <summary>
+ ## Dontaudit getattr for generic character device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -497,6 +515,24 @@
########################################
## <summary>
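Review bot: The summary of the new dev_relabelfrom_generic_chr_files() interface misspells the permission ("relablefrom"); change it to `## Allow relabelfrom for generic character device files.` so it matches the interface name and the other dev_*_generic_chr_files summaries. Note that the interface grants relabelfrom on every chr_file still labelled device_t, i.e. on any device node that has not been given a more specific type, so it is only as safe as the relabelto it is paired with (the init.te caller in this commit pairs it with the narrow autofs relabelto). A sentence in the summary saying so would steer future callers, e.g. `## Pair with a specific dev_relabelto_* interface rather than a generic one.`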
@@ -7857,7 +7883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read and write generic character device files.
## </summary>
## <param name="domain">
-@@ -606,6 +624,24 @@
+@@ -606,6 +642,24 @@
########################################
## <summary>
@@ -7882,7 +7908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
-@@ -1015,6 +1051,42 @@
+@@ -1015,6 +1069,42 @@
########################################
## <summary>
@@ -7925,7 +7951,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -3540,6 +3612,24 @@
+@@ -1277,6 +1367,24 @@
+
+ ########################################
+ ## <summary>
++## Relableto the autofs device node.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_relabelto_autofs_dev',`
++ gen_require(`
++ type autofs_device_t;
++ ')
++
++ allow $1 autofs_device_t:chr_file relabelto;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to get the attributes of
+ ## the autofs device node.
+ ## </summary>
+@@ -3540,6 +3648,24 @@
########################################
## <summary>
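Review bot: The summary of the new dev_relabelto_autofs_dev() interface misspells the permission ("Relableto"); use `## Relabelto the autofs device node.` to match the interface name and the neighbouring dev_*_autofs_dev summaries. The rule itself is minimal and correctly scoped, a single relabelto on autofs_device_t:chr_file, with the matching relabelfrom left to the caller, which is the right split.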
@@ -7950,7 +8001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3851,6 +3941,24 @@
+@@ -3851,6 +3977,24 @@
########################################
## <summary>
@@ -7975,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -4161,11 +4269,10 @@
+@@ -4161,11 +4305,10 @@
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -22866,7 +22917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.if serefpolicy-3.8.8/policy/modules/services/rhgb.if
--- nsaserefpolicy/policy/modules/services/rhgb.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/rhgb.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/rhgb.if 2010-08-03 15:21:15.000000000 -0400
@@ -22,7 +22,7 @@
## </summary>
## <param name="domain">
@@ -22933,7 +22984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
/usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.8.8/policy/modules/services/ricci.if
--- nsaserefpolicy/policy/modules/services/ricci.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/ricci.if 2010-08-03 15:22:25.000000000 -0400
@@ -18,6 +18,24 @@
domtrans_pattern($1, ricci_exec_t, ricci_t)
')
@@ -22959,7 +23010,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
########################################
## <summary>
## Execute a domain transition to run ricci_modcluster.
-@@ -165,3 +183,48 @@
+@@ -96,6 +114,24 @@
+
+ ########################################
+ ## <summary>
++## Read and write to ricci_modcluserd temporary file system.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ricci_rw_modclusterd_tmpfs_files',`
++ gen_require(`
++ type ricci_modcluserd_tmpfs_t;
++ ')
++
++ allow $1 ricci_modcluserd_tmpfs_t:file rw_file_perms;
++')
++
++########################################
++## <summary>
+ ## Execute a domain transition to run ricci_modlog.
+ ## </summary>
+ ## <param name="domain">
+@@ -165,3 +201,48 @@
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
')
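Review bot: The new ricci_rw_modclusterd_tmpfs_files() interface requires and grants on `ricci_modcluserd_tmpfs_t`, which looks like a transposition of "modclusterd" (the interface name itself spells it modclusterd). If ricci.te declares the type as ricci_modclusterd_tmpfs_t, the gen_require fails as soon as any module calls this interface, and the summary repeats the typo. Change the three occurrences to `type ricci_modclusterd_tmpfs_t;`, `allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;` and `## Read and write ricci_modclusterd temporary file system files.`; if the type really is declared with the misspelt name, fix it at the declaration and its file context entry instead so the typo does not spread.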
@@ -27009,7 +27085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-03 14:33:38.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-04 11:05:05.000000000 -0400
@@ -35,6 +35,13 @@
## <desc>
@@ -27407,7 +27483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
-+logging_log_filetrans(xdm_t, xdm_log_t, file)
++logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
+
manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
@@ -29208,7 +29284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-08-04 12:04:07.000000000 -0400
@@ -16,6 +16,27 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -29320,7 +29396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,65 @@
+@@ -185,15 +216,66 @@
sysadm_shell_domtrans(init_t)
')
@@ -29342,7 +29418,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ dev_rw_autofs(init_t)
+ dev_manage_generic_dirs(init_t)
+ dev_read_generic_chr_files(init_t)
-+
++ dev_relabelfrom_generic_chr_files(init_t)
++ dev_relabelto_autofs_dev(init_t)
+ files_mounton_all_mountpoints(init_t)
+ files_manage_all_pids_dirs(init_t)
+
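Review bot: The two added lines let init_t relabelfrom every device_t character device and relabelto autofs_device_t, i.e. init may retype any device node that has not yet received a specific label as the autofs device, and nothing in the hunk says why. The reason is not recoverable from this diff (an early-boot /dev/autofs node that needs its label fixed before udev or restorecon runs is only a guess), so add a why-comment on the rules, e.g. `# let init fix the label on the autofs device node it deals with early in boot — TODO confirm trigger`, with the real trigger filled in. The enclosing conditional block starts and ends outside the hunk; if these rules belong to the upstart-specific branch, the comment should say so too.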
@@ -29386,7 +29463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
-@@ -211,7 +292,7 @@
+@@ -211,7 +293,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29395,7 +29472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -240,6 +321,7 @@
+@@ -240,6 +322,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29403,7 +29480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +339,22 @@
+@@ -257,11 +340,22 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29426,7 +29503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
-@@ -297,11 +390,13 @@
+@@ -297,11 +391,13 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29440,7 +29517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -320,8 +415,10 @@
+@@ -320,8 +416,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29452,7 +29529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -337,6 +434,8 @@
+@@ -337,6 +435,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29461,7 +29538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_delete_cgroup_dirs(initrc_t)
fs_list_cgroup_dirs(initrc_t)
-@@ -350,6 +449,8 @@
+@@ -350,6 +450,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29470,7 +29547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -362,6 +463,7 @@
+@@ -362,6 +464,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29478,7 +29555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -393,13 +495,14 @@
+@@ -393,13 +496,14 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29494,7 +29571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -472,7 +575,7 @@
+@@ -472,7 +576,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29503,7 +29580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -518,6 +621,19 @@
+@@ -518,6 +622,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -29523,7 +29600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -525,10 +641,17 @@
+@@ -525,10 +642,17 @@
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29541,7 +29618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -543,6 +666,35 @@
+@@ -543,6 +667,35 @@
')
')
@@ -29577,7 +29654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -555,6 +707,8 @@
+@@ -555,6 +708,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29586,7 +29663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -571,6 +725,7 @@
+@@ -571,6 +726,7 @@
optional_policy(`
cgroup_stream_connect(initrc_t)
@@ -29594,7 +29671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -583,6 +738,11 @@
+@@ -583,6 +739,11 @@
')
optional_policy(`
@@ -29606,7 +29683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -599,6 +759,7 @@
+@@ -599,6 +760,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29614,7 +29691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -700,7 +861,12 @@
+@@ -700,7 +862,12 @@
')
optional_policy(`
@@ -29627,7 +29704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -723,6 +889,10 @@
+@@ -723,6 +890,10 @@
')
optional_policy(`
@@ -29638,7 +29715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -765,8 +935,6 @@
+@@ -765,8 +936,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29647,7 +29724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -779,10 +947,12 @@
+@@ -779,10 +948,12 @@
squid_manage_logs(initrc_t)
')
@@ -29660,7 +29737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -804,11 +974,19 @@
+@@ -804,11 +975,19 @@
')
optional_policy(`
@@ -29681,7 +29758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -818,6 +996,25 @@
+@@ -818,6 +997,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29707,7 +29784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -843,3 +1040,55 @@
+@@ -843,3 +1041,55 @@
optional_policy(`
zebra_read_config(initrc_t)
')