[selinux-policy/f13/master] - Allow ipsec-mgmt to dbus chat with unconfined - Fixes for boinc policy
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Aug 11 14:05:43 UTC 2010
commit 1ca4e36870e28b9b4e106d2faabf90a2cf660297
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Aug 11 16:05:34 2010 +0200
- Allow ipsec-mgmt to dbus chat with unconfined
- Fixes for boinc policy
policy-F13.patch | 161 +++++++++++++++++++++++++++++++++------------------
selinux-policy.spec | 6 ++-
2 files changed, 109 insertions(+), 58 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 8d86409..519ed94 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -11606,7 +11606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-06-16 12:29:00.917864530 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2010-08-11 15:20:33.403085139 +0200
@@ -28,17 +28,29 @@
corecmd_exec_shell(sysadm_t)
@@ -11743,17 +11743,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
-@@ -205,6 +236,9 @@
+@@ -205,6 +236,13 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
+ ipsec_run_setkey(sysadm_t, sysadm_r)
+ ipsec_run_racoon(sysadm_t, sysadm_r)
+ ipsec_stream_connect_racoon(sysadm_t)
++')
++
++optional_policy(`
++ ipsec_mgmt_dbus_chat(sysadm_t)
')
optional_policy(`
-@@ -212,12 +246,22 @@
+@@ -212,12 +250,22 @@
')
optional_policy(`
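Review bot: The new block opened at `++optional_policy(`` holds a single `ipsec_mgmt_dbus_chat(sysadm_t)` call and depends on the same ipsec module as the block closed just above it, so the call could simply follow `ipsec_stream_connect_racoon(sysadm_t)` inside the existing block, unless the separate block is meant to mirror how other *_dbus_chat calls are grouped in this file. If it stays separate, a one-line comment such as `# dbus chat with ipsec-mgmt` would make the split look intentional rather than accidental. The same interface is also added for `unconfined_usertype` in the unconfineduser.te hunk below; the enclosing sysadm.te content continues outside this hunk in both directions.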
@@ -11776,7 +11780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +271,11 @@
+@@ -227,9 +275,11 @@
libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -11788,7 +11792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
-@@ -252,8 +298,10 @@
+@@ -252,8 +302,10 @@
optional_policy(`
mount_run(sysadm_t, sysadm_r)
@@ -11799,7 +11803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')
-@@ -261,6 +309,7 @@
+@@ -261,6 +313,7 @@
optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
@@ -11807,7 +11811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
-@@ -308,8 +357,14 @@
+@@ -308,8 +361,14 @@
')
optional_policy(`
@@ -11822,7 +11826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +374,11 @@
+@@ -319,9 +378,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@@ -11834,7 +11838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +388,11 @@
+@@ -331,9 +392,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@@ -11846,7 +11850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
-@@ -358,8 +417,14 @@
+@@ -358,8 +421,14 @@
')
optional_policy(`
@@ -11861,7 +11865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -382,9 +447,11 @@
+@@ -382,9 +451,11 @@
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
@@ -11873,7 +11877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +460,21 @@
+@@ -393,17 +464,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -11895,7 +11899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +488,11 @@
+@@ -417,9 +492,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -11907,7 +11911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +500,15 @@
+@@ -427,9 +504,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -11923,7 +11927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +519,30 @@
+@@ -440,13 +523,30 @@
')
optional_policy(`
@@ -12641,8 +12645,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-08-10 16:44:03.298084894 +0200
-@@ -0,0 +1,444 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-08-11 11:43:12.141085035 +0200
+@@ -0,0 +1,448 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -12910,6 +12914,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ gnomeclock_dbus_chat(unconfined_usertype)
+ gnome_dbus_chat_gconfdefault(unconfined_usertype)
+ ')
++
++ optional_policy(`
++ ipsec_mgmt_dbus_chat(unconfined_usertype)
++ ')
+
+ optional_policy(`
+ kerneloops_dbus_chat(unconfined_usertype)
@@ -14841,7 +14849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-10 17:36:26.308085089 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-11 13:56:26.586085235 +0200
@@ -19,11 +19,13 @@
# Declarations
#
@@ -15130,7 +15138,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -514,6 +627,9 @@
+@@ -500,8 +613,11 @@
+ # are dontaudited here.
+ tunable_policy(`httpd_tty_comm',`
+ userdom_use_user_terminals(httpd_t)
++ userdom_use_user_terminals(httpd_suexec_t)
++
+ ',`
+ userdom_dontaudit_use_user_terminals(httpd_t)
++ userdom_dontaudit_use_user_terminals(httpd_suexec_t)
+ ')
+
+ optional_policy(`
+@@ -514,6 +630,9 @@
optional_policy(`
cobbler_search_lib(httpd_t)
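Review bot: The `++` line following `userdom_use_user_terminals(httpd_suexec_t)` adds a blank line as the last line of the tunable's true branch, right before `',`, while the false branch gets none; drop it so the two branches are formatted alike. The comment ending `# are dontaudited here.` that introduces this tunable block starts outside the hunk and presumably still describes only httpd_t; with httpd_suexec_t now covered by both branches it should say so, e.g. `# httpd_suexec_t is governed by the same tunable`. This apache change, like the cups_pdf, xdm cgroup, hotplug sysctl and kdump debugfs changes further down, is not reflected in the spec changelog entry, which lists only the ipsec-mgmt and boinc items.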
@@ -15140,7 +15160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -528,7 +644,7 @@
+@@ -528,7 +647,7 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -15149,7 +15169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +653,12 @@
+@@ -537,8 +656,12 @@
')
optional_policy(`
@@ -15163,7 +15183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -557,6 +677,7 @@
+@@ -557,6 +680,7 @@
optional_policy(`
# Allow httpd to work with mysql
@@ -15171,7 +15191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +688,7 @@
+@@ -567,6 +691,7 @@
optional_policy(`
nagios_read_config(httpd_t)
@@ -15179,7 +15199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -577,12 +699,23 @@
+@@ -577,12 +702,23 @@
')
optional_policy(`
@@ -15203,7 +15223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -591,6 +724,11 @@
+@@ -591,6 +727,11 @@
')
optional_policy(`
@@ -15215,7 +15235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -618,6 +756,10 @@
+@@ -618,6 +759,10 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -15226,7 +15246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -699,17 +841,18 @@
+@@ -699,17 +844,18 @@
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -15248,16 +15268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -724,6 +867,8 @@
- miscfiles_read_localization(httpd_suexec_t)
- miscfiles_read_public_files(httpd_suexec_t)
-
-+userdom_dontaudit_use_user_terminals(httpd_suexec_t)
-+
- tunable_policy(`httpd_can_network_connect',`
- allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
- allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -740,10 +885,21 @@
+@@ -740,10 +886,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -15280,7 +15291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +925,12 @@
+@@ -769,6 +926,12 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -15293,7 +15304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
-@@ -792,9 +954,13 @@
+@@ -792,9 +955,13 @@
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -15307,7 +15318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +969,22 @@
+@@ -803,6 +970,22 @@
mta_send_mail(httpd_sys_script_t)
')
@@ -15330,7 +15341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1012,16 @@
+@@ -830,6 +1013,16 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -15347,7 +15358,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1034,7 @@
+@@ -842,6 +1035,7 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -15355,7 +15366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-@@ -891,11 +1084,33 @@
+@@ -891,11 +1085,33 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -15898,8 +15909,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-07-28 14:59:48.453071939 +0200
-@@ -0,0 +1,148 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-11 11:26:59.359084985 +0200
+@@ -0,0 +1,150 @@
+
+policy_module(boinc,1.0.0)
+
@@ -16020,6 +16031,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
++allow boinc_project_t self:fifo_file rw_fifo_file_perms;
++
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
@@ -18815,7 +18828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.19/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-07-19 16:37:40.119151948 +0200
++++ serefpolicy-3.7.19/policy/modules/services/cups.te 2010-08-11 14:30:44.731085160 +0200
@@ -16,6 +16,7 @@
type cupsd_t;
type cupsd_exec_t;
@@ -19044,7 +19057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
kernel_read_system_state(cups_pdf_t)
files_read_etc_files(cups_pdf_t)
-@@ -554,15 +598,21 @@
+@@ -554,15 +598,22 @@
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -19054,6 +19067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+userdom_user_home_dir_filetrans_pattern(cups_pdf_t, { file dir })
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
++userdom_dontaudit_search_admin_dir(cups_pdf_t)
lpd_manage_spool(cups_pdf_t)
@@ -19066,7 +19080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_manage_nfs_dirs(cups_pdf_t)
fs_manage_nfs_files(cups_pdf_t)
')
-@@ -601,6 +651,9 @@
+@@ -601,6 +652,9 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
@@ -19076,7 +19090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-@@ -627,6 +680,7 @@
+@@ -627,6 +681,7 @@
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
@@ -19084,7 +19098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-@@ -647,6 +701,8 @@
+@@ -647,6 +702,8 @@
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -33950,7 +33964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-10 16:24:14.554085406 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-11 15:18:48.297085092 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.3.2)
@@ -34306,7 +34320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+fs_read_noxattr_fs_files(xdm_t)
+fs_dontaudit_list_fusefs(xdm_t)
+fs_manage_cgroup_dirs(xdm_t)
-+fs_rw_cgroup_files(xdm_t)
++fs_manage_cgroup_files(xdm_t)
+
+manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t)
+
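Review bot: Replacing `fs_rw_cgroup_files(xdm_t)` with `fs_manage_cgroup_files(xdm_t)` widens xdm_t from read/write to create, unlink, rename and setattr on cgroup files, and nothing in the hunk says which xdm operation needs that; a why-comment above the call, e.g. `# TODO(review): name the xdm operation that creates/removes cgroup files`, would document the widening. Together with the existing `fs_manage_cgroup_dirs(xdm_t)` this lets the display manager reshape the cgroup hierarchy, so confirm that is intended rather than a workaround for a single denial. The surrounding xdm_t rule block extends beyond the hunk in both directions.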
@@ -35309,7 +35323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.19/policy/modules/system/hotplug.te
--- nsaserefpolicy/policy/modules/system/hotplug.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/hotplug.te 2010-06-16 22:36:40.831110052 +0200
++++ serefpolicy-3.7.19/policy/modules/system/hotplug.te 2010-08-11 15:18:19.642089570 +0200
@@ -24,7 +24,7 @@
#
@@ -35319,6 +35333,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit hotplug_t self:capability { dac_override dac_read_search };
allow hotplug_t self:process { setpgid getsession getattr signal_perms };
+@@ -47,7 +47,7 @@
+ kernel_setpgid(hotplug_t)
+ kernel_read_system_state(hotplug_t)
+ kernel_read_kernel_sysctls(hotplug_t)
+-kernel_read_net_sysctls(hotplug_t)
++kernel_rw_net_sysctls(hotplug_t)
+
+ files_read_kernel_modules(hotplug_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.19/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/init.fc 2010-05-28 09:42:00.214610824 +0200
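Review bot: The switch from `kernel_read_net_sysctls(hotplug_t)` to `kernel_rw_net_sysctls(hotplug_t)` grants hotplug_t write access to the whole net sysctl tree, and the hunk carries no comment on what the hotplug scripts need to set; add one next to the call, e.g. `# hotplug scripts write net sysctls: TODO(review) name the sysctl`, so a later reader can judge whether the full rw set is still required. If only one sysctl is written, a narrower rule would be preferable, but the interfaces available for that are not visible here, so this is a question for the author rather than a proposed change. The rest of the hotplug_t rules in hotplug.te are outside this hunk.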
@@ -36120,7 +36143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.19/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-07-01 15:59:17.968602268 +0200
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-08-11 11:42:38.707085427 +0200
@@ -18,6 +18,24 @@
domtrans_pattern($1, ipsec_exec_t, ipsec_t)
')
@@ -36146,7 +36169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
########################################
## <summary>
## Connect to IPSEC using a unix domain stream socket.
-@@ -273,3 +291,57 @@
+@@ -273,3 +291,78 @@
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -36204,6 +36227,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+
+ allow $1 ipsec_mgmt_t:process signull;
+')
++
++#######################################
++## <summary>
++## Send and receive messages from
++## ipsec-mgmt over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ipsec_mgmt_dbus_chat',`
++ gen_require(`
++ type ipsec_mgmt_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 ipsec_mgmt_t:dbus send_msg;
++ allow ipsec_mgmt_t $1:dbus send_msg;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-08-10 17:44:19.793085351 +0200
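Review bot: The separator above the new `ipsec_mgmt_dbus_chat` interface (`++#######################################`) is one `#` shorter than the 40-character rule used by the other interface headers in ipsec.if, such as the one at the top of the previous hunk; pad it to match. The body grants `dbus send_msg` in both directions, which agrees with the summary's "Send and receive", and the `gen_require` correctly names both `type ipsec_mgmt_t` and `class dbus send_msg`. Whether ipsec_mgmt_t is itself allowed onto the system bus is not visible in this commit (the ipsec.te header that closes the hunk shows no change there), so confirm that rule already exists, otherwise the new interface grants nothing usable.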
@@ -36535,9 +36579,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.19/policy/modules/system/kdump.te
--- nsaserefpolicy/policy/modules/system/kdump.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/kdump.te 2010-08-04 15:02:29.137102846 +0200
-@@ -30,6 +30,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/kdump.te 2010-08-11 11:35:47.007335356 +0200
+@@ -28,8 +28,10 @@
+ files_read_etc_runtime_files(kdump_t)
+ files_read_kernel_img(kdump_t)
++kernel_read_debugfs(kdump_t)
kernel_read_system_state(kdump_t)
kernel_read_core_if(kdump_t)
+kernel_request_load_module(kdump_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bf0b38f..a5f8bbf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 45%{?dist}
+Release: 46%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Wed Aug 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-46
+- Allow ipsec-mgmt to dbus chat with unconfined
+- Fixes for boinc policy
+
* Tue Aug 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-45
- Fixes for cgroup policy
- Fixes for ncftool policy