[selinux-policy/f13/master] - Fixes for shorewall policy - Allow sssd chown capability - Fix label for /usr/bin/mutter - Label d

Miroslav Grepl mgrepl at fedoraproject.org
Wed Aug 18 13:34:49 UTC 2010


commit 33a2948279ec5a320b5ab1cefe72197b398e8a84
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Aug 18 15:34:26 2010 +0200

    - Fixes for shorewall policy
    - Allow sssd chown capability
    - Fix label for /usr/bin/mutter
    - Label dead.letter as mail_home_t
    - Allow pcscd to read hardware state information
    - Fixes for ulogd policy

 policy-F13.patch    |  359 ++++++++++++++++++++++++++++++++++++++------------
 selinux-policy.spec |   10 ++-
 2 files changed, 282 insertions(+), 87 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 8e727ed..56a73e6 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2075,53 +2075,83 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sectool
  	mount_exec(sectoolm_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.19/policy/modules/admin/shorewall.if
 --- nsaserefpolicy/policy/modules/admin/shorewall.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if	2010-06-28 18:47:53.194150718 +0200
-@@ -37,44 +37,6 @@
- 	read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.if	2010-08-17 10:56:22.490085133 +0200
+@@ -18,47 +18,27 @@
+ 	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
  ')
  
 -#######################################
--## <summary>
--##	Read shorewall PID files.
--## </summary>
--## <param name="domain">
++#####################################
+ ## <summary>
+-##	Read shorewall etc configuration files.
++##      Execute a domain transition to run shorewall.
+ ## </summary>
+ ## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
 -## </param>
 -#
--interface(`shorewall_read_pid_files',`
+-interface(`shorewall_read_config',`
 -	gen_require(`
--		type shorewall_var_run_t;
+-		type shorewall_etc_t;
 -	')
 -
--	files_search_pids($1)
--	read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+-	files_search_etc($1)
+-	read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
 -')
 -
 -#######################################
--## <summary>
--##	Read and write shorewall PID files.
--## </summary>
+ ## <summary>
+-##	Read shorewall PID files.
++##      Domain allowed to transition.
+ ## </summary>
 -## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
--## </param>
--#
--interface(`shorewall_rw_pid_files',`
+ ## </param>
+ #
+-interface(`shorewall_read_pid_files',`
 -	gen_require(`
 -		type shorewall_var_run_t;
 -	')
--
++interface(`shorewall_domtrans_lib',`
++        gen_require(`
++                type shorewall_t, shorewall_var_lib_t;
++        ')
+ 
+-	files_search_pids($1)
+-	read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
++        domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
+ ')
+ 
+ #######################################
+ ## <summary>
+-##	Read and write shorewall PID files.
++##	Read shorewall etc configuration files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -66,13 +46,13 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`shorewall_rw_pid_files',`
++interface(`shorewall_read_config',`
+ 	gen_require(`
+-		type shorewall_var_run_t;
++		type shorewall_etc_t;
+ 	')
+ 
 -	files_search_pids($1)
 -	rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
--')
--
++	files_search_etc($1)
++	read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
+ ')
+ 
  ######################################
- ## <summary>
- ##      Read shorewall /var/lib files.
-@@ -134,9 +96,9 @@
+@@ -134,9 +114,9 @@
  #
  interface(`shorewall_admin',`
  	gen_require(`
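Review bot: The new `shorewall_domtrans_lib` interface, together with `allow shorewall_t shorewall_var_lib_t:file entrypoint;` in the shorewall.te hunk that follows, turns a type shorewall_t itself manages (`manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)` is context in that hunk) into an entrypoint, so the domain can rewrite the script it is entered through and any domain with write access to shorewall_var_lib_t gains a way into shorewall_t. Putting the generated firewall script under a dedicated exec-only type would keep the entrypoint off a writable type; if that is not practical, a comment on the entrypoint rule explaining that the compiled script lives under /var/lib/shorewall would at least record the trade-off. The interface body also indents with spaces where the rest of shorewall.if uses tabs, and its summary lines use `##      ` instead of `##	`; the caller is the init.te hunk further down (`shorewall_domtrans_lib(initrc_t)`).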
@@ -2133,7 +2163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
  	')
  
  	allow $1 shorewall_t:process { ptrace signal_perms };
-@@ -153,9 +115,6 @@
+@@ -153,9 +133,6 @@
  	files_search_locks($1)
  	admin_pattern($1, shorewall_lock_t)
  
@@ -2145,8 +2175,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.19/policy/modules/admin/shorewall.te
 --- nsaserefpolicy/policy/modules/admin/shorewall.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te	2010-06-14 20:23:23.332218554 +0200
-@@ -81,13 +81,18 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shorewall.te	2010-08-17 10:55:12.906334026 +0200
+@@ -59,6 +59,9 @@
+ manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+ files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
++allow shorewall_t shorewall_var_lib_t:file entrypoint;
++
++allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
+ 
+ kernel_read_kernel_sysctls(shorewall_t)
+ kernel_read_network_state(shorewall_t)
+@@ -81,13 +84,22 @@
  
  init_rw_utmp(shorewall_t)
  
@@ -2161,6 +2201,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
 +userdom_dontaudit_list_admin_dir(shorewall_t)
 +
 +optional_policy(`
++	brctl_domtrans(shorewall_t)
++')
++
++optional_policy(`
 +	hostname_exec(shorewall_t)
 +')
  
@@ -2982,8 +3026,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.19/policy/modules/apps/execmem.fc
 --- nsaserefpolicy/policy/modules/apps/execmem.fc	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/execmem.fc	2010-07-27 14:20:21.491823198 +0200
-@@ -0,0 +1,48 @@
++++ serefpolicy-3.7.19/policy/modules/apps/execmem.fc	2010-08-17 15:04:07.036334389 +0200
+@@ -0,0 +1,47 @@
 +
 +/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/compiz		--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2991,7 +3035,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +/usr/bin/dosbox		--  gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/haddock.*  	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/hasktags   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/mutter   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/runghc	   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/runhaskell	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/sbcl	     	--	gen_context(system_u:object_r:execmem_exec_t,s0)
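Review bot: Dropping `/usr/bin/mutter` from execmem_exec_t leaves no replacement context for it anywhere in this commit, so after a relabel mutter presumably falls back to the generic /usr/bin label and loses the execmem permission this type granted. If the changelog's "Fix label for /usr/bin/mutter" means mutter no longer needs execmem, a short note to that effect in the changelog line would save the next reader a search; if it is meant to get another label, that fc entry is missing from the patch.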
@@ -6860,8 +6903,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-08-04 15:18:13.603335743 +0200
-@@ -0,0 +1,391 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-08-17 15:43:17.915085143 +0200
+@@ -0,0 +1,393 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -7042,6 +7085,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +fs_getattr_xattr_fs(sandbox_x_domain)
 +fs_list_inotifyfs(sandbox_x_domain)
 +
++storage_dontaudit_rw_fuse(sandbox_x_domain)
++
 +auth_dontaudit_read_login_records(sandbox_x_domain)
 +auth_dontaudit_write_login_records(sandbox_x_domain)
 +auth_use_nsswitch(sandbox_x_domain)
@@ -8113,6 +8158,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 +optional_policy(`
 +	xserver_stream_connect(consolehelper_domain)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.7.19/policy/modules/apps/vmware.fc
+--- nsaserefpolicy/policy/modules/apps/vmware.fc	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/vmware.fc	2010-08-18 13:26:32.541085116 +0200
+@@ -66,5 +66,6 @@
+ /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
+ /var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
+ 
++/var/run/vmnet.*   			gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmnat.* 		-s	gen_context(system_u:object_r:vmware_var_run_t,s0)
+ /var/run/vmware.* 			gen_context(system_u:object_r:vmware_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.19/policy/modules/apps/vmware.if
 --- nsaserefpolicy/policy/modules/apps/vmware.if	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/apps/vmware.if	2010-05-28 09:42:00.013611081 +0200
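Review bot: The new `/var/run/vmnet.*` entry has no object-class qualifier, so it labels directories, sockets, pipes and regular files alike, while the neighbouring `/var/run/vmnat.* -s` entry is restricted to sockets. If the vmnet objects are sockets too, `/var/run/vmnet.*	-s	gen_context(system_u:object_r:vmware_var_run_t,s0)` keeps the match as narrow as the existing rule; the unqualified `/var/run/vmware.*` line below suggests this may be deliberate, so treat this as a question rather than a defect.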
@@ -17196,7 +17251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te	2010-08-13 08:13:25.074085043 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te	2010-08-18 14:20:22.831085034 +0200
 @@ -1,6 +1,13 @@
  
  policy_module(clamav, 1.7.1)
@@ -17273,7 +17328,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  ########################################
  #
  # clamscam local policy
-@@ -246,6 +270,14 @@
+@@ -231,6 +255,7 @@
+ corenet_tcp_connect_clamd_port(clamscan_t)
+ 
+ kernel_read_kernel_sysctls(clamscan_t)
++kernel_read_system_state(clamscan_t)
+ 
+ files_read_etc_files(clamscan_t)
+ files_read_etc_runtime_files(clamscan_t)
+@@ -246,6 +271,14 @@
  
  mta_send_mail(clamscan_t)
  
@@ -20170,7 +20233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te	2010-08-13 08:23:49.401085115 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te	2010-08-17 15:14:20.563085303 +0200
 @@ -9,6 +9,9 @@
  type dovecot_exec_t;
  init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -20299,13 +20362,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -234,18 +254,27 @@
+@@ -234,18 +254,28 @@
  #
  allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
 +allow dovecot_deliver_t dovecot_t:process signull;  
 +
  allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
++allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
 +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
@@ -20327,7 +20391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -263,15 +292,24 @@
+@@ -263,15 +293,24 @@
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
  tunable_policy(`use_nfs_home_dirs',`
@@ -22742,8 +22806,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.19/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.fc	2010-05-28 09:42:00.125610532 +0200
-@@ -13,6 +13,8 @@
++++ serefpolicy-3.7.19/policy/modules/services/mta.fc	2010-08-17 15:06:26.581085303 +0200
+@@ -1,4 +1,5 @@
+-HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
++HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/dead.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
+ 
+ /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+@@ -13,6 +14,8 @@
  
  /usr/bin/esmtp			-- gen_context(system_u:object_r:sendmail_exec_t,s0)
  
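Review bot: `HOME_DIR/dead.letter` leaves the dot unescaped, so the pattern also matches names such as `deadXletter`, whereas the `\.forward` entry right above it escapes the dot. Use `HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)` to match the file's own convention; practically harmless, but file-context regexes are easier to audit when they are consistent.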
@@ -22754,7 +22825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.19/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.if	2010-08-02 09:11:21.173641481 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mta.if	2010-08-17 15:07:58.255085184 +0200
 @@ -144,6 +144,30 @@
  	')
  ')
@@ -22786,7 +22857,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ########################################
  ## <summary>
  ##	Role access for mta
-@@ -220,6 +244,25 @@
+@@ -176,6 +200,26 @@
+ 	allow mta_user_agent $2:fifo_file { read write };
+ ')
+ 
++######################################
++## <summary>
++##  ALlow domain to read mail content in the homedir 
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`mta_read_home',`
++    gen_require(`
++        type mail_home_t;
++    ')
++
++    userdom_search_user_home_dirs($1)
++    userdom_search_admin_dir($1)
++    read_files_pattern($1, mail_home_t, mail_home_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Make the specified domain usable for a mail server.
+@@ -220,6 +264,25 @@
  	application_executable_file($1)
  ')
  
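Review bot: The summary of the new `mta_read_home` interface has a typo and trailing whitespace (`##  ALlow domain to read mail content in the homedir `); `##	Allow the specified domain to read mail content (mail_home_t) in user home directories.` is what the rest of the file would say. The body indents with four spaces where mta.if uses tabs (compare the context line `	allow mta_user_agent $2:fifo_file { read write };` just above). A one-line comment on why `userdom_search_admin_dir($1)` is included (presumably root's mail under the admin home directory — confirm) would explain the reach beyond ordinary user homes.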
@@ -22812,7 +22910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ########################################
  ## <summary>
  ##	Make the specified type by a system MTA.
-@@ -335,6 +378,7 @@
+@@ -335,6 +398,7 @@
  		# apache should set close-on-exec
  		apache_dontaudit_rw_stream_sockets($1)
  		apache_dontaudit_rw_sys_script_stream_sockets($1)
@@ -22820,7 +22918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	')
  ')
  
-@@ -356,11 +400,35 @@
+@@ -356,11 +420,35 @@
  	')
  
  	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
@@ -22856,7 +22954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  ########################################
-@@ -390,12 +458,15 @@
+@@ -390,12 +478,15 @@
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -22876,7 +22974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  ########################################
-@@ -454,7 +525,8 @@
+@@ -454,7 +545,8 @@
  		type etc_mail_t;
  	')
  
@@ -22886,7 +22984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  ########################################
-@@ -678,7 +750,7 @@
+@@ -678,7 +770,7 @@
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
  	allow $1 mail_spool_t:file setattr;
@@ -22895,7 +22993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -765,6 +837,25 @@
+@@ -765,6 +857,25 @@
  
  #######################################
  ## <summary>
@@ -22923,16 +23021,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.19/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mta.te	2010-08-02 10:29:35.492641359 +0200
-@@ -23,6 +23,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/mta.te	2010-08-17 15:09:15.400085159 +0200
+@@ -21,8 +21,8 @@
+ type etc_mail_t;
+ files_config_file(etc_mail_t)
  
- type mail_forward_t;
- files_type(mail_forward_t)
-+userdom_user_home_content(mail_forward_t)
+-type mail_forward_t;
+-files_type(mail_forward_t)
++type mail_home_t alias mail_forward_t;
++userdom_user_home_content(mail_home_t)
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
-@@ -63,9 +64,12 @@
+@@ -57,15 +57,18 @@
+ 
+ read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+ 
+-allow system_mail_t mail_forward_t:file read_file_perms;
++allow system_mail_t mail_home_t:file read_file_perms;
+ 
+ allow system_mail_t mta_exec_type:file entrypoint;
  
  can_exec(system_mail_t, mta_exec_type)
  
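Review bot: `type mail_home_t alias mail_forward_t;` drops the former `files_type(mail_forward_t)` and relies on `userdom_user_home_content(mail_home_t)` alone; that interface presumably assigns the file_type attribute as well, but it is not visible here, so confirm that rules written against file_type still cover the renamed type. The alias keeps modules that still `gen_require` mail_forward_t building, which is good; a comment such as `# mail_forward_t kept as an alias for modules not yet moved to mail_home_t` next to the declaration would record that it is transitional rather than a second type.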
@@ -22948,7 +23056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
-@@ -75,10 +79,15 @@
+@@ -75,10 +78,15 @@
  
  selinux_getattr_fs(system_mail_t)
  
@@ -22964,7 +23072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -89,6 +98,7 @@
+@@ -89,6 +97,7 @@
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -22972,7 +23080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -100,6 +110,11 @@
+@@ -100,6 +109,11 @@
  ')
  
  optional_policy(`
@@ -22984,7 +23092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	clamav_stream_connect(system_mail_t)
  	clamav_append_log(system_mail_t)
  ')
-@@ -107,6 +122,9 @@
+@@ -107,6 +121,9 @@
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
@@ -22994,7 +23102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -120,12 +138,13 @@
+@@ -120,12 +137,13 @@
  ')
  
  optional_policy(`
@@ -23010,7 +23118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -142,6 +161,10 @@
+@@ -142,6 +160,10 @@
  ')
  
  optional_policy(`
@@ -23021,7 +23129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -156,15 +179,15 @@
+@@ -156,15 +178,15 @@
  	domain_use_interactive_fds(system_mail_t)
  
  	# postfix needs this for newaliases
@@ -23042,7 +23150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	')
  ')
  
-@@ -185,6 +208,10 @@
+@@ -185,6 +207,10 @@
  ')
  
  optional_policy(`
@@ -23053,14 +23161,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -216,6 +243,7 @@
+@@ -216,7 +242,8 @@
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
+-read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
 +userdom_search_admin_dir(mailserver_delivery)
- read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
++read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+ 
+@@ -245,6 +272,10 @@
+ 	mailman_read_data_symlinks(mailserver_delivery)
+ ')
+ 
++optional_policy(`
++	uucp_domtrans_uux(mailserver_delivery)
++')
++
+ ########################################
+ #
+ # User send mail local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.19/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/munin.fc	2010-05-28 09:42:00.127610888 +0200
@@ -25587,6 +25708,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  
  tunable_policy(`openvpn_enable_homedirs',`
  	userdom_read_user_home_content_files(openvpn_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.7.19/policy/modules/services/pcscd.te
+--- nsaserefpolicy/policy/modules/services/pcscd.te	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/pcscd.te	2010-08-17 15:11:28.402085340 +0200
+@@ -42,6 +42,7 @@
+ corenet_tcp_sendrecv_all_ports(pcscd_t)
+ corenet_tcp_connect_http_port(pcscd_t)
+ 
++dev_read_sysfs(pcscd_t)
+ dev_rw_generic_usb_dev(pcscd_t)
+ dev_rw_smartcard(pcscd_t)
+ dev_rw_usbfs(pcscd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.19/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/pegasus.te	2010-05-28 09:42:00.147610884 +0200
@@ -32509,16 +32641,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	# Relabel and access ptys created by sshd
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/sssd.te	2010-07-19 17:18:16.871150898 +0200
-@@ -32,6 +32,7 @@
- allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
++++ serefpolicy-3.7.19/policy/modules/services/sssd.te	2010-08-18 13:10:17.920085544 +0200
+@@ -29,9 +29,12 @@
+ #
+ # sssd local policy
+ #
+-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
++
++allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
++
  allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
  allow sssd_t self:fifo_file rw_file_perms;
 +allow sssd_t self:key manage_key_perms;
  allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
  manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -50,6 +51,7 @@
+@@ -50,6 +53,7 @@
  files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
  kernel_read_system_state(sssd_t)
@@ -32526,7 +32664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
  
  corecmd_exec_bin(sssd_t)
  
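Review bot: The `chown` capability added to sssd_t comes with no comment on which files sssd changes ownership of; the capability only permits chown in general, and the actual targets are governed by setattr on their types, so a comment tying the two together (e.g. `# sssd chowns <PATH/TYPE — fill in from the audit denial>`) makes it possible to check that the setattr side is as narrow as intended. The hunk also adds blank lines above and below the rewritten `allow sssd_t self:capability ...` line, separating it from the other `self:` rules it used to sit with; the `allow sssd_t self:key manage_key_perms;` line is pre-existing context.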
-@@ -81,6 +83,8 @@
+@@ -81,6 +85,8 @@
  
  miscfiles_read_localization(sssd_t)
  
@@ -32612,7 +32750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
 +iscsi_manage_semaphores(tgtd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.19/policy/modules/services/tor.te
 --- nsaserefpolicy/policy/modules/services/tor.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/tor.te	2010-05-28 09:42:00.196611254 +0200
++++ serefpolicy-3.7.19/policy/modules/services/tor.te	2010-08-18 13:49:47.647335258 +0200
 @@ -45,6 +45,7 @@
  allow tor_t self:capability { setgid setuid sys_tty_config };
  allow tor_t self:fifo_file rw_fifo_file_perms;
@@ -32621,7 +32759,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
  allow tor_t self:tcp_socket create_stream_socket_perms;
  
-@@ -101,6 +102,8 @@
+@@ -82,6 +83,7 @@
+ corenet_tcp_sendrecv_all_ports(tor_t)
+ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
+ corenet_tcp_bind_generic_node(tor_t)
++corenet_udp_bind_dns_port(tor_t)
+ corenet_tcp_bind_tor_port(tor_t)
+ corenet_sendrecv_tor_server_packets(tor_t)
+ # TOR will need to connect to various ports
+@@ -101,6 +103,8 @@
  
  auth_use_nsswitch(tor_t)
  
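Review bot: `corenet_udp_bind_dns_port(tor_t)` lets tor bind udp/53, which neither the hunk nor the changelog explains; presumably it is for Tor's DNSPort resolver option — confirm, and add `# DNSPort: tor can answer DNS queries on udp/53` beside the line. Because this is a reserved port unrelated to the tor ports the module otherwise binds, consider putting it behind a boolean so hosts that do not use DNSPort do not carry the grant.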
@@ -32684,6 +32830,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
 +    daemontools_sigchld_run(ucspitcp_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.7.19/policy/modules/services/ulogd.te
+--- nsaserefpolicy/policy/modules/services/ulogd.te	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ulogd.te	2010-08-18 13:20:36.768085114 +0200
+@@ -32,6 +32,7 @@
+ 
+ allow ulogd_t self:capability net_admin;
+ allow ulogd_t self:netlink_nflog_socket create_socket_perms;
++allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ # config files
+ read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+@@ -44,6 +45,16 @@
+ manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+ 
++files_read_etc_files(ulogd_t)
++files_read_usr_files(ulogd_t)
+ files_search_etc(ulogd_t)
+ 
+ miscfiles_read_localization(ulogd_t)
++
++optional_policy(`
++        mysql_stream_connect(ulogd_t)
++')
++
++optional_policy(`
++        postgresql_stream_connect(ulogd_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc
 --- nsaserefpolicy/policy/modules/services/usbmuxd.fc	2010-04-13 20:44:36.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc	2010-05-28 09:42:00.198610771 +0200
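Review bot: The two new optional_policy blocks indent their bodies with eight spaces, while every other optional_policy body in this patch uses a tab; `	mysql_stream_connect(ulogd_t)` and `	postgresql_stream_connect(ulogd_t)`. A one-line comment naming the feature each grant serves (presumably ulogd's MySQL and PostgreSQL output plugins, and the netlink route socket for interface lookups — confirm) would let a later reviewer tell the grants apart from stray denial fixes.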
@@ -32800,9 +32974,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.fc	2010-05-28 09:42:00.200610708 +0200
-@@ -14,16 +14,16 @@
++++ serefpolicy-3.7.19/policy/modules/services/virt.fc	2010-08-18 14:33:42.065085583 +0200
+@@ -12,18 +12,19 @@
+ /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
+ /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
++/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
  
 -/var/cache/libvirt(/.*)?	gen_context(system_u:object_r:svirt_cache_t,s0)
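Review bot: Labelling `/usr/sbin/condor_vm-gahp` as virtd_exec_t runs Condor's VM helper in virtd_t, the same domain as libvirtd, so it inherits every privilege of the libvirt daemon instead of getting a domain scoped to what it does; this is not in the changelog, so confirm it is intended and add a comment (`# condor_vm-gahp drives libvirt and shares virtd_t for now`) or give it its own domain. The entry also aligns with spaces where the neighbouring lines use tabs.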
@@ -35723,7 +35900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.te	2010-08-10 16:39:52.087085427 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.te	2010-08-17 10:58:03.628085191 +0200
 @@ -1,5 +1,5 @@
  
 -policy_module(init, 1.14.2)
@@ -36119,7 +36296,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -774,10 +904,12 @@
+@@ -770,14 +900,21 @@
+ ')
+ 
+ optional_policy(`
++	# shorewall-init script run /var/lib/shorewall/firewall
++	shorewall_domtrans_lib(initrc_t)
++')
++
++optional_policy(`
+ 	squid_read_config(initrc_t)
  	squid_manage_logs(initrc_t)
  ')
  
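Review bot: The comment above the new call, `# shorewall-init script run /var/lib/shorewall/firewall`, has a grammar slip and does not say what the transition achieves; `# the shorewall-init script runs /var/lib/shorewall/firewall, which must execute in shorewall_t` reads better. A comment is the only documentation an optional_policy grant carries, so it is worth making it precise.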
@@ -36132,7 +36318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +922,7 @@
+@@ -790,6 +927,7 @@
  
  optional_policy(`
  	udev_rw_db(initrc_t)
@@ -36140,7 +36326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	udev_manage_pid_files(initrc_t)
  ')
  
-@@ -798,11 +931,19 @@
+@@ -798,11 +936,19 @@
  ')
  
  optional_policy(`
@@ -36161,7 +36347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +953,25 @@
+@@ -812,6 +958,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -36187,7 +36373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -837,3 +997,35 @@
+@@ -837,3 +1002,35 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -36695,7 +36881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
  dev_read_sysfs(kdump_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc	2010-08-13 08:03:21.834085291 +0200
++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc	2010-08-17 11:05:48.905085267 +0200
 @@ -127,17 +127,16 @@
  /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -36896,7 +37082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/opt/real/RealPlayer/codecs(/.*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.*  --	gen_context(system_u:object_r:textrel_shlib_t,s0)	
-+
++/usr/lib(64)?/sane/libsane-smfp\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/local/lexmark/lxk08/lib(/.*)? --   gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -37199,7 +37385,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  	domain_system_change_exemption($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/logging.te	2010-06-15 17:07:51.140615800 +0200
++++ serefpolicy-3.7.19/policy/modules/system/logging.te	2010-08-18 13:16:17.741085184 +0200
 @@ -61,6 +61,7 @@
  type syslogd_t;
  type syslogd_exec_t;
@@ -37217,19 +37403,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  miscfiles_read_localization(auditd_t)
  
  mls_file_read_all_levels(auditd_t)
-@@ -235,7 +238,11 @@
+@@ -235,7 +238,12 @@
  files_read_etc_files(audisp_t)
  files_read_etc_runtime_files(audisp_t)
  
 +mls_file_read_all_levels(audisp_t)
  mls_file_write_all_levels(audisp_t)
++mls_socket_write_all_levels(audisp_t)
 +mls_dbus_send_all_levels(audisp_t)
 +
 +auth_use_nsswitch(audisp_t)
  
  logging_send_syslog_msg(audisp_t)
  
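Review bot: `mls_socket_write_all_levels(audisp_t)` is an MLS override (it lets audisp write to sockets at any sensitivity level) that appears in neither the changelog nor a comment, unlike the other added lines in this hunk, which are pre-existing context. Record what needs it — presumably delivering events to a plugin whose socket sits at a different level; confirm against the denial — with a line such as `# audisp dispatches to plugin sockets labelled at other MLS levels`.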
-@@ -245,6 +252,10 @@
+@@ -245,6 +253,10 @@
  
  optional_policy(`
  	dbus_system_bus_client(audisp_t)
@@ -37240,7 +37427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ')
  
  ########################################
-@@ -252,6 +263,9 @@
+@@ -252,6 +264,9 @@
  # Audit remote logger local policy
  #
  
@@ -37250,7 +37437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  allow audisp_remote_t self:tcp_socket create_socket_perms;
  
  corenet_all_recvfrom_unlabeled(audisp_remote_t)
-@@ -266,6 +280,15 @@
+@@ -266,6 +281,15 @@
  
  files_read_etc_files(audisp_remote_t)
  
@@ -37266,7 +37453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  logging_send_syslog_msg(audisp_remote_t)
  
  miscfiles_read_localization(audisp_remote_t)
-@@ -372,8 +395,10 @@
+@@ -372,8 +396,10 @@
  manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
  files_search_var_lib(syslogd_t)
  
@@ -37279,7 +37466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-@@ -491,6 +516,10 @@
+@@ -491,6 +517,10 @@
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f9a9a40..80aab73 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 47%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,14 @@ exit 0
 %endif
 
 %changelog
+* Wed Aug 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-48
+- Fixes for shorewall policy
+- Allow sssd chown capability
+- Fix label for /usr/bin/mutter
+- Label dead.letter as mail_home_t
+- Allow pcscd to read  hardware state information 
+- Fixes for ulogd policy
+
 * Fri Aug 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-47
 - Fixes for boinc-project policy
 - Allow swat to read nmbd pid file

