[selinux-policy] - Merge with upstream
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Aug 27 14:02:06 UTC 2010
commit 59475c25246ce6072caf0f375f94a7bdbefa1ba4
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Aug 27 08:58:04 2010 -0400
- Merge with upstream
policy-F14.patch | 124 ++++++++++++++++++++++++++++++------------------------
1 files changed, 69 insertions(+), 55 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 437c188..5df9114 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7091,7 +7091,7 @@ index 3b2da10..7eed11d 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index cac0c64..9223f7d 100644
+index cac0c64..d0aaa1c 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -461,6 +461,24 @@ interface(`dev_getattr_generic_chr_files',`
@@ -7287,7 +7287,32 @@ index cac0c64..9223f7d 100644
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3851,6 +3995,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3682,6 +3826,24 @@ interface(`dev_rw_sysfs',`
+
+ ########################################
+ ## <summary>
++## Allow caller to modify hardware state information.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_manage_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ manage_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
+ ## Read from pseudo random number generator devices (e.g., /dev/urandom).
+ ## </summary>
+ ## <desc>
+@@ -3851,6 +4013,24 @@ interface(`dev_read_usbmon_dev',`
########################################
## <summary>
@@ -7312,7 +7337,7 @@ index cac0c64..9223f7d 100644
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -4161,11 +4323,10 @@ interface(`dev_write_video_dev',`
+@@ -4161,11 +4341,10 @@ interface(`dev_write_video_dev',`
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -14184,7 +14209,7 @@ index 1cf6c4e..90c60df 100644
-/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
-/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 293e08d..a57fe37 100644
+index 293e08d..1bdfe84 100644
--- a/policy/modules/services/cobbler.if
+++ b/policy/modules/services/cobbler.if
@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
@@ -14260,7 +14285,7 @@ index 293e08d..a57fe37 100644
files_search_var_lib($1)
')
-@@ -137,12 +140,51 @@ interface(`cobbler_manage_lib_files',`
+@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
type cobbler_var_lib_t;
')
@@ -14272,24 +14297,6 @@ index 293e08d..a57fe37 100644
########################################
## <summary>
-+## dontaudit read and write Cobbler log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`cobbler_dontaudit_rw_log',`
-+ gen_require(`
-+ type cobbler_var_log_t;
-+ ')
-+
-+ dontaudit $1 cobbler_var_log_t:file rw_inherited_files_perms;
-+')
-+
-+########################################
-+## <summary>
+## Do not audit attempts to read and write
+## Cobbler log files (leaked fd).
+## </summary>
@@ -14312,7 +14319,7 @@ index 293e08d..a57fe37 100644
## All of the rules required to administrate
## an cobblerd environment
## </summary>
-@@ -162,6 +204,9 @@ interface(`cobblerd_admin',`
+@@ -162,6 +186,9 @@ interface(`cobblerd_admin',`
gen_require(`
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
type cobbler_etc_t, cobblerd_initrc_exec_t;
@@ -14322,7 +14329,7 @@ index 293e08d..a57fe37 100644
')
allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-@@ -176,10 +221,18 @@ interface(`cobblerd_admin',`
+@@ -176,10 +203,18 @@ interface(`cobblerd_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
@@ -28994,7 +29001,7 @@ index f6aafe7..7da8294 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index bd45076..cd266c0 100644
+index bd45076..a1b6d56 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -29108,7 +29115,7 @@ index bd45076..cd266c0 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,73 @@ tunable_policy(`init_upstart',`
+@@ -185,15 +216,80 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -29116,7 +29123,7 @@ index bd45076..cd266c0 100644
+modutils_domtrans_insmod(init_t)
+
+tunable_policy(`init_systemd',`
-+ allow init_t self:unix_dgram_socket create_socket_perms;
++ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -29135,6 +29142,7 @@ index bd45076..cd266c0 100644
+ dev_read_generic_chr_files(init_t)
+ dev_relabelfrom_generic_chr_files(init_t)
+ dev_relabel_autofs_dev(init_t)
++ dev_manage_sysfs_dirs(init_t)
+
+ files_mounton_all_mountpoints(init_t)
+ files_manage_all_pids_dirs(init_t)
@@ -29145,16 +29153,22 @@ index bd45076..cd266c0 100644
+ fs_list_auto_mountpoints(init_t)
+ fs_read_cgroup_files(init_t)
+ fs_write_cgroup_files(init_t)
++ fs_search_cgroup_dirs(daemon)
+
+ selinux_compute_create_context(init_t)
+ selinux_validate_context(init_t)
+ selinux_unmount_fs(init_t)
+
++ storage_getattr_removable_dev(init_t)
++
+ init_read_script_state(init_t)
+
+ seutil_read_file_contexts(init_t)
+
-+ storage_getattr_removable_dev(init_t)
++ optional_policy(`
++ plymouthd_stream_connect(init_t)
++ plymouthd_exec_plymouth(init_t)
++ ')
+')
+
optional_policy(`
@@ -29182,7 +29196,7 @@ index bd45076..cd266c0 100644
nscd_socket_use(init_t)
')
-@@ -202,6 +291,10 @@ optional_policy(`
+@@ -202,6 +298,10 @@ optional_policy(`
')
optional_policy(`
@@ -29193,7 +29207,7 @@ index bd45076..cd266c0 100644
unconfined_domain(init_t)
')
-@@ -211,7 +304,7 @@ optional_policy(`
+@@ -211,7 +311,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29202,7 +29216,7 @@ index bd45076..cd266c0 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -240,6 +333,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -240,6 +340,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29210,7 +29224,7 @@ index bd45076..cd266c0 100644
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +351,22 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -257,11 +358,22 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29233,7 +29247,7 @@ index bd45076..cd266c0 100644
corecmd_exec_all_executables(initrc_t)
-@@ -297,11 +402,13 @@ dev_manage_generic_files(initrc_t)
+@@ -297,11 +409,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29247,7 +29261,7 @@ index bd45076..cd266c0 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -320,8 +427,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -320,8 +434,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29259,7 +29273,7 @@ index bd45076..cd266c0 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -337,8 +446,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -337,8 +453,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29273,7 +29287,7 @@ index bd45076..cd266c0 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -348,6 +461,8 @@ fs_mount_all_fs(initrc_t)
+@@ -348,6 +468,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29282,7 +29296,7 @@ index bd45076..cd266c0 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -360,6 +475,7 @@ mls_process_read_up(initrc_t)
+@@ -360,6 +482,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29290,7 +29304,7 @@ index bd45076..cd266c0 100644
selinux_get_enforce_mode(initrc_t)
-@@ -391,13 +507,14 @@ logging_read_audit_config(initrc_t)
+@@ -391,13 +514,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29306,7 +29320,7 @@ index bd45076..cd266c0 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -470,7 +587,7 @@ ifdef(`distro_redhat',`
+@@ -470,7 +594,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29315,7 +29329,7 @@ index bd45076..cd266c0 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -516,6 +633,19 @@ ifdef(`distro_redhat',`
+@@ -516,6 +640,19 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -29335,7 +29349,7 @@ index bd45076..cd266c0 100644
')
optional_policy(`
-@@ -523,10 +653,17 @@ ifdef(`distro_redhat',`
+@@ -523,10 +660,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29353,7 +29367,7 @@ index bd45076..cd266c0 100644
')
optional_policy(`
-@@ -541,6 +678,35 @@ ifdef(`distro_suse',`
+@@ -541,6 +685,35 @@ ifdef(`distro_suse',`
')
')
@@ -29389,7 +29403,7 @@ index bd45076..cd266c0 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -553,6 +719,8 @@ optional_policy(`
+@@ -553,6 +726,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29398,7 +29412,7 @@ index bd45076..cd266c0 100644
')
optional_policy(`
-@@ -569,6 +737,7 @@ optional_policy(`
+@@ -569,6 +744,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -29406,7 +29420,7 @@ index bd45076..cd266c0 100644
')
optional_policy(`
-@@ -581,6 +750,11 @@ optional_policy(`
+@@ -581,6 +757,11 @@ optional_policy(`
')
optional_policy(`
@@ -29418,7 +29432,7 @@ index bd45076..cd266c0 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -597,6 +771,7 @@ optional_policy(`
+@@ -597,6 +778,7 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29426,7 +29440,7 @@ index bd45076..cd266c0 100644
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -698,7 +873,12 @@ optional_policy(`
+@@ -698,7 +880,12 @@ optional_policy(`
')
optional_policy(`
@@ -29439,7 +29453,7 @@ index bd45076..cd266c0 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -721,6 +901,10 @@ optional_policy(`
+@@ -721,6 +908,10 @@ optional_policy(`
')
optional_policy(`
@@ -29450,7 +29464,7 @@ index bd45076..cd266c0 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -742,6 +926,10 @@ optional_policy(`
+@@ -742,6 +933,10 @@ optional_policy(`
')
optional_policy(`
@@ -29461,7 +29475,7 @@ index bd45076..cd266c0 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -763,8 +951,6 @@ optional_policy(`
+@@ -763,8 +958,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29470,7 +29484,7 @@ index bd45076..cd266c0 100644
')
optional_policy(`
-@@ -773,14 +959,21 @@ optional_policy(`
+@@ -773,14 +966,21 @@ optional_policy(`
')
optional_policy(`
@@ -29492,7 +29506,7 @@ index bd45076..cd266c0 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -802,11 +995,19 @@ optional_policy(`
+@@ -802,11 +1002,19 @@ optional_policy(`
')
optional_policy(`
@@ -29513,7 +29527,7 @@ index bd45076..cd266c0 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -816,6 +1017,25 @@ optional_policy(`
+@@ -816,6 +1024,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29539,7 +29553,7 @@ index bd45076..cd266c0 100644
')
optional_policy(`
-@@ -841,3 +1061,55 @@ optional_policy(`
+@@ -841,3 +1068,55 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
More information about the scm-commits
mailing list