[selinux-policy/f13/master] - Fixes for clamscan

Miroslav Grepl mgrepl at fedoraproject.org
Thu Dec 9 12:29:34 UTC 2010


commit 672846c5d97de2f5392869a0603ce192c2745ac9
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Dec 9 13:29:04 2010 +0000

    - Fixes for clamscan

 policy-F13.patch    |   67 +++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |    5 +++-
 2 files changed, 51 insertions(+), 21 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 646da3f..26760ce 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -8897,7 +8897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc	2010-10-08 10:50:45.012651252 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc	2010-12-09 13:03:34.785041435 +0100
 @@ -9,8 +9,11 @@
  /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/fish			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -9019,7 +9019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
  
  ifdef(`distro_suse', `
-@@ -331,3 +360,21 @@
+@@ -331,3 +360,24 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -9041,6 +9041,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
++
++/usr/local/Brother/(.*/)?inf/brprintconf.*  --  gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/(.*/)?inf/setup.*        --  gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.19/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if	2010-10-08 11:10:25.398900803 +0200
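Review bot: The two new Brother entries label as bin_t every regular file whose name begins with `brprintconf` or `setup` under any `inf` directory, not only the executables: in file-contexts regexps the trailing `.*` is unanchored and matches `/` as well, and `(.*/)?` accepts any depth, so a `setup.conf` or a file under `inf/setup-data/` would also be marked executable-type. I cannot tell from the hunk what the vendor package actually installs, so tightening the names needs the real file list; at minimum a why-comment above the pair, `# Brother printer driver (third-party package installed under /usr/local)`, records that these are vendor paths outside the distribution's file layout.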
@@ -17171,8 +17174,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te	2010-10-01 15:32:59.836599814 +0200
-@@ -0,0 +1,178 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te	2010-12-09 12:27:20.801041392 +0100
+@@ -0,0 +1,179 @@
 +
 +policy_module(boinc,1.0.0)
 +
@@ -17298,7 +17301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 +allow boinc_t boinc_project_t:process sigkill;
 +
-+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
 +allow boinc_project_t self:process { execmem execstack };
 +
 +allow boinc_project_t self:fifo_file rw_fifo_file_perms;
@@ -17341,6 +17344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +dev_rw_xserver_misc(boinc_project_t)
 +
 +files_read_etc_files(boinc_project_t)
++files_read_etc_runtime_files(boinc_project_t)
 +files_read_usr_files(boinc_project_t)
 +
 +auth_use_nsswitch(boinc_project_t)
@@ -18494,7 +18498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te	2010-10-01 15:28:43.904599247 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te	2010-12-09 12:46:16.374042098 +0100
 @@ -1,6 +1,13 @@
  
  policy_module(clamav, 1.7.1)
@@ -18581,7 +18585,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  ########################################
  #
  # clamscam local policy
-@@ -231,6 +261,7 @@
+@@ -228,9 +258,11 @@
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+ corenet_tcp_sendrecv_all_ports(clamscan_t)
+ corenet_tcp_sendrecv_clamd_port(clamscan_t)
++corenet_tcp_bind_generic_node(clamscan_t)
  corenet_tcp_connect_clamd_port(clamscan_t)
  
  kernel_read_kernel_sysctls(clamscan_t)
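Review bot: `corenet_tcp_bind_generic_node(clamscan_t)` grants node_bind without any port bind rule, and neither the hunk nor the commit message says which clamscan code path binds a TCP socket; please add a why-comment, e.g. `# clamscan binds a local TCP socket; node_bind only, port assigned by the kernel -- TODO confirm against the originating AVC`. If the bind is to a fixed named port, name_bind will still be denied and a specific `corenet_tcp_bind_<service>_port` call is the right fix, not a bind_all variant: the `corenet_tcp_sendrecv_all_ports(clamscan_t)` line two above is already broad for a scanner. The clamscan policy section continues outside this hunk.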
@@ -18589,10 +18597,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -246,6 +277,14 @@
+@@ -245,6 +277,17 @@
+ clamav_stream_connect(clamscan_t)
  
  mta_send_mail(clamscan_t)
- 
++mta_read_queue(clamscan_t)
++
++sysnet_read_config(clamscan_t)
++
 +tunable_policy(`clamd_use_jit',`
 +	allow clamd_t self:process execmem;
 +	allow clamscan_t self:process execmem;
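Review bot: `mta_read_queue(clamscan_t)` gives the scanner read access to the MTA spool, i.e. to queued message bodies, and nothing in the hunk records which integration needs it; a comment above the call would keep that grant from being taken as a general entitlement, e.g. `# read-only access to queued mail handed to clamscan by MTA-side scanning -- TODO confirm which caller (amavis/milter) triggered this`. `sysnet_read_config(clamscan_t)` is likewise undocumented; `# resolver/network config, presumably for looking up the clamd host -- confirm` would do. Both are reasonable for a scanner but are the kind of read access that should carry its justification in the policy source.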
@@ -18600,10 +18612,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 +	dontaudit clamd_t self:process execmem;
 +	dontaudit clamscan_t self:process execmem;
 +') 
-+
+ 
  optional_policy(`
  	amavis_read_spool_files(clamscan_t)
- ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.19/policy/modules/services/clogd.fc
 --- nsaserefpolicy/policy/modules/services/clogd.fc	1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.7.19/policy/modules/services/clogd.fc	2010-05-28 09:42:00.079610731 +0200
@@ -41960,7 +41971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.19/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.fc	2010-05-28 09:42:00.504610725 +0200
++++ serefpolicy-3.7.19/policy/modules/system/lvm.fc	2010-12-07 14:22:23.642042343 +0100
 @@ -28,10 +28,12 @@
  #
  /lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -41974,6 +41985,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
  /sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -98,4 +100,6 @@
+ /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
+ /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
+ /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
+ /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if
 --- nsaserefpolicy/policy/modules/system/lvm.if	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/system/lvm.if	2010-09-02 13:55:45.873084762 +0200
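Review bot: The new `/var/run/clvmd\.pid` entry references `clvmd_var_run_t`, whose declaration (and its `files_pid_file` attribute) is not visible in this hunk; if it is not declared in the lvm module the file-contexts compile will fail, so please confirm. The trailing empty line appended at the end of lvm.fc (the `++` after the dmevent entry) is noise and should be dropped. Style: neighbouring entries align the context with tabs, the new one uses two spaces; `/var/run/clvmd\.pid		--	gen_context(system_u:object_r:clvmd_var_run_t,s0)` matches the surrounding lines.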
@@ -42268,7 +42286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  ##	Read the configuration options used when
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/modutils.te	2010-11-11 16:53:00.882398885 +0100
++++ serefpolicy-3.7.19/policy/modules/system/modutils.te	2010-12-07 10:05:17.730292521 +0100
 @@ -19,8 +19,12 @@
  type insmod_exec_t;
  application_domain(insmod_t, insmod_exec_t)
@@ -42324,7 +42342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  can_exec(insmod_t, insmod_exec_t)
  
  kernel_load_module(insmod_t)
-@@ -126,6 +136,7 @@
+@@ -126,12 +136,15 @@
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
@@ -42332,7 +42350,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +154,7 @@
+ kernel_read_hotplug_sysctls(insmod_t)
+ kernel_setsched(insmod_t)
+ 
++domain_signull_all_domains(insmod_t)
++
+ corecmd_exec_bin(insmod_t)
+ corecmd_exec_shell(insmod_t)
+ 
+@@ -143,6 +156,7 @@
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
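Review bot: `domain_signull_all_domains(insmod_t)` is placed in the kernel_* block between the sysctl rules and `corecmd_exec_bin`, while insmod_t's other cross-domain grants (`domain_signal_all_domains`, `domain_use_interactive_fds`) sit in the domain section a few lines further down, outside this hunk; move it next to them so the all-domains permissions are reviewable together. It also deserves a why-comment, since signull against every domain is a liveness probe (kill(pid, 0)) that reveals which PIDs exist: `# signull: process-existence probe (kill -0) by module-loading helpers; no signal is delivered -- TODO confirm against the originating AVC`. Note this is not implied by the existing signal grant; `signal` and `signull` are separate permissions.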
@@ -42340,7 +42366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -159,13 +171,17 @@
+@@ -159,13 +173,17 @@
  # for locking: (cjp: ????)
  files_write_kernel_modules(insmod_t)
  
@@ -42358,7 +42384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -174,8 +190,7 @@
+@@ -174,8 +192,7 @@
  
  seutil_read_file_contexts(insmod_t)
  
@@ -42368,7 +42394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  if( ! secure_mode_insmod ) {
-@@ -236,6 +251,10 @@
+@@ -236,6 +253,10 @@
  ')
  
  optional_policy(`
@@ -45323,7 +45349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if	2010-10-05 16:30:49.672651409 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if	2010-12-09 12:46:32.622291524 +0100
 @@ -30,8 +30,9 @@
  	')
  
@@ -46901,7 +46927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -3111,3 +3493,724 @@
+@@ -3111,3 +3493,725 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -47471,6 +47497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	')
 +
 +	userdom_search_user_home_dirs($1)
++	userdom_search_user_home_content($1)
 +	allow $1 home_cert_t:dir list_dir_perms;
 +	read_files_pattern($1, home_cert_t, home_cert_t)
 +	read_lnk_files_pattern($1, home_cert_t, home_cert_t)
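Review bot: The added `userdom_search_user_home_content($1)` widens traversal from the home directory itself to the directories under it labelled as user home content, which is more than the home_cert_t read rules immediately below need unless the certificate directories sit below other home-content directories; the interface header and the reason for the change are outside this hunk. A why-comment would pin the intent, e.g. `# home_cert_t dirs may live below other user home content; search is needed to reach them -- TODO confirm the actual path`, and the interface's `##` description above should mention that it now also grants search over user home content.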
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a3ec752..b5178dd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 75%{?dist}
+Release: 76%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Dec 9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-76
+- Fixes for clamscan
+
 * Wed Dec 6 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-75
 - nagios needs to to read the state information for software raid
 - Add addtional support for OpenCT from Dominic

