[selinux-policy/f13/master] - Fixes for clamscan
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Dec 9 12:29:34 UTC 2010
commit 672846c5d97de2f5392869a0603ce192c2745ac9
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Dec 9 13:29:04 2010 +0000
- Fixes for clamscan
policy-F13.patch | 67 +++++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 5 +++-
2 files changed, 51 insertions(+), 21 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 646da3f..26760ce 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -8897,7 +8897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-10-08 10:50:45.012651252 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-12-09 13:03:34.785041435 +0100
@@ -9,8 +9,11 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -9019,7 +9019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
ifdef(`distro_suse', `
-@@ -331,3 +360,21 @@
+@@ -331,3 +360,24 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -9041,6 +9041,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/usr/local/Brother/(.*/)?inf/brprintconf.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/(.*/)?inf/setup.* -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.19/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-10-08 11:10:25.398900803 +0200
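Review bot: The two new `/usr/local/Brother/(.*/)?inf/...` file-context entries are not reflected in the commit title or in the spec changelog entry, which both say only `Fixes for clamscan`; the same holds for the boinc, lvm, modutils and userdomain hunks later in this patch. One changelog line per unrelated change, e.g. `- Label Brother printer helpers under /usr/local/Brother as bin_t`, keeps the release history usable when tracing which build introduced a labeling change. The corecommands.fc hunk this patches is otherwise consistent with the neighbouring bin_t entries.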
@@ -17171,8 +17174,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-10-01 15:32:59.836599814 +0200
-@@ -0,0 +1,178 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-12-09 12:27:20.801041392 +0100
+@@ -0,0 +1,179 @@
+
+policy_module(boinc,1.0.0)
+
@@ -17298,7 +17301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+
-+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
@@ -17341,6 +17344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+dev_rw_xserver_misc(boinc_project_t)
+
+files_read_etc_files(boinc_project_t)
++files_read_etc_runtime_files(boinc_project_t)
+files_read_usr_files(boinc_project_t)
+
+auth_use_nsswitch(boinc_project_t)
@@ -18494,7 +18498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-10-01 15:28:43.904599247 +0200
++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-12-09 12:46:16.374042098 +0100
@@ -1,6 +1,13 @@
policy_module(clamav, 1.7.1)
@@ -18581,7 +18585,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
########################################
#
# clamscam local policy
-@@ -231,6 +261,7 @@
+@@ -228,9 +258,11 @@
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+ corenet_tcp_sendrecv_all_ports(clamscan_t)
+ corenet_tcp_sendrecv_clamd_port(clamscan_t)
++corenet_tcp_bind_generic_node(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
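Review bot: The new `corenet_tcp_bind_generic_node(clamscan_t)` lets clamscan_t bind TCP sockets, which the surrounding sendrecv/connect rules for the clamd port do not otherwise imply, and nothing records which clamscan operation needed it. A comment above the rule naming the operation behind the denial, e.g. `# bind needed for <OPERATION -- taken from the AVC denial that motivated this>`, would let a later reviewer judge whether the grant can be narrowed. If clamscan binds a fixed, labeled port rather than an ephemeral one, a matching name_bind rule for that port type may also be required, which this hunk does not add.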
@@ -18589,10 +18597,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -246,6 +277,14 @@
+@@ -245,6 +277,17 @@
+ clamav_stream_connect(clamscan_t)
mta_send_mail(clamscan_t)
-
++mta_read_queue(clamscan_t)
++
++sysnet_read_config(clamscan_t)
++
+tunable_policy(`clamd_use_jit',`
+ allow clamd_t self:process execmem;
+ allow clamscan_t self:process execmem;
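Review bot: `mta_read_queue(clamscan_t)` widens clamscan_t from sending mail to reading the MTA's queue spool, and the hunk carries no comment saying which integration needs that. Add a one-line comment above it naming the consumer, e.g. `# <CALLER -- the MTA-side scanner that hands queued messages to clamscan>`, or, if only one MTA integration needs it, place the call inside that integration's `optional_policy` block as is already done for `amavis_read_spool_files(clamscan_t)` below. `sysnet_read_config(clamscan_t)` is in line with the existing corenet rules and needs no change.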
@@ -18600,10 +18612,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
+ dontaudit clamd_t self:process execmem;
+ dontaudit clamscan_t self:process execmem;
+')
-+
+
optional_policy(`
amavis_read_spool_files(clamscan_t)
- ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.19/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.7.19/policy/modules/services/clogd.fc 2010-05-28 09:42:00.079610731 +0200
@@ -41960,7 +41971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.19/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-05-28 09:42:00.504610725 +0200
++++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-12-07 14:22:23.642042343 +0100
@@ -28,10 +28,12 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -41974,6 +41985,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -98,4 +100,6 @@
+ /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
+ /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+ /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
+ /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-09-02 13:55:45.873084762 +0200
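Review bot: The new `/var/run/clvmd\.pid` entry labels a file with `clvmd_var_run_t` from inside lvm.fc, but that type is owned by the clvmd module, not lvm; unless lvm.te declares or requires it, lvm's file contexts now depend on the clvmd module being loaded for the context to be valid. The entry is better placed in clvmd.fc, next to the module that declares the type. The `++` blank line appended at the end of the file is stray trailing whitespace and can be dropped.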
@@ -42268,7 +42286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
## Read the configuration options used when
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-11-11 16:53:00.882398885 +0100
++++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-12-07 10:05:17.730292521 +0100
@@ -19,8 +19,12 @@
type insmod_exec_t;
application_domain(insmod_t, insmod_exec_t)
@@ -42324,7 +42342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
can_exec(insmod_t, insmod_exec_t)
kernel_load_module(insmod_t)
-@@ -126,6 +136,7 @@
+@@ -126,12 +136,15 @@
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
@@ -42332,7 +42350,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +154,7 @@
+ kernel_read_hotplug_sysctls(insmod_t)
+ kernel_setsched(insmod_t)
+
++domain_signull_all_domains(insmod_t)
++
+ corecmd_exec_bin(insmod_t)
+ corecmd_exec_shell(insmod_t)
+
+@@ -143,6 +156,7 @@
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
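Review bot: `domain_signull_all_domains(insmod_t)` is inserted among the kernel_* rules, while the existing `domain_signal_all_domains(insmod_t)` (visible as context in the next hunk) sits in the domain_* group; keeping the two domain-wide process grants together makes the breadth of insmod_t's signalling permissions easier to audit. Either move the new call next to `domain_signal_all_domains(insmod_t)` or add a one-line comment above it, e.g. `# insmod probes other domains with signull for <REASON -- from the motivating denial>`, so the grant's purpose is recorded.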
@@ -42340,7 +42366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -159,13 +171,17 @@
+@@ -159,13 +173,17 @@
# for locking: (cjp: ????)
files_write_kernel_modules(insmod_t)
@@ -42358,7 +42384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -174,8 +190,7 @@
+@@ -174,8 +192,7 @@
seutil_read_file_contexts(insmod_t)
@@ -42368,7 +42394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -236,6 +251,10 @@
+@@ -236,6 +253,10 @@
')
optional_policy(`
@@ -45323,7 +45349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-10-05 16:30:49.672651409 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-12-09 12:46:32.622291524 +0100
@@ -30,8 +30,9 @@
')
@@ -46901,7 +46927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3493,724 @@
+@@ -3111,3 +3493,725 @@
allow $1 userdomain:dbus send_msg;
')
@@ -47471,6 +47497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ userdom_search_user_home_dirs($1)
++ userdom_search_user_home_content($1)
+ allow $1 home_cert_t:dir list_dir_perms;
+ read_files_pattern($1, home_cert_t, home_cert_t)
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
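Review bot: `userdom_search_user_home_content($1)` is added directly after `userdom_search_user_home_dirs($1)`; in refpolicy the former already grants search on the user home directory type as well as on home content, so if that holds for this policy the preceding call is redundant and one of the two can be removed. If both are kept intentionally, a short comment stating why would prevent the next reader from dropping one. The enclosing interface starts outside the hunk.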
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a3ec752..b5178dd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 75%{?dist}
+Release: 76%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ exit 0
%endif
%changelog
+* Thu Dec 9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-76
+- Fixes for clamscan
+
* Wed Dec 6 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-75
- nagios needs to to read the state information for software raid
- Add addtional support for OpenCT from Dominic