[selinux-policy/f14/master] - Allow boinc-project to read mtab - Fixes for clamscan
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Dec 10 13:02:17 UTC 2010
commit 16e7e921e543e401c3e5b853cbbfa111eb72e4f7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Dec 10 14:01:37 2010 +0000
- Allow boinc-project to read mtab
- Fixes for clamscan
policy-F14.patch | 57 ++++++++++++++++++++++++++++++++++++++++----------
selinux-policy.spec | 6 ++++-
2 files changed, 50 insertions(+), 13 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 8413778..1b557d6 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7416,7 +7416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
dbus_session_bus_client($1_wm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2010-11-05 14:02:26.511650387 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2010-12-09 12:33:23.341041447 +0100
@@ -9,8 +9,11 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7532,7 +7532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
ifdef(`distro_suse', `
-@@ -340,3 +367,25 @@
+@@ -340,3 +367,28 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -7558,6 +7558,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+
+/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/usr/local/Brother/(.*/)?inf/brprintconf.* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/(.*/)?inf/setup.* -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.9.7/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.if 2010-11-05 14:02:26.513653539 +0100
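Review bot: The two new `/usr/local/Brother/(.*/)?inf/` entries are not covered by either changelog line ("read mtab", "Fixes for clamscan"). The same holds for `setpgid` in boinc.te, `fs_unmount_cgroup(cgconfig_t)` in cgroup.te and the `/var/run/clvmd\.pid` label in lvm.fc later in this patch. Each of these changes labelling or permissions and deserves its own entry, for example `- Label Brother printer setup tools as bin_t`. The trailing `.*` in `brprintconf.*` and `setup.*` also labels every regular file whose name merely starts with those strings as bin_t; if only specific executables are meant, a tighter pattern would keep data files in the same directory out of bin_t.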
@@ -15657,8 +15660,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.9.7/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/boinc.te 2010-11-05 14:02:26.599900184 +0100
-@@ -0,0 +1,167 @@
++++ serefpolicy-3.9.7/policy/modules/services/boinc.te 2010-12-09 12:28:05.201308230 +0100
+@@ -0,0 +1,169 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -15779,7 +15782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
+
-+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
@@ -15819,6 +15822,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+dev_rw_xserver_misc(boinc_project_t)
+
+files_read_etc_files(boinc_project_t)
++files_read_etc_runtime_files(boinc_project_t)
++files_read_usr_files(boinc_project_t)
+
+miscfiles_read_fonts(boinc_project_t)
+miscfiles_read_localization(boinc_project_t)
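Review bot: `files_read_etc_runtime_files(boinc_project_t)` and `files_read_usr_files(boinc_project_t)` grant more than the stated goal of reading mtab. The first covers every file labelled etc_runtime_t rather than mtab alone, and the second, which the changelog does not mention, covers everything labelled usr_t. The earlier boinc.te hunk shows that boinc_project_t is entered from boinc_t through boinc_project_var_lib_t executables and already holds ptrace, execmem and execstack on itself, so each extra read grant for this domain should be justified. Consider a comment above the two lines such as `# mtab is etc_runtime_t; usr_t read needed for <reason, confirm against the AVC>`, and drop `files_read_usr_files` if no denial backs it.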
@@ -16494,7 +16499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.9.7/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cgroup.te 2010-12-01 11:28:48.699041492 +0100
++++ serefpolicy-3.9.7/policy/modules/services/cgroup.te 2010-12-07 14:57:18.915041300 +0100
@@ -16,14 +16,17 @@
type cgred_initrc_exec_t;
init_script_file(cgred_initrc_exec_t)
@@ -16533,7 +16538,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
-@@ -79,6 +82,9 @@
+@@ -67,6 +70,7 @@
+ fs_manage_cgroup_files(cgconfig_t)
+ fs_mount_cgroup(cgconfig_t)
+ fs_mounton_cgroup(cgconfig_t)
++fs_unmount_cgroup(cgconfig_t)
+
+ ########################################
+ #
+@@ -79,6 +83,9 @@
allow cgred_t cgrules_etc_t:file read_file_perms;
@@ -16746,7 +16759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.9.7/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/clamav.te 2010-11-05 14:02:26.611899958 +0100
++++ serefpolicy-3.9.7/policy/modules/services/clamav.te 2010-12-09 12:45:31.253041229 +0100
@@ -1,9 +1,9 @@
policy_module(clamav, 1.8.1)
@@ -16851,7 +16864,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
########################################
#
# clamscam local policy
-@@ -251,6 +266,7 @@
+@@ -248,9 +263,11 @@
+ corenet_tcp_sendrecv_generic_node(clamscan_t)
+ corenet_tcp_sendrecv_all_ports(clamscan_t)
+ corenet_tcp_sendrecv_clamd_port(clamscan_t)
++corenet_tcp_bind_generic_node(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
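Review bot: `corenet_tcp_bind_generic_node(clamscan_t)` lets clamscan bind TCP sockets on generic nodes, but nothing visible here says why a scanner that already has `corenet_tcp_connect_clamd_port` needs to bind. "Fixes for clamscan" in the changelog does not explain it either. A one-line comment above the rule, such as `# clamscan binds a local TCP socket for <purpose>; see <bug id>`, would let a later reviewer decide whether the grant can be narrowed. The clamscan rule block continues outside this hunk, so a related port rule may exist there.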
@@ -16859,6 +16876,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
+@@ -265,6 +282,9 @@
+ clamav_stream_connect(clamscan_t)
+
+ mta_send_mail(clamscan_t)
++mta_read_queue(clamscan_t)
++
++sysnet_read_config(clamscan_t)
+
+ optional_policy(`
+ amavis_read_spool_files(clamscan_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.9.7/policy/modules/services/clogd.if
--- nsaserefpolicy/policy/modules/services/clogd.if 2010-10-12 22:42:47.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/clogd.if 2010-11-05 14:02:26.612900102 +0100
@@ -42739,7 +42766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.9.7/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/lvm.fc 2010-11-05 14:02:26.936899930 +0100
++++ serefpolicy-3.9.7/policy/modules/system/lvm.fc 2010-12-07 13:48:49.058043850 +0100
@@ -28,10 +28,12 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -42753,6 +42780,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -99,3 +101,4 @@
+ /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
+ /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
+ /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
++/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.9.7/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/system/lvm.if 2010-11-05 14:02:26.936899930 +0100
@@ -46233,7 +46265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.debug(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.9.7/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2010-11-05 14:02:26.963900049 +0100
++++ serefpolicy-3.9.7/policy/modules/system/userdomain.if 2010-12-09 12:46:35.007042321 +0100
@@ -30,8 +30,9 @@
')
@@ -47809,7 +47841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3135,3 +3481,854 @@
+@@ -3135,3 +3481,855 @@
allow $1 userdomain:dbus send_msg;
')
@@ -48381,6 +48413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ userdom_search_user_home_dirs($1)
++ userdom_search_user_home_content($1)
+ allow $1 home_cert_t:dir list_dir_perms;
+ read_files_pattern($1, home_cert_t, home_cert_t)
+ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
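Review bot: `userdom_search_user_home_content($1)` is added inside an interface whose header lies outside this hunk, so every caller of that interface gains directory search on user home content. That is wider than the home_cert_t directories the following three rules cover. If the intent is only to traverse intermediate directories on the way to the certificate store, say so in place, for example `# certs may sit below user_home_t directories; search only`. It is also worth confirming that no caller of the interface is a domain that should stay out of user home content.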
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 51bffb3..1c9cd90 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 15%{?dist}
+Release: 16%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Fri Dec 10 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-16
+- Allow boinc-project to read mtab
+- Fixes for clamscan
+
* Mon Dec 6 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-15
- Allow mount fowner capability
- Fix the label for wicd log