rpms/selinux-policy/F-12 policy-20100106.patch,1.3,1.4
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Jan 11 13:10:26 UTC 2010
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27915
Modified Files:
policy-20100106.patch
Log Message:
- Fixes for iscsid
policy-20100106.patch:
apps/sandbox.if | 46 ++++++++++++++++++++++++++++++++++++++++------
apps/sandbox.te | 29 +++++++++++++++++------------
kernel/devices.fc | 2 ++
kernel/devices.if | 18 ++++++++++++++++++
kernel/devices.te | 6 ++++++
services/abrt.te | 1 +
services/apache.if | 3 +++
services/apcupsd.te | 2 +-
services/cups.te | 1 +
services/dovecot.te | 6 ++++++
services/fail2ban.if | 18 ++++++++++++++++++
services/nagios.fc | 40 ++++++++++++++++++++++++++++++++++++++--
services/nagios.te | 3 +++
services/postfix.te | 5 ++++-
services/samba.te | 5 +++++
services/sendmail.te | 2 ++
services/snmp.te | 2 +-
services/spamassassin.if | 18 ++++++++++++++++++
services/sssd.if | 19 +++++++++++++++++++
services/virt.te | 4 +++-
services/xserver.fc | 4 ++++
services/xserver.te | 2 ++
system/iscsi.fc | 2 ++
system/iscsi.te | 4 ++++
system/libraries.fc | 6 ++++++
system/miscfiles.if | 19 +++++++++++++++++++
system/unconfined.if | 2 ++
system/userdomain.fc | 1 +
system/userdomain.if | 18 ++++++++++++++++++
system/xen.te | 6 ++++++
30 files changed, 270 insertions(+), 24 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- policy-20100106.patch 11 Jan 2010 11:43:43 -0000 1.3
+++ policy-20100106.patch 11 Jan 2010 13:10:26 -0000 1.4
@@ -1,3 +1,180 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
+--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-11 13:38:03.000000000 +0100
+@@ -45,9 +45,10 @@
+ allow sandbox_x_domain $1:process { sigchld signal };
+ allow sandbox_x_domain sandbox_x_domain:process signal;
+ # Dontaudit leaked file descriptors
+- dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
++ dontaudit sandbox_x_domain $1:fifo_file { read write };
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
++ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
+
+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
+@@ -103,9 +104,10 @@
+ #
+ template(`sandbox_x_domain_template',`
+ gen_require(`
+- type xserver_exec_t;
++ type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t;
+ attribute sandbox_domain, sandbox_x_domain;
++ attribute sandbox_file_type;
+ ')
+
+ type $1_t, sandbox_x_domain;
+@@ -163,10 +165,6 @@
+ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
+ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
+ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+-
+- optional_policy(`
+- xserver_common_app($1_t)
+- ')
+ ')
+
+ ########################################
+@@ -187,3 +185,39 @@
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+ ')
++
++########################################
++## <summary>
++## allow domain to delete sandbox files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`sandbox_delete_files',`
++ gen_require(`
++ attribute sandbox_file_type;
++ ')
++
++ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
++')
++
++########################################
++## <summary>
++## allow domain to delete sandbox files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`sandbox_delete_dirs',`
++ gen_require(`
++ attribute sandbox_file_type;
++ ')
++
++ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
+--- nsaserefpolicy/policy/modules/apps/sandbox.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2010-01-11 13:38:03.000000000 +0100
+@@ -10,14 +10,15 @@
+ #
+
+ sandbox_domain_template(sandbox)
++sandbox_x_domain_template(sandbox_min)
+ sandbox_x_domain_template(sandbox_x)
+ sandbox_x_domain_template(sandbox_web)
+ sandbox_x_domain_template(sandbox_net)
+
+ type sandbox_xserver_t;
+ domain_type(sandbox_xserver_t)
+-xserver_common_app(sandbox_xserver_t)
+ permissive sandbox_xserver_t;
++xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
+
+ type sandbox_xserver_tmpfs_t;
+ files_tmpfs_file(sandbox_xserver_tmpfs_t)
+@@ -92,10 +93,6 @@
+ ')
+ ')
+
+-optional_policy(`
+- xserver_common_app(sandbox_xserver_t)
+-')
+-
+ ########################################
+ #
+ # sandbox local policy
+@@ -104,7 +101,7 @@
+ ## internal communication is often done using fifo and unix sockets.
+ allow sandbox_domain self:fifo_file manage_file_perms;
+ allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
+-allow sandbox_domain self:unix_dgram_socket create_socket_perms;
++allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
+
+ gen_require(`
+ type usr_t, lib_t, locale_t;
+@@ -161,7 +158,7 @@
+
+ auth_dontaudit_read_login_records(sandbox_x_domain)
+ auth_dontaudit_write_login_records(sandbox_x_domain)
+-#auth_use_nsswitch(sandbox_x_domain)
++auth_use_nsswitch(sandbox_x_domain)
+ auth_search_pam_console_data(sandbox_x_domain)
+
+ init_read_utmp(sandbox_x_domain)
+@@ -179,12 +176,20 @@
+ miscfiles_read_fonts(sandbox_x_domain)
+
+ optional_policy(`
++ cups_stream_connect(sandbox_x_domain)
++ cups_read_rw_config(sandbox_x_domain)
++')
++
++optional_policy(`
+ gnome_read_gconf_config(sandbox_x_domain)
+ ')
+
+ optional_policy(`
+- cups_stream_connect(sandbox_x_domain)
+- cups_read_rw_config(sandbox_x_domain)
++ nscd_dontaudit_search_pid(sandbox_x_domain)
++')
++
++optional_policy(`
++ sssd_dontaudit_search_lib(sandbox_x_domain)
+ ')
+
+ userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+@@ -207,7 +212,7 @@
+
+ corenet_tcp_connect_ipp_port(sandbox_x_client_t)
+
+-#auth_use_nsswitch(sandbox_x_client_t)
++auth_use_nsswitch(sandbox_x_client_t)
+
+ dbus_system_bus_client(sandbox_x_client_t)
+ dbus_read_config(sandbox_x_client_t)
+@@ -267,7 +272,7 @@
+ corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
+ corenet_tcp_connect_speech_port(sandbox_web_client_t)
+
+-#auth_use_nsswitch(sandbox_web_client_t)
++auth_use_nsswitch(sandbox_web_client_t)
+
+ dbus_system_bus_client(sandbox_web_client_t)
+ dbus_read_config(sandbox_web_client_t)
+@@ -310,7 +315,7 @@
+ corenet_tcp_connect_all_ports(sandbox_net_client_t)
+ corenet_sendrecv_all_client_packets(sandbox_net_client_t)
+
+-#auth_use_nsswitch(sandbox_net_client_t)
++auth_use_nsswitch(sandbox_net_client_t)
+
+ dbus_system_bus_client(sandbox_net_client_t)
+ dbus_read_config(sandbox_net_client_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-01-09 20:39:30.000000000 +0100
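Review bot: The doc blocks of the two new sandbox.if interfaces, `sandbox_delete_files` and `sandbox_delete_dirs`, describe an allow as a dontaudit and are identical to each other: both carry the summary `allow domain to delete sandbox files` and the parameter text `Domain to not audit.`. These comments become the interface documentation that policy authors read before granting delete access over `sandbox_file_type`, so the parameter text should be `Domain allowed access.` and the second summary `Allow domain to delete sandbox directories`. In sandbox.te the four `auth_use_nsswitch(...)` calls are uncommented for `sandbox_x_domain` and the three client domains with no rationale. What that interface grants is not visible in this patch, so a one-line comment naming the lookup the sandbox needs, and why it is acceptable inside the sandbox, would help the next reviewer.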
@@ -162,8 +339,8 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-11 12:00:51.000000000 +0100
-@@ -27,26 +27,59 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-11 12:37:36.000000000 +0100
+@@ -27,26 +27,62 @@
# check disk plugins
/usr/lib(64)?/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
@@ -225,14 +402,16 @@ diff -b -B --ignore-all-space --exclude-
+/usr/lib(64)?/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+
++# unconfined plugins
++/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-11 11:32:18.000000000 +0100
-@@ -118,6 +118,10 @@
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2010-01-11 12:27:10.000000000 +0100
+@@ -118,6 +118,9 @@
corenet_udp_sendrecv_all_ports(nagios_t)
corenet_tcp_connect_all_ports(nagios_t)
-+# neede by rpcinfo
+corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
+
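Review bot: The added nagios.fc entry labels `check_by_ssh` as `nagios_unconfined_plugin_exec_t` under the bare heading `# unconfined plugins`, so nothing records why this plugin is exempt from the confined plugin types used for the entries above it. An unconfined label is the widest grant in this file and deserves its rationale next to it, for example `# unconfined plugins: check_by_ssh runs operator-defined remote commands` if that is the reason (assumed, not shown here). The declaration of that type is not among the visible nagios.te changes, so it is worth confirming that it exists elsewhere in the policy. The nagios.te part of the hunk also drops `# neede by rpcinfo` above the two `corenet_dontaudit_*_bind_all_reserved_ports(nagios_t)` rules; keeping it with the typo fixed, `# needed by rpcinfo`, preserves why those denials are silenced.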
@@ -349,9 +528,47 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
+--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-11 13:46:50.000000000 +0100
+@@ -95,6 +95,25 @@
+ files_search_var_lib($1)
+ ')
+
++#######################################
++## <summary>
++## Dontaudit search sssd lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`sssd_dontaudit_search_lib',`
++ gen_require(`
++ type sssd_var_lib_t;
++ ')
++
++ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
+ ########################################
+ ## <summary>
+ ## Read sssd lib files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-06 16:09:14.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2010-01-11 13:32:35.000000000 +0100
+@@ -226,7 +226,7 @@
+ sysnet_domtrans_ifconfig(virtd_t)
+ sysnet_read_config(virtd_t)
+
+-userdom_dontaudit_list_admin_dir(virtd_t)
++userdom_list_admin_dir(virtd_t)
+ userdom_getattr_all_users(virtd_t)
+ userdom_list_user_home_content(virtd_t)
+ userdom_read_all_users_state(virtd_t)
@@ -430,6 +430,8 @@
corenet_tcp_connect_virt_migration_port(virt_domain)
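Review bot: The new `sssd_dontaudit_search_lib` interface in sssd.if is named and summarised as a dontaudit, but its last line, `files_search_var_lib($1)`, looks like a grant, judging by its name and its use in the non-dontaudit interface just above. Every caller would then receive search access on the var lib directory as a side effect. The same patch applies the interface to `sandbox_x_domain` in sandbox.te, so the sandbox domains would gain that access through an interface whose name promises none. I would drop the `files_search_var_lib($1)` line and change the parameter text from `Domain allowed access.` to `Domain to not audit.`. Separately, the virt.te change from `userdom_dontaudit_list_admin_dir(virtd_t)` to `userdom_list_admin_dir(virtd_t)` turns a silenced denial into a grant on `admin_home_t` directories, with no comment naming what in virtd needs it.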
@@ -507,6 +724,34 @@ diff -b -B --ignore-all-space --exclude-
HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
HOME_DIR/\.gvfs(/.*)? <<none>>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-01-11 13:53:41.000000000 +0100
+@@ -3631,6 +3631,24 @@
+
+ ########################################
+ ## <summary>
++## Allow domain to list /root
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_list_admin_dir',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ allow $1 admin_home_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ## Allow Search /root
+ ## </summary>
+ ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2010-01-09 20:35:37.000000000 +0100