[selinux-policy] -

Daniel J Walsh dwalsh at fedoraproject.org
Tue Nov 2 21:07:33 UTC 2010


commit 9896599663cd081f11861521483a51ae072cbbe5
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Nov 2 17:07:21 2010 -0400

    -

 policy-F14.patch    |  223 +++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |    5 +-
 2 files changed, 156 insertions(+), 72 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 6454d83..dc286a9 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -34897,14 +34897,16 @@ index 32a3c13..7baeb6f 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..be4b00f 100644
+index 2124b6a..6546d6e 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
-@@ -1,3 +1,4 @@
-+HOME_DIR/.libvirt(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
- HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
+@@ -1,4 +1,5 @@
+-HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
++HOME_DIR/.libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
  HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+ 
 @@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -35196,10 +35198,10 @@ index 7c5d8d8..dbdc0e0 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..62e349a 100644
+index 3eca020..500f8e9 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -5,57 +5,66 @@ policy_module(virt, 1.4.0)
+@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
  # Declarations
  #
  
@@ -35287,7 +35289,12 @@ index 3eca020..62e349a 100644
  type virt_etc_t;
  files_config_file(virt_etc_t)
  
-@@ -65,20 +74,25 @@ files_type(virt_etc_rw_t)
+ type virt_etc_rw_t;
+ files_type(virt_etc_rw_t)
+ 
++type virt_home_t;
++userdom_user_home_content(virt_home_t)
++
  # virt Image files
  type virt_image_t; # customizable
  virt_image(virt_image_t)
@@ -35314,7 +35321,7 @@ index 3eca020..62e349a 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -89,6 +103,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +106,11 @@ domain_subj_id_change_exemption(virtd_t)
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -35326,7 +35333,7 @@ index 3eca020..62e349a 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -104,15 +123,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +126,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -35343,7 +35350,15 @@ index 3eca020..62e349a 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -147,11 +163,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -133,6 +152,7 @@ dev_list_sysfs(svirt_t)
+ userdom_search_user_home_content(svirt_t)
+ userdom_read_user_home_content_symlinks(svirt_t)
+ userdom_read_all_users_state(svirt_t)
++append_files_pattern(svirt_t, virt_home_t, virt_home_t)
+ 
+ tunable_policy(`virt_use_comm',`
+ 	term_use_unallocated_ttys(svirt_t)
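Review bot: `append_files_pattern(svirt_t, virt_home_t, virt_home_t)` lets the guest process append to every file of type virt_home_t, which after the virt.fc change in this patch is everything under `~/.libvirt` and `~/.virtinst`, not just whatever log qemu is meant to write there. If the session-mode domain definitions live under the same tree (not visible in this hunk, but likely), a compromised guest can append to its own configuration, which is exactly the kind of write svirt confinement exists to prevent. Either carve the log subtree out into its own type (e.g. a virt_home_log_t declared next to virt_home_t) and grant append on that, or at minimum record the intent so the breadth is deliberate: `# qemu appends to its per-domain log under ~/.libvirt — TODO: narrow to a log-only type`. The enclosing svirt_t rule block continues outside this hunk.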
+@@ -147,11 +167,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -35359,7 +35374,7 @@ index 3eca020..62e349a 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +180,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +184,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -35382,7 +35397,7 @@ index 3eca020..62e349a 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,22 +205,28 @@ optional_policy(`
+@@ -174,22 +209,28 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -35415,7 +35430,7 @@ index 3eca020..62e349a 100644
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  
-@@ -200,8 +237,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +241,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -35432,7 +35447,7 @@ index 3eca020..62e349a 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +263,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +267,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -35440,7 +35455,7 @@ index 3eca020..62e349a 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -243,18 +287,27 @@ dev_read_rand(virtd_t)
+@@ -243,18 +291,27 @@ dev_read_rand(virtd_t)
  dev_rw_kvm(virtd_t)
  dev_getattr_all_chr_files(virtd_t)
  dev_rw_mtrr(virtd_t)
@@ -35469,7 +35484,7 @@ index 3eca020..62e349a 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +315,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +319,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -35488,14 +35503,14 @@ index 3eca020..62e349a 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +350,26 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +354,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
- 
-+selinux_validate_context(virtd_t)
 +
++selinux_validate_context(virtd_t)
+ 
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -35510,12 +35525,16 @@ index 3eca020..62e349a 100644
  userdom_read_user_home_content_files(virtd_t)
 +userdom_relabel_user_home_files(virtd_t)
 +userdom_setattr_user_home_content_files(virtd_t)
++manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
++manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
++userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
 +
 +consoletype_exec(virtd_t)
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
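Review bot: `userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })` types every directory and file virtd_t creates directly in a user's home directory as virt_home_t, not only `.libvirt` and `.virtinst`; nothing in this hunk narrows it by name. Combined with the three manage_*_pattern rules above it, virtd_t can then create, relabel-free, arbitrary virt_home_t content anywhere in $HOME that the daemon happens to write to. If virtd_t only ever creates those two dotdirs this is harmless, but a comment should record that assumption so a later grant is reviewed against it: `# virtd_t creates ~/.libvirt and ~/.virtinst itself; any other dir/file it creates in $HOME also becomes virt_home_t`. The virtd_t rule run continues outside this hunk.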
-@@ -365,6 +440,8 @@ optional_policy(`
+@@ -365,6 +448,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -35524,7 +35543,7 @@ index 3eca020..62e349a 100644
  ')
  
  optional_policy(`
-@@ -396,12 +473,25 @@ optional_policy(`
+@@ -396,12 +481,25 @@ optional_policy(`
  
  allow virt_domain self:capability { dac_read_search dac_override kill };
  allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -35551,7 +35570,7 @@ index 3eca020..62e349a 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +512,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +520,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -35559,7 +35578,7 @@ index 3eca020..62e349a 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +520,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +528,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -35572,7 +35591,7 @@ index 3eca020..62e349a 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +533,11 @@ files_search_all(virt_domain)
+@@ -440,6 +541,11 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -35584,7 +35603,7 @@ index 3eca020..62e349a 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +555,117 @@ optional_policy(`
+@@ -457,8 +563,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36110,7 +36129,7 @@ index 6f1e3c7..6a160b2 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..0ad10f7 100644
+index da2601a..19018ae 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -36584,7 +36603,7 @@ index da2601a..0ad10f7 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1141,24 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1141,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -36596,6 +36615,24 @@ index da2601a..0ad10f7 100644
 +##	</summary>
 +## </param>
 +#
++interface(`xserver_relabel_xdm_tmp_dirs',`
++	gen_require(`
++		type xdm_tmp_t;
++	')
++
++	allow initrc_t initrc_tmp_t:dir relabel_dir_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete xdm temporary dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`xserver_manage_xdm_tmp_dirs',`
 +	gen_require(`
 +		type xdm_tmp_t;
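Review bot: The body of the new `xserver_relabel_xdm_tmp_dirs` interface does not use `$1` or the required `xdm_tmp_t` at all; it hard-codes `allow initrc_t initrc_tmp_t:dir relabel_dir_perms;`, so the caller gets no relabel permission on xdm_tmp_t and the interface only compiles when invoked from a module where initrc_t and initrc_tmp_t are already declared (init.te is the one caller shown in this patch). The line should be `allow $1 xdm_tmp_t:dir relabel_dir_perms;`, with the `gen_require` left as is. Relabeling a directory from initrc_tmp_t to xdm_tmp_t then needs relabelfrom on the source type granted separately in init.te, which the patch appears to do with its `relabelfrom` rule. The interface's `<summary>` text sits just before the start of this hunk, so check it describes the caller parameter rather than initrc_t.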
@@ -36609,7 +36646,7 @@ index da2601a..0ad10f7 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1173,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1191,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -36618,7 +36655,7 @@ index da2601a..0ad10f7 100644
  ')
  
  ########################################
-@@ -1070,8 +1191,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1209,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -36630,7 +36667,7 @@ index da2601a..0ad10f7 100644
  ')
  
  ########################################
-@@ -1185,6 +1308,7 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1326,7 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -36638,7 +36675,7 @@ index da2601a..0ad10f7 100644
  ')
  
  ########################################
-@@ -1210,7 +1334,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1352,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -36647,7 +36684,7 @@ index da2601a..0ad10f7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1344,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1362,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -36672,7 +36709,7 @@ index da2601a..0ad10f7 100644
  ')
  
  ########################################
-@@ -1243,10 +1377,355 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1395,355 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -39676,7 +39713,7 @@ index df3fa64..73dc579 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..fc65044 100644
+index 8a105fd..08817a8 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -39906,7 +39943,7 @@ index 8a105fd..fc65044 100644
  ')
  
  optional_policy(`
-@@ -199,10 +321,23 @@ optional_policy(`
+@@ -199,10 +321,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39923,14 +39960,16 @@ index 8a105fd..fc65044 100644
 +')
 +
 +optional_policy(`
++	xserver_relabel_xdm_tmp_dirs(init_t)
 +	xserver_manage_xdm_tmp_dirs(init_t)
++	xserver_setattr_xdm_tmp_dirs(initrc_t)
 +')
 +
 +optional_policy(`
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +347,7 @@ optional_policy(`
+@@ -212,7 +349,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -39939,7 +39978,7 @@ index 8a105fd..fc65044 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,6 +376,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +378,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -39947,7 +39986,14 @@ index 8a105fd..fc65044 100644
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t)
+ manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
++allow initrc_t initrc_tmp_t:dir relabelfrom;
+ 
+ init_write_initctl(initrc_t)
+ 
+@@ -258,11 +397,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -39971,7 +40017,7 @@ index 8a105fd..fc65044 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -291,6 +439,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +442,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -39979,7 +40025,7 @@ index 8a105fd..fc65044 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +447,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +450,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -39995,7 +40041,7 @@ index 8a105fd..fc65044 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +472,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +475,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -40007,7 +40053,7 @@ index 8a105fd..fc65044 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +491,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +494,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -40021,7 +40067,7 @@ index 8a105fd..fc65044 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +506,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +509,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -40030,7 +40076,7 @@ index 8a105fd..fc65044 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +520,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +523,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -40038,7 +40084,7 @@ index 8a105fd..fc65044 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -380,6 +538,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +541,7 @@ auth_read_pam_pid(initrc_t)
  auth_delete_pam_pid(initrc_t)
  auth_delete_pam_console_data(initrc_t)
  auth_use_nsswitch(initrc_t)
@@ -40046,7 +40092,7 @@ index 8a105fd..fc65044 100644
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
-@@ -394,13 +553,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +556,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -40062,7 +40108,7 @@ index 8a105fd..fc65044 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +633,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +636,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -40071,7 +40117,7 @@ index 8a105fd..fc65044 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +679,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +682,19 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -40091,7 +40137,7 @@ index 8a105fd..fc65044 100644
  	')
  
  	optional_policy(`
-@@ -526,10 +699,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +702,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -40109,7 +40155,7 @@ index 8a105fd..fc65044 100644
  	')
  
  	optional_policy(`
-@@ -544,6 +724,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +727,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -40145,7 +40191,7 @@ index 8a105fd..fc65044 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +765,8 @@ optional_policy(`
+@@ -556,6 +768,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -40154,7 +40200,7 @@ index 8a105fd..fc65044 100644
  ')
  
  optional_policy(`
-@@ -572,6 +783,7 @@ optional_policy(`
+@@ -572,6 +786,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -40162,7 +40208,7 @@ index 8a105fd..fc65044 100644
  ')
  
  optional_policy(`
-@@ -584,6 +796,11 @@ optional_policy(`
+@@ -584,6 +799,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40174,7 +40220,7 @@ index 8a105fd..fc65044 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,6 +817,9 @@ optional_policy(`
+@@ -600,9 +820,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -40184,7 +40230,11 @@ index 8a105fd..fc65044 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +921,13 @@ optional_policy(`
++		consolekit_manage_log(initrc_t)
+ 	')
+ 
+ 	optional_policy(`
+@@ -701,7 +925,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40198,7 +40248,7 @@ index 8a105fd..fc65044 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +950,10 @@ optional_policy(`
+@@ -724,6 +954,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40209,7 +40259,7 @@ index 8a105fd..fc65044 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -745,6 +975,10 @@ optional_policy(`
+@@ -745,6 +979,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40220,7 +40270,7 @@ index 8a105fd..fc65044 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +1000,6 @@ optional_policy(`
+@@ -766,8 +1004,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -40229,7 +40279,7 @@ index 8a105fd..fc65044 100644
  ')
  
  optional_policy(`
-@@ -776,14 +1008,21 @@ optional_policy(`
+@@ -776,14 +1012,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40251,7 +40301,7 @@ index 8a105fd..fc65044 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1044,19 @@ optional_policy(`
+@@ -805,11 +1048,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40272,7 +40322,7 @@ index 8a105fd..fc65044 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1066,25 @@ optional_policy(`
+@@ -819,6 +1070,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -40298,7 +40348,7 @@ index 8a105fd..fc65044 100644
  ')
  
  optional_policy(`
-@@ -844,3 +1110,59 @@ optional_policy(`
+@@ -844,3 +1114,59 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -44162,7 +44212,7 @@ index 0291685..44fe366 100644
  /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..65971f9 100644
+index 025348a..cea695c 100644
 --- a/policy/modules/system/udev.if
 +++ b/policy/modules/system/udev.if
 @@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -44183,7 +44233,22 @@ index 025348a..65971f9 100644
  ')
  
  ########################################
-@@ -231,3 +231,36 @@ interface(`udev_manage_pid_files',`
+@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',`
+ interface(`udev_read_db',`
+ 	gen_require(`
+ 		type udev_tbl_t;
++		type device_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 udev_tbl_t:dir list_dir_perms;
+ 	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ 	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++	allow $1 device_t:file read_file_perms;
+ ')
+ 
+ ########################################
+@@ -231,3 +233,36 @@ interface(`udev_manage_pid_files',`
  	files_search_var_lib($1)
  	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
  ')
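Review bot: `allow $1 device_t:file read_file_perms;` in `udev_read_db` reaches into the devices module's private type, which refpolicy convention avoids; the equivalent `dev_read_generic_files($1)` keeps the `gen_require` local to udev.if and drops the added `type device_t;` line. Note also that this widens every existing caller of `udev_read_db` from the udev database to every generic file under /dev, which is broader than the interface name promises. If the need is the database files under /dev that are currently landing as device_t, labeling that path as udev_tbl_t in udev.fc would be the tighter fix; otherwise the summary above the interface should say the grant now covers generic device files.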
@@ -44221,7 +44286,7 @@ index 025348a..65971f9 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..f24ab6b 100644
+index a054cf5..4fc2837 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -44242,7 +44307,15 @@ index a054cf5..f24ab6b 100644
  
  kernel_read_system_state(udev_t)
  kernel_request_load_module(udev_t)
-@@ -111,15 +113,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -87,6 +89,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+ kernel_dgram_send(udev_t)
+ kernel_signal(udev_t)
+ kernel_search_debugfs(udev_t)
++kernel_stream_connect(udev_t)
+ 
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+ kernel_rw_net_sysctls(udev_t)
+@@ -111,15 +114,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
  
  files_read_usr_files(udev_t)
  files_read_etc_runtime_files(udev_t)
@@ -44264,7 +44337,15 @@ index a054cf5..f24ab6b 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -186,6 +193,7 @@ ifdef(`distro_redhat',`
+@@ -143,6 +151,7 @@ auth_use_nsswitch(udev_t)
+ init_read_utmp(udev_t)
+ init_dontaudit_write_utmp(udev_t)
+ init_getattr_initctl(udev_t)
++init_stream_connect(udev_t)
+ 
+ logging_search_logs(udev_t)
+ logging_send_syslog_msg(udev_t)
+@@ -186,6 +195,7 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -44272,7 +44353,7 @@ index a054cf5..f24ab6b 100644
  
  	term_search_ptys(udev_t)
  
-@@ -216,11 +224,16 @@ optional_policy(`
+@@ -216,11 +226,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44289,7 +44370,7 @@ index a054cf5..f24ab6b 100644
  ')
  
  optional_policy(`
-@@ -233,6 +246,10 @@ optional_policy(`
+@@ -233,6 +248,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44300,7 +44381,7 @@ index a054cf5..f24ab6b 100644
  	lvm_domtrans(udev_t)
  ')
  
-@@ -259,6 +276,10 @@ optional_policy(`
+@@ -259,6 +278,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44311,7 +44392,7 @@ index a054cf5..f24ab6b 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +294,11 @@ optional_policy(`
+@@ -273,6 +296,11 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 161036b..e88472d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 2 2010 Dan Walsh <dwalsh at redhat.com> 3.9.7-9
+- 
+
 * Mon Nov 1 2010 Dan Walsh <dwalsh at redhat.com> 3.9.7-8
 - Allow NetworkManager to read openvpn_etc_t
 - Dontaudit hplip to write of /usr dirs

