[selinux-policy] - fixes to allow /var/run and /var/lock as tmpfs - Allow chrome sandbox to connect to web ports - Al

Miroslav Grepl mgrepl at fedoraproject.org
Tue Nov 30 11:39:48 UTC 2010


commit 954ef8ad923c9c3a7c9e74a5f56ca48e0c589fd1
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Nov 30 11:39:40 2010 +0000

    - fixes to allow /var/run and /var/lock as tmpfs
    - Allow chrome sandbox to connect to web ports
    - Allow dovecot to listen on lmtp and sieve ports
    - Allow ddclient to search sysctl_net_t
    - Transition back to original domain if you execute the shell

 policy-F15.patch    |  241 +++++++++++++++++++++++++++++++++++++--------------
 selinux-policy.spec |    9 ++-
 2 files changed, 185 insertions(+), 65 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 63c3a4c..f229f8c 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1985,10 +1985,10 @@ index 0000000..5ef90cd
 +
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..41a9493
+index 0000000..8dd672a
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,106 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -2035,6 +2035,19 @@ index 0000000..41a9493
 +
 +corecmd_exec_bin(chrome_sandbox_t)
 +
++corenet_all_recvfrom_unlabeled(chrome_sandbox_t)
++corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_flash_port(chrome_sandbox_t)
++corenet_tcp_connect_streaming_port(chrome_sandbox_t)
++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
++corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
++corenet_tcp_connect_squid_port(chrome_sandbox_t)
++corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
++corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
++corenet_tcp_connect_ipp_port(chrome_sandbox_t)
++corenet_tcp_connect_speech_port(chrome_sandbox_t)
++
 +domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
 +
 +dev_read_urand(chrome_sandbox_t)
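Review bot: The commit message describes this as letting the chrome sandbox "connect to web ports", but the added block also grants tcp connect to the ipp, speech, pulseaudio, flash and streaming ports and adds `corenet_all_recvfrom_unlabeled`, each of which widens what chrome_sandbox_t can reach beyond http/http_cache/squid. A one-line comment above the block naming the browser feature each non-web port serves (presumably printing for ipp, audio for pulseaudio, plugin streams for flash/streaming) would make the grant reviewable later, or those ports could be left out until a denial shows they are needed. The `sysnet_dontaudit_read_config` → `sysnet_dns_name_resolve` swap in the next hunk is consistent with the new network access and needs no change.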
@@ -2055,7 +2068,7 @@ index 0000000..41a9493
 +miscfiles_read_localization(chrome_sandbox_t)
 +miscfiles_read_fonts(chrome_sandbox_t)
 +
-+sysnet_dontaudit_read_config(chrome_sandbox_t)
++sysnet_dns_name_resolve(chrome_sandbox_t)
 +
 +optional_policy(`
 +	execmem_exec(chrome_sandbox_t)
@@ -18968,7 +18981,7 @@ index e182bf4..f80e725 100644
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..72fe7a8 100644
+index 0d5711c..3874025 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -19002,7 +19015,7 @@ index 0d5711c..72fe7a8 100644
  	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
  
  	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-@@ -88,14 +87,15 @@ template(`dbus_role_template',`
+@@ -88,14 +87,16 @@ template(`dbus_role_template',`
  	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
  
  	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
@@ -19014,6 +19027,7 @@ index 0d5711c..72fe7a8 100644
  	# cjp: this seems very broken
 -	corecmd_bin_domtrans($1_dbusd_t, $3)
 +	corecmd_bin_domtrans($1_dbusd_t, $1_t)
++	corecmd_shell_domtrans($1_dbusd_t, $1_t)
  	allow $1_dbusd_t $3:process sigkill;
  	allow $3 $1_dbusd_t:fd use;
  	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
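Review bot: The added `corecmd_shell_domtrans($1_dbusd_t, $1_t)` lands directly under the inherited comment `# cjp: this seems very broken`, which now reads as if it covers both transitions and gives no hint why the shell case is wanted. The comment should be replaced or extended to state the intent the commit message gives, e.g. `# bin and shell executed by the session bus transition back to the role's domain ($1_t)`. The `dbus_role_template` body this sits in starts and ends outside the hunk.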
@@ -19021,7 +19035,7 @@ index 0d5711c..72fe7a8 100644
  
  	kernel_read_system_state($1_dbusd_t)
  	kernel_read_kernel_sysctls($1_dbusd_t)
-@@ -116,7 +116,7 @@ template(`dbus_role_template',`
+@@ -116,7 +117,7 @@ template(`dbus_role_template',`
  
  	dev_read_urand($1_dbusd_t)
  
@@ -19030,7 +19044,7 @@ index 0d5711c..72fe7a8 100644
  	domain_read_all_domains_state($1_dbusd_t)
  
  	files_read_etc_files($1_dbusd_t)
-@@ -149,17 +149,25 @@ template(`dbus_role_template',`
+@@ -149,17 +150,25 @@ template(`dbus_role_template',`
  
  	term_use_all_terms($1_dbusd_t)
  
@@ -19058,7 +19072,7 @@ index 0d5711c..72fe7a8 100644
  		xserver_use_xdm_fds($1_dbusd_t)
  		xserver_rw_xdm_pipes($1_dbusd_t)
  	')
-@@ -181,10 +189,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -19071,7 +19085,7 @@ index 0d5711c..72fe7a8 100644
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -431,14 +441,28 @@ interface(`dbus_system_domain',`
+@@ -431,14 +442,28 @@ interface(`dbus_system_domain',`
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
@@ -19101,7 +19115,7 @@ index 0d5711c..72fe7a8 100644
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -497,3 +521,22 @@ interface(`dbus_unconfined',`
+@@ -497,3 +522,22 @@ interface(`dbus_unconfined',`
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -19207,7 +19221,7 @@ index 0a1a61b..da508f4 100644
  
  	allow $1 ddclient_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
-index 24ba98a..41559cf 100644
+index 24ba98a..b8d064a 100644
 --- a/policy/modules/services/ddclient.te
 +++ b/policy/modules/services/ddclient.te
 @@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
@@ -19239,7 +19253,15 @@ index 24ba98a..41559cf 100644
  manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
  manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
  manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-@@ -74,6 +82,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+@@ -62,6 +70,7 @@ kernel_read_software_raid_state(ddclient_t)
+ kernel_getattr_core_if(ddclient_t)
+ kernel_getattr_message_if(ddclient_t)
+ kernel_read_kernel_sysctls(ddclient_t)
++kernel_search_network_sysctl(ddclient_t)
+ 
+ corecmd_exec_shell(ddclient_t)
+ corecmd_exec_bin(ddclient_t)
+@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
  corenet_udp_sendrecv_generic_node(ddclient_t)
  corenet_tcp_sendrecv_all_ports(ddclient_t)
  corenet_udp_sendrecv_all_ports(ddclient_t)
@@ -19248,7 +19270,7 @@ index 24ba98a..41559cf 100644
  corenet_tcp_connect_all_ports(ddclient_t)
  corenet_sendrecv_all_client_packets(ddclient_t)
  
-@@ -89,6 +99,8 @@ files_read_usr_files(ddclient_t)
+@@ -89,6 +100,8 @@ files_read_usr_files(ddclient_t)
  fs_getattr_all_fs(ddclient_t)
  fs_search_auto_mountpoints(ddclient_t)
  
@@ -19445,7 +19467,7 @@ index f706b99..c1ba3f2 100644
  ')
 +
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..3aaa784 100644
+index f231f17..14921ca 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -19473,7 +19495,7 @@ index f231f17..3aaa784 100644
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
-@@ -178,25 +182,37 @@ optional_policy(`
+@@ -178,25 +182,41 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -19503,6 +19525,10 @@ index f231f17..3aaa784 100644
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
  
++manage_files_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
++manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
++files_pid_filetrans(devicekit_power_t, devicekit_var_run_t, dir)
++
 +kernel_read_fs_sysctls(devicekit_power_t)
  kernel_read_network_state(devicekit_power_t)
  kernel_read_system_state(devicekit_power_t)
@@ -19512,7 +19538,7 @@ index f231f17..3aaa784 100644
  kernel_search_debugfs(devicekit_power_t)
  kernel_write_proc_files(devicekit_power_t)
  
-@@ -212,12 +228,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,12 +232,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -19529,7 +19555,7 @@ index f231f17..3aaa784 100644
  
  term_use_all_terms(devicekit_power_t)
  
-@@ -225,8 +245,11 @@ auth_use_nsswitch(devicekit_power_t)
+@@ -225,8 +249,11 @@ auth_use_nsswitch(devicekit_power_t)
  
  miscfiles_read_localization(devicekit_power_t)
  
@@ -19541,7 +19567,7 @@ index f231f17..3aaa784 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -261,6 +284,10 @@ optional_policy(`
+@@ -261,6 +288,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19552,7 +19578,7 @@ index f231f17..3aaa784 100644
  	hal_domtrans_mac(devicekit_power_t)
  	hal_manage_log(devicekit_power_t)
  	hal_manage_pid_dirs(devicekit_power_t)
-@@ -269,6 +296,10 @@ optional_policy(`
+@@ -269,6 +300,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19563,7 +19589,7 @@ index f231f17..3aaa784 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +307,21 @@ optional_policy(`
+@@ -276,9 +311,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20327,10 +20353,21 @@ index 9bd812b..c808b31 100644
  ')
  
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..1f6f6f3 100644
+index fdaeeba..c516b94 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
-@@ -96,10 +96,18 @@ optional_policy(`
+@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+ manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
+ logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
+ 
++manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
+-files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file)
++files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ 
+ kernel_read_kernel_sysctls(dnsmasq_t)
+ kernel_read_system_state(dnsmasq_t)
+@@ -96,10 +97,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20349,6 +20386,12 @@ index fdaeeba..1f6f6f3 100644
  	seutil_sigchld_newrole(dnsmasq_t)
  ')
  
+@@ -114,4 +123,5 @@ optional_policy(`
+ optional_policy(`
+ 	virt_manage_lib_files(dnsmasq_t)
+ 	virt_read_pid_files(dnsmasq_t)
++	virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
+ ')
 diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
 index bfc880b..9a1dcba 100644
 --- a/policy/modules/services/dovecot.fc
@@ -20431,7 +20474,7 @@ index e1d7dc5..ee51a19 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..e74c9fe 100644
+index cbe14e4..da1c6bf 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -20485,7 +20528,16 @@ index cbe14e4..e74c9fe 100644
  
  kernel_read_kernel_sysctls(dovecot_t)
  kernel_read_system_state(dovecot_t)
-@@ -159,6 +164,11 @@ optional_policy(`
+@@ -110,6 +115,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+ corenet_tcp_bind_generic_node(dovecot_t)
+ corenet_tcp_bind_mail_port(dovecot_t)
+ corenet_tcp_bind_pop_port(dovecot_t)
++corenet_tcp_bind_lmtp_port(dovecot_t)
++corenet_tcp_bind_sieve_port(dovecot_t)
+ corenet_tcp_connect_all_ports(dovecot_t)
+ corenet_tcp_connect_postgresql_port(dovecot_t)
+ corenet_sendrecv_pop_server_packets(dovecot_t)
+@@ -159,6 +166,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20497,7 +20549,7 @@ index cbe14e4..e74c9fe 100644
  	postgresql_stream_connect(dovecot_t)
  ')
  
-@@ -179,7 +189,7 @@ optional_policy(`
+@@ -179,7 +191,7 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -20506,7 +20558,7 @@ index cbe14e4..e74c9fe 100644
  allow dovecot_auth_t self:process { signal_perms getcap setcap };
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-@@ -189,6 +199,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -189,6 +201,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -20515,7 +20567,7 @@ index cbe14e4..e74c9fe 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -242,6 +254,7 @@ optional_policy(`
+@@ -242,6 +256,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20523,7 +20575,7 @@ index cbe14e4..e74c9fe 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -253,19 +266,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+@@ -253,19 +268,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
  allow dovecot_deliver_t dovecot_t:process signull;
  
@@ -20559,7 +20611,7 @@ index cbe14e4..e74c9fe 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,4 +329,5 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,4 +331,5 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
@@ -27493,10 +27545,10 @@ index 0000000..6403c17
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..6b69f38
+index 0000000..6716b5e
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,214 @@
+@@ -0,0 +1,219 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -27620,6 +27672,11 @@ index 0000000..6b69f38
 +	sasl_connect(piranha_web_t)
 +')
 +
++optional_policy(`
++    snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
++    snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
++')
++
 +######################################
 +#
 +# piranha-lvs local policy
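Review bot: The new `optional_policy` block for piranha_web_t indents the two `snmp_dontaudit_*` lines with four spaces, while the block just above it (`sasl_connect(piranha_web_t)`) and every other `optional_policy` body on this page use a tab. The two lines should be tab-indented to match the file before this lands, since the inconsistency will otherwise be carried into the generated reference policy.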
@@ -35874,7 +35931,7 @@ index 2124b6a..6546d6e 100644
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..dbdc0e0 100644
+index 7c5d8d8..2ac9e34 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -14,13 +14,14 @@
@@ -36005,7 +36062,44 @@ index 7c5d8d8..dbdc0e0 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -308,6 +316,24 @@ interface(`virt_read_lib_files',`
+@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
+ 
+ ########################################
+ ## <summary>
++##	Create objects in the pid directory
++##	with a private type with a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="file">
++##	<summary>
++##	Type to which the created node will be transitioned.
++##	</summary>
++## </param>
++## <param name="class">
++##	<summary>
++##	Object class(es) (single or set including {}) for which this
++##	the transition will occur.
++##	</summary>
++## </param>
++#
++interface(`virt_pid_filetrans',`
++	gen_require(`
++		type virt_vaar_run_t;
++	')
++
++	filetrans_pattern($1, virt_var_run_t, $2, $3)
++')
++
++########################################
++## <summary>
+ ##	Search virt lib directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
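Review bot: In the new `virt_pid_filetrans` interface the `gen_require` block declares `type virt_vaar_run_t;` while the body calls `filetrans_pattern($1, virt_var_run_t, $2, $3)`, so the required type is misspelled and the type actually used is never required; the line should read `type virt_var_run_t;`. As written the interface will fail to resolve when it is expanded (no `virt_vaar_run_t` appears to be declared anywhere), and the new `virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })` call in the dnsmasq.te hunk earlier on this page depends on it. The `<param name="class">` summary also has a doubled word: `for which this the transition will occur` should be `for which the transition will occur`.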
@@ -36030,7 +36124,7 @@ index 7c5d8d8..dbdc0e0 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +378,9 @@ interface(`virt_read_log',`
+@@ -352,9 +408,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -36042,7 +36136,7 @@ index 7c5d8d8..dbdc0e0 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -424,6 +450,24 @@ interface(`virt_read_images',`
+@@ -424,6 +480,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -36067,7 +36161,7 @@ index 7c5d8d8..dbdc0e0 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +477,15 @@ interface(`virt_read_images',`
+@@ -433,15 +507,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -36088,7 +36182,7 @@ index 7c5d8d8..dbdc0e0 100644
  ')
  
  ########################################
-@@ -516,3 +560,51 @@ interface(`virt_admin',`
+@@ -516,3 +590,51 @@ interface(`virt_admin',`
  
  	virt_manage_log($1)
  ')
@@ -40736,7 +40830,7 @@ index df3fa64..36da732 100644
 +	allow $1 init_t:unix_dgram_socket sendto;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..2981ece 100644
+index 8a105fd..334ddd0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -40932,7 +41026,7 @@ index 8a105fd..2981ece 100644
 +	
 +	# Permissions for systemd-tmpfiles, needs its own policy.
 +	files_relabel_all_lock_dirs(init_t)
-+	files_relabel_all_pid_files(init_t)
++	files_relabel_all_pid_dirs(init_t)
 +	files_relabel_all_pid_files(init_t)
 +	files_manage_all_pids(init_t)
 +	files_manage_all_locks(init_t)
@@ -42748,7 +42842,7 @@ index 58bc27f..b4f0663 100644
 +	allow $1 clvmd_tmpfs_t:file rw_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 86ef2da..7f649d5 100644
+index 86ef2da..f1fe005 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -42792,7 +42886,18 @@ index 86ef2da..7f649d5 100644
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -210,12 +223,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
+@@ -190,8 +203,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+ can_exec(lvm_t, lvm_exec_t)
+ 
+ # Creating lock files
++manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+ manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+-files_lock_filetrans(lvm_t, lvm_lock_t, file)
++files_lock_filetrans(lvm_t, lvm_lock_t, { file dir })
+ 
+ manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+ manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
+@@ -210,12 +224,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
  files_etc_filetrans(lvm_t, lvm_metadata_t, file)
  files_search_mnt(lvm_t)
  
@@ -42808,7 +42913,7 @@ index 86ef2da..7f649d5 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -242,6 +258,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -242,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -42816,7 +42921,7 @@ index 86ef2da..7f649d5 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -251,8 +268,9 @@ files_read_etc_files(lvm_t)
+@@ -251,8 +269,9 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -42827,7 +42932,7 @@ index 86ef2da..7f649d5 100644
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -262,6 +280,7 @@ fs_rw_anon_inodefs_files(lvm_t)
+@@ -262,6 +281,7 @@ fs_rw_anon_inodefs_files(lvm_t)
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
@@ -42835,7 +42940,7 @@ index 86ef2da..7f649d5 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -309,6 +328,11 @@ ifdef(`distro_redhat',`
+@@ -309,6 +329,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -42847,7 +42952,7 @@ index 86ef2da..7f649d5 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -329,6 +353,10 @@ optional_policy(`
+@@ -329,6 +354,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43298,7 +43403,7 @@ index 8b5c196..b195f9d 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6fe8471..be5821a 100644
+index 6fe8471..139e2c9 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -43348,7 +43453,7 @@ index 6fe8471..be5821a 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -46,8 +68,23 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,59 +68,96 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -43365,14 +43470,14 @@ index 6fe8471..be5821a 100644
  kernel_read_system_state(mount_t)
 +kernel_read_network_state(mount_t)
  kernel_read_kernel_sysctls(mount_t)
+-kernel_dontaudit_getattr_core_if(mount_t)
 +kernel_manage_debugfs(mount_t)
 +kernel_setsched(mount_t)
 +kernel_use_fds(mount_t)
 +kernel_request_load_module(mount_t)
- kernel_dontaudit_getattr_core_if(mount_t)
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
-@@ -55,46 +92,68 @@ kernel_dontaudit_write_proc_dirs(mount_t)
+ 
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -43381,7 +43486,6 @@ index 6fe8471..be5821a 100644
  dev_list_all_dev_nodes(mount_t)
 +dev_read_usbfs(mount_t)
 +dev_read_rand(mount_t)
-+dev_read_sysfs(mount_t)
  dev_read_sysfs(mount_t)
  dev_dontaudit_write_sysfs_dirs(mount_t)
  dev_rw_lvm_control(mount_t)
@@ -43422,6 +43526,7 @@ index 6fe8471..be5821a 100644
  # For reading cert files
  files_read_usr_files(mount_t)
  files_list_mnt(mount_t)
++files_write_all_dirs(mount_t)
  files_dontaudit_write_root_dirs(mount_t)
  
 -fs_getattr_xattr_fs(mount_t)
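Review bot: `files_write_all_dirs(mount_t)` is a new grant that lets mount_t write into every directory type the policy defines, and neither the hunk nor the commit message says which mount operation needs it. A short comment above the line naming the trigger (presumably the tmpfs-backed /var/run and /var/lock setup the commit describes, if that is the case) would make the grant reviewable, and a narrower interface scoped to the directory types actually being mounted over would be preferable if one exists. Note that with this allow in place the adjacent `files_dontaudit_write_root_dirs(mount_t)` becomes redundant, which suggests the earlier policy deliberately stopped short of granting directory writes here.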
@@ -43446,7 +43551,14 @@ index 6fe8471..be5821a 100644
 +fs_manage_cgroup_files(mount_t)
  fs_dontaudit_write_tmpfs_dirs(mount_t)
  
- mls_file_read_all_levels(mount_t)
+-mls_file_read_all_levels(mount_t)
+-mls_file_write_all_levels(mount_t)
++mls_file_read_to_clearance(mount_t)
++mls_file_write_to_clearance(mount_t)
++mls_process_write_to_clearance(mount_t)
+ 
+ selinux_get_enforce_mode(mount_t)
+ 
 @@ -106,6 +165,7 @@ storage_raw_read_fixed_disk(mount_t)
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
@@ -48808,19 +48920,20 @@ index 22ca011..df6b5de 100644
  
  #
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index f7380b3..cabc009 100644
+index f7380b3..51867f6 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
-@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
+@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
  #
  # All socket classes.
  #
 -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+-
 +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
  
- 
  #
-@@ -105,7 +105,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
+ # Datagram socket classes.
+@@ -105,7 +104,7 @@ define(`mount_fs_perms', `{ mount remount unmount getattr }')
  #
  # Permissions for using sockets.
  # 
@@ -48829,7 +48942,7 @@ index f7380b3..cabc009 100644
  
  #
  # Permissions for creating and using sockets.
-@@ -199,12 +199,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+@@ -199,12 +198,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
  #
  define(`getattr_file_perms',`{ getattr }')
  define(`setattr_file_perms',`{ setattr }')
@@ -48846,7 +48959,7 @@ index f7380b3..cabc009 100644
  define(`create_file_perms',`{ getattr create open }')
  define(`rename_file_perms',`{ getattr rename }')
  define(`delete_file_perms',`{ getattr unlink }')
-@@ -225,7 +227,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+@@ -225,7 +226,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
  define(`create_lnk_file_perms',`{ create getattr }')
  define(`rename_lnk_file_perms',`{ getattr rename }')
  define(`delete_lnk_file_perms',`{ getattr unlink }')
@@ -48855,7 +48968,7 @@ index f7380b3..cabc009 100644
  define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
  define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
  define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -238,7 +240,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
+@@ -238,7 +239,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
  define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
  define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
  define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
@@ -48865,7 +48978,7 @@ index f7380b3..cabc009 100644
  define(`create_fifo_file_perms',`{ getattr create open }')
  define(`rename_fifo_file_perms',`{ getattr rename }')
  define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -254,7 +257,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
+@@ -254,7 +256,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
  define(`setattr_sock_file_perms',`{ setattr }')
  define(`read_sock_file_perms',`{ getattr open read }')
  define(`write_sock_file_perms',`{ getattr write open append }')
@@ -48875,7 +48988,7 @@ index f7380b3..cabc009 100644
  define(`create_sock_file_perms',`{ getattr create open }')
  define(`rename_sock_file_perms',`{ getattr rename }')
  define(`delete_sock_file_perms',`{ getattr unlink }')
-@@ -271,7 +275,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
+@@ -271,7 +274,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
  define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
  define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
  define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
@@ -48885,7 +48998,7 @@ index f7380b3..cabc009 100644
  define(`create_blk_file_perms',`{ getattr create }')
  define(`rename_blk_file_perms',`{ getattr rename }')
  define(`delete_blk_file_perms',`{ getattr unlink }')
-@@ -288,7 +293,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
+@@ -288,7 +292,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
  define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
  define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
  define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
@@ -48895,7 +49008,7 @@ index f7380b3..cabc009 100644
  define(`create_chr_file_perms',`{ getattr create }')
  define(`rename_chr_file_perms',`{ getattr rename }')
  define(`delete_chr_file_perms',`{ getattr unlink }')
-@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -305,7 +310,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
  #
  # Use (read and write) terminals
  #
@@ -48905,7 +49018,7 @@ index f7380b3..cabc009 100644
  
  #
  # Sockets
-@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+@@ -317,3 +323,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
  # Keys
  #
  define(`manage_key_perms', `{ create link read search setattr view write } ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b039c72..bfac031 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.10
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 30 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.10-3
+- fixes to allow /var/run and /var/lock as tmpfs
+- Allow chrome sandbox to connect to web ports
+- Allow dovecot to listem on lmtp and sieve ports
+- Allov ddclient to search sysctl_net_t
+- Transition back to original domain if you execute the shell
+
 * Thu Nov 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.10-2
 - Remove duplicate declaration
 

