[selinux-policy/f13/master] - Allow smartd to read usr files - Allow devicekit-power transition to dhcpc - Add label for /etc/ti
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 5 15:34:10 UTC 2010
commit e78b123ec2421cfa801be44ad4ad58478d1ec9d2
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 5 17:34:04 2010 +0200
- Allow smartd to read usr files
- Allow devicekit-power transition to dhcpc
- Add label for /etc/timezone
- Remove transition from unconfined_t to iptables_t
policy-F13.patch | 298 +++++++++++++++++++++++++++++++++------------------
selinux-policy.spec | 8 ++-
2 files changed, 201 insertions(+), 105 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index a164e61..9590022 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2543,7 +2543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.fc
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.19/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-09-13 15:56:30.021085395 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-10-05 16:40:27.236667890 +0200
@@ -32,6 +32,7 @@
gen_require(`
@@ -2562,7 +2562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
##############################
#
# Local Policy
-@@ -73,12 +77,16 @@
+@@ -73,17 +77,23 @@
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
@@ -2580,7 +2580,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
-@@ -134,7 +142,11 @@
+ kernel_link_key($1_sudo_t)
+
++ application_signal($1_sudo_t)
++
+ corecmd_read_bin_symlinks($1_sudo_t)
+ corecmd_exec_all_executables($1_sudo_t)
+
+@@ -134,7 +144,11 @@
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
@@ -7132,9 +7139,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-09-01 12:20:15.387083633 +0200
-@@ -0,0 +1,402 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-10-05 16:12:11.355651521 +0200
+@@ -0,0 +1,403 @@
+policy_module(sandbox,1.0.0)
++
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
@@ -7493,7 +7501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+optional_policy(`
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
-+ nsplugin_manage_rw(sandbox_web_type)
++# nsplugin_manage_rw(sandbox_web_type)
+')
+
+optional_policy(`
@@ -12626,8 +12634,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if
--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-09-09 11:07:14.850085218 +0200
-@@ -0,0 +1,687 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.if 2010-10-05 17:05:35.898651111 +0200
+@@ -0,0 +1,706 @@
+## <summary>Unconfiend user role</summary>
+
+########################################
@@ -12975,6 +12983,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ dontaudit $1 unconfined_t:fifo_file rw_file_perms;
+')
+
++#######################################
++## <summary>
++## Do not audit attempts to read and write
++## unconfined domain netlink_route_socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`unconfined_dontaudit_netlink_route_socket',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ dontaudit $1 unconfined_t:netlink_route_socket { read write };
++')
++
+########################################
+## <summary>
+## Do not audit attempts to read and write
@@ -13317,8 +13344,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-09-23 13:17:47.400386803 +0200
-@@ -0,0 +1,457 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-10-05 16:53:14.162651746 +0200
+@@ -0,0 +1,453 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -13485,10 +13512,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
+ ')
+
+ optional_policy(`
-+ iptables_run(unconfined_usertype, unconfined_r)
-+ ')
-+
-+ optional_policy(`
+ networkmanager_dbus_chat(unconfined_usertype)
+ ')
+
@@ -15576,7 +15599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-09-09 13:07:21.400085528 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-10-05 16:57:44.624651594 +0200
@@ -19,11 +19,13 @@
# Declarations
#
@@ -16002,7 +16025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
-+ smokeping_getattr_lib_files(httpd_t)
++ smokeping_read_lib_files(httpd_t)
+')
+
+optional_policy(`
@@ -18706,14 +18729,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.19/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/consolekit.if 2010-05-28 09:42:00.085610890 +0200
-@@ -55,5 +55,44 @@
++++ serefpolicy-3.7.19/policy/modules/services/consolekit.if 2010-10-05 16:31:31.267651526 +0200
+@@ -55,5 +55,62 @@
')
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ logging_search_logs($1)
+')
+
++#######################################
++## <summary>
++## Dontaudit attempts to read consolekit log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`consolekit_dontaudit_read_log',`
++ gen_require(`
++ type consolekit_log_t;
++ ')
++
++ dontaudit $1 consolekit_log_t:file read_file_perms;
++')
++
+########################################
+## <summary>
+## Manage consolekit log files.
@@ -18730,8 +18771,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ ')
+
+ manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
-+ files_search_pids($1)
-+')
+ files_search_pids($1)
+ ')
+
+########################################
+## <summary>
@@ -18748,9 +18789,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+ type consolekit_var_run_t;
+ ')
+
- files_search_pids($1)
++ files_search_pids($1)
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
- ')
++')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.19/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-04-13 20:44:37.000000000 +0200
@@ -20635,7 +20676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
admin_pattern($1, devicekit_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.19/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-10-01 15:15:06.194599521 +0200
++++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-10-05 16:46:24.302651295 +0200
@@ -42,6 +42,8 @@
files_read_etc_files(devicekit_t)
@@ -20816,7 +20857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
-@@ -167,12 +227,17 @@
+@@ -167,12 +227,18 @@
files_read_etc_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
@@ -20830,11 +20871,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
+sysnet_read_config(devicekit_power_t)
+sysnet_domtrans_ifconfig(devicekit_power_t)
++sysnet_domtrans_dhcpc(devicekit_power_t)
+
userdom_read_all_users_state(devicekit_power_t)
optional_policy(`
-@@ -180,6 +245,10 @@
+@@ -180,6 +246,10 @@
')
optional_policy(`
@@ -20845,7 +20887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -190,6 +259,7 @@
+@@ -190,6 +260,7 @@
optional_policy(`
networkmanager_dbus_chat(devicekit_power_t)
@@ -20853,7 +20895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
')
optional_policy(`
-@@ -203,17 +273,23 @@
+@@ -203,17 +274,23 @@
optional_policy(`
hal_domtrans_mac(devicekit_power_t)
@@ -32554,7 +32596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-09-23 13:18:50.383386842 +0200
++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-10-05 16:48:57.914651451 +0200
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -32606,6 +32648,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
+@@ -255,7 +264,7 @@
+ manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
+ manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
+ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
+-allow smbd_t samba_share_t:filesystem getattr;
++allow smbd_t samba_share_t:filesystem { getattr quotaget };
+
+ manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
@@ -275,6 +284,8 @@
allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
@@ -32615,7 +32666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
-@@ -306,8 +317,11 @@
+@@ -306,16 +317,21 @@
dev_read_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
@@ -32627,7 +32678,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
fs_get_xattr_fs_quotas(smbd_t)
fs_search_auto_mountpoints(smbd_t)
fs_getattr_rpc_dirs(smbd_t)
-@@ -316,6 +330,7 @@
++fs_get_all_fs_quotas(smbd_t)
+ fs_list_inotifyfs(smbd_t)
+
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
@@ -32635,7 +32688,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -325,6 +340,9 @@
+@@ -325,6 +341,9 @@
files_read_etc_runtime_files(smbd_t)
files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
@@ -32645,7 +32698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -337,10 +355,13 @@
+@@ -337,10 +356,13 @@
miscfiles_read_public_files(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
@@ -32660,7 +32713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -352,19 +373,19 @@
+@@ -352,19 +374,19 @@
')
tunable_policy(`samba_domain_controller',`
@@ -32686,7 +32739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
# Support Samba sharing of NFS mount points
-@@ -376,6 +397,15 @@
+@@ -376,6 +398,15 @@
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -32702,7 +32755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
-@@ -391,6 +421,11 @@
+@@ -391,6 +422,11 @@
')
optional_policy(`
@@ -32714,7 +32767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
rpc_search_nfs_state_data(smbd_t)
')
-@@ -405,13 +440,15 @@
+@@ -405,13 +441,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -32731,7 +32784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -420,8 +457,8 @@
+@@ -420,8 +458,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
@@ -32741,7 +32794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
-@@ -518,13 +555,13 @@
+@@ -518,13 +556,13 @@
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t nmbd_t:process { signal signull };
@@ -32759,7 +32812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -536,6 +573,8 @@
+@@ -536,6 +574,8 @@
miscfiles_read_localization(smbcontrol_t)
@@ -32768,7 +32821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbmount Local policy
-@@ -618,7 +657,7 @@
+@@ -618,7 +658,7 @@
# SWAT Local policy
#
@@ -32777,7 +32830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +665,25 @@
+@@ -626,23 +666,25 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
@@ -32811,7 +32864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
-@@ -657,11 +698,14 @@
+@@ -657,11 +699,14 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -32827,7 +32880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
kernel_read_network_state(swat_t)
-@@ -700,6 +744,8 @@
+@@ -700,6 +745,8 @@
miscfiles_read_localization(swat_t)
@@ -32836,7 +32889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +759,23 @@
+@@ -713,12 +760,23 @@
kerberos_use(swat_t)
')
@@ -32861,7 +32914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -763,6 +820,7 @@
+@@ -763,6 +821,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
@@ -32869,7 +32922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corecmd_exec_bin(winbind_t)
-@@ -779,6 +837,9 @@
+@@ -779,6 +838,9 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -32879,7 +32932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-@@ -788,7 +849,7 @@
+@@ -788,7 +850,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -32888,7 +32941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t)
-@@ -866,6 +927,18 @@
+@@ -866,6 +928,18 @@
#
optional_policy(`
@@ -32907,7 +32960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -876,9 +949,12 @@
+@@ -876,9 +950,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -33497,8 +33550,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.19/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-05-28 09:42:00.186610872 +0200
-@@ -83,6 +83,8 @@
++++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-10-05 16:29:21.802651275 +0200
+@@ -73,6 +73,7 @@
+ files_read_etc_runtime_files(fsdaemon_t)
+ # for config
+ files_read_etc_files(fsdaemon_t)
++files_read_usr_files(fsdaemon_t)
+
+ fs_getattr_all_fs(fsdaemon_t)
+ fs_search_auto_mountpoints(fsdaemon_t)
+@@ -83,6 +84,8 @@
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
@@ -33509,7 +33570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.19/policy/modules/services/smokeping.te
--- nsaserefpolicy/policy/modules/services/smokeping.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/smokeping.te 2010-05-28 09:42:00.187610526 +0200
++++ serefpolicy-3.7.19/policy/modules/services/smokeping.te 2010-10-05 16:58:22.852651336 +0200
@@ -24,6 +24,7 @@
# smokeping local policy
#
@@ -33526,6 +33587,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
logging_send_syslog_msg(smokeping_t)
+@@ -65,6 +67,7 @@
+ allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
+
+ manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
++ manage_dirs_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
+
+ getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.19/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2010-04-13 20:44:36.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-09-16 16:46:09.199637062 +0200
@@ -40246,8 +40315,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc
--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-06-28 14:07:11.666276142 +0200
-@@ -76,12 +76,18 @@
++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-10-05 16:46:33.947667684 +0200
+@@ -10,6 +10,7 @@
+ #
+ /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
++/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
+ /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
+ ifdef(`distro_redhat',`
+@@ -76,12 +77,18 @@
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
@@ -42401,7 +42478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-07-21 09:34:24.436135014 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2010-10-05 17:05:56.764651628 +0200
@@ -1,11 +1,18 @@
-policy_module(sysnetwork, 1.10.3)
@@ -42530,7 +42607,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -360,3 +396,9 @@
+@@ -348,6 +384,7 @@
+
+ optional_policy(`
+ unconfined_dontaudit_rw_pipes(ifconfig_t)
++ unconfined_dontaudit_netlink_route_socket(ifconfig_t)
+ ')
+
+ optional_policy(`
+@@ -360,3 +397,9 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -43412,7 +43497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-09-16 15:44:29.987386896 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-10-05 16:30:49.672651409 +0200
@@ -30,8 +30,9 @@
')
@@ -44302,7 +44387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
loadkeys_run($1_t,$1_r)
')
')
-@@ -871,45 +1007,83 @@
+@@ -871,45 +1007,89 @@
#
auth_role($1_r, $1_t)
@@ -44311,6 +44396,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- dev_read_sound($1_t)
- dev_write_sound($1_t)
++ auth_dontaudit_read_login_records($1_usertype)
++
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
@@ -44351,6 +44438,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_rw_config($1_usertype)
++ ')
++
++ optional_policy(`
++ consolekit_dontaudit_read_log($1_usertype)
')
optional_policy(`
@@ -44401,7 +44492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -944,7 +1118,7 @@
+@@ -944,7 +1124,7 @@
#
# Inherit rules for ordinary users.
@@ -44410,7 +44501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
userdom_common_user_template($1)
##############################
-@@ -953,54 +1127,77 @@
+@@ -953,54 +1133,77 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -44426,8 +44517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
-
- ifndef(`enable_mls',`
- fs_exec_noxattr($1_t)
-+ storage_rw_fuse($1_t)
-
+-
- tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
- fs_manage_noxattr_fs_dirs($1_t)
@@ -44438,7 +44528,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- storage_raw_read_removable_device($1_t)
- ')
- ')
--
++ storage_rw_fuse($1_t)
+
- tunable_policy(`user_dmesg',`
- kernel_read_ring_buffer($1_t)
- ',`
@@ -44475,20 +44566,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+ optional_policy(`
+ gpg_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ gnomeclock_dbus_chat($1_t)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
-+ gpm_stream_connect($1_usertype)
++ gnomeclock_dbus_chat($1_t)
')
optional_policy(`
- setroubleshoot_stream_connect($1_t)
++ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
+ execmem_role_template($1, $1_r, $1_t)
+ ')
+
@@ -44518,7 +44609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
')
-@@ -1036,7 +1233,7 @@
+@@ -1036,7 +1239,7 @@
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -44527,7 +44618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
##############################
-@@ -1071,6 +1268,9 @@
+@@ -1071,6 +1274,9 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -44537,7 +44628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1085,6 +1285,7 @@
+@@ -1085,6 +1291,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -44545,7 +44636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1116,10 +1317,13 @@
+@@ -1116,10 +1323,13 @@
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -44559,7 +44650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1139,6 +1343,7 @@
+@@ -1139,6 +1349,7 @@
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -44567,7 +44658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1207,6 +1412,8 @@
+@@ -1207,6 +1418,8 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -44576,7 +44667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1234,6 +1441,7 @@
+@@ -1234,6 +1447,7 @@
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -44584,7 +44675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1272,11 +1480,15 @@
+@@ -1272,11 +1486,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -44600,7 +44691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,6 +1599,7 @@
+@@ -1387,6 +1605,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -44608,7 +44699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1433,6 +1646,14 @@
+@@ -1433,6 +1652,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -44623,7 +44714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1669,11 @@
+@@ -1448,9 +1675,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -44635,7 +44726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1730,42 @@
+@@ -1507,6 +1736,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -44678,7 +44769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1581,6 +1840,8 @@
+@@ -1581,6 +1846,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -44687,7 +44778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1595,10 +1856,12 @@
+@@ -1595,10 +1862,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -44702,7 +44793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1641,6 +1904,24 @@
+@@ -1641,6 +1910,24 @@
########################################
## <summary>
@@ -44727,7 +44818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1692,10 +1973,30 @@
+@@ -1692,10 +1979,30 @@
type user_home_dir_t, user_home_t;
')
@@ -44758,7 +44849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Do not audit attempts to read user home files.
-@@ -1708,11 +2009,14 @@
+@@ -1708,11 +2015,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -44776,7 +44867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1802,8 +2106,7 @@
+@@ -1802,8 +2112,7 @@
type user_home_dir_t, user_home_t;
')
@@ -44786,7 +44877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1815,25 +2118,18 @@
+@@ -1815,24 +2124,17 @@
## Domain allowed access.
## </summary>
## </param>
@@ -44804,19 +44895,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
## <summary>
- ## Do not audit attempts to execute user home files.
-@@ -1866,6 +2162,7 @@
+@@ -1866,6 +2168,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -44824,7 +44914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2399,25 @@
+@@ -2102,6 +2405,25 @@
########################################
## <summary>
@@ -44850,7 +44940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to list user
## temporary directories.
## </summary>
-@@ -2218,6 +2534,25 @@
+@@ -2218,6 +2540,25 @@
########################################
## <summary>
@@ -44876,7 +44966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
## </summary>
-@@ -2427,13 +2762,14 @@
+@@ -2427,13 +2768,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -44892,7 +44982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary>
## <param name="domain">
## <summary>
-@@ -2454,6 +2790,24 @@
+@@ -2454,6 +2796,24 @@
########################################
## <summary>
@@ -44917,7 +45007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2747,6 +3101,25 @@
+@@ -2747,6 +3107,25 @@
########################################
## <summary>
@@ -44943,7 +45033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -2787,7 +3160,7 @@
+@@ -2787,7 +3166,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -44952,7 +45042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3176,13 @@
+@@ -2803,11 +3182,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -44968,7 +45058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2944,7 +3319,7 @@
+@@ -2944,7 +3325,7 @@
type user_tmp_t;
')
@@ -44977,7 +45067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3356,7 @@
+@@ -2981,6 +3362,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -44985,7 +45075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3487,724 @@
+@@ -3111,3 +3493,724 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f5758e8..7b14e27 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 63%{?dist}
+Release: 64%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Tue Oct 5 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-64
+- Allow smartd to read usr files
+- Allow devicekit-power transition to dhcpc
+- Add label for /etc/timezone
+- Remove transition from unconfined_t to iptables_t
+
* Fri Oct 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-63
- Allow devicekit-power domtrans to NetworkManager
- Allow passwd to use the console, all ttys and all ptys
More information about the scm-commits
mailing list