[selinux-policy: 1453/3172] patch from dan Thu, 18 May 2006 11:56:22 -0400

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:10:58 UTC 2010


commit 87eb5c84e7e491197eda48684c060de9a52a2927
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri May 19 14:02:24 2006 +0000

    patch from dan Thu, 18 May 2006 11:56:22 -0400

 refpolicy/policy/global_tunables               |    8 ++++++++
 refpolicy/policy/modules/admin/consoletype.te  |    9 ++++++++-
 refpolicy/policy/modules/admin/prelink.te      |    3 ++-
 refpolicy/policy/modules/kernel/mls.te         |    4 +++-
 refpolicy/policy/modules/kernel/terminal.if    |    2 +-
 refpolicy/policy/modules/kernel/terminal.te    |    2 +-
 refpolicy/policy/modules/services/amavis.fc    |    1 +
 refpolicy/policy/modules/services/amavis.te    |   20 ++++++++++++++++++--
 refpolicy/policy/modules/services/bind.te      |    5 ++++-
 refpolicy/policy/modules/services/bluetooth.te |    5 +++--
 refpolicy/policy/modules/services/cups.te      |    5 ++++-
 refpolicy/policy/modules/services/hal.te       |    3 ++-
 refpolicy/policy/modules/services/pyzor.fc     |    4 ++++
 refpolicy/policy/modules/services/pyzor.te     |    2 +-
 refpolicy/policy/modules/services/rpc.te       |   10 +++++++++-
 refpolicy/policy/modules/services/xfs.if       |   20 ++++++++++++++++++++
 refpolicy/policy/modules/services/xfs.te       |   11 ++++++++---
 refpolicy/policy/modules/system/init.te        |    3 ++-
 refpolicy/policy/modules/system/selinuxutil.fc |    2 ++
 refpolicy/policy/modules/system/selinuxutil.te |   22 +++++++++++++++++++---
 refpolicy/policy/modules/system/setrans.te     |    6 ++++--
 refpolicy/policy/modules/system/sysnetwork.te  |    6 +++++-
 refpolicy/policy/modules/system/xen.fc         |    1 +
 refpolicy/policy/modules/system/xen.te         |   15 +++++++++++----
 24 files changed, 141 insertions(+), 28 deletions(-)
---
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 39a28ce..245a956 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -87,6 +87,14 @@ gen_tunable(allow_kerberos,false)
 
 ## <desc>
 ## <p>
+## Allow nfs servers to modify public files
+## used for public file transfer services.
+## </p>
+## </desc>
+gen_tunable(allow_nfsd_anon_write,false)
+
+## <desc>
+## <p>
 ## Allow rsync to modify public files
 ## used for public file transfer services.
 ## </p>
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 6e1250e..84a5306 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -1,5 +1,5 @@
 
-policy_module(consoletype,1.0.0)
+policy_module(consoletype,1.0.1)
 
 ########################################
 #
@@ -107,3 +107,10 @@ optional_policy(`
 optional_policy(`
 	userdom_use_unpriv_users_fds(consoletype_t)
 ')
+
+optional_policy(`
+	kernel_read_xen_state(consoletype_t)
+	kernel_write_xen_state(consoletype_t)
+	xen_append_log(consoletype_t)
+	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+')
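Review bot: `kernel_write_xen_state(consoletype_t)` grants write access to the xen state to a tool whose job is to report the console type, and neither this hunk nor the matching additions for dhcpc_t and ifconfig_t in the two sysnetwork.te hunks say what write is needed for. If the need is only to detect that the process is running under xen, `kernel_read_xen_state` alone would be the tighter grant; if the write was observed in a denial, a one-line comment such as `# run from xen's domain scripts; needs xenstore read/write` (presumed reason, confirm) should record it. Wrapping the block in optional_policy is correct since the xen_* interfaces are the conditional part.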
diff --git a/refpolicy/policy/modules/admin/prelink.te b/refpolicy/policy/modules/admin/prelink.te
index 3ec1132..f8bc84d 100644
--- a/refpolicy/policy/modules/admin/prelink.te
+++ b/refpolicy/policy/modules/admin/prelink.te
@@ -1,5 +1,5 @@
 
-policy_module(prelink,1.1.1)
+policy_module(prelink,1.1.2)
 
 ########################################
 #
@@ -10,6 +10,7 @@ attribute prelink_object;
 type prelink_t;
 type prelink_exec_t;
 init_system_domain(prelink_t,prelink_exec_t)
+domain_obj_id_change_exemption(prelink_t)
 
 type prelink_cache_t;
 files_type(prelink_cache_t)
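Review bot: `domain_obj_id_change_exemption(prelink_t)` lifts the constraint that stops a domain from creating or relabeling files under a different SELinux user, a notable widening for a tool that rewrites installed binaries, and the line carries no justification. A comment such as `# prelink recreates binaries in place and must keep the original file's SELinux user` (presumably the reason; confirm against the denial that prompted it) would let a later reviewer judge whether the exemption is still needed.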
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index f2ea7e1..819a2df 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
 
-policy_module(mls,1.3.0)
+policy_module(mls,1.3.1)
 
 ########################################
 #
@@ -57,6 +57,7 @@ attribute mlsrangetrans;
 #
 
 type lvm_exec_t;
+type run_init_t;
 type setrans_exec_t;
 
 ifdef(`enable_mls',`
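Review bot: `type run_init_t;` now lives in mls.te with no comment, while the selinuxutil.te hunk that replaces the original declaration explains the move ("real declaration moved to mls until range transitions work in modules"); the rationale belongs at the declaration too, or the next reader will take it for a stray type. Suggested: `# run_init_t is declared here, not in selinuxutil, until range transitions work in modules`. The declaration sits outside the enable_mls ifdef block, which looks intentional so that selinuxutil.te's gen_require resolves on non-MLS builds as well, and that is worth a word in the same comment.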
@@ -64,4 +65,5 @@ range_transition initrc_t auditd_exec_t s15:c0.c255;
 range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 range_transition kernel_t lvm_exec_t s0 - s15:c0.c255;
 range_transition initrc_t setrans_exec_t s15:c0.c255;
+range_transition run_init_t initrc_exec_t s0 - s15:c0.c255;
 ')
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index f21191a..04b2dc2 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -430,7 +430,7 @@ interface(`term_dontaudit_use_generic_ptys',`
 		type devpts_t;
 	')
 
-	dontaudit $1 devpts_t:chr_file { getattr read write };
+	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index dde69ea..9fa8156 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.1)
+policy_module(terminal,1.1.2)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/amavis.fc b/refpolicy/policy/modules/services/amavis.fc
index b9b789d..96f2fcd 100644
--- a/refpolicy/policy/modules/services/amavis.fc
+++ b/refpolicy/policy/modules/services/amavis.fc
@@ -8,4 +8,5 @@
 /var/lib/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_lib_t,s0)
 /var/log/amavisd\.log		--	gen_context(system_u:object_r:amavis_var_log_t,s0)
 /var/run/amavis(/.*)?			gen_context(system_u:object_r:amavis_var_run_t,s0)
+/var/spool/amavisd(/.*)?		gen_context(system_u:object_r:amavis_spool_t,s0)
 /var/virusmails(/.*)?			gen_context(system_u:object_r:amavis_quarantine_t,s0)
diff --git a/refpolicy/policy/modules/services/amavis.te b/refpolicy/policy/modules/services/amavis.te
index 34313e2..918fa7e 100644
--- a/refpolicy/policy/modules/services/amavis.te
+++ b/refpolicy/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.0.3)
+policy_module(amavis,1.0.4)
 
 ########################################
 #
@@ -35,12 +35,15 @@ files_tmp_file(amavis_tmp_t)
 type amavis_quarantine_t;
 files_type(amavis_quarantine_t)
 
+type amavis_spool_t;
+files_type(amavis_spool_t)
+
 ########################################
 #
 # amavis local policy
 #
 
-allow amavis_t self:capability { chown dac_override setgid setuid };
+allow amavis_t self:capability { kill chown dac_override setgid setuid };
 dontaudit amavis_t self:capability sys_tty_config;
 allow amavis_t self:process { signal sigchld signull };
 allow amavis_t self:fifo_file rw_file_perms;
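Review bot: the `kill` capability added to amavis_t's self:capability set has no comment explaining it, and CAP_KILL lets the daemon signal processes owned by other uids, which is wider than the process:signal permissions on self that the next line already grants. The reason (presumably the master process signalling worker children that dropped to a different uid — confirm against the denial) should be recorded: `# CAP_KILL: master signals worker children running under another uid`. The new amavis_spool_t declaration here and its manage rules in the later hunk are consistent with the amavis.fc entry.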
@@ -58,6 +61,11 @@ allow amavis_t amavis_quarantine_t:file create_file_perms;
 allow amavis_t amavis_quarantine_t:sock_file create_file_perms;
 allow amavis_t amavis_quarantine_t:dir create_dir_perms;
 
+# Spool Files
+allow amavis_t amavis_spool_t:dir manage_dir_perms;
+allow amavis_t amavis_spool_t:file manage_file_perms;
+files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
+
 # tmp files
 allow amavis_t amavis_tmp_t:file create_file_perms;
 allow amavis_t amavis_tmp_t:dir { rw_dir_perms setattr };
@@ -82,8 +90,10 @@ allow amavis_t amavis_var_run_t:sock_file manage_file_perms;
 allow amavis_t amavis_var_run_t:dir rw_dir_perms;
 files_pid_filetrans(amavis_t,amavis_var_run_t, { file sock_file })
 
+kernel_read_kernel_sysctls(amavis_t)
 # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl...
 kernel_dontaudit_list_proc(amavis_t)
+kernel_dontaudit_read_system_state(amavis_t)
 
 # find perl
 corecmd_exec_bin(amavis_t)
@@ -115,6 +125,7 @@ auth_dontaudit_read_shadow(amavis_t)
 
 init_use_fds(amavis_t)
 init_use_script_ptys(amavis_t)
+init_stream_connect_script(amavis_t)
 
 libs_use_ld_so(amavis_t)
 libs_use_shared_libs(amavis_t)
@@ -134,8 +145,13 @@ cron_rw_pipes(amavis_t)
 
 mta_read_config(amavis_t)
 
+ifdef(`targeted_policy',`
+	term_dontaudit_use_generic_ptys(amavis_t)
+')
+
 optional_policy(`
 	clamav_stream_connect(amavis_t)
+	clamav_domtrans_clamscan(amavis_t)
 ')
 
 optional_policy(`
diff --git a/refpolicy/policy/modules/services/bind.te b/refpolicy/policy/modules/services/bind.te
index ba9721d..15cd2e7 100644
--- a/refpolicy/policy/modules/services/bind.te
+++ b/refpolicy/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
 
-policy_module(bind,1.1.3)
+policy_module(bind,1.1.4)
 
 ########################################
 #
@@ -123,6 +123,8 @@ term_dontaudit_use_console(named_t)
 
 corecmd_search_sbin(named_t)
 
+dev_read_urand(named_t)
+
 domain_use_interactive_fds(named_t)
 
 files_read_etc_files(named_t)
@@ -137,6 +139,7 @@ libs_use_shared_libs(named_t)
 logging_send_syslog_msg(named_t)
 
 miscfiles_read_localization(named_t)
+miscfiles_read_certs(named_t)
 
 sysnet_read_config(named_t)
 
diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te
index 2cac58b..1950541 100644
--- a/refpolicy/policy/modules/services/bluetooth.te
+++ b/refpolicy/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
 
-policy_module(bluetooth,1.2.4)
+policy_module(bluetooth,1.2.5)
 
 ########################################
 #
@@ -211,6 +211,7 @@ sysnet_read_config(bluetooth_helper_t)
 
 ifdef(`targeted_policy',`
 	files_rw_generic_tmp_sockets(bluetooth_helper_t)
+	files_manage_generic_tmp_files(bluetooth_helper_t)
 
 	fs_rw_tmpfs_files(bluetooth_helper_t)
 
@@ -218,7 +219,7 @@ ifdef(`targeted_policy',`
 
 	unconfined_stream_connect(bluetooth_helper_t)
 
-	userdom_read_all_users_home_content_files(bluetooth_helper_t)
+	userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
 
 	optional_policy(`
 		xserver_stream_connect_xdm(bluetooth_helper_t)
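Review bot: replacing `userdom_read_all_users_home_content_files` with `userdom_manage_generic_user_home_content_files` moves bluetooth_helper_t from read-only access on home content to create, write and delete on generic user home content, and nothing in the hunk says why. If this is for files received over bluetooth (inferred, not visible here), a comment stating so belongs above the call, and a dedicated home type with a filetrans would confine the helper to the files it creates rather than everything under the user's home. At minimum: `# write received files into the user's home directory`.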
diff --git a/refpolicy/policy/modules/services/cups.te b/refpolicy/policy/modules/services/cups.te
index 7c3fbcb..37c3f43 100644
--- a/refpolicy/policy/modules/services/cups.te
+++ b/refpolicy/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.3.3)
+policy_module(cups,1.3.4)
 
 ########################################
 #
@@ -672,6 +672,7 @@ allow cupsd_lpd_t self:process signal_perms;
 allow cupsd_lpd_t self:fifo_file rw_file_perms;
 allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
 allow cupsd_lpd_t self:udp_socket create_socket_perms;
+allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
 
 # for identd
 # cjp: this should probably only be inetd_child rules?
@@ -731,6 +732,8 @@ miscfiles_read_localization(cupsd_lpd_t)
 
 sysnet_read_config(cupsd_lpd_t)
 
+cups_stream_connect(cupsd_lpd_t)
+
 optional_policy(`
 	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
 ')
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index dc4af08..499e339 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal,1.3.6)
+policy_module(hal,1.3.7)
 
 ########################################
 #
@@ -93,6 +93,7 @@ files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
+files_read_kernel_img(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
diff --git a/refpolicy/policy/modules/services/pyzor.fc b/refpolicy/policy/modules/services/pyzor.fc
index 1b6d31e..71e71c8 100644
--- a/refpolicy/policy/modules/services/pyzor.fc
+++ b/refpolicy/policy/modules/services/pyzor.fc
@@ -5,3 +5,7 @@
 
 /var/lib/pyzord(/.*)?		gen_context(system_u:object_r:pyzor_var_lib_t,s0)
 /var/log/pyzord.log	--	gen_context(system_u:object_r:pyzord_log_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+')
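Review bot: the new strict_policy entry labels HOME_DIR/.pyzor with `ROLE_pyzor_home_t`, but this commit only bumps pyzor.te's version and does not touch pyzor.if, so the per-role template that would declare that type is not visible here; if it does not already exist, the file context references an undeclared type. A sentence in the commit message, or a follow-up adding the template, would close that gap. The entry otherwise follows the HOME_DIR/ROLE substitution pattern used elsewhere in refpolicy.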
diff --git a/refpolicy/policy/modules/services/pyzor.te b/refpolicy/policy/modules/services/pyzor.te
index ab12af3..1bfd609 100644
--- a/refpolicy/policy/modules/services/pyzor.te
+++ b/refpolicy/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
 
-policy_module(pyzor,1.0.0)
+policy_module(pyzor,1.0.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 9c03855..f8403b7 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.3)
+policy_module(rpc,1.2.4)
 
 ########################################
 #
@@ -111,9 +111,17 @@ files_getattr_tmp_dirs(nfsd_t)
 # cjp: this should really have its own type
 files_manage_mounttab(rpcd_t)
 
+# Read access to public_content_t and public_content_rw_t
+miscfiles_read_public_files(nfsd_t)
+
 portmap_tcp_connect(nfsd_t) 
 portmap_udp_chat(nfsd_t)
 
+# Write access to public_content_t and public_content_rw_t
+tunable_policy(`allow_nfsd_anon_write',`
+	miscfiles_manage_public_files(nfsd_t)
+') 
+
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
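Review bot: the comment `# Write access to public_content_t and public_content_rw_t` above the new tunable block appears to overstate what it guards: if `miscfiles_manage_public_files` has its usual refpolicy meaning it grants manage only on public_content_rw_t, while public_content_t stays read-only by design, so the comment should read `# Write access to public_content_rw_t`. The read comment on the earlier added line is accurate as written. The closing `') ` of the tunable_policy block carries trailing whitespace, matching the pre-existing `portmap_tcp_connect(nfsd_t) ` line above it; both are worth trimming.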
diff --git a/refpolicy/policy/modules/services/xfs.if b/refpolicy/policy/modules/services/xfs.if
index 92ec773..d8bf4d1 100644
--- a/refpolicy/policy/modules/services/xfs.if
+++ b/refpolicy/policy/modules/services/xfs.if
@@ -41,3 +41,23 @@ interface(`xfs_stream_connect',`
 	allow $1 xfs_tmp_t:sock_file write;
 	allow $1 xfs_t:unix_stream_socket connectto;
 ')
+
+
+########################################
+## <summary>
+##	Allow the specified domain to execute xfs
+##	in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xfs_exec',`
+	gen_require(`
+		type xfs_exec_t;
+	')
+
+	can_exec($1,xfs_exec_t)
+')
diff --git a/refpolicy/policy/modules/services/xfs.te b/refpolicy/policy/modules/services/xfs.te
index 6c5eac8..b48189d 100644
--- a/refpolicy/policy/modules/services/xfs.te
+++ b/refpolicy/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
 
-policy_module(xfs,1.0.1)
+policy_module(xfs,1.0.2)
 
 ########################################
 #
@@ -42,19 +42,22 @@ allow xfs_t xfs_tmp_t:unix_stream_socket name_bind;
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 
+corecmd_list_bin(xfs_t)
+corecmd_list_sbin(xfs_t)
+
 dev_read_sysfs(xfs_t)
 
 fs_getattr_all_fs(xfs_t)
 fs_search_auto_mountpoints(xfs_t)
 
-term_dontaudit_use_console(xfs_t)
-
 domain_use_interactive_fds(xfs_t)
 
 files_read_etc_files(xfs_t)
 files_read_etc_runtime_files(xfs_t)
 files_read_usr_files(xfs_t)
 
+term_dontaudit_use_console(xfs_t)
+
 init_use_fds(xfs_t)
 init_use_script_ptys(xfs_t)
 
@@ -69,6 +72,8 @@ miscfiles_read_fonts(xfs_t)
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 userdom_dontaudit_search_sysadm_home_dirs(xfs_t)
 
+xfs_exec(xfs_t)
+
 ifdef(`distro_debian',`
 	# for /tmp/.font-unix/fs7100
 	init_script_tmp_filetrans(xfs_t,xfs_tmp_t,sock_file)
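Review bot: `xfs_exec(xfs_t)` calls the xfs module's own interface from its own .te file, which refpolicy convention avoids because interfaces exist for other modules and a module's own rules are written directly; the direct form is `can_exec(xfs_t, xfs_exec_t)` with a comment on why xfs re-executes its own binary, since the hunk does not say. The new xfs_exec interface in xfs.if remains useful for external callers, but this line should not be the reason it exists.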
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 761985c..6e8ac96 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.12)
+policy_module(init,1.3.13)
 
 gen_require(`
 	class passwd rootok;
@@ -374,6 +374,7 @@ mls_file_write_down(initrc_t)
 mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
+mls_rangetrans_target(initrc_t)
 
 modutils_read_module_config(initrc_t)
 modutils_domtrans_insmod(initrc_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.fc b/refpolicy/policy/modules/system/selinuxutil.fc
index 34698ad..8cb4179 100644
--- a/refpolicy/policy/modules/system/selinuxutil.fc
+++ b/refpolicy/policy/modules/system/selinuxutil.fc
@@ -36,6 +36,8 @@
 /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
 /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
 /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 ifdef(`distro_debian', `
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index cd2d18a..63d0d75 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.2.6)
+policy_module(selinuxutil,1.2.7)
 
 gen_require(`
 	bool secure_mode;
@@ -92,7 +92,11 @@ role system_r types restorecond_t;
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
 
-type run_init_t;
+# real declaration moved to mls until
+# range transitions work in modules
+gen_require(`
+	type run_init_t;
+')
 type run_init_exec_t;
 domain_type(run_init_t)
 domain_entry_file(run_init_t,run_init_exec_t)
@@ -447,7 +451,7 @@ libs_use_shared_libs(restorecond_t)
 
 logging_send_syslog_msg(restorecond_t)
 
-miscfiles_read_localization(run_init_t)
+miscfiles_read_localization(restorecond_t)
 
 #################################
 #
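Review bot: changing `miscfiles_read_localization(run_init_t)` to `miscfiles_read_localization(restorecond_t)` fixes what looks like a copy-paste error in the restorecond section, but it also removes localization read from run_init_t unless run_init's own section grants it; that section is outside this hunk, so please confirm it does, otherwise run_init loses locale access with this commit. A mention in the commit message would help, since the one-line title gives no hint that a domain's access was retargeted.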
@@ -461,6 +465,8 @@ selinux_compute_create_context(run_init_t)
 selinux_compute_relabel_context(run_init_t)
 selinux_compute_user_contexts(run_init_t)
 
+mls_rangetrans_source(run_init_t)
+
 ifdef(`direct_sysadm_daemon',`',`
 	ifdef(`distro_gentoo',`
 		# Gentoo integrated run_init:
@@ -526,6 +532,8 @@ ifdef(`targeted_policy',`',`
 #
 
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
+allow semanage_t self:unix_dgram_socket create_socket_perms;
+allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
 allow semanage_t policy_config_t:file { read write };
 
@@ -535,6 +543,8 @@ kernel_read_kernel_sysctls(semanage_t)
 corecmd_exec_bin(semanage_t)
 corecmd_exec_sbin(semanage_t)
 
+dev_read_urand(semanage_t)
+
 files_read_etc_files(semanage_t)
 files_read_usr_files(semanage_t)
 files_list_pids(semanage_t)
@@ -544,6 +554,8 @@ mls_rangetrans_target(semanage_t)
 mls_file_read_up(semanage_t)
 
 selinux_get_enforce_mode(semanage_t)
+# for setsebool:
+selinux_set_boolean(semanage_t)
 
 term_use_all_terms(semanage_t)
 
@@ -551,6 +563,8 @@ libs_use_ld_so(semanage_t)
 libs_use_shared_libs(semanage_t)
 libs_use_lib_files(semanage_t)
 
+logging_send_syslog_msg(semanage_t)
+
 miscfiles_read_localization(semanage_t)
 
 seutil_search_default_contexts(semanage_t)
@@ -565,6 +579,8 @@ seutil_manage_module_store(semanage_t)
 seutil_get_semanage_trans_lock(semanage_t)
 seutil_get_semanage_read_lock(semanage_t)
 
+userdom_search_sysadm_home_dirs(semanage_t)
+
 ifdef(`targeted_policy',`
 # Handle pp files created in homedir and /tmp
 	files_read_generic_tmp_files(semanage_t)
diff --git a/refpolicy/policy/modules/system/setrans.te b/refpolicy/policy/modules/system/setrans.te
index 3a7700f..4ef391e 100644
--- a/refpolicy/policy/modules/system/setrans.te
+++ b/refpolicy/policy/modules/system/setrans.te
@@ -1,5 +1,5 @@
 
-policy_module(setrans,1.0.0)
+policy_module(setrans,1.0.1)
 
 ########################################
 #
@@ -23,7 +23,8 @@ mls_trusted_object(setrans_var_run_t)
 # setrans local policy
 #
 
-allow setrans_t self:process { setcap signal_perms };
+allow setrans_t self:capability sys_resource;
+allow setrans_t self:process { setrlimit setcap signal_perms };
 allow setrans_t self:unix_stream_socket create_stream_socket_perms;
 allow setrans_t self:unix_dgram_socket create_socket_perms;
 allow setrans_t self:netlink_selinux_socket create_socket_perms;
@@ -57,6 +58,7 @@ selinux_compute_access_vector(setrans_t)
 term_dontaudit_use_generic_ptys(setrans_t)
 
 init_use_fds(setrans_t)
+init_dontaudit_use_script_ptys(setrans_t)
 
 libs_use_ld_so(setrans_t)
 libs_use_shared_libs(setrans_t)
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index a988732..3391137 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.1.4)
+policy_module(sysnetwork,1.1.5)
 
 ########################################
 #
@@ -247,6 +247,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kernel_read_xen_state(dhcpc_t)
+	kernel_write_xen_state(dhcpc_t)
 	xen_append_log(dhcpc_t)
 	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
 ')
@@ -349,6 +351,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+	kernel_read_xen_state(ifconfig_t)
+	kernel_write_xen_state(ifconfig_t)
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
diff --git a/refpolicy/policy/modules/system/xen.fc b/refpolicy/policy/modules/system/xen.fc
index e7cf147..8547b2e 100644
--- a/refpolicy/policy/modules/system/xen.fc
+++ b/refpolicy/policy/modules/system/xen.fc
@@ -12,6 +12,7 @@
 /var/log/xend-debug\.log --	gen_context(system_u:object_r:xend_var_log_t,s0)
 
 /var/run/xenconsoled\.pid --	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
+/var/run/xend(/.*)?		gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
index e4ca619..f8e183c 100644
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.3)
+policy_module(xen,1.0.4)
 
 ########################################
 #
@@ -77,7 +77,7 @@ allow xend_t self:packet_socket create_socket_perms;
 # pid file
 allow xend_t xend_var_run_t:file manage_file_perms;
 allow xend_t xend_var_run_t:sock_file manage_file_perms;
-allow xend_t xend_var_run_t:dir rw_dir_perms;
+allow xend_t xend_var_run_t:dir { setattr rw_dir_perms };
 files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
 
 # log files
@@ -153,10 +153,12 @@ sysnet_dns_name_resolve(xend_t)
 sysnet_delete_dhcpc_pid(xend_t)
 sysnet_read_dhcpc_pid(xend_t)
 
-consoletype_exec(xend_t)
-
 xen_stream_connect_xenstore(xend_t)
 
+optional_policy(`
+	consoletype_domtrans(xend_t)
+')
+
 ########################################
 #
 # Xen console local policy
@@ -180,6 +182,7 @@ kernel_read_xen_state(xenconsoled_t)
 
 term_create_pty(xenconsoled_t,xen_devpts_t);
 term_dontaudit_use_generic_ptys(xenconsoled_t)
+term_use_console(xenconsoled_t)
 
 init_use_fds(xenconsoled_t)
 
@@ -198,6 +201,7 @@ xen_stream_connect_xenstore(xenconsoled_t)
 
 allow xenstored_t self:capability { dac_override mknod ipc_lock };
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
 # pid file
 allow xenstored_t xenstored_var_run_t:file manage_file_perms;
@@ -220,12 +224,15 @@ dev_filetrans_xen(xenstored_t)
 dev_rw_xen(xenstored_t)
 
 term_dontaudit_use_generic_ptys(xenstored_t)
+term_dontaudit_use_console(xenconsoled_t)
 
 init_use_fds(xenstored_t)
 
 libs_use_ld_so(xenstored_t)
 libs_use_shared_libs(xenstored_t)
 
+logging_send_syslog_msg(xenstored_t)
+
 miscfiles_read_localization(xenstored_t)
 
 xen_append_log(xenstored_t)
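Review bot: `term_dontaudit_use_console(xenconsoled_t)` is added inside the xenstored local policy — every neighbouring rule in this hunk is on xenstored_t — and xenconsoled_t already receives `term_use_console` in the earlier hunk, which makes a dontaudit on it redundant; the intended line is almost certainly `term_dontaudit_use_console(xenstored_t)`. As written, the console denial for xenstored that presumably prompted the line will keep being audited. `logging_send_syslog_msg(xenstored_t)` below it is correctly targeted.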

