[selinux-policy: 2024/3172] trunk: 7 patches from dan, 1 from eamon.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:59:45 UTC 2010


commit 12c61f36f46852ee72e57e44e0d78ce993b03d9f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 6 17:27:49 2008 +0000

    trunk: 7 patches from dan, 1 from eamon.

 policy/modules/admin/certwatch.te  |   18 +++++++++++++++++-
 policy/modules/admin/kismet.te     |    7 ++++++-
 policy/modules/admin/logrotate.te  |    8 ++++----
 policy/modules/admin/readahead.te  |    4 ++--
 policy/modules/admin/vpn.if        |    1 +
 policy/modules/admin/vpn.te        |    8 ++++----
 policy/modules/kernel/storage.fc   |    1 +
 policy/modules/kernel/storage.te   |    2 +-
 policy/modules/services/xserver.if |    6 ++++++
 policy/modules/services/xserver.te |    2 +-
 10 files changed, 43 insertions(+), 14 deletions(-)
---
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
index 0becba1..74d3726 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
@@ -15,8 +15,17 @@ role system_r types certwatch_t;
 #
 # Local policy
 #
+allow certwatch_t self:capability sys_nice;
+allow certwatch_t self:process { setsched getsched };
+
+dev_read_urand(certwatch_t)
 
 files_read_etc_files(certwatch_t)
+files_read_usr_files(certwatch_t)
+files_read_usr_symlinks(certwatch_t)
+files_list_tmp(certwatch_t)
+
+fs_list_inotifyfs(certwatch_t)
 
 libs_use_ld_so(certwatch_t)
 libs_use_shared_libs(certwatch_t)
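Review bot: certwatch.te appears to be the only module in this commit whose policy_module() version is not bumped, while kismet, logrotate, readahead, vpn, storage and xserver all get one; the policy_module line lies outside this hunk, so this is inferred from the diffstat rather than seen. The new `allow certwatch_t self:capability sys_nice;` and the `setsched` permission also carry no comment, and sys_nice is the kind of capability a policy audit will ask about, so a one-line why-comment above them naming the certwatch operation that needs it would help. Since lowering one's own priority does not require CAP_SYS_NICE on Linux, it is worth confirming against the original denial whether `setsched` alone would do and sys_nice can be dropped.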
@@ -26,8 +35,15 @@ logging_send_syslog_msg(certwatch_t)
 miscfiles_read_certs(certwatch_t)
 miscfiles_read_localization(certwatch_t)
 
-apache_exec_modules(certwatch_t)
+optional_policy(`
+	apache_exec_modules(certwatch_t)
+')
 
 optional_policy(`
 	cron_system_entry(certwatch_t, certwatch_exec_t)
 ')
+
+optional_policy(`
+	pcscd_stream_connect(certwatch_t)
+	pcscd_read_pub_files(certwatch_t)
+')
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 92c9db8..f142503 100644
--- a/policy/modules/admin/kismet.te
+++ b/policy/modules/admin/kismet.te
@@ -1,5 +1,5 @@
 
-policy_module(kismet, 1.0.2)
+policy_module(kismet, 1.0.3)
 
 ########################################
 #
@@ -26,7 +26,10 @@ logging_log_file(kismet_log_t)
 #
 
 allow kismet_t self:capability { net_admin net_raw setuid setgid };
+allow kismet_t self:fifo_file rw_file_perms;
 allow kismet_t self:packet_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket create_socket_perms;
+allow kismet_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
@@ -40,6 +43,8 @@ allow kismet_t kismet_var_run_t:file manage_file_perms;
 allow kismet_t kismet_var_run_t:dir manage_dir_perms;
 files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
 
+kernel_search_debugfs(kismet_t)
+
 corecmd_exec_bin(kismet_t)
 
 auth_use_nsswitch(kismet_t)
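Review bot: `kernel_search_debugfs(kismet_t)` is added without a comment saying what kismet looks for under debugfs, and debugfs access is unusual enough for a userspace capture tool that the next reader will want to know. A short why-comment above the call, naming the subtree or the feature that triggered the denial, would keep the grant auditable; if the path is known, a narrower rule on that location would be preferable to a blanket search over debugfs.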
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 2e9ce3a..a357ed0 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
 
-policy_module(logrotate, 1.9.2)
+policy_module(logrotate, 1.9.3)
 
 ########################################
 #
@@ -97,6 +97,7 @@ files_read_usr_files(logrotate_t)
 files_read_etc_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)
+files_search_all(logrotate_t)
 # Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
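Review bot: `files_search_all(logrotate_t)` grants directory search across every file type, which is a broad rule for a log rotator and sits next to deliberately specific ones such as `files_read_all_pids(logrotate_t)`, yet the line has no comment saying which directory tree needed it. The file already annotates a broad grant directly below (`# Write to /var/spool/slrnpull - should be moved into its own type.`), so a matching line naming the path that logrotate must traverse would fit the style; if a single location is the cause, a search interface scoped to that location would be preferable.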
@@ -167,7 +168,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mailman_exec(logrotate_t)
+	mailman_domtrans(logrotate_t)
 	mailman_search_data(logrotate_t)
 	mailman_manage_log(logrotate_t)
 ')
@@ -189,6 +190,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# cjp: why?
-	squid_domtrans(logrotate_t)
+	squid_signal(logrotate_t)
 ')
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index b0058d0..7dd85b0 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,5 +1,5 @@
 
-policy_module(readahead, 1.6.1)
+policy_module(readahead, 1.6.2)
 
 ########################################
 #
@@ -22,7 +22,7 @@ files_pid_file(readahead_var_run_t)
 # Local policy
 #
 
-allow readahead_t self:capability { dac_override dac_read_search };
+allow readahead_t self:capability { fowner dac_override dac_read_search };
 dontaudit readahead_t self:capability sys_tty_config;
 allow readahead_t self:process signal_perms;
 
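Review bot: `fowner` is added to readahead_t's capability set without a comment, and CAP_FOWNER lets the domain bypass owner checks on operations such as chmod and utime, which is more than a read-ahead daemon obviously needs. The allow should say which operation hit the denial, e.g. a line above it such as `# fowner: needed for <operation taken from the AVC denial> on files readahead does not own` (placeholder to be filled in), so a later audit can judge whether the capability is still required.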
diff --git a/policy/modules/admin/vpn.if b/policy/modules/admin/vpn.if
index afe8f9a..05cfd4e 100644
--- a/policy/modules/admin/vpn.if
+++ b/policy/modules/admin/vpn.if
@@ -48,6 +48,7 @@ interface(`vpn_run',`
 	vpn_domtrans($1)
 	role $2 types vpnc_t;
 	allow vpnc_t $3:chr_file rw_term_perms;
+	sysnet_run_ifconfig(vpnc_t, $2, $3)
 ')
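Review bot: Moving the ifconfig transition from an unconditional `sysnet_domtrans_ifconfig(vpnc_t)` in vpn.te (removed in the last hunk of that file) to `sysnet_run_ifconfig(vpnc_t, $2, $3)` inside vpn_run means the transition now exists only for callers that go through vpn_run; any domain that enters vpnc_t via `vpn_domtrans()` alone would lose it. If such callers exist elsewhere in the tree (not visible here), vpn.te should keep `sysnet_domtrans_ifconfig(vpnc_t)` next to the run variant in vpn.if, since duplicating the domtrans half is harmless. A one-line comment above the new call noting that it lives in vpn_run because of the `role $2` assignment for ifconfig_t would make that split intentional to the next reader.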
 
 ########################################
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index ae69c22..06d3ab2 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
 
-policy_module(vpn, 1.8.0)
+policy_module(vpn, 1.8.1)
 
 ########################################
 #
@@ -22,9 +22,10 @@ files_pid_file(vpnc_var_run_t)
 # Local policy
 #
 
-allow vpnc_t self:capability { dac_override net_admin ipc_lock net_raw };
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
 allow vpnc_t self:process getsched;
-allow vpnc_t self:fifo_file { getattr ioctl read write };
+allow vpnc_t self:fifo_file rw_fifo_file_perms;
+allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
 allow vpnc_t self:tcp_socket create_stream_socket_perms;
 allow vpnc_t self:udp_socket create_socket_perms;
 allow vpnc_t self:rawip_socket create_socket_perms;
@@ -102,7 +103,6 @@ miscfiles_read_localization(vpnc_t)
 seutil_dontaudit_search_config(vpnc_t)
 seutil_use_newrole_fds(vpnc_t)
 
-sysnet_domtrans_ifconfig(vpnc_t)
 sysnet_etc_filetrans_config(vpnc_t)
 sysnet_manage_config(vpnc_t)
 
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3a63d3a..bba1939 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -27,6 +27,7 @@
 /dev/mcdx?		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.*		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 75524d9..2b90409 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
 
-policy_module(storage, 1.6.1)
+policy_module(storage, 1.6.2)
 
 ########################################
 #
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 18fa881..4f8acef 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -77,6 +77,9 @@ template(`xserver_common_domain_template',`
 	files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
 
 	filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
+	ifdef(`enable_mls',`
+		range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh;
+	')
 
 	manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
 	manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
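Review bot: The two new `ifdef(`enable_mls',` blocks (here and in the following hunk of this file) add range_transition rules to `s0 - mls_systemhigh` with no comment, while the neighbouring rule in the second hunk is annotated (`# Labeling rules for default windows and colormaps`). A short comment above each stating why the xserver socket and the root window must span the full range (presumably so clients at any sensitivity level can reach them — to be confirmed by the author) would save the next reader from reconstructing the MLS reasoning. The enclosing template starts outside the hunk.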
@@ -95,6 +98,9 @@ template(`xserver_common_domain_template',`
 
 	# Labeling rules for default windows and colormaps
 	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
+	ifdef(`enable_mls',`
+		range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
+	')
 
 	kernel_read_system_state($1_xserver_t)
 	kernel_read_device_sysctls($1_xserver_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f71f5c6..e132600 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
 
-policy_module(xserver, 2.1.1)
+policy_module(xserver, 2.1.2)
 
 ########################################
 #

