[selinux-policy: 2820/3172] Update f14

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:11:04 UTC 2010 

commit a947daf6df4fe2bd077e0c42d71d6578eaaa5464
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Aug 26 10:27:35 2010 -0400

    Update f14

 policy/modules/admin/accountsd.fc    |    3 -
 policy/modules/admin/accountsd.if    |  173 --------------------------------
 policy/modules/apps/gnome.if         |  183 ++++++++++++----------------------
 policy/modules/apps/telepathy.te     |    4 +-
 policy/modules/kernel/files.if       |   19 ----
 policy/modules/kernel/terminal.if    |    2 +
 policy/modules/roles/dbadm.te        |   44 ++-------
 policy/modules/services/accountsd.te |    7 ++
 policy/modules/services/cron.te      |    1 +
 policy/modules/system/init.te        |    4 +-
 10 files changed, 85 insertions(+), 355 deletions(-)
---
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index c6a1872..852f36f 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -37,46 +37,26 @@ interface(`gnome_role',`
 
 ########################################
 ## <summary>
-##	Execute gconf programs in
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gnome_exec_gconf',`
-	gen_require(`
-		type gconfd_exec_t;
-	')
-
-	can_exec($1, gconfd_exec_t)
-')
-
-########################################
-## <summary>
-##	Read gconf config files.
+##	gconf connection template.
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
-##	Domain allowed access.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-template(`gnome_read_gconf_config',`
+interface(`gnome_stream_connect_gconf',`
 	gen_require(`
-		type gconf_etc_t;
+		type gconfd_t, gconf_tmp_t;
 	')
 
-	allow $1 gconf_etc_t:dir list_dir_perms;
-	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-	files_search_etc($1)
+	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+	allow $1 gconfd_t:unix_stream_socket connectto;
 ')
 
-#######################################
+########################################
 ## <summary>
-##	Create, read, write, and delete gconf config files.
+##	Run gconfd in gconfd domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -84,70 +64,51 @@ template(`gnome_read_gconf_config',`
 ##	</summary>
 ## </param>
 #
-interface(`gnome_manage_gconf_config',`
+interface(`gnome_domtrans_gconfd',`
 	gen_require(`
-		type gconf_etc_t;
+		type gconfd_t, gconfd_exec_t;
 	')
 
-	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-	files_search_etc($1)
+	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
 ')
 
 ########################################
 ## <summary>
-##	gconf connection template.
+##	Dontaudit search gnome homedir content (.config)
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gnome_stream_connect_gconf',`
-	gen_require(`
-		type gconfd_t, gconf_tmp_t;
-	')
-
-	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-	allow $1 gconfd_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	Run gconfd in gconfd domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_dontaudit_search_config',`
 	gen_require(`
-		type gconfd_t, gconfd_exec_t;
+		attribute gnome_home_type;
 	')
 
-	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+	dontaudit $1 gnome_home_type:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read gnome homedir content (.config)
+##	manage gnome homedir content (.config)
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
-##	Domain allowed access.
+##	The type of the user domain.
 ##	</summary>
 ## </param>
 #
-template(`gnome_read_config',`
+interface(`gnome_manage_config',`
 	gen_require(`
 		attribute gnome_home_type;
 	')
 
-	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
-	read_files_pattern($1, gnome_home_type, gnome_home_type)
-	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+	allow $1 gnome_home_type:dir manage_dir_perms;
+	allow $1 gnome_home_type:file manage_file_perms;
+	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+	userdom_search_user_home_dirs($1)
 ')
 
 ########################################
@@ -258,6 +219,45 @@ interface(`gnome_write_generic_cache_files',`
 
 ########################################
 ## <summary>
+##	read gnome homedir content (.config)
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`gnome_read_config',`
+	gen_require(`
+		attribute gnome_home_type;
+	')
+
+	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+	read_files_pattern($1, gnome_home_type, gnome_home_type)
+	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
+')
+
+########################################
+## <summary>
+##	Set attributes of Gnome config dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_setattr_config_dirs',`
+	gen_require(`
+		type gnome_home_t;
+	')
+
+	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
 ##	Create objects in a Gnome gconf home directory
 ##	with an automatic type transition to
 ##	a specified private type.
@@ -525,62 +525,3 @@ interface(`gnome_dbus_chat_gconfdefault',`
 	allow $1 gconfdefaultsm_t:dbus send_msg;
 	allow gconfdefaultsm_t $1:dbus send_msg;
 ')
-
-########################################
-## <summary>
-##	Dontaudit search gnome homedir content (.config)
-## </summary>
-## <param name="user_domain">
-##	<summary>
-##	The type of the user domain.
-##	</summary>
-## </param>
-#
-interface(`gnome_dontaudit_search_config',`
-	gen_require(`
-		attribute gnome_home_type;
-	')
-
-	dontaudit $1 gnome_home_type:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-##	Set attributes of Gnome config dirs.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gnome_setattr_config_dirs',`
-	gen_require(`
-		type gnome_home_t;
-	')
-
-	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
-	files_search_home($1)
-')
-
-########################################
-## <summary>
-##	manage gnome homedir content (.config)
-## </summary>
-## <param name="user_domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`gnome_manage_config',`
-	gen_require(`
-		attribute gnome_home_type;
-	')
-
-	allow $1 gnome_home_type:dir manage_dir_perms;
-	allow $1 gnome_home_type:file manage_file_perms;
-	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
-	userdom_search_user_home_dirs($1)
-')
-
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index 48b59f9..59867f6 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -50,8 +50,8 @@ manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
-files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
-userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file})
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
 userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
 
 corenet_sendrecv_http_client_packets(telepathy_msn_t)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4b49efa..ef14126 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5310,25 +5310,6 @@ interface(`files_getattr_generic_locks',`
 
 ########################################
 ## <summary>
-##	Delete generic lock files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`files_delete_generic_locks',`
-	gen_require(`
-		type var_t, var_lock_t;
-	')
-
-	allow $1 var_t:dir search_dir_perms;
-	delete_files_pattern($1, var_lock_t, var_lock_t)
-')
-
-########################################
-## <summary>
 ##	Create, read, write, and delete generic
 ##	lock files.
 ## </summary>
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 812078c..f9930a3 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1233,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 #
 interface(`term_getattr_all_ttys',`
 	gen_require(`
+		type tty_device_t;
 		attribute ttynode;
 	')
 
 	dev_list_all_dev_nodes($1)
 	allow $1 ttynode:chr_file getattr;
+	allow $1 tty_device_t:chr_file getattr;
 ')
 
 ########################################
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 1875064..2ddeb70 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -5,56 +5,28 @@ policy_module(dbadm, 1.0.0)
 # Declarations
 #
 
-## <desc>
-## <p>
-## Allow dbadm to manage files in users home directories
-## </p>
-## </desc>
-gen_tunable(dbadm_manage_user_files, false)
-
-## <desc>
-## <p>
-## Allow dbadm to read files in users home directories
-## </p>
-## </desc>
-gen_tunable(dbadm_read_user_files, false)
-
 role dbadm_r;
 
-userdom_base_user_template(dbadm)
+userdom_unpriv_user_template(dbadm)
 
 ########################################
 #
 # database admin local policy
 #
 
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
-
-files_dontaudit_search_all_dirs(dbadm_t)
-files_delete_generic_locks(dbadm_t)
-files_list_var(dbadm_t)
-
-selinux_get_enforce_mode(dbadm_t)
-
-logging_send_syslog_msg(dbadm_t)
-
-userdom_dontaudit_search_user_home_dirs(dbadm_t)
-
-tunable_policy(`dbadm_manage_user_files',`
-	userdom_manage_user_home_content_files(dbadm_t)
-	userdom_read_user_tmp_files(dbadm_t)
-	userdom_write_user_tmp_files(dbadm_t)
+optional_policy(`
+	mysql_admin(dbadm_t, dbadm_r)
 ')
 
-tunable_policy(`dbadm_read_user_files',`
-	userdom_read_user_home_content_files(dbadm_t)
-	userdom_read_user_tmp_files(dbadm_t)
+optional_policy(`
+	postgresql_admin(dbadm_t, dbadm_r)
 ')
 
+# For starting up daemon processes
 optional_policy(`
-	mysql_admin(dbadm_t, dbadm_r)
+	su_role_template(dbadm, dbadm_r, dbadm_t)
 ')
 
 optional_policy(`
-	postgresql_admin(dbadm_t, dbadm_r)
+	sudo_role_template(dbadm, dbadm_r, dbadm_t)
 ')
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
index 1632f10..2724c11 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
 type accountsd_t;
 type accountsd_exec_t;
 dbus_system_domain(accountsd_t, accountsd_exec_t)
+init_daemon_domain(accountsd_t, accountsd_exec_t)
+role system_r types accountsd_t;
 
 type accountsd_var_lib_t;
 files_type(accountsd_var_lib_t)
@@ -55,3 +57,8 @@ optional_policy(`
 optional_policy(`
 	policykit_dbus_chat(accountsd_t)
 ')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(accountsd_t)
+	xserver_manage_xdm_etc_files(accountsd_t)
+')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 691b539..939877a 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -678,6 +678,7 @@ list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow cronjob_t user_cron_spool_t:file create_lnk_perms;
 
 tunable_policy(`fcron_crond', `
 	allow crond_t user_cron_spool_t:file manage_file_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bd9e35e..26a93da 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -446,7 +446,9 @@ files_mounton_default(initrc_t)
 files_manage_mnt_dirs(initrc_t)
 files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs

More information about the scm-commits mailing list