[selinux-policy/f14/master] - Allow mdadm_t to read/write hugetlbfs

Daniel J Walsh dwalsh at fedoraproject.org
Wed Sep 1 14:13:02 UTC 2010


commit c57a085dd8c561df4ddf30c79a29c71f04003eec
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Sep 1 10:13:03 2010 -0400

    - Allow mdadm_t to read/write hugetlbfs

 policy-F14.patch    |  133 +++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |    5 ++-
 2 files changed, 96 insertions(+), 42 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 64d2e9a..a02a159 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -544,7 +544,7 @@ index 72bc6d8..5421065 100644
  ')
  
 diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
-index db780c2..2c438d9 100644
+index db780c2..fd55ce2 100644
 --- a/policy/modules/admin/firstboot.te
 +++ b/policy/modules/admin/firstboot.te
 @@ -91,6 +91,10 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
@@ -558,7 +558,18 @@ index db780c2..2c438d9 100644
  	dbus_system_bus_client(firstboot_t)
  
  	optional_policy(`
-@@ -121,6 +125,7 @@ optional_policy(`
+@@ -99,6 +103,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	iptables_domtrans(firstboot_t)
++')
++
++optional_policy(`
+ 	nis_use_ypbind(firstboot_t)
+ ')
+ 
+@@ -121,6 +129,7 @@ optional_policy(`
  ')
  
  optional_policy(`
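Review bot: `iptables_domtrans(firstboot_t)` is a new privilege grant — firstboot can now execute iptables in its own domain — and neither the commit message nor the spec changelog records it, since both only mention mdadm_t and hugetlbfs. A one-line justification next to the rule would help the next reader, for example `# firstboot runs iptables to apply the initial firewall setup — confirm against the denial that motivated this`. The optional_policy block is visible in full, but the rest of firstboot.te lies outside the hunk.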
@@ -7173,10 +7184,19 @@ index 2ecdde8..f118873 100644
  network_port(zope, tcp,8021,s0)
  
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 3b2da10..7eed11d 100644
+index 3b2da10..18f3f4c 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
-@@ -176,13 +176,12 @@ ifdef(`distro_suse', `
+@@ -159,6 +159,8 @@ ifdef(`distro_suse', `
+ 
+ /dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ 
++/dev/hugepages(/.*)?		<<none>>
++/dev/mqueue(/.*)?		<<none>>
+ /dev/pts(/.*)?			<<none>>
+ 
+ /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
+@@ -176,13 +178,12 @@ ifdef(`distro_suse', `
  
  /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
  
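Review bot: The new `/dev/hugepages(/.*)?` and `/dev/mqueue(/.*)?` entries are `<<none>>`, so restorecon/setfiles will leave those paths alone and their labels depend entirely on the filesystem-level rule for hugetlbfs and mqueue (presumably a genfscon or fs_use_trans in filesystem.te, which is not in this hunk). The same applies to the `/sys/fs/cgroup(/.*)?` change in the filesystem.fc hunk further down. A comment stating which rule supplies the label, e.g. `# labeled by the hugetlbfs/mqueue filesystem rules in filesystem.te, not by file_contexts`, would stop a later cleanup from reintroducing a conflicting gen_context entry.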
@@ -7192,7 +7212,7 @@ index 3b2da10..7eed11d 100644
  
  ifdef(`distro_redhat',`
  # originally from named.fc
-@@ -191,3 +190,8 @@ ifdef(`distro_redhat',`
+@@ -191,3 +192,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -8500,7 +8520,7 @@ index 07352a5..12e9ecf 100644
  #Temporarily in policy until FC5 dissappears
  typealias etc_runtime_t alias firstboot_rw_t;
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index 9306de6..9a1e6a7 100644
+index 9306de6..41dfd80 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
 @@ -1,3 +1,4 @@
@@ -8508,7 +8528,7 @@ index 9306de6..9a1e6a7 100644
  
 -/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
 +/cgroup(/.*)? 	 	gen_context(system_u:object_r:cgroup_t,s0)
-+/sys/fs/cgroup(/.*)?  	gen_context(system_u:object_r:cgroup_t,s0)
++/sys/fs/cgroup(/.*)?  	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
 index e3e17ba..3b34959 100644
 --- a/policy/modules/kernel/filesystem.if
@@ -8746,7 +8766,7 @@ index e3e17ba..3b34959 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 56c3408..30bc860 100644
+index 56c3408..3f4cf3d 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -8799,7 +8819,15 @@ index 56c3408..30bc860 100644
  type vmblock_t;
  fs_noxattr_type(vmblock_t)
  files_mountpoint(vmblock_t)
-@@ -247,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -168,6 +185,7 @@ fs_type(tmpfs_t)
+ files_type(tmpfs_t)
+ files_mountpoint(tmpfs_t)
+ files_poly_parent(tmpfs_t)
++dev_associate(tmpfs_t)
+ 
+ # Use a transition SID based on the allocating task SID and the
+ # filesystem SID to label inodes in the following filesystem types,
+@@ -247,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
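Review bot: `dev_associate(tmpfs_t)` lets tmpfs_t-labeled files reside on a device_t filesystem, which widens the set of types that may associate with /dev, and the hunk gives no hint why, although it looks related to the new `<<none>>` entries for /dev/hugepages and /dev/mqueue in the devices.fc hunk above. The same grant is added for devpts_t in the terminal.te hunk that follows. A why-comment such as `# mounts placed under devtmpfs need their type to associate with device_t — confirm which mounts` would tie the pieces together. The rest of the tmpfs_t declaration block sits outside the hunk.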
@@ -9167,6 +9195,18 @@ index 492bf76..f9930a3 100644
  ')
  
  ########################################
+diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
+index 646bbcf..a5deade 100644
+--- a/policy/modules/kernel/terminal.te
++++ b/policy/modules/kernel/terminal.te
+@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
+ fs_associate_tmpfs(devpts_t)
+ fs_type(devpts_t)
+ fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
++dev_associate(devpts_t)
+ 
+ #
+ # devtty_t is the type of /dev/tty.
 diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
 index 252913b..a1bbe8f 100644
 --- a/policy/modules/roles/auditadm.te
@@ -10422,7 +10462,7 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..821d0dd
+index 0000000..177e89c
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,462 @@
@@ -10654,7 +10694,7 @@ index 0000000..821d0dd
 +')
 +
 +optional_policy(`
-+	chrome_role(unconfined_r, unconfined_t)
++	chrome_role(unconfined_r, unconfined_usertype)
 +')
 +
 +optional_policy(`
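Review bot: Replacing `unconfined_t` with the `unconfined_usertype` attribute in `chrome_role(unconfined_r, unconfined_usertype)` extends the chrome sandbox role to every domain carrying that attribute rather than a single type, so this is a scope widening rather than a rename and deserves a changelog line, which currently only records the hugetlbfs change. The attribute declaration is in the new unconfineduser.te outside this hunk, so whether every member is meant to gain the role cannot be checked here.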
@@ -17401,7 +17441,7 @@ index 7cf6763..5b9771e 100644
 +	dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
 +')
 diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..188cd75 100644
+index 24c6253..e72b063 100644
 --- a/policy/modules/services/hal.te
 +++ b/policy/modules/services/hal.te
 @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -17431,7 +17471,7 @@ index 24c6253..188cd75 100644
  dev_rw_generic_usb_dev(hald_t)
  dev_setattr_generic_usb_dev(hald_t)
  dev_setattr_usbfs_files(hald_t)
-@@ -211,14 +215,19 @@ seutil_read_config(hald_t)
+@@ -211,13 +215,19 @@ seutil_read_config(hald_t)
  seutil_read_default_contexts(hald_t)
  seutil_read_file_contexts(hald_t)
  
@@ -17446,13 +17486,13 @@ index 24c6253..188cd75 100644
  
  userdom_dontaudit_use_unpriv_user_fds(hald_t)
  userdom_dontaudit_search_user_home_dirs(hald_t)
- 
-+netutils_domtrans(hald_t)
++userdom_stream_connect(hald_t)
 +
++netutils_domtrans(hald_t)
+ 
  optional_policy(`
  	alsa_domtrans(hald_t)
- 	alsa_read_rw_config(hald_t)
-@@ -268,6 +277,10 @@ optional_policy(`
+@@ -268,6 +278,10 @@ optional_policy(`
  ')
  
  optional_policy(`
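Review bot: `userdom_stream_connect(hald_t)` gives hald a new ability to connect to unix stream sockets of user domains, and nothing in the hunk or the changelog says which socket hald needs. A comment on the rule recording the denial that prompted it, e.g. `# hald connects to a user-session socket — record which one here`, keeps the grant auditable; if a single service socket is involved, a narrower service-specific interface would be preferable to the userdom-wide one. The rest of the hald_t rules run outside this hunk.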
@@ -17463,7 +17503,7 @@ index 24c6253..188cd75 100644
  	gpm_dontaudit_getattr_gpmctl(hald_t)
  ')
  
-@@ -318,6 +331,10 @@ optional_policy(`
+@@ -318,6 +332,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17474,7 +17514,7 @@ index 24c6253..188cd75 100644
  	udev_domtrans(hald_t)
  	udev_read_db(hald_t)
  ')
-@@ -338,6 +355,10 @@ optional_policy(`
+@@ -338,6 +356,10 @@ optional_policy(`
  	virt_manage_images(hald_t)
  ')
  
@@ -17485,7 +17525,7 @@ index 24c6253..188cd75 100644
  ########################################
  #
  # Hal acl local policy
-@@ -358,6 +379,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +380,7 @@ files_search_var_lib(hald_acl_t)
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -17493,7 +17533,7 @@ index 24c6253..188cd75 100644
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -470,6 +492,10 @@ files_read_usr_files(hald_keymap_t)
+@@ -470,6 +493,10 @@ files_read_usr_files(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
  
@@ -26807,7 +26847,7 @@ index 6f1e3c7..39c2bb3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..a1d911d 100644
+index da2601a..a5b3186 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -26947,7 +26987,7 @@ index da2601a..a1d911d 100644
  ')
  
  #######################################
-@@ -476,6 +505,7 @@ template(`xserver_user_x_domain_template',`
+@@ -476,11 +505,16 @@ template(`xserver_user_x_domain_template',`
  	xserver_use_user_fonts($2)
  
  	xserver_read_xdm_tmp_files($2)
@@ -26955,7 +26995,16 @@ index da2601a..a1d911d 100644
  
  	# X object manager
  	xserver_object_types_template($1)
-@@ -545,6 +575,27 @@ interface(`xserver_domtrans_xauth',`
+ 	xserver_common_x_domain_template($1,$2)
+ 
++	tunable_policy(`user_direct_dri',`
++		dev_rw_dri($2)
++	')
++
+ 	# Client write xserver shm
+ 	tunable_policy(`allow_write_xshm',`
+ 		allow $2 xserver_t:shm rw_shm_perms;
+@@ -545,6 +579,27 @@ interface(`xserver_domtrans_xauth',`
  	')
  
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
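Review bot: The new `tunable_policy(`user_direct_dri',` block grants `dev_rw_dri($2)` to every user X domain when the boolean is on, but the `gen_tunable` declaration for user_direct_dri is not in this hunk, so its existence and default cannot be confirmed here; it should default to false if the intent is opt-in access to /dev/dri. A short comment above the block, e.g. `# direct rendering: user domains get rw on /dev/dri only while user_direct_dri is enabled`, would make the gating explicit. The template continues outside the hunk on both sides.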
@@ -26983,7 +27032,7 @@ index da2601a..a1d911d 100644
  ')
  
  ########################################
-@@ -598,6 +649,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +653,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -26991,7 +27040,7 @@ index da2601a..a1d911d 100644
  ')
  
  ########################################
-@@ -725,10 +777,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -725,10 +781,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -27004,7 +27053,7 @@ index da2601a..a1d911d 100644
  ')
  
  ########################################
-@@ -805,7 +859,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +863,7 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -27013,7 +27062,7 @@ index da2601a..a1d911d 100644
  ')
  
  ########################################
-@@ -916,7 +970,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +974,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -27022,7 +27071,7 @@ index da2601a..a1d911d 100644
  ')
  
  ########################################
-@@ -963,6 +1017,44 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1021,44 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -27067,7 +27116,7 @@ index da2601a..a1d911d 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -1072,6 +1164,8 @@ interface(`xserver_domtrans',`
+@@ -1072,6 +1168,8 @@ interface(`xserver_domtrans',`
  
   	allow $1 xserver_t:process siginh;
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
@@ -27076,7 +27125,7 @@ index da2601a..a1d911d 100644
  ')
  
  ########################################
-@@ -1224,9 +1318,20 @@ interface(`xserver_manage_core_devices',`
+@@ -1224,9 +1322,20 @@ interface(`xserver_manage_core_devices',`
  		class x_device all_x_device_perms;
  		class x_pointer all_x_pointer_perms;
  		class x_keyboard all_x_keyboard_perms;
@@ -27097,7 +27146,7 @@ index da2601a..a1d911d 100644
  ')
  
  ########################################
-@@ -1250,3 +1355,329 @@ interface(`xserver_unconfined',`
+@@ -1250,3 +1359,329 @@ interface(`xserver_unconfined',`
  	typeattribute $1 x_domain;
  	typeattribute $1 xserver_unconfined_type;
  ')
@@ -27428,7 +27477,7 @@ index da2601a..a1d911d 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8084740..60da940 100644
+index 8084740..4b4ddc3 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@@ -27845,7 +27894,7 @@ index 8084740..60da940 100644
  
  corecmd_exec_shell(xdm_t)
  corecmd_exec_bin(xdm_t)
-@@ -390,11 +536,14 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -390,18 +536,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -27858,9 +27907,10 @@ index 8084740..60da940 100644
  
 +dev_rwx_zero(xdm_t)
  dev_read_rand(xdm_t)
- dev_read_sysfs(xdm_t)
+-dev_read_sysfs(xdm_t)
++dev_rw_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -402,6 +551,7 @@ dev_setattr_framebuffer_dev(xdm_t)
+ dev_setattr_framebuffer_dev(xdm_t)
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
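Review bot: Changing `dev_read_sysfs(xdm_t)` to `dev_rw_sysfs(xdm_t)` lets the display manager write anywhere under /sys, which covers far more than whatever node xdm actually needs, and the hunk does not say which one. If the write target is a single sysfs file, a dedicated type or a narrower interface is the safer fix; otherwise a comment such as `# xdm writes to sysfs — record the node and denial here` should document the reason for the widening. The xdm_t rule block continues outside the hunk.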
@@ -29118,7 +29168,7 @@ index a97a096..dd65c15 100644
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..f7828f1 100644
+index a442acc..e8dd9c8 100644
 --- a/policy/modules/system/fstools.te
 +++ b/policy/modules/system/fstools.te
 @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -29129,16 +29179,17 @@ index a442acc..f7828f1 100644
  # Allow console log change (updfstab)
  kernel_change_ring_buffer_level(fsadm_t)
  # mkreiserfs needs this
-@@ -117,6 +118,8 @@ fs_remount_xattr_fs(fsadm_t)
+@@ -117,6 +118,9 @@ fs_remount_xattr_fs(fsadm_t)
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
 +fs_manage_nfs_files(fsadm_t)
 +fs_manage_cifs_files(fsadm_t)
++fs_rw_hugetlbfs_files(fsadm_t)
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -147,12 +150,16 @@ modutils_read_module_deps(fsadm_t)
+@@ -147,12 +151,16 @@ modutils_read_module_deps(fsadm_t)
  
  seutil_read_config(fsadm_t)
  
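Review bot: The changelog says the hugetlbfs access is for mdadm_t, but the rule added here is `fs_rw_hugetlbfs_files(fsadm_t)`, so the grant lands on the whole fsadm domain rather than on mdadm_t; if mdadm runs as fsadm_t under this policy the changelog should say so, and if a separate mdadm_t exists the rule is on the wrong domain. A comment on the line, e.g. `# mdadm needs rw on hugetlbfs files — confirm this is the domain mdadm runs in`, would make the intent checkable. The definition of fs_rw_hugetlbfs_files is not visible here, so its exact scope cannot be confirmed from this hunk.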
@@ -29156,7 +29207,7 @@ index a442acc..f7828f1 100644
  ')
  
  optional_policy(`
-@@ -166,6 +173,14 @@ optional_policy(`
+@@ -166,6 +174,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29171,7 +29222,7 @@ index a442acc..f7828f1 100644
  	nis_use_ypbind(fsadm_t)
  ')
  
-@@ -175,6 +190,10 @@ optional_policy(`
+@@ -175,6 +191,10 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 00a2004..8e708af 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Aug 31 2010 Dan Walsh <dwalsh at redhat.com> 3.9.1-3
+- Allow mdadm_t to read/write hugetlbfs
+
 * Tue Aug 30 2010 Dan Walsh <dwalsh at redhat.com> 3.9.1-2
 - Dominic Grift Cleanup
 - Miroslav Grepl policy for jabberd

