[selinux-policy/f13/master] - Allow clmvd to create tmpfs files

Miroslav Grepl mgrepl at fedoraproject.org
Thu Sep 2 14:29:26 UTC 2010


commit ffc913c51419352e7f25fe6deb890328746498fa
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Sep 2 16:29:16 2010 +0200

    - Allow clmvd to create tmpfs files

 policy-F13.patch    |  138 ++++++++++++++++++++++++++++++++++++++++----------
 selinux-policy.spec |    5 ++-
 2 files changed, 114 insertions(+), 29 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 34dd0cc..1533331 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -10621,7 +10621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +/cgroup(/.*)?           gen_context(system_u:object_r:cgroup_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if	2010-08-10 16:52:17.722085152 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if	2010-09-02 13:53:43.031083801 +0200
 @@ -559,6 +559,24 @@
  
  ########################################
@@ -10660,11 +10660,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  	')
  
 -	allow $1 cifs_t:filesystem getattr;
-+	allow $1 cgroup_t:filesystem getattr;
- ')
- 
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
 -##      list dirs on cgroup
 -##      file systems.
 -## </summary>
@@ -10681,10 +10680,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 -        ')
 -
 -        list_dirs_pattern($1, cgroup_t, cgroup_t)
--')
--
--########################################
--## <summary>
++	allow $1 cgroup_t:filesystem getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
 -##	Do not audit attempts to read
 -##	dirs on a CIFS or SMB filesystem.
 +##	list dirs on cgroup
@@ -10938,7 +10938,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3870,6 +4018,24 @@
+@@ -3812,6 +3960,24 @@
+ 	rw_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Delete generic tmpfs files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_delete_tmpfs_files',`
++    gen_require(`
++        type tmpfs_t;
++    ')
++
++	allow $1 tmpfs_t:file delete_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read tmpfs link files.
+@@ -3870,6 +4036,24 @@
  
  ########################################
  ## <summary>
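Review bot: The body of the new `fs_delete_tmpfs_files` interface indents `gen_require(` and `type tmpfs_t;` with spaces but the `allow` line with a tab, unlike the neighbouring interfaces (the `rw_files_pattern` line above it uses a tab); use tabs throughout. More importantly, `delete_file_perms` on `tmpfs_t` lets every caller unlink any file still carrying the generic tmpfs label, not only files it created itself, and since this same commit introduces a dedicated `clvmd_tmpfs_t` type the generic grant may be wider than the only caller (corosync) needs. At minimum the summary should spell out the scope, e.g. `## Delete generic tmpfs files (any file left with the default tmpfs_t label, not a domain-specific tmpfs type).`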
@@ -10963,7 +10988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4432,6 +4598,44 @@
+@@ -4432,6 +4616,44 @@
  
  ########################################
  ## <summary>
@@ -11008,7 +11033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Do not audit attempts to get the attributes
  ##	of all files with a filesystem type.
  ## </summary>
-@@ -4549,3 +4753,24 @@
+@@ -4549,3 +4771,24 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
  ')
@@ -18329,8 +18354,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te
 --- nsaserefpolicy/policy/modules/services/corosync.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.te	2010-08-04 14:57:52.139335328 +0200
-@@ -0,0 +1,140 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.te	2010-09-02 12:55:05.057085167 +0200
+@@ -0,0 +1,145 @@
 +
 +policy_module(corosync,1.0.0)
 +
@@ -18444,6 +18469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 +
 +tunable_policy(`allow_corosync_rw_tmpfs',`
 +	fs_rw_tmpfs_files(corosync_t)
++	fs_delete_tmpfs_files(corosync_t)
 +')
 +
 +optional_policy(`
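Review bot: `fs_delete_tmpfs_files(corosync_t)` is added under the `allow_corosync_rw_tmpfs` tunable, so enabling a boolean described as read/write now also grants deletion of generic tmpfs files; the tunable's `<desc>` block (earlier in corosync.te, outside this hunk) should be updated to say so, e.g. `## Allow corosync to read, write and delete generic tmpfs files.` If the files corosync needs to remove are clvmd's, the domain-specific access added in the next hunk may already cover it and this generic grant could be dropped; worth confirming against the denial that prompted it.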
@@ -18455,6 +18481,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 +')
 +
 +optional_policy(`
++	lvm_rw_clvmd_tmpfs_files(corosync_t)
++')
++
++optional_policy(`
 +	# to communication with RHCS
 +	rhcs_rw_cluster_shm(corosync_t)
 +	rhcs_rw_cluster_semaphores(corosync_t)
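Review bot: The new `optional_policy` block calling `lvm_rw_clvmd_tmpfs_files(corosync_t)` carries no explanation of why corosync needs clvmd's tmpfs files, whereas the RHCS block directly below it has a why-comment; add one above the call, e.g. `# clvmd tmpfs files (clvmd_tmpfs_t, defined in lvm.te)`, ideally naming the denial it resolves.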
@@ -22397,7 +22427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if
 --- nsaserefpolicy/policy/modules/services/kerberos.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if	2010-05-28 09:42:00.117610715 +0200
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if	2010-09-02 15:07:11.046335422 +0200
 @@ -74,7 +74,7 @@
  	')
  
@@ -30716,8 +30746,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.7.19/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/rlogin.te	2010-05-28 09:42:00.174610693 +0200
-@@ -89,6 +89,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/rlogin.te	2010-09-02 15:07:41.711106623 +0200
+@@ -69,6 +69,7 @@
+ fs_getattr_xattr_fs(rlogind_t)
+ fs_search_auto_mountpoints(rlogind_t)
+ 
++auth_login_pgm_domain(rlogind_t)
+ auth_domtrans_chk_passwd(rlogind_t)
+ auth_rw_login_records(rlogind_t)
+ auth_use_nsswitch(rlogind_t)
+@@ -89,6 +90,7 @@
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
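Review bot: `auth_login_pgm_domain(rlogind_t)` is a broad grant — it marks the domain as a full login program with the accompanying credential and authentication permissions, not a targeted fix — and nothing in the commit message or the spec changelog (`- Allow clmvd to create tmpfs files`) mentions rlogind at all. If I recall correctly that interface already includes `auth_domtrans_chk_passwd` and `auth_rw_login_records`, which would make the two lines following it redundant; worth checking against system/authlogin.if. The changelog entry should list this change, and a short comment above the call should state which denial prompted it so the wide grant can be revisited later.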
@@ -38165,7 +38203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
  /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if
 --- nsaserefpolicy/policy/modules/system/lvm.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.if	2010-05-28 09:42:00.505610658 +0200
++++ serefpolicy-3.7.19/policy/modules/system/lvm.if	2010-09-02 13:55:45.873084762 +0200
 @@ -34,7 +34,7 @@
  		type lvm_exec_t;
  	')
@@ -38175,10 +38213,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
  	can_exec($1, lvm_exec_t)
  ')
  
+@@ -123,3 +123,22 @@
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
+ ')
++
++######################################
++## <summary>
++## Read and write to clvmd temporary file system.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`lvm_rw_clvmd_tmpfs_files',`
++        gen_require(`
++                type clvmd_tmpfs_t;
++        ')
++
++        allow $1 clvmd_tmpfs_t:file rw_file_perms;
++        allow $1 clvmd_tmpfs_t:file unlink;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.te	2010-05-28 09:42:00.505610658 +0200
-@@ -142,6 +142,11 @@
++++ serefpolicy-3.7.19/policy/modules/system/lvm.te	2010-09-02 13:43:13.984335270 +0200
+@@ -13,6 +13,9 @@
+ type clvmd_initrc_exec_t;
+ init_script_file(clvmd_initrc_exec_t)
+ 
++type clvmd_tmpfs_t;
++files_tmpfs_file(clvmd_tmpfs_t)
++
+ type clvmd_var_run_t;
+ files_pid_file(clvmd_var_run_t)
+ 
+@@ -57,6 +60,10 @@
+ allow clvmd_t self:tcp_socket create_stream_socket_perms;
+ allow clvmd_t self:udp_socket create_socket_perms;
+ 
++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
++
+ manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
+ files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
+ 
+@@ -142,6 +149,11 @@
  ')
  
  optional_policy(`
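Review bot: `lvm_rw_clvmd_tmpfs_files` grants `unlink` in addition to `rw_file_perms`, so its name and summary under-state what it allows; either drop the `unlink` line or make the summary honest, e.g. `## Read, write and delete clvmd temporary file system files.` The interface also grants no directory access: because `fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })` lets clvmd create `clvmd_tmpfs_t` directories, a file inside one would be unreachable to callers without `allow $1 clvmd_tmpfs_t:dir search_dir_perms;`, and most refpolicy tmpfs accessors also call `fs_search_tmpfs($1)` so the caller can traverse tmpfs_t at all. Style: the new interface body uses eight-space indentation while the rest of lvm.if uses tabs (see the `domtrans_pattern` line just above it), and `manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)` is missing the space after the second comma.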
@@ -38190,7 +38272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  	ccs_stream_connect(clvmd_t)
  ')
  
-@@ -171,6 +176,7 @@
+@@ -171,6 +183,7 @@
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
  allow lvm_t self:process setsched;
@@ -38198,7 +38280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -218,6 +224,7 @@
+@@ -218,6 +231,7 @@
  # it has no reason to need this
  kernel_dontaudit_getattr_core_if(lvm_t)
  kernel_use_fds(lvm_t)
@@ -38206,7 +38288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -244,6 +251,7 @@
+@@ -244,6 +258,7 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -38214,7 +38296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -253,8 +261,9 @@
+@@ -253,8 +268,9 @@
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -38225,7 +38307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -264,6 +273,7 @@
+@@ -264,6 +280,7 @@
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
@@ -38233,7 +38315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -311,6 +321,11 @@
+@@ -311,6 +328,11 @@
  ')
  
  optional_policy(`
@@ -38245,7 +38327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -331,6 +346,10 @@
+@@ -331,6 +353,10 @@
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7a93695..414de03 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 53%{?dist}
+Release: 54%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-54
+- Allow clmvd to create tmpfs files
+
 * Wed Sep 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-53
 - Fixes for jabberd policy
 - Fixes for sandbox policy

