[selinux-policy/f13/master] - Allow clmvd to create tmpfs files
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Sep 2 14:29:26 UTC 2010
commit ffc913c51419352e7f25fe6deb890328746498fa
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Sep 2 16:29:16 2010 +0200
- Allow clvmd to create tmpfs files
policy-F13.patch | 138 ++++++++++++++++++++++++++++++++++++++++----------
selinux-policy.spec | 5 ++-
2 files changed, 114 insertions(+), 29 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 34dd0cc..1533331 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -10621,7 +10621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-08-10 16:52:17.722085152 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-02 13:53:43.031083801 +0200
@@ -559,6 +559,24 @@
########################################
@@ -10660,11 +10660,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
')
- allow $1 cifs_t:filesystem getattr;
-+ allow $1 cgroup_t:filesystem getattr;
- ')
-
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
-## list dirs on cgroup
-## file systems.
-## </summary>
@@ -10681,10 +10680,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
- ')
-
- list_dirs_pattern($1, cgroup_t, cgroup_t)
--')
--
--########################################
--## <summary>
++ allow $1 cgroup_t:filesystem getattr;
+ ')
+
+ ########################################
+ ## <summary>
-## Do not audit attempts to read
-## dirs on a CIFS or SMB filesystem.
+## list dirs on cgroup
@@ -10938,7 +10938,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## </summary>
## <param name="domain">
## <summary>
-@@ -3870,6 +4018,24 @@
+@@ -3812,6 +3960,24 @@
+ rw_files_pattern($1, tmpfs_t, tmpfs_t)
+ ')
+
++#######################################
++## <summary>
++## Delete generic tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_delete_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:file delete_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Read tmpfs link files.
+@@ -3870,6 +4036,24 @@
########################################
## <summary>
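Review bot: `allow $1 tmpfs_t:file delete_file_perms;` on its own does not let a caller actually remove a file: unlinking also needs `remove_name` (and `write`) on the containing tmpfs_t directory, and the neighbouring `fs_rw_tmpfs_files` only grants directory `search` through `rw_files_pattern`, as far as I recall refpolicy's definitions. Unless the caller gets the directory permission elsewhere, the body should use the refpolicy pattern `delete_files_pattern($1, tmpfs_t, tmpfs_t)`, which grants both halves in one place. The same gap affects the caller this commit adds in corosync.te (`fs_delete_tmpfs_files(corosync_t)` inside the `allow_corosync_rw_tmpfs` tunable). As a nit, the `#` box above the summary appears one character shorter than the sibling interfaces' `########################################` and is worth aligning.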
@@ -10963,7 +10988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4432,6 +4598,44 @@
+@@ -4432,6 +4616,44 @@
########################################
## <summary>
@@ -11008,7 +11033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Do not audit attempts to get the attributes
## of all files with a filesystem type.
## </summary>
-@@ -4549,3 +4753,24 @@
+@@ -4549,3 +4771,24 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
@@ -18329,8 +18354,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-08-04 14:57:52.139335328 +0200
-@@ -0,0 +1,140 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-02 12:55:05.057085167 +0200
+@@ -0,0 +1,145 @@
+
+policy_module(corosync,1.0.0)
+
@@ -18444,6 +18469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
+tunable_policy(`allow_corosync_rw_tmpfs',`
+ fs_rw_tmpfs_files(corosync_t)
++ fs_delete_tmpfs_files(corosync_t)
+')
+
+optional_policy(`
@@ -18455,6 +18481,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+')
+
+optional_policy(`
++ lvm_rw_clvmd_tmpfs_files(corosync_t)
++')
++
++optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
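Review bot: The new `lvm_rw_clvmd_tmpfs_files(corosync_t)` block carries no comment, unlike the RHCS block right below it (`# to communication with RHCS`), so the reason for this cross-module grant is not recorded anywhere in the patch. A line such as `# clvmd and corosync share files on tmpfs` (adjusted to the actual use case that produced the denial) above the call would explain it in place. It is also worth stating in that comment that the grant deliberately sits outside the `allow_corosync_rw_tmpfs` tunable that gates generic tmpfs access, which looks intentional since clvmd_tmpfs_t is a private type, but a reader cannot tell that from the code alone.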
@@ -22397,7 +22427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-05-28 09:42:00.117610715 +0200
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-09-02 15:07:11.046335422 +0200
@@ -74,7 +74,7 @@
')
@@ -30716,8 +30746,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.7.19/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/rlogin.te 2010-05-28 09:42:00.174610693 +0200
-@@ -89,6 +89,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/rlogin.te 2010-09-02 15:07:41.711106623 +0200
+@@ -69,6 +69,7 @@
+ fs_getattr_xattr_fs(rlogind_t)
+ fs_search_auto_mountpoints(rlogind_t)
+
++auth_login_pgm_domain(rlogind_t)
+ auth_domtrans_chk_passwd(rlogind_t)
+ auth_rw_login_records(rlogind_t)
+ auth_use_nsswitch(rlogind_t)
+@@ -89,6 +90,7 @@
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
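Review bot: `auth_login_pgm_domain(rlogind_t)` is a high-privilege interface: in refpolicy it exempts the domain from the MLS, role-change and subject-id-change constraints and, if memory serves, itself calls `auth_domtrans_chk_passwd` and `auth_use_nsswitch`, so the `auth_domtrans_chk_passwd(rlogind_t)` and `auth_use_nsswitch(rlogind_t)` lines kept directly below it would become redundant and should be dropped once that is confirmed. Nothing in this commit, whose title is about clvmd, explains why rlogind now needs login-program privileges; a one-line comment above the call naming the use case or denial it fixes would help the next reviewer judge whether the broad grant is warranted. The enclosing rlogind_t rule block starts and ends outside the hunk.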
@@ -38165,7 +38203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if
--- nsaserefpolicy/policy/modules/system/lvm.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-05-28 09:42:00.505610658 +0200
++++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-09-02 13:55:45.873084762 +0200
@@ -34,7 +34,7 @@
type lvm_exec_t;
')
@@ -38175,10 +38213,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if
can_exec($1, lvm_exec_t)
')
+@@ -123,3 +123,22 @@
+ corecmd_search_bin($1)
+ domtrans_pattern($1, clvmd_exec_t, clvmd_t)
+ ')
++
++######################################
++## <summary>
++## Read and write to clvmd temporary file system.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`lvm_rw_clvmd_tmpfs_files',`
++ gen_require(`
++ type clvmd_tmpfs_t;
++ ')
++
++ allow $1 clvmd_tmpfs_t:file rw_file_perms;
++ allow $1 clvmd_tmpfs_t:file unlink;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-05-28 09:42:00.505610658 +0200
-@@ -142,6 +142,11 @@
++++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-09-02 13:43:13.984335270 +0200
+@@ -13,6 +13,9 @@
+ type clvmd_initrc_exec_t;
+ init_script_file(clvmd_initrc_exec_t)
+
++type clvmd_tmpfs_t;
++files_tmpfs_file(clvmd_tmpfs_t)
++
+ type clvmd_var_run_t;
+ files_pid_file(clvmd_var_run_t)
+
+@@ -57,6 +60,10 @@
+ allow clvmd_t self:tcp_socket create_stream_socket_perms;
+ allow clvmd_t self:udp_socket create_socket_perms;
+
++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
++
+ manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
+ files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
+
+@@ -142,6 +149,11 @@
')
optional_policy(`
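Review bot: `lvm_rw_clvmd_tmpfs_files` is named and summarised as "Read and write" yet also grants `allow $1 clvmd_tmpfs_t:file unlink;`, so either the summary should read `## Read, write and delete clvmd temporary file system files.` or the unlink line belongs in a separately named interface, since callers reading the name will not expect a delete grant. That unlink also cannot take effect by itself: removing a directory entry needs `remove_name` on the parent directory, which this interface does not grant (the parent of a file created through `fs_tmpfs_filetrans` is presumably a tmpfs_t directory, so confirm where the caller gets that permission). A nit in lvm.te: `manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)` is missing the space after the second comma that the `manage_dirs_pattern` line above it has. The clvmd_t rule block continues outside the hunk.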
@@ -38190,7 +38272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
ccs_stream_connect(clvmd_t)
')
-@@ -171,6 +176,7 @@
+@@ -171,6 +183,7 @@
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
@@ -38198,7 +38280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -218,6 +224,7 @@
+@@ -218,6 +231,7 @@
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
@@ -38206,7 +38288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
-@@ -244,6 +251,7 @@
+@@ -244,6 +258,7 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -38214,7 +38296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -253,8 +261,9 @@
+@@ -253,8 +268,9 @@
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -38225,7 +38307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
fs_search_auto_mountpoints(lvm_t)
fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
-@@ -264,6 +273,7 @@
+@@ -264,6 +280,7 @@
mls_file_read_all_levels(lvm_t)
mls_file_write_to_clearance(lvm_t)
@@ -38233,7 +38315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -311,6 +321,11 @@
+@@ -311,6 +328,11 @@
')
optional_policy(`
@@ -38245,7 +38327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
bootloader_rw_tmp_files(lvm_t)
')
-@@ -331,6 +346,10 @@
+@@ -331,6 +353,10 @@
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7a93695..414de03 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 53%{?dist}
+Release: 54%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Thu Sep 2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-54
+- Allow clmvd to create tmpfs files
+
* Wed Sep 1 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-53
- Fixes for jabberd policy
- Fixes for sandbox policy