[selinux-policy/f14/master] - Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t - Allow corosync to comm

Daniel J Walsh dwalsh at fedoraproject.org
Thu Sep 2 17:42:46 UTC 2010


commit 0dc6f69830b91ad34f6dc157575a05c1dc01131a
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Sep 2 13:42:42 2010 -0400

    - Merge upstream fix of mmap_zero
    - Allow mount to write files in debugfs_t
    - Allow corosync to communicate with clvmd via tmpfs
    - Allow certmaster to read usr_t files
    - Allow dbus system services to search cgroup_t
    - Define rlogind_t as a login pgm

 .gitignore          |    1 +
 policy-F14.patch    |  307 ++++++++++++++++++++++++++++-----------------------
 selinux-policy.spec |   13 ++-
 sources             |    2 +-
 4 files changed, 184 insertions(+), 139 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 6574aaf..8632839 100644
--- a/.gitignore
+++ b/.gitignore
@@ -222,3 +222,4 @@ serefpolicy-3.8.8.tgz
 serefpolicy*
 /serefpolicy-3.9.0.tgz
 /serefpolicy-3.9.1.tgz
+/serefpolicy-3.9.2.tgz
diff --git a/policy-F14.patch b/policy-F14.patch
index a02a159..c5cf0dc 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -149,7 +149,7 @@ index 0000000..e9c43b1
 +.SH "SEE ALSO"
 +selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
 diff --git a/policy/global_tunables b/policy/global_tunables
-index 3316f6e..cf3a77b 100644
+index 3316f6e..56af226 100644
 --- a/policy/global_tunables
 +++ b/policy/global_tunables
 @@ -61,15 +61,6 @@ gen_tunable(global_ssp,false)
@@ -168,7 +168,7 @@ index 3316f6e..cf3a77b 100644
  ## Allow any files/directories to be exported read/write via NFS.
  ## </p>
  ## </desc>
-@@ -104,3 +95,18 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -104,3 +95,11 @@ gen_tunable(use_samba_home_dirs,false)
  ## </p>
  ## </desc>
  gen_tunable(user_tcp_server,false)
@@ -180,13 +180,6 @@ index 3316f6e..cf3a77b 100644
 +## </desc>
 +gen_tunable(allow_console_login,false)
 +
-+## <desc>
-+## <p>
-+## Allow certain domains to map low memory in the kernel
-+## </p>
-+## </desc>
-+gen_tunable(mmap_low_allowed, false)
-+
 diff --git a/policy/mcs b/policy/mcs
 index af90ef2..fbd2c40 100644
 --- a/policy/mcs
@@ -1782,22 +1775,6 @@ index c35d801..3045a19 100644
  
  mta_manage_spool(useradd_t)
  
-diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
-index edfa54e..8215138 100644
---- a/policy/modules/admin/vbetool.te
-+++ b/policy/modules/admin/vbetool.te
-@@ -24,7 +24,10 @@ dev_rw_sysfs(vbetool_t)
- dev_rw_xserver_misc(vbetool_t)
- dev_rw_mtrr(vbetool_t)
- 
--domain_mmap_low(vbetool_t)
-+domain_mmap_low_type(vbetool_t)
-+tunable_policy(`mmap_low_allowed',`
-+	allow vbetool_t self:memprotect mmap_zero;
-+')
- 
- mls_file_read_all_levels(vbetool_t)
- mls_file_write_all_levels(vbetool_t)
 diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
 index a870982..6542902 100644
 --- a/policy/modules/admin/vpn.te
@@ -6708,7 +6685,7 @@ index 9d24449..9782698 100644
  /opt/google/picasa(/.*)?/bin/notepad --	gen_context(system_u:object_r:wine_exec_t,s0)
  /opt/google/picasa(/.*)?/bin/progman --	gen_context(system_u:object_r:wine_exec_t,s0)
 diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
-index c26662d..62e455a 100644
+index 0440b4c..e10101a 100644
 --- a/policy/modules/apps/wine.if
 +++ b/policy/modules/apps/wine.if
 @@ -29,12 +29,16 @@
@@ -6746,26 +6723,27 @@ index c26662d..62e455a 100644
  		type wine_exec_t;
  	')
  
-@@ -101,9 +105,16 @@ template(`wine_role_template',`
+@@ -101,7 +105,7 @@ template(`wine_role_template',`
  	corecmd_bin_domtrans($1_wine_t, $1_t)
  
  	userdom_unpriv_usertype($1, $1_wine_t)
 -	userdom_manage_user_tmpfs_files($1_wine_t)
 +	userdom_manage_tmpfs_role($2, $1_wine_t)
  
--	domain_mmap_low($1_wine_t)
-+	domain_mmap_low_type($1_wine_t)
-+	tunable_policy(`mmap_low_allowed',`
-+		allow $1_wine_t self:memprotect mmap_zero;
-+	')
-+
+ 	domain_mmap_low($1_wine_t)
+ 
+@@ -109,6 +113,10 @@ template(`wine_role_template',`
+ 		dontaudit $1_wine_t self:memprotect mmap_zero;
+ 	')
+ 
 +	tunable_policy(`wine_mmap_zero_ignore',`
 +		dontaudit $1_wine_t self:memprotect mmap_zero;
 +	')
- 
++
  	optional_policy(`
  		xserver_role($1_r, $1_wine_t)
-@@ -153,3 +164,22 @@ interface(`wine_run',`
+ 	')
+@@ -157,3 +165,22 @@ interface(`wine_run',`
  	wine_domtrans($1)
  	role $2 types wine_t;
  ')
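Review bot: The added `wine_mmap_zero_ignore` tunable_policy block in `wine_role_template` lands directly after context lines that already close a block containing `dontaudit $1_wine_t self:memprotect mmap_zero;`, so the rebased patch may now add a second copy of what upstream 3.9.2 already carries. The opening of that upstream block is outside the hunk, so this is inferred; if it is the same conditional, this addition can be dropped from policy-F14.patch, and the matching block after `domain_mmap_low(wine_t)` in the wine.te section deserves the same check. Whichever copy stays, a comment such as `# hides mmap_zero denials for wine; low-address mapping attempts will not show up in the audit log while this boolean is on` would help whoever triages AVCs later.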
@@ -6789,11 +6767,11 @@ index c26662d..62e455a 100644
 +	allow $1 wine_t:shm rw_shm_perms;
 +')
 diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
-index 8af45db..6fe38a1 100644
+index f9a123a..40cbebb 100644
 --- a/policy/modules/apps/wine.te
 +++ b/policy/modules/apps/wine.te
 @@ -1,5 +1,13 @@
- policy_module(wine, 1.7.1)
+ policy_module(wine, 1.7.2)
  
 +## <desc>
 +## <p>
@@ -6806,22 +6784,17 @@ index 8af45db..6fe38a1 100644
  ########################################
  #
  # Declarations
-@@ -29,7 +37,13 @@ manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
- manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+@@ -37,6 +45,9 @@ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
  files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
  
--domain_mmap_low(wine_t)
-+domain_mmap_low_type(wine_t)
-+tunable_policy(`mmap_low_allowed',`
-+	allow wine_t self:memprotect mmap_zero;
-+')
+ domain_mmap_low(wine_t)
 +tunable_policy(`wine_mmap_zero_ignore',`
 +	dontaudit wine_t self:memprotect mmap_zero;
 +')
  
  files_execmod_all_files(wine_t)
  
-@@ -40,7 +54,11 @@ optional_policy(`
+@@ -51,7 +62,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7502,7 +7475,7 @@ index eb9c360..20c2d34 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 41f36ed..3f2c4ad 100644
+index aad8c52..09d4b31 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -611,7 +611,7 @@ interface(`domain_read_all_domains_state',`
@@ -7523,22 +7496,7 @@ index 41f36ed..3f2c4ad 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1372,13 +1372,11 @@ interface(`domain_entry_file_spec_domtrans',`
- ##	</summary>
- ## </param>
- #
--interface(`domain_mmap_low',`
-+interface(`domain_mmap_low_type',`
- 	gen_require(`
- 		attribute mmap_low_domain_type;
- 	')
- 
--	allow $1 self:memprotect mmap_zero;
--
- 	typeattribute $1 mmap_low_domain_type;
- ')
- 
-@@ -1445,3 +1443,22 @@ interface(`domain_unconfined',`
+@@ -1473,3 +1473,22 @@ interface(`domain_unconfined',`
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
  ')
@@ -7562,10 +7520,10 @@ index 41f36ed..3f2c4ad 100644
 +	dontaudit $1 domain:socket_class_set { read write };
 +')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index aa02659..b9c5804 100644
+index 099f57f..ae62211 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
-@@ -4,6 +4,21 @@ policy_module(domain, 1.8.0)
+@@ -4,6 +4,21 @@ policy_module(domain, 1.8.1)
  #
  # Declarations
  #
@@ -7585,9 +7543,9 @@ index aa02659..b9c5804 100644
 +#
 +gen_tunable(domain_kernel_load_modules, false)
  
- # Mark process types as domains
- attribute domain;
-@@ -79,14 +94,17 @@ allow domain self:dir list_dir_perms;
+ ## <desc>
+ ## <p>
+@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms;
  allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
  allow domain self:file rw_file_perms;
  kernel_read_proc_symlinks(domain)
@@ -7606,7 +7564,7 @@ index aa02659..b9c5804 100644
  
  # Use trusted objects in /dev
  dev_rw_null(domain)
-@@ -96,6 +114,13 @@ term_use_controlling_term(domain)
+@@ -104,6 +122,13 @@ term_use_controlling_term(domain)
  # list the root directory
  files_list_root(domain)
  
@@ -7620,7 +7578,7 @@ index aa02659..b9c5804 100644
  tunable_policy(`global_ssp',`
  	# enable reading of urandom for all domains:
  	# this should be enabled when all programs
-@@ -105,8 +130,13 @@ tunable_policy(`global_ssp',`
+@@ -113,8 +138,13 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
@@ -7634,7 +7592,7 @@ index aa02659..b9c5804 100644
  ')
  
  optional_policy(`
-@@ -117,6 +147,8 @@ optional_policy(`
+@@ -125,6 +155,8 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -7643,7 +7601,7 @@ index aa02659..b9c5804 100644
  ')
  
  ########################################
-@@ -135,6 +167,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -143,6 +175,8 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  allow unconfined_domain_type domain:fd use;
  allow unconfined_domain_type domain:fifo_file rw_file_perms;
  
@@ -7652,7 +7610,7 @@ index aa02659..b9c5804 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -152,3 +186,77 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +194,77 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -8836,10 +8794,10 @@ index 56c3408..3f4cf3d 100644
  
  #
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index ed7667a..d676187 100644
+index ed7667a..46e9859 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
-@@ -698,6 +698,26 @@ interface(`kernel_read_debugfs',`
+@@ -698,6 +698,46 @@ interface(`kernel_read_debugfs',`
  
  ########################################
  ## <summary>
@@ -8863,10 +8821,30 @@ index ed7667a..d676187 100644
 +
 +########################################
 +## <summary>
++##	Manage information from the debugging filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_manage_debugfs',`
++	gen_require(`
++		type debugfs_t;
++	')
++
++	manage_files_pattern($1, debugfs_t, debugfs_t)
++	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
++	list_dirs_pattern($1, debugfs_t, debugfs_t)
++')
++
++########################################
++## <summary>
  ##	Mount a kernel VM filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1977,7 +1997,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -1977,7 +2017,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -8875,7 +8853,7 @@ index ed7667a..d676187 100644
  ')
  
  ########################################
-@@ -2845,6 +2865,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2845,6 +2885,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -8900,7 +8878,7 @@ index ed7667a..d676187 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2860,3 +2898,23 @@ interface(`kernel_unconfined',`
+@@ -2860,3 +2918,23 @@ interface(`kernel_unconfined',`
  
  	typeattribute $1 kern_unconfined;
  ')
@@ -13904,6 +13882,18 @@ index 27fe7ca..221ea9e 100644
  #######################################
  ## <summary>
  ##	read certmaster logs.
+diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
+index 1573914..6e32117 100644
+--- a/policy/modules/services/certmaster.te
++++ b/policy/modules/services/certmaster.te
+@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
+ corenet_tcp_bind_certmaster_port(certmaster_t)
+ 
+ files_search_etc(certmaster_t)
++files_read_usr_files(certmaster_t)
+ files_list_var(certmaster_t)
+ files_search_var_lib(certmaster_t)
+ 
 diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
 index a3728d4..7a6e5ba 100644
 --- a/policy/modules/services/certmonger.if
@@ -14866,7 +14856,7 @@ index 3a6d7eb..2098ee9 100644
  /var/lib/corosync(/.*)?			gen_context(system_u:object_r:corosync_var_lib_t,s0)
  
 diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 7d2cf85..317b025 100644
+index 7d2cf85..9d97456 100644
 --- a/policy/modules/services/corosync.te
 +++ b/policy/modules/services/corosync.te
 @@ -5,6 +5,13 @@ policy_module(corosync, 1.0.0)
@@ -14922,7 +14912,7 @@ index 7d2cf85..317b025 100644
  
  auth_use_nsswitch(corosync_t)
  
-@@ -83,19 +95,26 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +95,30 @@ logging_send_syslog_msg(corosync_t)
  
  miscfiles_read_localization(corosync_t)
  
@@ -14940,11 +14930,14 @@ index 7d2cf85..317b025 100644
  optional_policy(`
 -	# to communication with RHCS
 -	rhcs_rw_dlm_controld_semaphores(corosync_t)
--
--	rhcs_rw_fenced_semaphores(corosync_t)
 +	cmirrord_rw_shm(corosync_t)
 +')
  
+-	rhcs_rw_fenced_semaphores(corosync_t)
++optional_policy(`
++	lvm_rw_clvmd_tmpfs_files(corosync_t)
++')
+ 
 -	rhcs_rw_gfs_controld_semaphores(corosync_t)
 +optional_policy(`
 +	# to communication with RHCS
@@ -15735,7 +15728,7 @@ index 2a0f1c1..ab82c3c 100644
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 39e901a..a93e5ca 100644
+index 39e901a..4ab36ba 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -42,8 +42,10 @@ template(`dbus_role_template',`
@@ -15802,7 +15795,12 @@ index 39e901a..a93e5ca 100644
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -434,10 +445,21 @@ interface(`dbus_system_domain',`
+@@ -431,13 +442,26 @@ interface(`dbus_system_domain',`
+ 
+ 	domtrans_pattern(system_dbusd_t, $2, $1)
+ 
++	fs_search_cgroup_dirs($1)
++
  	dbus_system_bus_client($1)
  	dbus_connect_system_bus($1)
  
@@ -23512,7 +23510,7 @@ index 2785337..c3c2775 100644
  /usr/kerberos/sbin/klogind	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
  
 diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..a142c36 100644
+index 779fa44..29a5d0d 100644
 --- a/policy/modules/services/rlogin.te
 +++ b/policy/modules/services/rlogin.te
 @@ -43,7 +43,6 @@ can_exec(rlogind_t, rlogind_exec_t)
@@ -23523,7 +23521,15 @@ index 779fa44..a142c36 100644
  
  manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
  files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -88,6 +87,9 @@ seutil_read_config(rlogind_t)
+@@ -71,6 +70,7 @@ fs_search_auto_mountpoints(rlogind_t)
+ auth_domtrans_chk_passwd(rlogind_t)
+ auth_rw_login_records(rlogind_t)
+ auth_use_nsswitch(rlogind_t)
++auth_login_pgm_domain(rlogind_t)
+ 
+ files_read_etc_files(rlogind_t)
+ files_read_etc_runtime_files(rlogind_t)
+@@ -88,6 +88,9 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
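Review bot: `auth_login_pgm_domain(rlogind_t)` is added with no comment naming the denial that required it, and it sits next to `auth_domtrans_chk_passwd(rlogind_t)` and `auth_rw_login_records(rlogind_t)`, which the login-program interface in refpolicy's authlogin module normally grants already. The interface body is not on this page, but in refpolicy it carries considerably more than PAM access, which makes it a broad grant for a network-facing daemon. I would put `# rlogind runs the PAM stack and sets up the user session itself (bug <BUG-ID>)` above the line, and drop the two overlapping calls once the interface is confirmed to cover them.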
@@ -27477,7 +27483,7 @@ index da2601a..a5b3186 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8084740..4b4ddc3 100644
+index e226da4..50b4a08 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@@ -28170,7 +28176,7 @@ index 8084740..4b4ddc3 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,10 +864,9 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +864,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -28178,11 +28184,8 @@ index 8084740..4b4ddc3 100644
 +allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
--allow xserver_t self:memprotect mmap_zero;
  allow xserver_t self:fd use;
- allow xserver_t self:fifo_file rw_fifo_file_perms;
- allow xserver_t self:sock_file read_sock_file_perms;
-@@ -611,6 +878,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +878,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -28201,7 +28204,7 @@ index 8084740..4b4ddc3 100644
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -630,12 +909,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +909,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -28223,7 +28226,7 @@ index 8084740..4b4ddc3 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -643,6 +929,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +929,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -28231,7 +28234,7 @@ index 8084740..4b4ddc3 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -669,7 +956,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +956,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -28239,7 +28242,7 @@ index 8084740..4b4ddc3 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -679,9 +965,12 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,8 +965,13 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -28247,13 +28250,13 @@ index 8084740..4b4ddc3 100644
 +dev_write_raw_memory(xserver_t)
  dev_rwx_zero(xserver_t)
  
--domain_mmap_low(xserver_t)
 +domain_dontaudit_read_all_domains_state(xserver_t)
 +domain_signal_all_domains(xserver_t)
- 
++
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -696,8 +985,13 @@ fs_getattr_xattr_fs(xserver_t)
+ files_read_usr_files(xserver_t)
+@@ -693,8 +985,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -28267,7 +28270,7 @@ index 8084740..4b4ddc3 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -719,11 +1013,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1013,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -28282,7 +28285,7 @@ index 8084740..4b4ddc3 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,20 +1072,44 @@ optional_policy(`
+@@ -773,20 +1073,44 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28328,7 +28331,7 @@ index 8084740..4b4ddc3 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -804,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1126,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -28341,7 +28344,7 @@ index 8084740..4b4ddc3 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,6 +1149,13 @@ init_use_fds(xserver_t)
+@@ -826,6 +1150,13 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -28355,7 +28358,7 @@ index 8084740..4b4ddc3 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -843,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1172,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -28372,7 +28375,7 @@ index 8084740..4b4ddc3 100644
  ')
  
  optional_policy(`
-@@ -993,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+@@ -991,3 +1325,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -31446,11 +31449,58 @@ index 879bb1e..31efcb2 100644
  /sbin/cryptsetup	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmraid		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/dmsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
+index 58bc27f..b4f0663 100644
+--- a/policy/modules/system/lvm.if
++++ b/policy/modules/system/lvm.if
+@@ -123,3 +123,21 @@ interface(`lvm_domtrans_clvmd',`
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
+ ')
++
++########################################
++## <summary>
++##	Read and write to lvm temporary file system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`lvm_rw_clvmd_tmpfs_files',`
++	gen_require(`
++		type clvmd_tmpfs_t;
++	')
++
++	allow $1 clvmd_tmpfs_t:file rw_file_perms;
++')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 86ef2da..4eef596 100644
+index 86ef2da..7eb67d1 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
-@@ -135,9 +135,18 @@ lvm_domtrans(clvmd_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
+ type clvmd_initrc_exec_t;
+ init_script_file(clvmd_initrc_exec_t)
+ 
++type clmvd_tmpfs_t;
++files_tmpfs_file(clmvd_tmpfs_t)
++
+ type clvmd_var_run_t;
+ files_pid_file(clvmd_var_run_t)
+ 
+@@ -56,6 +59,10 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow clvmd_t self:tcp_socket create_stream_socket_perms;
+ allow clvmd_t self:udp_socket create_socket_perms;
+ 
++manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t)
++manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t)
++fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file })
++
+ manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
+ files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
+ 
+@@ -135,9 +142,18 @@ lvm_domtrans(clvmd_t)
  lvm_read_config(clvmd_t)
  
  ifdef(`distro_redhat',`
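Review bot: The new type in lvm.te is spelled `clmvd_tmpfs_t` (in `type clmvd_tmpfs_t;`, `files_tmpfs_file(...)` and the three `clvmd_t` rules), but the new interface `lvm_rw_clvmd_tmpfs_files` in lvm.if requires and allows `clvmd_tmpfs_t`. No line on this page declares `clvmd_tmpfs_t`, so the interface's `gen_require` presumably cannot be satisfied. Because corosync.te calls it inside `optional_policy`, the likely outcome is that the block is dropped quietly and corosync never receives the tmpfs access the changelog describes. Rename the type on all five lines, e.g. `type clvmd_tmpfs_t;` and `fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })`. The interface summary would also be more precise as `Read and write clvmd tmpfs files.`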
@@ -31469,7 +31519,7 @@ index 86ef2da..4eef596 100644
  ')
  
  optional_policy(`
-@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,6 +186,7 @@ dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
  allow lvm_t self:process setsched;
@@ -31477,7 +31527,7 @@ index 86ef2da..4eef596 100644
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -210,12 +220,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
+@@ -210,12 +227,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
  files_etc_filetrans(lvm_t, lvm_metadata_t, file)
  files_search_mnt(lvm_t)
  
@@ -31493,7 +31543,7 @@ index 86ef2da..4eef596 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -242,6 +255,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -242,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -31501,7 +31551,7 @@ index 86ef2da..4eef596 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -251,8 +265,9 @@ files_read_etc_files(lvm_t)
+@@ -251,8 +272,9 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -31512,7 +31562,7 @@ index 86ef2da..4eef596 100644
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -262,6 +277,7 @@ fs_rw_anon_inodefs_files(lvm_t)
+@@ -262,6 +284,7 @@ fs_rw_anon_inodefs_files(lvm_t)
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
@@ -31520,7 +31570,7 @@ index 86ef2da..4eef596 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -303,9 +319,18 @@ ifdef(`distro_redhat',`
+@@ -303,9 +326,18 @@ ifdef(`distro_redhat',`
  	# this is from the initrd:
  	files_rw_isid_type_dirs(lvm_t)
  
@@ -31539,7 +31589,7 @@ index 86ef2da..4eef596 100644
  ')
  
  optional_policy(`
-@@ -329,6 +354,10 @@ optional_policy(`
+@@ -329,6 +361,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32060,7 +32110,7 @@ index 8b5c196..3490497 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..2639086 100644
+index fca6947..a2f7102 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -32128,7 +32178,7 @@ index fca6947..2639086 100644
 +kernel_read_network_state(mount_t)
  kernel_read_kernel_sysctls(mount_t)
 -kernel_dontaudit_getattr_core_if(mount_t)
-+kernel_rw_debugfs(mount_t)
++kernel_manage_debugfs(mount_t)
 +kernel_setsched(mount_t)
 +kernel_use_fds(mount_t)
 +kernel_request_load_module(mount_t)
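Review bot: `kernel_manage_debugfs(mount_t)` grants more than the changelog line "Allow mount to write files in debugfs_t" asks for. The new interface in the kernel.if section is built on `manage_files_pattern`, which in refpolicy covers create, unlink, rename and setattr as well as write. If the denial being fixed was a plain write, keeping `kernel_rw_debugfs(mount_t)` would be the tighter choice. If full manage really is needed, a comment such as `# mount creates and removes files under debugfs (bug <BUG-ID>)` should record why.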
@@ -34127,7 +34177,7 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..bdb4c7b 100644
+index 416e668..c6e8ffe 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,14 +12,13 @@
@@ -34165,35 +34215,20 @@ index 416e668..bdb4c7b 100644
  
  	kernel_unconfined($1)
  	corenet_unconfined($1)
-@@ -44,6 +45,16 @@ interface(`unconfined_domain_noaudit',`
+@@ -44,6 +45,12 @@ interface(`unconfined_domain_noaudit',`
  	fs_unconfined($1)
  	selinux_unconfined($1)
  
-+	domain_mmap_low_type($1)
++	domain_mmap_low($1)
 +
 +	mls_file_read_all_levels($1)
 +
 +	ubac_process_exempt($1)
 +
-+	tunable_policy(`mmap_low_allowed',`
-+		allow $1 self:memprotect mmap_zero;
-+	')
-+
  	tunable_policy(`allow_execheap',`
  		# Allow making the stack executable via mprotect.
  		allow $1 self:process execheap;
-@@ -57,8 +68,8 @@ interface(`unconfined_domain_noaudit',`
- 
- 	tunable_policy(`allow_execstack',`
- 		# Allow making the stack executable via mprotect;
--		# execstack implies execmem;
--		allow $1 self:process { execstack execmem };
-+		# execstack implies execmem; Bugzilla #211271
-+		allow $1 self:process { execmem execstack };
- #		auditallow $1 self:process execstack;
- 	')
- 
-@@ -69,6 +80,7 @@ interface(`unconfined_domain_noaudit',`
+@@ -69,6 +76,7 @@ interface(`unconfined_domain_noaudit',`
  	optional_policy(`
  		# Communicate via dbusd.
  		dbus_system_bus_unconfined($1)
@@ -34201,7 +34236,7 @@ index 416e668..bdb4c7b 100644
  	')
  
  	optional_policy(`
-@@ -122,6 +134,10 @@ interface(`unconfined_domain_noaudit',`
+@@ -122,6 +130,10 @@ interface(`unconfined_domain_noaudit',`
  ## </param>
  #
  interface(`unconfined_domain',`
@@ -34212,7 +34247,7 @@ index 416e668..bdb4c7b 100644
  	unconfined_domain_noaudit($1)
  
  	tunable_policy(`allow_execheap',`
-@@ -178,412 +194,3 @@ interface(`unconfined_alias_domain',`
+@@ -178,412 +190,3 @@ interface(`unconfined_alias_domain',`
  interface(`unconfined_execmem_alias_program',`
  	refpolicywarn(`$0($1) has been deprecated.')
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8e708af..7799e24 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,8 +19,8 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.1
-Release: 3%{?dist}
+Version: 3.9.2
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,15 @@ exit 0
 %endif
 
 %changelog
+* Thu Aug 31 2010 Dan Walsh <dwalsh at redhat.com> 3.9.2-1
+- Merge upstream fix of mmap_zero
+- Allow mount to write files in debugfs_t
+- Allow corosync to communicate with clvmd via tmpfs
+- Allow certmaster to read usr_t files
+- Allow dbus system services to search cgroup_t
+- Define rlogind_t as a login pgm
+
+
 * Wed Aug 31 2010 Dan Walsh <dwalsh at redhat.com> 3.9.1-3
 - Allow mdadm_t to read/write hugetlbfs
 
diff --git a/sources b/sources
index 4192ac7..1d0d2b4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1351ca1eca73598202c01ea63efba6d1  serefpolicy-3.9.1.tgz
+f35b66c95c41e4c046727789b361a969  serefpolicy-3.9.2.tgz

