[selinux-policy/f13/master] - Allow dovecot-deliver to create tmp files - Allow tor to send signals to itself - Handle /var/db/s
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Sep 13 15:34:27 UTC 2010
commit e05169a7865453d6bb118748794d3ab85a250a7f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Sep 13 17:34:10 2010 +0200
- Allow dovecot-deliver to create tmp files
- Allow tor to send signals to itself
- Handle /var/db/sudo
- Remove allow_corosync_rw_tmpfs boolean
policy-F13.patch | 154 +++++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 8 ++-
2 files changed, 126 insertions(+), 36 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index ee29a30..486475b 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2510,10 +2510,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+optional_policy(`
+ xserver_dontaudit_write_log(shutdown_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.fc serefpolicy-3.7.19/policy/modules/admin/sudo.fc
+--- nsaserefpolicy/policy/modules/admin/sudo.fc 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/sudo.fc 2010-09-13 15:54:07.362085420 +0200
+@@ -1,2 +1,4 @@
+
+ /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
++
++/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.19/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-05-28 09:41:59.964611081 +0200
-@@ -73,12 +73,16 @@
++++ serefpolicy-3.7.19/policy/modules/admin/sudo.if 2010-09-13 15:56:30.021085395 +0200
+@@ -32,6 +32,7 @@
+
+ gen_require(`
+ type sudo_exec_t;
++ type sudo_db_t;
+ attribute sudodomain;
+ ')
+
+@@ -47,6 +48,9 @@
+ ubac_constrained($1_sudo_t)
+ role $2 types $1_sudo_t;
+
++ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
++ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
++
+ ##############################
+ #
+ # Local Policy
+@@ -73,12 +77,16 @@
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
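Review bot: The new `manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` / `manage_files_pattern(...)` lines let the per-role sudo domain manage /var/db/sudo once it carries sudo_db_t, but nothing in the hunk gives the directory that label when sudo creates it at runtime; the sudo.fc entry only takes effect on a relabel. If /var/db/sudo is absent at install time, the directory and the timestamp files sudo writes into it will inherit the parent's type (whatever files.fc assigns to /var/db — presumably a generic var type, confirm) rather than sudo_db_t, and since those timestamp files decide whether sudo re-prompts for a password their label should not depend on creation order. Either add a file transition for the sudo domain (for example `files_var_filetrans($1_sudo_t, sudo_db_t, dir)` if /var/db is var_t, scoped as narrowly as the available interfaces allow) or make sure the package ships the directory so the %post relabel covers it, and add a comment on the two manage lines: `# sudo timestamp directory; keep confined to the sudo domains`. The enclosing sudo_role_template starts before this hunk.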
@@ -2531,7 +2557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
-@@ -134,7 +138,11 @@
+@@ -134,7 +142,11 @@
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
@@ -2544,6 +2570,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.te serefpolicy-3.7.19/policy/modules/admin/sudo.te
+--- nsaserefpolicy/policy/modules/admin/sudo.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/sudo.te 2010-09-13 15:54:35.371085087 +0200
+@@ -8,3 +8,6 @@
+
+ type sudo_exec_t;
+ application_executable_file(sudo_exec_t)
++
++type sudo_db_t;
++files_type(sudo_db_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.19/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/admin/su.if 2010-05-28 09:41:59.965611225 +0200
@@ -3000,8 +3036,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.19/policy/modules/apps/chrome.te
--- nsaserefpolicy/policy/modules/apps/chrome.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-05-28 09:41:59.970610618 +0200
-@@ -0,0 +1,86 @@
++++ serefpolicy-3.7.19/policy/modules/apps/chrome.te 2010-09-13 14:43:33.016085201 +0200
+@@ -0,0 +1,88 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -3064,6 +3100,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
+miscfiles_read_localization(chrome_sandbox_t)
+miscfiles_read_fonts(chrome_sandbox_t)
+
++sysnet_dontaudit_read_config(chrome_sandbox_t)
++
+optional_policy(`
+ execmem_exec(chrome_sandbox_t)
+')
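Review bot: The added `sysnet_dontaudit_read_config(chrome_sandbox_t)` silences denials for the sandbox reading network configuration (net_conf_t, i.e. resolv.conf and similar) without recording why the sandbox probes those files or that it works correctly without them. A dontaudit should carry a one-line reason, e.g. `# sandbox helper stats /etc/resolv.conf at startup and does not need the contents`, otherwise the next AVC investigation cannot tell whether a real resolver failure is being masked. If the sandbox does need the resolver configuration, this should be `sysnet_read_config` instead. The chrome_sandbox_t policy continues outside this hunk.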
@@ -18649,8 +18687,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te
--- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-02 12:55:05.057085167 +0200
-@@ -0,0 +1,145 @@
++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-13 16:14:36.850085069 +0200
+@@ -0,0 +1,143 @@
+
+policy_module(corosync,1.0.0)
+
@@ -18659,13 +18697,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+# Declarations
+#
+
-+## <desc>
-+## <p>
-+## Allow corosync to read and write generic tmpfs files.
-+## </p>
-+## </desc>
-+gen_tunable(allow_corosync_rw_tmpfs, false)
-+
+type corosync_t;
+type corosync_exec_t;
+init_daemon_domain(corosync_t, corosync_exec_t)
@@ -18762,11 +18793,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
+userdom_delete_user_tmpfs_files(corosync_t)
+userdom_rw_user_tmpfs_files(corosync_t)
+
-+tunable_policy(`allow_corosync_rw_tmpfs',`
-+ fs_rw_tmpfs_files(corosync_t)
-+ fs_delete_tmpfs_files(corosync_t)
++optional_policy(`
++ gen_require(`
++ attribute unconfined_services;
++ ')
++
++ fs_manage_tmpfs_files(corosync_t)
++ init_manage_script_status_files(corosync_t)
+')
+
++
+optional_policy(`
+ ccs_read_config(corosync_t)
+')
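Review bot: The replacement `optional_policy` block in corosync.te requires `attribute unconfined_services` but never uses it, so the only effect of that `gen_require` is to make `fs_manage_tmpfs_files(corosync_t)` and `init_manage_script_status_files(corosync_t)` conditional on the unconfined module being loaded — a confined daemon's privileges should not silently depend on that. The access is also wider than what the removed `allow_corosync_rw_tmpfs` tunable granted: `fs_manage_tmpfs_files` adds create/unlink/rename on every generic tmpfs_t file (which is what unlabelled /dev/shm content carries, confirm), where the tunable gave only rw plus delete and defaulted to off. If corosync genuinely needs this unconditionally, drop the `gen_require` so the rules are plainly unconditional and add a comment naming what it creates, e.g. `# corosync creates its IPC shared-memory segments under /dev/shm`; otherwise keep the rules behind a tunable. `init_manage_script_status_files` lets the daemon rewrite initrc_state_t files and deserves its own justification comment as well.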
@@ -20720,7 +20756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-09 10:57:08.707085315 +0200
++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-13 12:37:55.230085213 +0200
@@ -9,6 +9,9 @@
type dovecot_exec_t;
init_daemon_domain(dovecot_t, dovecot_exec_t)
@@ -20740,7 +20776,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
-@@ -54,15 +57,16 @@
+@@ -27,6 +30,9 @@
+ domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+ role system_r types dovecot_deliver_t;
+
++type dovecot_deliver_tmp_t;
++files_tmp_file(dovecot_deliver_tmp_t)
++
+ type dovecot_etc_t;
+ files_config_file(dovecot_etc_t)
+
+@@ -54,15 +60,16 @@
# dovecot local policy
#
@@ -20759,7 +20805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
-@@ -73,14 +77,26 @@
+@@ -73,14 +80,26 @@
can_exec(dovecot_t, dovecot_exec_t)
@@ -20787,7 +20833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
-@@ -93,6 +109,7 @@
+@@ -93,6 +112,7 @@
corenet_tcp_sendrecv_generic_node(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
@@ -20795,7 +20841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
corenet_tcp_bind_pop_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -103,6 +120,7 @@
+@@ -103,6 +123,7 @@
dev_read_urand(dovecot_t)
fs_getattr_all_fs(dovecot_t)
@@ -20803,7 +20849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
fs_search_auto_mountpoints(dovecot_t)
fs_list_inotifyfs(dovecot_t)
-@@ -142,6 +160,16 @@
+@@ -142,6 +163,16 @@
')
optional_policy(`
@@ -20820,7 +20866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
seutil_sigchld_newrole(dovecot_t)
')
-@@ -172,11 +200,6 @@
+@@ -172,11 +203,6 @@
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
@@ -20832,7 +20878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
dovecot_stream_connect_auth(dovecot_auth_t)
-@@ -197,11 +220,13 @@
+@@ -197,11 +223,13 @@
files_search_pids(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
@@ -20847,7 +20893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_auth_t)
seutil_dontaudit_search_config(dovecot_auth_t)
-@@ -225,6 +250,7 @@
+@@ -225,6 +253,7 @@
')
optional_policy(`
@@ -20855,7 +20901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
postfix_search_spool(dovecot_auth_t)
')
-@@ -234,18 +260,30 @@
+@@ -234,18 +263,34 @@
#
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
@@ -20865,6 +20911,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
+allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms;
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
++manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
++files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
++
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
@@ -20886,7 +20936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -263,15 +301,24 @@
+@@ -263,15 +308,24 @@
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
tunable_policy(`use_nfs_home_dirs',`
@@ -21070,7 +21120,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.19/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-05-28 09:42:00.108611036 +0200
++++ serefpolicy-3.7.19/policy/modules/services/fprintd.te 2010-09-13 13:10:28.599085102 +0200
+@@ -18,9 +18,9 @@
+ # Local policy
+ #
+
+-allow fprintd_t self:capability sys_ptrace;
++allow fprintd_t self:capability { sys_nice sys_ptrace };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
+-allow fprintd_t self:process { getsched signal };
++allow fprintd_t self:process { getsched setsched signal };
+
+ manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+ manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
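Review bot: The new `sys_nice` capability in `allow fprintd_t self:capability { sys_nice sys_ptrace };` is broader than the `setsched` process permission added two lines below: CAP_SYS_NICE lets the daemon raise priorities, set realtime policy and change affinity on arbitrary processes, whereas `self:process setsched` alone already covers lowering its own niceness. If the denial that motivated this was fprintd calling setpriority/sched_setscheduler on itself without raising priority, the capability can be dropped; I cannot see the AVC from here. If a realtime thread in libfprint/libusb does need it, keep it but record that next to the rule: `# libfprint raises a realtime thread priority; needs CAP_SYS_NICE`.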
@@ -55,4 +55,6 @@
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
@@ -33843,16 +33905,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
+iscsi_manage_semaphores(tgtd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.19/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-08-18 13:49:47.647335258 +0200
-@@ -45,6 +45,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-09-13 12:47:18.717085060 +0200
+@@ -43,8 +43,11 @@
+ #
+
allow tor_t self:capability { setgid setuid sys_tty_config };
++allow tor_t self:process signal;
++
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
+allow tor_t self:unix_dgram_socket create_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
allow tor_t self:tcp_socket create_stream_socket_perms;
-@@ -82,6 +83,7 @@
+@@ -82,6 +85,7 @@
corenet_tcp_sendrecv_all_ports(tor_t)
corenet_tcp_sendrecv_all_reserved_ports(tor_t)
corenet_tcp_bind_generic_node(tor_t)
@@ -33860,7 +33926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
corenet_tcp_bind_tor_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
# TOR will need to connect to various ports
-@@ -101,6 +103,8 @@
+@@ -101,6 +105,8 @@
auth_use_nsswitch(tor_t)
@@ -36856,7 +36922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-09-09 13:09:09.505085410 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-09-13 16:15:23.146085276 +0200
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -37089,7 +37155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1712,3 +1808,56 @@
+@@ -1712,3 +1808,74 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -37146,6 +37212,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+ init_dontaudit_use_script_fds($1)
+')
+
++#######################################
++## <summary>
++## Manage init script
++## status files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_manage_script_status_files',`
++ gen_require(`
++ type initrc_state_t;
++ ')
++
++ manage_files_pattern($1, initrc_state_t, initrc_state_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-09-09 10:54:48.345085410 +0200
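Review bot: The summary of the new `init_manage_script_status_files` interface, `Manage init script status files.`, does not say which type or location it opens up, and the body grants `manage_files_pattern` on `initrc_state_t` only — no search on whatever directory holds those files, so a caller outside the init module may still need `files_search_pids` or similar (which directory that is depends on initrc_state_t's .fc entries, not visible here). I would expand the summary to `Create, read, write and delete init script state files (initrc_state_t); callers also need search access to the enclosing directory.` so a policy author knows this is not a read-only interface before handing it to a daemon.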
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 02d5772..85a22b4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 56%{?dist}
+Release: 57%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Mon Sep 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-57
+- Allow dovecot-deliver to create tmp files
+- Allow tor to send signals to itself
+- Handle /var/db/sudo
+- Remove allow_corosync_rw_tmpfs boolean
+
* Thu Sep 9 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-56
- Add unconfined_mmap_zero_ignore boolean