[selinux-policy/f13/master] - Add labeling for /root/.debug - Remove permissive from cmirrord domain - Dontaudit cmirrord_t sys_
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Sep 15 14:24:33 UTC 2010
commit c2e709eac17a42449c00711ee83170f695cd36ce
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Sep 15 16:24:10 2010 +0200
- Add labeling for /root/.debug
- Remove permissive from cmirrord domain
- Dontaudit cmirrord_t sys_tty_config capability
- Allow virtd to read from processes up to its clearance
policy-F13.patch | 91 ++++++++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 8 ++++-
2 files changed, 79 insertions(+), 20 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 486475b..ee93bb4 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -18149,8 +18149,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.7.19/policy/modules/services/cmirrord.te
--- nsaserefpolicy/policy/modules/services/cmirrord.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2010-06-04 07:40:07.080159214 +0200
-@@ -0,0 +1,63 @@
++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2010-09-15 15:45:43.101636923 +0200
+@@ -0,0 +1,62 @@
+
+policy_module(cmirrord,1.0.0)
+
@@ -18163,8 +18163,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+type cmirrord_exec_t;
+init_daemon_domain(cmirrord_t, cmirrord_exec_t)
+
-+permissive cmirrord_t;
-+
+type cmirrord_initrc_exec_t;
+init_script_file(cmirrord_initrc_exec_t)
+
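Review bot: Dropping `permissive cmirrord_t;` turns every rule still missing from this module into an enforced denial, and the only rule added alongside it is the `dontaudit cmirrord_t self:capability sys_tty_config;` in the next hunk, which silences that denial rather than granting it. If that dontaudit is what the permissive run surfaced, a one-line comment on it, e.g. `# seen under permissive testing; sys_tty_config is not needed, silence only`, would record that the domain was validated before enforcing. The cmirrord.te file is new in the inner patch, so no older enforcing history exists to compare against.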
@@ -18180,6 +18178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+#
+
+allow cmirrord_t self:capability { net_admin kill };
++dontaudit cmirrord_t self:capability sys_tty_config;
+allow cmirrord_t self:process { fork signal };
+
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
@@ -29014,6 +29013,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.19/policy/modules/services/postgresql.te
+--- nsaserefpolicy/policy/modules/services/postgresql.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postgresql.te 2010-09-15 15:43:14.862386997 +0200
+@@ -251,7 +251,7 @@
+ domain_use_interactive_fds(postgresql_t)
+
+ files_dontaudit_search_home(postgresql_t)
+-files_manage_etc_files(postgresql_t)
++files_read_etc_files(postgresql_t)
+ files_search_etc(postgresql_t)
+ files_read_etc_runtime_files(postgresql_t)
+ files_read_usr_files(postgresql_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.19/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/ppp.te 2010-05-28 09:42:00.159610853 +0200
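Review bot: The postgresql_t change from `files_manage_etc_files(postgresql_t)` to `files_read_etc_files(postgresql_t)` is a privilege reduction that neither the commit message nor the spec changelog mentions; the same goes for the tgtd sysfs/semaphore changes and the iscsid semaphore change in later hunks of this patch. A changelog line such as `- Remove files_manage_etc_files from postgresql_t` would make the tightening discoverable if postgresql later fails to write under /etc. The inner postgresql.te hunk is complete within this section.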
@@ -33878,9 +33889,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.19/policy/modules/services/tgtd.if
+--- nsaserefpolicy/policy/modules/services/tgtd.if 2010-04-13 20:44:36.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/services/tgtd.if 2010-09-15 15:55:31.098636967 +0200
+@@ -26,3 +26,21 @@
+
+ allow $1 tgtd_t:sem rw_sem_perms;
+ ')
++
++#######################################
++## <summary>
++## Manage tgtd sempaphores.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tgtd_manage_semaphores',`
++ gen_require(`
++ type tgtd_t;
++ ')
++
++ allow $1 tgtd_t:sem create_sem_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.19/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-05-28 09:42:00.195610901 +0200
++++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-09-15 15:54:21.234637075 +0200
@@ -38,7 +38,7 @@
allow tgtd_t self:unix_dgram_socket create_socket_perms;
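Review bot: The summary of the new interface misspells its subject: `## Manage tgtd sempaphores.` should read `## Manage tgtd semaphores.`. Note also that `create_sem_perms` is a wider set than the `rw_sem_perms` of the existing interface directly above it — in refpolicy's permission sets it adds create, setattr and destroy — so any caller switched to it (iscsid_t in the iscsi.te hunk later in this patch) gains the ability to remove tgtd's semaphores; worth confirming the observed denials needed create or destroy rather than only write. The tgtd.te lines at the end of this hunk are context only.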
@@ -33890,8 +33926,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
-@@ -60,8 +60,12 @@
+@@ -58,10 +58,18 @@
+ corenet_tcp_bind_iscsi_port(tgtd_t)
+ corenet_sendrecv_iscsi_server_packets(tgtd_t)
++dev_search_sysfs(tgtd_t)
++
files_read_etc_files(tgtd_t)
+fs_read_anon_inodefs_files(tgtd_t)
@@ -33902,7 +33942,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
miscfiles_read_localization(tgtd_t)
+
-+iscsi_manage_semaphores(tgtd_t)
++optional_policy(`
++ iscsi_manage_semaphores(tgtd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.19/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/tor.te 2010-09-13 12:47:18.717085060 +0200
@@ -34404,7 +34446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-09 13:45:21.039085272 +0200
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-09-15 15:47:01.852387031 +0200
@@ -1,5 +1,5 @@
-policy_module(virt, 1.3.2)
@@ -34618,7 +34660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -267,6 +315,17 @@
+@@ -267,6 +315,18 @@
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -34629,6 +34671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+mls_file_read_to_clearance(virtd_t)
+mls_file_write_to_clearance(virtd_t)
+mls_process_write_to_clearance(virtd_t)
++mls_process_read_to_clearance(virtd_t)
+mls_net_write_within_range(virtd_t)
+mls_socket_write_to_clearance(virtd_t)
+mls_socket_read_to_clearance(virtd_t)
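Review bot: `mls_process_read_to_clearance(virtd_t)` is added with no comment, and the surrounding MLS overrides for files and sockets are equally bare; these rules let virtd_t read process state across MLS levels up to its clearance, a deliberate information-flow exception that tends to be questioned on MLS reviews. A short comment above the block, e.g. `# virtd manages guests running at any level up to its clearance`, would record the reason. The precise need — presumably reading the state of guest processes launched at other levels — should be confirmed against the denial that prompted it.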
@@ -34636,7 +34679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
-@@ -291,15 +350,24 @@
+@@ -291,15 +351,24 @@
logging_send_syslog_msg(virtd_t)
@@ -34661,7 +34704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -370,6 +438,8 @@
+@@ -370,6 +439,8 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -34670,7 +34713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -407,6 +477,19 @@
+@@ -407,6 +478,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -34690,7 +34733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +510,7 @@
+@@ -427,6 +511,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -34698,7 +34741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,10 +518,12 @@
+@@ -434,10 +519,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -34711,7 +34754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -445,6 +531,11 @@
+@@ -445,6 +532,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -34723,7 +34766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +553,13 @@
+@@ -462,8 +554,13 @@
')
optional_policy(`
@@ -38196,7 +38239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.19/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2010-06-09 23:08:12.877208512 +0200
++++ serefpolicy-3.7.19/policy/modules/system/iscsi.te 2010-09-15 15:53:35.451386747 +0200
@@ -77,6 +77,8 @@
dev_rw_sysfs(iscsid_t)
@@ -38206,6 +38249,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
+@@ -92,5 +94,5 @@
+ miscfiles_read_localization(iscsid_t)
+
+ optional_policy(`
+- tgtd_rw_semaphores(iscsid_t)
++ tgtd_manage_semaphores(iscsid_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.19/policy/modules/system/kdump.te
--- nsaserefpolicy/policy/modules/system/kdump.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/kdump.te 2010-08-11 11:35:47.007335356 +0200
@@ -42112,8 +42162,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-09-09 13:46:56.201334848 +0200
-@@ -1,4 +1,15 @@
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-09-15 15:41:19.167386857 +0200
+@@ -1,4 +1,18 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -42121,6 +42171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
++/root/\.debug(/.*)? <<none>>
+/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
+HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0)
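Review bot: `<<none>>` on `/root/\.debug(/.*)?` tells setfiles/restorecon to leave whatever label files under it already carry, so nothing created there will ever be corrected by a relabel; that is the intent here (and for `HOME_DIR/\.debug(/.*)?` in the next hunk), but the file gives no hint what populates that directory. A comment naming the consumer — presumably a per-user debug/build-id cache written by a profiling tool, confirm — would stop a later cleanup from "fixing" the entry to admin_home_t. The next hunk also appends a stray blank line at the end of userdomain.fc (`++`), which can be dropped.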
@@ -42130,6 +42181,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <<none>>
++HOME_DIR/\.debug(/.*)? <<none>>
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-08-10 16:46:30.604085285 +0200
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 85a22b4..6f9c7b1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 57%{?dist}
+Release: 58%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Wed Sep 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-58
+- Add labeling for /root/.debug
+- Remove permissive from cmirrord domain
+- Dontaudit cmirrord_t sys_tty_config capability
+- Allow virtd to read from processes up to its clearance
+
* Mon Sep 13 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-57
- Allow dovecot-deliver to create tmp files
- Allow tor to send signals to itself