[selinux-policy] - Add vnstat policy - allow libvirt to send audit messages - Allow chrome-sandbox to search nfs_t

Daniel J Walsh dwalsh at fedoraproject.org
Thu Sep 16 22:00:05 UTC 2010


commit ea3b7b5dff00170fa23dc553acd429756867b149
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Sep 16 18:00:00 2010 -0400

    - Add vnstat policy
    - allow libvirt to send audit messages
    - Allow chrome-sandbox to search nfs_t

 booleans-targeted.conf |    6 +-
 modules-targeted.conf  |    7 +
 policy-F14.patch       |  417 ++++++++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec    |    7 +-
 4 files changed, 363 insertions(+), 74 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 2f6490c..9973c32 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,14 +1,14 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = false
+allow_execmem = true
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
-allow_execmod = false
+allow_execmod = true
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = false
+allow_execstack = true
 
 # Allow ftpd to read cifs directories.
 # 
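Review bot: Flipping allow_execmem, allow_execmod and allow_execstack from false to true on lines 29, 34 and 39 changes the shipped default for every domain in the targeted policy, yet neither the commit message nor the spec changelog mentions it. These three booleans gate the policy's W^X-style protections (anonymous executable memory, text relocations, executable stacks), so enabling them by default removes a system-wide mitigation rather than fixing one application; if that is intended for this release it needs a changelog line and a comment above each toggle such as `# Enabled by default in F14: <reason>` so the relaxation is visible to whoever audits the defaults later. Conversely, the "Allow chrome-sandbox to search nfs_t" item in the message does not correspond to any hunk visible on this page, so either the message or the diff is incomplete.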
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 23d9eb7..4c32c94 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1825,6 +1825,13 @@ varnishd = module
 # 
 virt = module
 
+# Layer: services
+# Module: vnstatd
+#
+# Network traffic Monitor
+# 
+vnstatd = module
+
 # Layer: apps
 # Module: qemu
 #
diff --git a/policy-F14.patch b/policy-F14.patch
index be8c885..0e002d9 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -349,10 +349,10 @@ index 66e486e..bfda8e9 100644
  ')
  
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 0b6123e..dd4cd30 100644
+index 0b6123e..d64682f 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
-@@ -119,6 +119,7 @@ seutil_dontaudit_read_config(logrotate_t)
+@@ -119,14 +119,20 @@ seutil_dontaudit_read_config(logrotate_t)
  userdom_use_user_terminals(logrotate_t)
  userdom_list_user_home_dirs(logrotate_t)
  userdom_use_unpriv_users_fds(logrotate_t)
@@ -360,8 +360,14 @@ index 0b6123e..dd4cd30 100644
  
  cron_system_entry(logrotate_t, logrotate_exec_t)
  cron_search_spool(logrotate_t)
-@@ -126,7 +127,7 @@ cron_search_spool(logrotate_t)
- mta_send_mail(logrotate_t)
+ 
+-mta_send_mail(logrotate_t)
++#mta_send_mail(logrotate_t)
++mta_base_mail_template(logrotate)
++mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
++role system_r types logrotate_mail_t;
++logging_read_all_logs(logrotate_mail_t)
++manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
  
  ifdef(`distro_debian', `
 -	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
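Review bot: The new logrotate_mail_t domain introduced on lines 87-91 is not mentioned in the commit message or changelog, and `+#mta_send_mail(logrotate_t)` on line 86 leaves the replaced rule as commented-out policy instead of deleting it. `logging_read_all_logs(logrotate_mail_t)` grants the mail child read access to every log type on the system; that is presumably needed because logrotate mails rotated logs to the admin, but a one-line comment stating it, e.g. `# logrotate mails rotated logs, so its sendmail child must read all log types`, keeps the broad grant from looking accidental. The enclosing logrotate.te block starts before and continues past this hunk.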
@@ -9504,7 +9510,7 @@ index ebe6a9c..e3a1987 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 1854002..b0d95d4 100644
+index 1854002..571c76e 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,46 @@ policy_module(staff, 2.1.2)
@@ -9590,7 +9596,7 @@ index 1854002..b0d95d4 100644
  	oident_manage_user_content(staff_t)
  	oident_relabel_user_content(staff_t)
  ')
-@@ -36,21 +99,62 @@ optional_policy(`
+@@ -36,21 +99,66 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9650,12 +9656,16 @@ index 1854002..b0d95d4 100644
 +')
 +
 +optional_policy(`
++	vnstatd_read_lib_files(staff_t)
++')
++
++optional_policy(`
 +	webadm_role_change(staff_r)
 +')
  
  optional_policy(`
  	xserver_role(staff_r, staff_t)
-@@ -138,10 +242,6 @@ ifndef(`distro_redhat',`
+@@ -138,10 +246,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -15636,7 +15646,7 @@ index 35241ed..9822074 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t,  system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..ff1a1c9 100644
+index f35b243..45f5a6f 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
@@ -15772,7 +15782,17 @@ index f35b243..ff1a1c9 100644
  ')
  
  optional_policy(`
-@@ -290,6 +334,8 @@ optional_policy(`
+@@ -284,12 +328,18 @@ optional_policy(`
+ 	udev_read_db(crond_t)
+ ')
+ 
++optional_policy(`
++	vnstatd_search_lib(crond_t)
++')
++
+ ########################################
+ #
+ # System cron process domain
  #
  
  allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
@@ -15781,7 +15801,7 @@ index f35b243..ff1a1c9 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -301,10 +347,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -301,10 +351,17 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -15800,7 +15820,7 @@ index f35b243..ff1a1c9 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -324,6 +377,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -324,6 +381,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -15808,7 +15828,7 @@ index f35b243..ff1a1c9 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -335,9 +389,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -335,9 +393,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -15823,7 +15843,7 @@ index f35b243..ff1a1c9 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -360,6 +418,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -360,6 +422,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -15831,7 +15851,7 @@ index f35b243..ff1a1c9 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -386,6 +445,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -386,6 +449,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -15839,7 +15859,7 @@ index f35b243..ff1a1c9 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -410,6 +470,8 @@ seutil_read_config(system_cronjob_t)
+@@ -410,6 +474,8 @@ seutil_read_config(system_cronjob_t)
  
  ifdef(`distro_redhat', `
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -15848,7 +15868,7 @@ index f35b243..ff1a1c9 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -434,6 +496,8 @@ optional_policy(`
+@@ -434,6 +500,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -15857,7 +15877,7 @@ index f35b243..ff1a1c9 100644
  ')
  
  optional_policy(`
-@@ -441,6 +505,14 @@ optional_policy(`
+@@ -441,6 +509,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15872,7 +15892,7 @@ index f35b243..ff1a1c9 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -451,15 +523,24 @@ optional_policy(`
+@@ -451,15 +527,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15897,7 +15917,7 @@ index f35b243..ff1a1c9 100644
  ')
  
  optional_policy(`
-@@ -475,7 +556,7 @@ optional_policy(`
+@@ -475,7 +560,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -15906,7 +15926,7 @@ index f35b243..ff1a1c9 100644
  ')
  
  optional_policy(`
-@@ -490,6 +571,7 @@ optional_policy(`
+@@ -490,6 +575,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -15914,7 +15934,7 @@ index f35b243..ff1a1c9 100644
  ')
  
  optional_policy(`
-@@ -497,7 +579,13 @@ optional_policy(`
+@@ -497,7 +583,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15928,7 +15948,7 @@ index f35b243..ff1a1c9 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -590,7 +678,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -590,7 +682,10 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -16152,7 +16172,7 @@ index e182bf4..f80e725 100644
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 39e901a..87fc055 100644
+index 39e901a..7852441 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -42,8 +42,10 @@ template(`dbus_role_template',`
@@ -16184,7 +16204,7 @@ index 39e901a..87fc055 100644
  	allow $1_dbusd_t $3:process sigkill;
  	allow $3 $1_dbusd_t:fd use;
  	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -149,13 +151,20 @@ template(`dbus_role_template',`
+@@ -149,17 +151,25 @@ template(`dbus_role_template',`
  
  	term_use_all_terms($1_dbusd_t)
  
@@ -16206,7 +16226,12 @@ index 39e901a..87fc055 100644
  		hal_dbus_chat($1_dbusd_t)
  	')
  
-@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
+ 	optional_policy(`
++		xserver_search_xdm_lib($1_dbusd_t)
+ 		xserver_use_xdm_fds($1_dbusd_t)
+ 		xserver_rw_xdm_pipes($1_dbusd_t)
+ 	')
+@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',`
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -16219,7 +16244,7 @@ index 39e901a..87fc055 100644
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -431,13 +442,26 @@ interface(`dbus_system_domain',`
+@@ -431,13 +443,26 @@ interface(`dbus_system_domain',`
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
@@ -16246,7 +16271,7 @@ index 39e901a..87fc055 100644
  	ifdef(`hide_broken_symptoms', `
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
-@@ -479,3 +503,22 @@ interface(`dbus_unconfined',`
+@@ -479,3 +504,22 @@ interface(`dbus_unconfined',`
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -23987,10 +24012,10 @@ index 00fa514..9ab1d80 100644
  	mysql_stream_connect(rgmanager_t)
  ')
 diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
-index c2ba53b..a8676c7 100644
+index c2ba53b..d862e7e 100644
 --- a/policy/modules/services/rhcs.fc
 +++ b/policy/modules/services/rhcs.fc
-@@ -1,6 +1,7 @@
+@@ -1,14 +1,17 @@
  /usr/sbin/dlm_controld			--	gen_context(system_u:object_r:dlm_controld_exec_t,s0)
  /usr/sbin/fenced			--	gen_context(system_u:object_r:fenced_exec_t,s0)
  /usr/sbin/fence_node			--	gen_context(system_u:object_r:fenced_exec_t,s0)
@@ -23998,8 +24023,10 @@ index c2ba53b..a8676c7 100644
  /usr/sbin/gfs_controld			--	gen_context(system_u:object_r:gfs_controld_exec_t,s0)
  /usr/sbin/groupd			--	gen_context(system_u:object_r:groupd_exec_t,s0)
  /usr/sbin/qdiskd			--	gen_context(system_u:object_r:qdiskd_exec_t,s0)
-@@ -9,6 +10,7 @@
  
+ /var/lock/fence_manual\.lock		--	gen_context(system_u:object_r:fenced_lock_t,s0)
+ 
++/var/lib/cluster(/.*)?				gen_context(system_u:object_r:cluster_var_lib_t,s0)
  /var/lib/qdiskd(/.*)?				gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
  
 +/var/log/cluster/.*\.*log			<<none>>
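Review bot: The added file context on line 347 labels /var/lib/cluster with cluster_var_lib_t, but no hunk in this commit declares that type in rhcs.te, and an .fc entry naming an undeclared type fails at module build time. If the type already exists upstream this is fine, but the commit should say so; otherwise the `type cluster_var_lib_t;` / `files_type(cluster_var_lib_t)` declaration and the rules letting the cluster daemons use it belong in the same change. The rhcs.fc section continues past this hunk.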
@@ -27997,7 +28024,7 @@ index 7c5d8d8..e584e21 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..fec701f 100644
+index 3eca020..8dac607 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
@@ -28239,9 +28266,11 @@ index 3eca020..fec701f 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -286,15 +351,24 @@ modutils_manage_module_config(virtd_t)
+@@ -285,16 +350,26 @@ modutils_read_module_config(virtd_t)
+ modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
++logging_send_audit_msgs(virtd_t)
  
 +selinux_validate_context(virtd_t)
 +
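Review bot: `logging_send_audit_msgs(virtd_t)` on line 369 grants libvirtd the audit_write capability and a netlink audit socket, which lets the daemon emit records that the audit trail treats as authoritative, but the rule carries no comment saying which events libvirt generates. A short why-comment, e.g. `# libvirt emits audit records for guest lifecycle and resource changes — confirm against libvirt's audit usage`, would let a later reviewer distinguish a deliberate grant from a denial silenced by copy-paste. The virtd_t block continues outside this hunk.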
@@ -28264,7 +28293,7 @@ index 3eca020..fec701f 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +439,8 @@ optional_policy(`
+@@ -365,6 +440,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -28273,7 +28302,7 @@ index 3eca020..fec701f 100644
  ')
  
  optional_policy(`
-@@ -402,6 +478,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+@@ -402,6 +479,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
  allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
  allow virt_domain self:tcp_socket create_stream_socket_perms;
  
@@ -28293,7 +28322,7 @@ index 3eca020..fec701f 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +511,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +512,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -28301,7 +28330,7 @@ index 3eca020..fec701f 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +519,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +520,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -28314,7 +28343,7 @@ index 3eca020..fec701f 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +532,11 @@ files_search_all(virt_domain)
+@@ -440,6 +533,11 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -28326,7 +28355,7 @@ index 3eca020..fec701f 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +554,121 @@ optional_policy(`
+@@ -457,8 +555,121 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28448,6 +28477,249 @@ index 3eca020..fec701f 100644
 +	userdom_search_admin_dir(virsh_ssh_t)
 +')
 +
+diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
+new file mode 100644
+index 0000000..7667c31
+--- /dev/null
++++ b/policy/modules/services/vnstatd.fc
+@@ -0,0 +1,6 @@
++
++/usr/bin/vnstat		--	gen_context(system_u:object_r:vnstat_exec_t,s0)
++
++/usr/sbin/vnstatd	--	gen_context(system_u:object_r:vnstatd_exec_t,s0)
++
++/var/lib/vnstat(/.*)?		gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
+diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
+new file mode 100644
+index 0000000..85dba86
+--- /dev/null
++++ b/policy/modules/services/vnstatd.if
+@@ -0,0 +1,150 @@
++
++## <summary>policy for vnstatd</summary>
++
++
++########################################
++## <summary>
++##	Execute a domain transition to run vnstatd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`vnstatd_domtrans',`
++	gen_require(`
++		type vnstatd_t, vnstatd_exec_t;
++	')
++
++	domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
++')
++
++
++
++########################################
++## <summary>
++##	Execute a domain transition to run vnstat.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`vnstatd_domtrans_vnstat',`
++	gen_require(`
++		type vnstat_t, vnstat_exec_t;
++	')
++
++	domtrans_pattern($1, vnstat_exec_t, vnstat_t)
++')
++
++########################################
++## <summary>
++##	Search vnstatd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vnstatd_search_lib',`
++	gen_require(`
++		type vnstatd_var_lib_t;
++	')
++
++	allow $1 vnstatd_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read vnstatd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vnstatd_read_lib_files',`
++	gen_require(`
++		type vnstatd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	vnstatd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vnstatd_manage_lib_files',`
++	gen_require(`
++		type vnstatd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage vnstatd lib dirs files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vnstatd_manage_lib_dirs',`
++	gen_require(`
++		type vnstatd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an vnstatd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`vnstatd_admin',`
++	gen_require(`
++		type vnstatd_t;
++                type vnstatd_var_lib_t;
++	')
++
++	allow $1 vnstatd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, vnstatd_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, vnstatd_var_lib_t)
++
++')
+diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
+new file mode 100644
+index 0000000..db526e6
+--- /dev/null
++++ b/policy/modules/services/vnstatd.te
+@@ -0,0 +1,69 @@
++policy_module(vnstatd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type vnstatd_t;
++type vnstatd_exec_t;
++init_daemon_domain(vnstatd_t, vnstatd_exec_t)
++
++permissive vnstatd_t;
++
++type vnstatd_var_lib_t;
++files_type(vnstatd_var_lib_t)
++
++type vnstat_t;
++type vnstat_exec_t;
++application_domain(vnstat_t, vnstat_exec_t)
++cron_system_entry(vnstat_t, vnstat_exec_t)
++
++########################################
++#
++# vnstatd local policy
++#
++allow vnstatd_t self:process { fork signal };
++
++allow vnstatd_t self:fifo_file rw_fifo_file_perms;
++allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
++manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file } )
++
++domain_use_interactive_fds(vnstatd_t)
++
++files_read_etc_files(vnstatd_t)
++
++logging_send_syslog_msg(vnstatd_t)
++
++miscfiles_read_localization(vnstatd_t)
++
++########################################
++#
++# vnstat local policy
++#
++allow vnstat_t self:process { signal };
++
++allow vnstat_t self:fifo_file rw_fifo_file_perms;
++allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
++manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
++files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file } )
++
++kernel_read_network_state(vnstat_t)
++kernel_read_system_state(vnstat_t)
++
++domain_use_interactive_fds(vnstat_t)
++
++files_read_etc_files(vnstat_t)
++
++fs_getattr_xattr_fs(vnstat_t)
++
++logging_send_syslog_msg(vnstat_t)
++
++miscfiles_read_localization(vnstat_t)
++
++
 diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
 index 1174ad8..f4c4c1b 100644
 --- a/policy/modules/services/w3c.te
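Review bot: `permissive vnstatd_t;` on line 616 puts the new daemon domain in permissive mode, so any rule missing from the vnstatd_t block on lines 630-645 is logged but never enforced, which makes that block hard to judge on its own; the gap most likely to surface is that vnstatd_t has no `kernel_read_network_state(vnstatd_t)` even though the cron-run vnstat_t gets it on line 660, and a daemon whose job is sampling interface counters presumably reads the same /proc/net files — check the denials collected while permissive before the flag is dropped. `vnstatd_admin` on lines 586-598 documents a `role` parameter and `<rolecap/>` but never references `$2`, so either remove the parameter from the summary or wire it into a run/role interface. Minor style: the .if mixes tabs and eight-space indents on lines 526, 546, 565 and 589, and `policy_module(vnstatd,1.0.0)` on line 605 lacks the conventional space after the comma. The three vnstatd files are complete within this hunk; the surrounding virt.te and w3c.te context is not.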
@@ -29441,7 +29713,7 @@ index da2601a..f34a53f 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..5fbf38f 100644
+index e226da4..29d5384 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@@ -29616,7 +29888,7 @@ index e226da4..5fbf38f 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -246,30 +292,64 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -246,50 +292,105 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(iceauth_t)
  ')
  
@@ -29683,8 +29955,13 @@ index e226da4..5fbf38f 100644
 +fs_getattr_all_fs(xauth_t)
  fs_search_auto_mountpoints(xauth_t)
  
- # cjp: why?
-@@ -279,17 +359,37 @@ auth_use_nsswitch(xauth_t)
+-# cjp: why?
+-term_use_ptmx(xauth_t)
++# Probably a leak
++term_dontaudit_use_ptmx(xauth_t)
++term_dontaudit_use_console(xauth_t)
+ 
+ auth_use_nsswitch(xauth_t)
  
  userdom_use_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
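Review bot: The comment `+# Probably a leak` on line 703 does not say what is leaked or from where, so the next maintainer cannot tell whether the dontaudit rules on lines 704-705 can ever be removed. Switching from `term_use_ptmx(xauth_t)` to `term_dontaudit_use_ptmx`/`term_dontaudit_use_console` silences the denial rather than granting access, which is the safer direction, but the comment should name the suspected source, e.g. `# xauth appears to inherit the caller's pty/console fd; dontaudit instead of allow until the leak is confirmed`. The xauth_t block continues outside this hunk.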
@@ -29722,7 +29999,7 @@ index e226da4..5fbf38f 100644
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -301,20 +401,33 @@ optional_policy(`
+@@ -301,20 +402,33 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -29759,7 +30036,7 @@ index e226da4..5fbf38f 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -322,32 +435,55 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -322,32 +436,55 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -29820,7 +30097,7 @@ index e226da4..5fbf38f 100644
  allow xdm_t xserver_t:unix_stream_socket connectto;
  
  allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -355,10 +491,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
+@@ -355,10 +492,13 @@ allow xdm_t xserver_tmp_t:dir { setattr list_dir_perms };
  
  # transition to the xdm xserver
  domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -29834,7 +30111,7 @@ index e226da4..5fbf38f 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -367,15 +506,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -367,15 +507,22 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -29858,7 +30135,7 @@ index e226da4..5fbf38f 100644
  
  corecmd_exec_shell(xdm_t)
  corecmd_exec_bin(xdm_t)
-@@ -390,18 +536,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -390,18 +537,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -29882,7 +30159,7 @@ index e226da4..5fbf38f 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -410,18 +560,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -410,18 +561,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -29909,7 +30186,7 @@ index e226da4..5fbf38f 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -432,9 +587,17 @@ files_list_mnt(xdm_t)
+@@ -432,9 +588,17 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -29927,7 +30204,7 @@ index e226da4..5fbf38f 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +606,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -443,28 +607,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -29966,7 +30243,7 @@ index e226da4..5fbf38f 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -473,6 +644,13 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -473,6 +645,13 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -29980,7 +30257,7 @@ index e226da4..5fbf38f 100644
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -504,11 +682,17 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -504,11 +683,17 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -29998,7 +30275,7 @@ index e226da4..5fbf38f 100644
  ')
  
  optional_policy(`
-@@ -516,12 +700,51 @@ optional_policy(`
+@@ -516,12 +701,51 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30050,7 +30327,7 @@ index e226da4..5fbf38f 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,20 +762,64 @@ optional_policy(`
+@@ -539,20 +763,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30117,7 +30394,7 @@ index e226da4..5fbf38f 100644
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -561,7 +828,6 @@ optional_policy(`
+@@ -561,7 +829,6 @@ optional_policy(`
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -30125,7 +30402,7 @@ index e226da4..5fbf38f 100644
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +838,10 @@ optional_policy(`
+@@ -572,6 +839,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30136,7 +30413,7 @@ index e226da4..5fbf38f 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +866,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +867,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -30145,7 +30422,7 @@ index e226da4..5fbf38f 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +880,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +881,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -30164,7 +30441,7 @@ index e226da4..5fbf38f 100644
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +911,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +912,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -30186,7 +30463,7 @@ index e226da4..5fbf38f 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +931,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +932,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -30194,7 +30471,7 @@ index e226da4..5fbf38f 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +958,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +959,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -30202,7 +30479,7 @@ index e226da4..5fbf38f 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,8 +967,13 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,8 +968,13 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -30216,7 +30493,7 @@ index e226da4..5fbf38f 100644
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
  files_read_usr_files(xserver_t)
-@@ -693,8 +987,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +988,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -30230,7 +30507,7 @@ index e226da4..5fbf38f 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1015,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1016,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -30245,7 +30522,7 @@ index e226da4..5fbf38f 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1075,28 @@ optional_policy(`
+@@ -773,12 +1076,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30275,7 +30552,7 @@ index e226da4..5fbf38f 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -787,6 +1105,10 @@ optional_policy(`
+@@ -787,6 +1106,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30286,7 +30563,7 @@ index e226da4..5fbf38f 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1124,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1125,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -30299,7 +30576,7 @@ index e226da4..5fbf38f 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -826,6 +1148,13 @@ init_use_fds(xserver_t)
+@@ -826,6 +1149,13 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -30313,7 +30590,7 @@ index e226da4..5fbf38f 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -841,11 +1170,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1171,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -30330,7 +30607,7 @@ index e226da4..5fbf38f 100644
  ')
  
  optional_policy(`
-@@ -991,3 +1323,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+@@ -991,3 +1324,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e2f8051..cf315b4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,11 @@ exit 0
 %endif
 
 %changelog
+* Thu Sep 16 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-2
+- Add vnstat policy
+- allow libvirt to send audit messages
+- Allow chrome-sandbox to search nfs_t
+
 * Thu Sep 16 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-1
 - Update to upstream
 

