[selinux-policy/f15/master] - xdm_t needs getsession for switch user - Every app that used to exec init is now execing systemdct
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Apr 13 19:22:05 UTC 2011
commit 8fa280d0fe548109ab12a002c667c10ff138b994
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Apr 13 21:23:04 2011 +0000
- xdm_t needs getsession for switch user
- Every app that used to exec init is now execing systemctl
- Allow squid to manage krb5_host_rcache_t files
- Allow foghorn to connect to agentx port
- Fixes for colord policy
policy-F15.patch | 329 ++++++++++++++++++++++++++++-----------------------
selinux-policy.spec | 9 ++-
2 files changed, 191 insertions(+), 147 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index d6e37c0..b75b1a0 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -10988,7 +10988,7 @@ index 16108f6..7307872 100644
+
+/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..0718ea9 100644
+index 958ca84..aaf48dc 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -11458,7 +11458,32 @@ index 958ca84..0718ea9 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -3914,6 +4268,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3858,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',`
+ dontaudit $1 tmp_t:dir list_dir_perms;
+ ')
+
++#######################################
++## <summary>
++## Allow read and write to the tmp directory (/tmp).
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain not to audit.
++## </summary>
++## </param>
++#
++interface(`files_rw_generic_tmp_dir',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ allow $1 tmp_t:dir rw_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Remove entries from the tmp directory.
+@@ -3914,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
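Review bot: The parameter description of the new `files_rw_generic_tmp_dir` interface says `Domain not to audit.`, but the body is an allow rule (`allow $1 tmp_t:dir rw_dir_perms;`), not a dontaudit. The text looks carried over from `files_dontaudit_list_tmp` directly above and should read `Domain allowed access.`. The summary would also be more accurate as `Add and remove entries in the tmp directory (/tmp).`, because rw_dir_perms on a directory includes add_name and remove_name. Someone auditing callers of this interface needs to see that from the doc block.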
@@ -11491,7 +11516,7 @@ index 958ca84..0718ea9 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3968,7 +4348,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4366,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -11500,7 +11525,7 @@ index 958ca84..0718ea9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -3976,17 +4356,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3976,17 +4374,95 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -11519,33 +11544,27 @@ index 958ca84..0718ea9 100644
## <summary>
-## List all tmp directories.
+## Relabel a file from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -3994,22 +4374,100 @@ interface(`files_setattr_all_tmp_dirs',`
- ## </summary>
- ## </param>
- #
--interface(`files_list_all_tmp',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+interface(`files_relabelfrom_tmp_files',`
- gen_require(`
-- attribute tmpfile;
++ gen_require(`
+ type tmp_t;
- ')
-
-- allow $1 tmpfile:dir list_dir_perms;
++ ')
++
+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes
--## of all tmp files.
++')
++
++########################################
++## <summary>
+## Relabel all tmp dirs.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
@@ -11603,33 +11622,10 @@ index 958ca84..0718ea9 100644
+########################################
+## <summary>
+## List all tmp directories.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`files_list_all_tmp',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain not to audit.
- ## </summary>
- ## </param>
- #
-@@ -4127,6 +4585,15 @@ interface(`files_purge_tmp',`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4127,6 +4603,15 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11645,7 +11641,7 @@ index 958ca84..0718ea9 100644
')
########################################
-@@ -4736,6 +5203,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5221,24 @@ interface(`files_read_var_files',`
########################################
## <summary>
@@ -11670,7 +11666,7 @@ index 958ca84..0718ea9 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
-@@ -5071,6 +5556,25 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5574,25 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -11696,7 +11692,7 @@ index 958ca84..0718ea9 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
-@@ -5084,6 +5588,8 @@ interface(`files_search_locks',`
+@@ -5084,6 +5606,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11705,7 +11701,7 @@ index 958ca84..0718ea9 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5103,11 +5609,32 @@ interface(`files_dontaudit_search_locks',`
+@@ -5103,11 +5627,32 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -11738,7 +11734,7 @@ index 958ca84..0718ea9 100644
## Add and remove entries in the /var/lock
## directories.
## </summary>
-@@ -5122,6 +5649,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5122,6 +5667,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11746,7 +11742,7 @@ index 958ca84..0718ea9 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5140,7 +5668,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5140,7 +5686,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -11755,7 +11751,7 @@ index 958ca84..0718ea9 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5156,12 +5684,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5702,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -11772,7 +11768,7 @@ index 958ca84..0718ea9 100644
')
########################################
-@@ -5180,7 +5708,7 @@ interface(`files_manage_generic_locks',`
+@@ -5180,7 +5726,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11781,7 +11777,7 @@ index 958ca84..0718ea9 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5207,6 +5735,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5753,27 @@ interface(`files_delete_all_locks',`
########################################
## <summary>
@@ -11809,7 +11805,7 @@ index 958ca84..0718ea9 100644
## Read all lock files.
## </summary>
## <param name="domain">
-@@ -5221,7 +5770,7 @@ interface(`files_read_all_locks',`
+@@ -5221,7 +5788,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11818,7 +11814,7 @@ index 958ca84..0718ea9 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5243,7 +5792,7 @@ interface(`files_manage_all_locks',`
+@@ -5243,7 +5810,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11827,7 +11823,7 @@ index 958ca84..0718ea9 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5275,7 +5824,7 @@ interface(`files_lock_filetrans',`
+@@ -5275,7 +5842,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11836,7 +11832,7 @@ index 958ca84..0718ea9 100644
filetrans_pattern($1, var_lock_t, $2, $3)
')
-@@ -5332,9 +5881,47 @@ interface(`files_search_pids',`
+@@ -5332,9 +5899,47 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11884,7 +11880,7 @@ index 958ca84..0718ea9 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5542,6 +6129,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6147,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -11947,7 +11943,7 @@ index 958ca84..0718ea9 100644
## Read all process ID files.
## </summary>
## <param name="domain">
-@@ -5559,6 +6202,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6220,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -11992,7 +11988,7 @@ index 958ca84..0718ea9 100644
')
########################################
-@@ -5844,3 +6525,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6543,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -21499,10 +21495,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..eadbdf4
+index 0000000..63872b7
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,83 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -21549,11 +21545,12 @@ index 0000000..eadbdf4
+dev_write_raw_memory(colord_t)
+dev_read_video_dev(colord_t)
+dev_write_video_dev(colord_t)
++dev_rw_printer(colord_t)
+dev_read_rand(colord_t)
+dev_read_sysfs(colord_t)
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
-+dev_read_generic_usb_dev(colord_t)
++dev_rw_generic_usb_dev(colord_t)
+storage_read_scsi_generic(colord_t)
+storage_write_scsi_generic(colord_t)
+
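Review bot: Replacing `dev_read_generic_usb_dev(colord_t)` with `dev_rw_generic_usb_dev(colord_t)` and adding `dev_rw_printer(colord_t)` widens colord_t from read-only to read/write on generic USB device nodes and printers, and nothing in the file says why. The commit message only says "Fixes for colord policy". I would add a short comment above these two calls naming the denial or device class that needs write access, along the lines of `# write access needed for <device class from the AVC denial>`. That lets a later reviewer judge whether the grant can be narrowed to a dedicated device type.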
@@ -21562,11 +21559,14 @@ index 0000000..eadbdf4
+files_read_etc_files(colord_t)
+files_read_usr_files(colord_t)
+
++logging_send_syslog_msg(colord_t)
++
+miscfiles_read_localization(colord_t)
+
+sysnet_dns_name_resolve(colord_t)
+
+optional_policy(`
++ cups_read_config(colord_t)
+ cups_read_rw_config(colord_t)
+ cups_stream_connect(colord_t)
+ cups_dbus_chat(colord_t)
@@ -21675,7 +21675,7 @@ index fd15dfe..ad224fa 100644
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..894d4e0 100644
+index e67a003..192332a 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -15,6 +15,9 @@ logging_log_file(consolekit_log_t)
@@ -21688,10 +21688,12 @@ index e67a003..894d4e0 100644
########################################
#
# consolekit local policy
-@@ -69,11 +72,12 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,11 +72,14 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
++systemd_exec_systemctl(consolekit_t)
++
+# consolekit needs to be able to ptrace all logged in users
+userdom_ptrace_all_users(consolekit_t)
userdom_dontaudit_read_user_home_content_files(consolekit_t)
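Review bot: `systemd_exec_systemctl(consolekit_t)` is added unconditionally at the top level of consolekit.te, while the same call added to `init_exec` in the init.if hunk of this commit is wrapped in a tunable_policy block on `init_systemd`. If consolekit_t only needs systemctl on systemd-booted systems, this grant is wider than the one callers of init_exec receive. If the systemd module is not part of the base policy, the call would normally sit in an `optional_policy` block, like the other cross-module calls further down this file. The hunk does not show whether consolekit_t already calls init_exec; if it does, this line may be redundant.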
@@ -21703,7 +21705,7 @@ index e67a003..894d4e0 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(consolekit_t)
')
-@@ -83,6 +87,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -83,6 +89,14 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -21718,7 +21720,7 @@ index e67a003..894d4e0 100644
dbus_system_domain(consolekit_t, consolekit_exec_t)
optional_policy(`
-@@ -99,6 +111,10 @@ optional_policy(`
+@@ -99,6 +113,10 @@ optional_policy(`
')
optional_policy(`
@@ -21729,7 +21731,7 @@ index e67a003..894d4e0 100644
policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
-@@ -106,9 +122,10 @@ optional_policy(`
+@@ -106,9 +124,10 @@ optional_policy(`
')
optional_policy(`
@@ -21742,7 +21744,7 @@ index e67a003..894d4e0 100644
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +142,6 @@ optional_policy(`
+@@ -125,5 +144,6 @@ optional_policy(`
optional_policy(`
#reading .Xauthity
@@ -28017,7 +28019,7 @@ index 3525d24..e5db539 100644
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..9026661 100644
+index 604f67b..65fdeb0 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -28098,7 +28100,15 @@ index 604f67b..9026661 100644
kerberos_read_keytab($2)
kerberos_use($2)
-@@ -296,28 +314,6 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,6 +307,7 @@ interface(`kerberos_manage_host_rcache',`
+
+ seutil_read_file_contexts($1)
+
++ files_rw_generic_tmp_dir($1)
+ allow $1 krb5_host_rcache_t:file manage_file_perms;
+ files_search_tmp($1)
+ ')
+@@ -296,28 +315,6 @@ interface(`kerberos_manage_host_rcache',`
########################################
## <summary>
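Review bot: `files_rw_generic_tmp_dir($1)` gives every caller of `kerberos_manage_host_rcache` permission to add and remove directory entries in /tmp (tmp_t:dir), and this commit adds squid_t as a caller in the squid.te hunk. The interface's doc block is outside this hunk and should mention the grant, so that callers know they receive more than access to krb5_host_rcache_t files. With the new call in place, `files_search_tmp($1)` two lines below is redundant, since rw_dir_perms already includes search, and could be dropped. The interface body starts outside the hunk, so I cannot confirm that the new line sits inside the same conditional as its neighbours.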
@@ -28127,7 +28137,7 @@ index 604f67b..9026661 100644
## All of the rules required to administrate
## an kerberos environment
## </summary>
-@@ -338,9 +334,8 @@ interface(`kerberos_admin',`
+@@ -338,9 +335,8 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -28138,7 +28148,7 @@ index 604f67b..9026661 100644
')
allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +373,41 @@ interface(`kerberos_admin',`
+@@ -378,3 +374,41 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -37887,7 +37897,7 @@ index de37806..229a3c7 100644
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..64feaec 100644
+index 93c896a..b161b6b 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0)
@@ -37979,7 +37989,7 @@ index 93c896a..64feaec 100644
')
optional_policy(`
-@@ -114,13 +127,34 @@ optional_policy(`
+@@ -114,13 +127,37 @@ optional_policy(`
lvm_read_config(fenced_t)
')
@@ -37989,8 +37999,11 @@ index 93c896a..64feaec 100644
+#
+
+allow foghorn_t self:process { signal };
++allow foghorn_t self:tcp_socket create_stream_socket_perms;
+allow foghorn_t self:udp_socket create_socket_perms;
+
++corenet_tcp_connect_agentx_port(foghorn_t)
++
+dev_read_urand(foghorn_t)
+
+files_read_etc_files(foghorn_t)
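Review bot: `allow foghorn_t self:tcp_socket create_stream_socket_perms;` also grants listen and accept, which an outbound-only client does not need. The commit message describes the requirement as "connect to agentx port", so if foghorn never listens on TCP the narrower `allow foghorn_t self:tcp_socket create_socket_perms;` would be enough and would match the udp_socket line below it. The foghorn local policy block starts and ends outside this hunk, so a listening use elsewhere cannot be ruled out from here.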
@@ -38015,7 +38028,7 @@ index 93c896a..64feaec 100644
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +173,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +176,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -38026,7 +38039,7 @@ index 93c896a..64feaec 100644
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,9 +184,10 @@ optional_policy(`
+@@ -154,9 +187,10 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
@@ -38038,7 +38051,7 @@ index 93c896a..64feaec 100644
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
-@@ -168,8 +199,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +202,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
@@ -38048,7 +38061,7 @@ index 93c896a..64feaec 100644
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -199,6 +229,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -199,6 +232,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)
@@ -38057,7 +38070,7 @@ index 93c896a..64feaec 100644
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +239,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +242,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -38068,7 +38081,7 @@ index 93c896a..64feaec 100644
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +251,28 @@ optional_policy(`
+@@ -223,18 +254,28 @@ optional_policy(`
# rhcs domains common policy
#
@@ -41095,7 +41108,7 @@ index d2496bd..1d0c078 100644
allow $1 squid_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..d45dc67 100644
+index 4b2230e..950e65a 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -41150,6 +41163,14 @@ index 4b2230e..d45dc67 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
+@@ -206,3 +208,7 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(squid_t)
+ ')
++
++optional_policy(`
++ kerberos_manage_host_rcache(squid_t)
++')
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..2d60774 100644
--- a/policy/modules/services/ssh.fc
@@ -45438,7 +45459,7 @@ index 130ced9..33c8170 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 6c01261..4f1be57 100644
+index 6c01261..0f60717 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -45764,7 +45785,7 @@ index 6c01261..4f1be57 100644
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
-+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched setsched setrlimit signal_perms setkeycreate ptrace };
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -45944,7 +45965,7 @@ index 6c01261..4f1be57 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -433,9 +594,22 @@ files_list_mnt(xdm_t)
+@@ -433,9 +594,23 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -45952,6 +45973,7 @@ index 6c01261..4f1be57 100644
+files_dontaudit_write_usr_files(xdm_t)
+files_dontaudit_getattr_all_dirs(xdm_t)
+files_dontaudit_getattr_all_symlinks(xdm_t)
++files_dontaudit_getattr_all_tmp_sockets(xdm_t)
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
@@ -45967,7 +45989,7 @@ index 6c01261..4f1be57 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -444,28 +618,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -444,28 +619,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -46006,7 +46028,7 @@ index 6c01261..4f1be57 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -474,9 +656,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -474,9 +657,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -46037,7 +46059,7 @@ index 6c01261..4f1be57 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -492,6 +695,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -492,6 +696,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
@@ -46052,7 +46074,7 @@ index 6c01261..4f1be57 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -505,11 +716,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -505,11 +717,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -46074,7 +46096,7 @@ index 6c01261..4f1be57 100644
')
optional_policy(`
-@@ -517,7 +738,43 @@ optional_policy(`
+@@ -517,7 +739,43 @@ optional_policy(`
')
optional_policy(`
@@ -46119,7 +46141,7 @@ index 6c01261..4f1be57 100644
')
optional_policy(`
-@@ -527,6 +784,16 @@ optional_policy(`
+@@ -527,6 +785,16 @@ optional_policy(`
')
optional_policy(`
@@ -46136,7 +46158,7 @@ index 6c01261..4f1be57 100644
hostname_exec(xdm_t)
')
-@@ -544,28 +811,65 @@ optional_policy(`
+@@ -544,28 +812,65 @@ optional_policy(`
')
optional_policy(`
@@ -46211,7 +46233,7 @@ index 6c01261..4f1be57 100644
')
optional_policy(`
-@@ -577,6 +881,14 @@ optional_policy(`
+@@ -577,6 +882,14 @@ optional_policy(`
')
optional_policy(`
@@ -46226,7 +46248,7 @@ index 6c01261..4f1be57 100644
xfs_stream_connect(xdm_t)
')
-@@ -601,7 +913,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +914,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -46235,7 +46257,7 @@ index 6c01261..4f1be57 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -615,8 +927,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +928,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -46251,7 +46273,7 @@ index 6c01261..4f1be57 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -635,12 +954,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +955,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -46273,7 +46295,7 @@ index 6c01261..4f1be57 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -648,6 +974,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +975,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -46281,7 +46303,7 @@ index 6c01261..4f1be57 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -674,7 +1001,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +1002,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -46289,7 +46311,7 @@ index 6c01261..4f1be57 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -684,11 +1010,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1011,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -46307,7 +46329,7 @@ index 6c01261..4f1be57 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -699,8 +1031,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1032,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -46321,7 +46343,7 @@ index 6c01261..4f1be57 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -713,8 +1050,6 @@ init_getpgid(xserver_t)
+@@ -713,8 +1051,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -46330,7 +46352,7 @@ index 6c01261..4f1be57 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -722,11 +1057,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -722,11 +1058,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -46345,7 +46367,7 @@ index 6c01261..4f1be57 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -780,16 +1116,36 @@ optional_policy(`
+@@ -780,16 +1117,36 @@ optional_policy(`
')
optional_policy(`
@@ -46383,7 +46405,7 @@ index 6c01261..4f1be57 100644
unconfined_domtrans(xserver_t)
')
-@@ -798,6 +1154,10 @@ optional_policy(`
+@@ -798,6 +1155,10 @@ optional_policy(`
')
optional_policy(`
@@ -46394,7 +46416,7 @@ index 6c01261..4f1be57 100644
xfs_stream_connect(xserver_t)
')
-@@ -813,10 +1173,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1174,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -46408,7 +46430,7 @@ index 6c01261..4f1be57 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -824,7 +1184,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1185,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -46417,7 +46439,7 @@ index 6c01261..4f1be57 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -837,6 +1197,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1198,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -46427,7 +46449,7 @@ index 6c01261..4f1be57 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -844,6 +1207,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1208,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -46439,7 +46461,7 @@ index 6c01261..4f1be57 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -852,11 +1220,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1221,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -46456,7 +46478,7 @@ index 6c01261..4f1be57 100644
')
optional_policy(`
-@@ -864,6 +1235,10 @@ optional_policy(`
+@@ -864,6 +1236,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -46467,7 +46489,7 @@ index 6c01261..4f1be57 100644
########################################
#
# Rules common to all X window domains
-@@ -907,7 +1282,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1283,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -46476,7 +46498,7 @@ index 6c01261..4f1be57 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -961,11 +1336,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1337,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -46508,7 +46530,7 @@ index 6c01261..4f1be57 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -987,18 +1382,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1383,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -48065,7 +48087,7 @@ index 354ce93..f97fbb7 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..3388f34 100644
+index cc83689..8c9b7fa 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -48282,7 +48304,18 @@ index cc83689..3388f34 100644
mls_rangetrans_target($1)
')
')
-@@ -519,10 +632,30 @@ interface(`init_sigchld',`
+@@ -451,6 +564,10 @@ interface(`init_exec',`
+
+ corecmd_search_bin($1)
+ can_exec($1, init_exec_t)
++
++ tunable_policy(`init_systemd',`
++ systemd_exec_systemctl($1)
++ ')
+ ')
+
+ ########################################
+@@ -519,10 +636,30 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -48315,7 +48348,7 @@ index cc83689..3388f34 100644
')
########################################
-@@ -688,19 +821,24 @@ interface(`init_telinit',`
+@@ -688,19 +825,24 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -48341,7 +48374,7 @@ index cc83689..3388f34 100644
')
')
-@@ -773,18 +911,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +915,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -48365,7 +48398,7 @@ index cc83689..3388f34 100644
')
')
-@@ -800,19 +939,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +943,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -48388,11 +48421,11 @@ index cc83689..3388f34 100644
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ ')
+
+ ########################################
+ ## <summary>
+## Execute a file in a bin directory
+## in the initrc_t domain
+## </summary>
@@ -48405,13 +48438,17 @@ index cc83689..3388f34 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
-@@ -868,9 +1029,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ## Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +1033,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -48426,7 +48463,7 @@ index cc83689..3388f34 100644
files_search_etc($1)
')
-@@ -1079,6 +1245,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1249,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -48451,7 +48488,7 @@ index cc83689..3388f34 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1130,12 +1314,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1318,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -48465,7 +48502,7 @@ index cc83689..3388f34 100644
')
########################################
-@@ -1375,6 +1554,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1558,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -48493,7 +48530,7 @@ index cc83689..3388f34 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1461,6 +1661,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1665,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -48519,7 +48556,7 @@ index cc83689..3388f34 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1519,6 +1738,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1742,24 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
@@ -48544,7 +48581,7 @@ index cc83689..3388f34 100644
## Create files in a init script
## temporary data directory.
## </summary>
-@@ -1674,7 +1911,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1915,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -48553,7 +48590,7 @@ index cc83689..3388f34 100644
')
########################################
-@@ -1715,6 +1952,74 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1956,74 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -48628,7 +48665,7 @@ index cc83689..3388f34 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2054,139 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2058,139 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cda6f97..227f73c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 14%{?dist}
+Release: 15%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
%endif
%changelog
+* Wed Apr 13 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-15
+- xdm_t needs getsession for switch user
+- Every app that used to exec init is now execing systemdctl
+- Allow squid to manage krb5_host_rcache_t files
+- Allow foghorn to connect to agentx port
+- Fixes for colord policy
+
* Mon Apr 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-14
- Need to allow apps that use locks to read /var/lock if it is a symlink
- Allow systemd to create tasks