[selinux-policy] - fetchmail can use kerberos - ksmtuned reads in shell programs - gnome_systemctl_t reads the proces

Miroslav Grepl mgrepl at fedoraproject.org
Thu Aug 4 20:33:25 UTC 2011


commit 913fabe1c83f83505b3f243c85f6441e5932e3da
Author: Miroslav <mgrepl at redhat.com>
Date:   Thu Aug 4 22:32:55 2011 +0200

    - fetchmail can use kerberos
    - ksmtuned reads in shell programs
    - gnome_systemctl_t reads the process state of ntp
    - dnsmasq_t asks the kernel to load multiple kernel modules
    - Add rules for domains executing systemctl
    - Bogus text within fc file

 policy-F16.patch    |  280 ++++++++++++++++++++++++++++++++-------------------
 selinux-policy.spec |   10 ++-
 2 files changed, 185 insertions(+), 105 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 860e92d..0d78818 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1084,7 +1084,7 @@ index 3c7b1e8..1e155f5 100644
 +
 +/var/run/epylog\.pid		gen_context(system_u:object_r:logwatch_var_run_t,s0)
 diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
-index 75ce30f..b48b383 100644
+index 75ce30f..7db2988 100644
 --- a/policy/modules/admin/logwatch.te
 +++ b/policy/modules/admin/logwatch.te
 @@ -19,6 +19,12 @@ files_lock_file(logwatch_lock_t)
@@ -1143,7 +1143,7 @@ index 75ce30f..b48b383 100644
  	files_getattr_all_file_type_fs(logwatch_t)
  ')
  
-@@ -145,3 +160,22 @@ optional_policy(`
+@@ -145,3 +160,23 @@ optional_policy(`
  	samba_read_log(logwatch_t)
  	samba_read_share_files(logwatch_t)
  ')
@@ -1158,6 +1158,7 @@ index 75ce30f..b48b383 100644
 +manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
 +
 +dev_read_rand(logwatch_mail_t)
++dev_read_sysfs(logwatch_mail_t)
 +
 +logging_read_all_logs(logwatch_mail_t)
 +
@@ -6678,7 +6679,7 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..170963f 100644
+index fbb5c5a..2339227 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -6716,7 +6717,7 @@ index fbb5c5a..170963f 100644
  ')
  
  ########################################
-@@ -228,6 +238,33 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +238,35 @@ interface(`mozilla_run_plugin',`
  
  	mozilla_domtrans_plugin($1)
  	role $2 types mozilla_plugin_t;
@@ -6725,6 +6726,8 @@ index fbb5c5a..170963f 100644
 +	allow $1 mozilla_plugin_t:fd use;
 +
 +	allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
++	allow mozilla_plugin_t $1:shm rw_shm_perms;
++	allow mozilla_plugin_t $1:sem create_sem_perms;
 +
 +	ps_process_pattern($1, mozilla_plugin_t)
 +	allow $1 mozilla_plugin_t:process { ptrace signal_perms };
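Review bot: The two new allow rules give the plugin domain read/write access to the calling domain's shared memory and the full create/destroy set on its semaphores, and nothing in the hunk records which plugin IPC path needs them. Since mozilla_plugin_t is the less trusted side of this interface, a comment above the pair such as `# plugin-container shares memory and semaphores with the calling browser domain` would make the widening reviewable later. If only use of existing semaphores is needed, `rw_sem_perms` is narrower than `create_sem_perms`, which also covers destroy and setattr. The enclosing interface body continues past the hunk.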
@@ -6750,7 +6753,7 @@ index fbb5c5a..170963f 100644
  ')
  
  ########################################
-@@ -269,9 +306,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +308,27 @@ interface(`mozilla_rw_tcp_sockets',`
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
  
@@ -6779,7 +6782,7 @@ index fbb5c5a..170963f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +334,28 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +336,28 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -16004,7 +16007,7 @@ index 6346378..edbe041 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..9740613 100644
+index d91c62f..848f59b 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -16024,12 +16027,21 @@ index d91c62f..9740613 100644
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -247,6 +250,9 @@ dev_delete_generic_blk_files(kernel_t)
- dev_create_generic_chr_files(kernel_t)
- dev_delete_generic_chr_files(kernel_t)
+@@ -242,11 +245,14 @@ dev_search_usbfs(kernel_t)
+ # devtmpfs handling:
+ dev_create_generic_dirs(kernel_t)
+ dev_delete_generic_dirs(kernel_t)
+-dev_create_generic_blk_files(kernel_t)
+-dev_delete_generic_blk_files(kernel_t)
+-dev_create_generic_chr_files(kernel_t)
+-dev_delete_generic_chr_files(kernel_t)
++dev_create_all_blk_files(kernel_t)
++dev_delete_all_blk_files(kernel_t)
++dev_create_all_chr_files(kernel_t)
++dev_delete_all_chr_files(kernel_t)
  dev_mounton(kernel_t)
 +dev_filetrans_all_named_dev(kernel_t)
-+#storage_filetrans_all_named_dev(kernel_t)
++storage_filetrans_all_named_dev(kernel_t)
 +term_filetrans_all_named_dev(kernel_t)
  
  # Mount root file system. Used when loading a policy
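Review bot: Uncommenting `storage_filetrans_all_named_dev(kernel_t)` makes the module depend on that interface existing in storage.if, which this hunk does not show; if it is added elsewhere in this patch that is fine, otherwise the build breaks. The switch from the `_generic_` to the `_all_` block and character device interfaces lets kernel_t create and delete nodes of every device type rather than only the generic one, which the existing `# devtmpfs handling:` comment no longer fully explains; extending it with a one-line reason why devtmpfs needs every device type would document the widening.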
@@ -18983,7 +18995,7 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..fc2c9ec
+index 0000000..db35ff1
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,553 @@
@@ -19364,9 +19376,9 @@ index 0000000..fc2c9ec
 +	lpd_run_checkpc(unconfined_t, unconfined_r)
 +')
 +
-+optional_policy(`
-+	mock_role(unconfined_r, unconfined_t)
-+')
++#optional_policy(`
++#	mock_role(unconfined_r, unconfined_t)
++#')
 +
 +optional_policy(`
 +	modutils_run_update_mods(unconfined_t, unconfined_r)
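Review bot: The mock_role block is commented out rather than removed, with no note on why it is disabled, so the next reader cannot tell whether it is waiting on the mock module or is dead code. Either drop the three lines or keep them with a reason, e.g. `# mock_role disabled: <reason>; re-enable once <condition>`.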
@@ -30896,10 +30908,10 @@ index 9bd812b..c4abec3 100644
  ##	an dnsmasq environment
  ## </summary>
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..df87ba8 100644
+index fdaeeba..d707dde 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
-@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
  manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
  logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
  
@@ -30910,7 +30922,11 @@ index fdaeeba..df87ba8 100644
  
  kernel_read_kernel_sysctls(dnsmasq_t)
  kernel_read_system_state(dnsmasq_t)
-@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t)
++kernel_request_load_module(dnsmasq_t)
+ 
+ corenet_all_recvfrom_unlabeled(dnsmasq_t)
+ corenet_all_recvfrom_netlabel(dnsmasq_t)
+@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
  
  miscfiles_read_localization(dnsmasq_t)
  
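Review bot: `kernel_request_load_module(dnsmasq_t)` lets a network-facing daemon trigger kernel module autoloading, and the hunk does not record which module requests dnsmasq actually makes. If the requests are incidental (for example a socket() call for an unsupported family), the refpolicy convention is `kernel_dontaudit_request_load_module(dnsmasq_t)` rather than an allow; if they are required, a comment naming the module(s) above the rule documents the decision. The changelog's "multiple kernel modules" would also be clearer if it spelled them out.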
@@ -30919,7 +30935,7 @@ index fdaeeba..df87ba8 100644
  userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
-@@ -96,7 +99,16 @@ optional_policy(`
+@@ -96,7 +100,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30936,7 +30952,7 @@ index fdaeeba..df87ba8 100644
  ')
  
  optional_policy(`
-@@ -114,4 +126,5 @@ optional_policy(`
+@@ -114,4 +127,5 @@ optional_policy(`
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
  	virt_read_pid_files(dnsmasq_t)
@@ -32449,6 +32465,21 @@ index 6537214..7d64c0a 100644
  	ps_process_pattern($1, fetchmail_t)
  
  	files_list_etc($1)
+diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
+index 3459d93..c39305a 100644
+--- a/policy/modules/services/fetchmail.te
++++ b/policy/modules/services/fetchmail.te
+@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
+ userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+ 
+ optional_policy(`
++	kerberos_use(fetchmail_t)
++')
++
++optional_policy(`
+ 	procmail_domtrans(fetchmail_t)
+ ')
+ 
 diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
 index 9b7036a..4770f61 100644
 --- a/policy/modules/services/finger.te
@@ -33797,7 +33828,7 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..b9032a7 100644
+index 4fde46b..eac72e4 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
 @@ -9,24 +9,32 @@ type gnomeclock_t;
@@ -33836,7 +33867,7 @@ index 4fde46b..b9032a7 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +43,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +43,47 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -33876,17 +33907,13 @@ index 4fde46b..b9032a7 100644
 +files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)
 +files_manage_etc_symlinks(gnomeclock_systemctl_t)
 +
-+fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t)
-+
-+# needed by systemctl
-+init_stream_connect(gnomeclock_systemctl_t)
-+init_read_state(gnomeclock_systemctl_t)
-+init_list_pid_dirs(gnomeclock_systemctl_t)
++miscfiles_read_localization(gnomeclock_systemctl_t)
 +
 +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
 +
 +optional_policy(`
-+	ntpd_read_unit_file(gnomeclock_systemctl_t)
++	ntp_read_unit_file(gnomeclock_systemctl_t)
++	ntp_read_state(gnomeclock_systemctl_t)
 +')
 diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
 index 7d97298..d6b2959 100644
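Review bot: `miscfiles_read_localization(gnomeclock_systemctl_t)` duplicates the same call made for every systemctl_domain in this commit's systemd.te hunk, so it can be dropped here provided gnomeclock_systemctl_t is created through systemd_systemctl_domain, which is not visible in this hunk. The removal of the init_* and cgroup rules in the same lines relies on that attribute too; a comment such as `# common systemctl rules come from systemctl_domain in systemd.te` at the top of this block would record the dependency.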
@@ -35215,7 +35242,7 @@ index da2127e..6538d66 100644
 +
 +sysnet_read_config(jabberd_domain)
 diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index 3525d24..74ec098 100644
+index 3525d24..e065744 100644
 --- a/policy/modules/services/kerberos.fc
 +++ b/policy/modules/services/kerberos.fc
 @@ -8,7 +8,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
@@ -35227,13 +35254,12 @@ index 3525d24..74ec098 100644
  /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-@@ -30,4 +30,8 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -30,4 +30,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
  /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
  /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
  
 +/var/cache/krb5rcache(/.*)?	 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +
-+krb5_host_rcache_t
  /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
@@ -35798,7 +35824,7 @@ index 6fd0b4c..b733e45 100644
 -
  ')
 diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
-index a73b7a1..7fa55e8 100644
+index a73b7a1..677998f 100644
 --- a/policy/modules/services/ksmtuned.te
 +++ b/policy/modules/services/ksmtuned.te
 @@ -9,6 +9,9 @@ type ksmtuned_t;
@@ -35822,13 +35848,14 @@ index a73b7a1..7fa55e8 100644
  manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
  files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
  
-@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t)
+@@ -31,9 +38,17 @@ kernel_read_system_state(ksmtuned_t)
  dev_rw_sysfs(ksmtuned_t)
  
  domain_read_all_domains_state(ksmtuned_t)
 +domain_dontaudit_read_all_domains_state(ksmtuned_t)
  
  corecmd_exec_bin(ksmtuned_t)
++corecmd_exec_shell(ksmtuned_t)
  
  files_read_etc_files(ksmtuned_t)
  
@@ -36263,7 +36290,7 @@ index 49e04e5..69db026 100644
  /usr/sbin/lircd		--	gen_context(system_u:object_r:lircd_exec_t,s0)
  
 diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..0aebce6 100644
+index 6a78de1..a32fbe8 100644
 --- a/policy/modules/services/lircd.te
 +++ b/policy/modules/services/lircd.te
 @@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -36283,7 +36310,7 @@ index 6a78de1..0aebce6 100644
  allow lircd_t self:fifo_file rw_fifo_file_perms;
  allow lircd_t self:unix_dgram_socket create_socket_perms;
  allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -44,13 +45,13 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t)
  corenet_tcp_sendrecv_all_ports(lircd_t)
  corenet_tcp_connect_lirc_port(lircd_t)
  
@@ -36293,6 +36320,7 @@ index 6a78de1..0aebce6 100644
  dev_filetrans_lirc(lircd_t)
  dev_rw_lirc(lircd_t)
  dev_rw_input_dev(lircd_t)
++dev_read_sysfs(lircd_t)
  
 -files_read_etc_files(lircd_t)
 +files_read_config_files(lircd_t)
@@ -37663,15 +37691,14 @@ index 47e3612..ece07ab 100644
  # The milter runs from /var/lib/spamass-milter
 diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc
 new file mode 100644
-index 0000000..68ad33f
+index 0000000..8d0e473
 --- /dev/null
 +++ b/policy/modules/services/mock.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,5 @@
 +
 +/usr/sbin/mock		--	gen_context(system_u:object_r:mock_exec_t,s0)
 +
-+/var/lib/mock		-d	gen_context(system_u:object_r:mock_var_lib_t,s0)
-+/var/lib/mock(/.*)?		<<none>>
++/var/lib/mock(/.*)?		gen_context(system_u:object_r:mock_var_lib_t,s0)
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
 new file mode 100644
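Review bot: Replacing the `-d` entry plus `<<none>>` with `/var/lib/mock(/.*)?` changes what a relabel does: previously only the directory itself got mock_var_lib_t and everything beneath it was left untouched, now a restorecon relabels the whole contents of every build root to mock_var_lib_t. If that is intended, a comment above the line stating it would help; if the chroot trees were meant to keep their own labels, the `<<none>>` line should stay.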
@@ -40576,7 +40603,7 @@ index e79dccc..50202ef 100644
  /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..be0d107 100644
+index e80f8c0..d90ed98 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
 @@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',`
@@ -40593,7 +40620,7 @@ index e80f8c0..be0d107 100644
 +##      </summary>
 +## </param>
 +#
-+interface(`ntpd_read_unit_file',`
++interface(`ntp_read_unit_file',`
 +        gen_require(`
 +                type ntpd_unit_file_t;
 +        ')
@@ -40605,7 +40632,33 @@ index e80f8c0..be0d107 100644
  ########################################
  ## <summary>
  ##	Read and write ntpd shared memory.
-@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +141,25 @@ interface(`ntp_rw_shm',`
+ 
+ ########################################
+ ## <summary>
++##	Allow the domain to read ntpd state files in /proc.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ntp_read_state',`
++	gen_require(`
++		type ntpd_t;
++	')
++
++	kernel_search_proc($1)
++	ps_process_pattern($1, ntpd_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate
+ ##	an ntp environment
+ ## </summary>
+@@ -140,11 +178,10 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -49859,7 +49912,7 @@ index adea9f9..d5b2d93 100644
  
  	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..f00a814 100644
+index 606a098..5e4d100 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
 @@ -35,7 +35,7 @@ ifdef(`enable_mls',`
@@ -49867,7 +49920,7 @@ index 606a098..f00a814 100644
  #
  
 -allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
-+allow fsdaemon_t self:capability { dac_override setpcap setgid sys_rawio sys_admin };
++allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
  dontaudit fsdaemon_t self:capability sys_tty_config;
  allow fsdaemon_t self:process { getcap setcap signal_perms };
  allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
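Review bot: Adding `kill` to fsdaemon_t's capability set grants CAP_KILL, which only matters when smartd signals a process running under a different uid, and the hunk does not say which one; the capability alone is also not sufficient, since the target domain still needs a matching `signal` class rule. A comment above the allow naming the process being signalled (not visible here) would let a later reviewer check both halves.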
@@ -57262,7 +57315,7 @@ index 21ae664..3e448dd 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..16b2616 100644
+index 9fb4747..a59cfc2 100644
 --- a/policy/modules/services/zarafa.te
 +++ b/policy/modules/services/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -57285,7 +57338,7 @@ index 9fb4747..16b2616 100644
  ########################################
  #
  # zarafa-deliver local policy
-@@ -57,6 +63,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
  corenet_tcp_bind_generic_node(zarafa_gateway_t)
  corenet_tcp_bind_pop_port(zarafa_gateway_t)
  
@@ -57303,11 +57356,10 @@ index 9fb4747..16b2616 100644
 +manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +
-+
  #######################################
  #
  # zarafa-ical local policy
-@@ -136,6 +157,34 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
+@@ -136,6 +156,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
  corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
  corenet_tcp_connect_smtp_port(zarafa_spooler_t)
  
@@ -57321,6 +57373,8 @@ index 9fb4747..16b2616 100644
 +allow zarafa_gateway_t self:capability { chown kill };
 +allow zarafa_gateway_t self:process setrlimit;
 +
++dev_read_rand(zarafa_gateway_t)
++
 +corenet_tcp_bind_pop_port(zarafa_gateway_t)
 +
 +#######################################
@@ -57342,7 +57396,7 @@ index 9fb4747..16b2616 100644
  ########################################
  #
  # zarafa domains local policy
-@@ -156,6 +205,4 @@ kernel_read_system_state(zarafa_domain)
+@@ -156,6 +206,4 @@ kernel_read_system_state(zarafa_domain)
  
  files_read_etc_files(zarafa_domain)
  
@@ -59254,7 +59308,7 @@ index 94fd8dd..417ec32 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..4d20828 100644
+index 29a9565..2163271 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -59330,7 +59384,7 @@ index 29a9565..4d20828 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -100,11 +134,15 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,11 +134,16 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  # Re-exec itself
  can_exec(init_t, init_exec_t)
  
@@ -59347,10 +59401,11 @@ index 29a9565..4d20828 100644
 +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
 +files_pid_filetrans(init_t, init_var_run_t, { dir file })
++allow init_t init_var_run_t:dir mounton;
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -114,25 +152,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,25 +153,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -59385,7 +59440,7 @@ index 29a9565..4d20828 100644
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
  files_exec_etc_files(init_t)
-@@ -151,10 +198,19 @@ mls_file_read_all_levels(init_t)
+@@ -151,10 +199,19 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -59406,7 +59461,7 @@ index 29a9565..4d20828 100644
  
  # Run init scripts.
  init_domtrans_script(init_t)
-@@ -162,12 +218,16 @@ init_domtrans_script(init_t)
+@@ -162,12 +219,16 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -59423,7 +59478,7 @@ index 29a9565..4d20828 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +238,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +239,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -59432,7 +59487,7 @@ index 29a9565..4d20828 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +246,136 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +247,137 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -59497,6 +59552,7 @@ index 29a9565..4d20828 100644
 +	files_create_lock_dirs(init_t)
 +	files_relabel_all_lock_dirs(init_t)
 +
++	fs_getattr_all_fs(init_t)
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_cgroup_files(init_t)
 +	fs_manage_hugetlbfs_dirs(init_t)
@@ -59571,7 +59627,7 @@ index 29a9565..4d20828 100644
  ')
  
  optional_policy(`
-@@ -203,6 +383,17 @@ optional_policy(`
+@@ -203,6 +385,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59589,7 +59645,7 @@ index 29a9565..4d20828 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +403,7 @@ optional_policy(`
+@@ -212,7 +405,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -59598,7 +59654,7 @@ index 29a9565..4d20828 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -59614,7 +59670,7 @@ index 29a9565..4d20828 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -59651,7 +59707,7 @@ index 29a9565..4d20828 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -59659,7 +59715,7 @@ index 29a9565..4d20828 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -59670,7 +59726,7 @@ index 29a9565..4d20828 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -59687,7 +59743,7 @@ index 29a9565..4d20828 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -59695,7 +59751,7 @@ index 29a9565..4d20828 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -59707,7 +59763,7 @@ index 29a9565..4d20828 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -59721,7 +59777,7 @@ index 29a9565..4d20828 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -59730,7 +59786,7 @@ index 29a9565..4d20828 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -59738,7 +59794,7 @@ index 29a9565..4d20828 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -59746,7 +59802,7 @@ index 29a9565..4d20828 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -59768,7 +59824,7 @@ index 29a9565..4d20828 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -59779,7 +59835,7 @@ index 29a9565..4d20828 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +702,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +704,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -59788,7 +59844,7 @@ index 29a9565..4d20828 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +717,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +719,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -59796,7 +59852,7 @@ index 29a9565..4d20828 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +747,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +749,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -59830,7 +59886,7 @@ index 29a9565..4d20828 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +781,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +783,26 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -59857,7 +59913,7 @@ index 29a9565..4d20828 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +815,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +817,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -59897,7 +59953,7 @@ index 29a9565..4d20828 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +860,8 @@ optional_policy(`
+@@ -561,6 +862,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -59906,7 +59962,7 @@ index 29a9565..4d20828 100644
  ')
  
  optional_policy(`
-@@ -577,6 +878,7 @@ optional_policy(`
+@@ -577,6 +880,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -59914,7 +59970,7 @@ index 29a9565..4d20828 100644
  ')
  
  optional_policy(`
-@@ -589,6 +891,11 @@ optional_policy(`
+@@ -589,6 +893,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59926,7 +59982,7 @@ index 29a9565..4d20828 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +912,13 @@ optional_policy(`
+@@ -605,9 +914,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -59940,7 +59996,7 @@ index 29a9565..4d20828 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +960,11 @@ optional_policy(`
+@@ -649,6 +962,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59952,7 +60008,7 @@ index 29a9565..4d20828 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1005,7 @@ optional_policy(`
+@@ -689,6 +1007,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -59960,7 +60016,7 @@ index 29a9565..4d20828 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1023,13 @@ optional_policy(`
+@@ -706,7 +1025,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59974,7 +60030,7 @@ index 29a9565..4d20828 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1052,10 @@ optional_policy(`
+@@ -729,6 +1054,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59985,7 +60041,7 @@ index 29a9565..4d20828 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1065,20 @@ optional_policy(`
+@@ -738,10 +1067,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60006,7 +60062,7 @@ index 29a9565..4d20828 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1087,10 @@ optional_policy(`
+@@ -750,6 +1089,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60017,7 +60073,7 @@ index 29a9565..4d20828 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1112,6 @@ optional_policy(`
+@@ -771,8 +1114,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -60026,7 +60082,7 @@ index 29a9565..4d20828 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1129,12 @@ optional_policy(`
+@@ -790,10 +1131,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -60039,7 +60095,7 @@ index 29a9565..4d20828 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1146,6 @@ optional_policy(`
+@@ -805,7 +1148,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60047,7 +60103,7 @@ index 29a9565..4d20828 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1155,24 @@ optional_policy(`
+@@ -815,11 +1157,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60073,7 +60129,7 @@ index 29a9565..4d20828 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1182,25 @@ optional_policy(`
+@@ -829,6 +1184,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -60099,7 +60155,7 @@ index 29a9565..4d20828 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1216,10 @@ optional_policy(`
+@@ -844,6 +1218,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60110,7 +60166,7 @@ index 29a9565..4d20828 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1230,149 @@ optional_policy(`
+@@ -854,3 +1232,149 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -63233,7 +63289,7 @@ index 2cc4bda..167c358 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..7b10445 100644
+index 170e2c7..b85fc73 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -199,6 +199,10 @@ interface(`seutil_run_newrole',`
@@ -63449,7 +63505,7 @@ index 170e2c7..7b10445 100644
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1149,3 +1313,199 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1313,198 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -63527,7 +63583,6 @@ index 170e2c7..7b10445 100644
 +	seutil_get_semanage_read_lock($1)
 +
 +	userdom_dontaudit_write_user_home_content_files($1)
-+
 +')
 +
 +
@@ -64708,10 +64763,10 @@ index 0000000..3248032
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..7501ef8
+index 0000000..d46fb42
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,377 @@
+@@ -0,0 +1,376 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -64729,17 +64784,16 @@ index 0000000..7501ef8
 +        gen_require(`
 +                type systemd_systemctl_exec_t;
 +                role system_r;
++		attribute systemctl_domain;
 +        ')
 +
-+	type $1_systemctl_t;
++	type $1_systemctl_t, systemctl_domain;
 +	domain_type($1_systemctl_t)
 +	domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)	
 +
 +	role system_r types $1_systemctl_t;
 +
 +	domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
-+
-+	init_use_fds($1_t)
 +')
 +
 +########################################
@@ -65091,10 +65145,10 @@ index 0000000..7501ef8
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..0185280
+index 0000000..d079aca
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,319 @@
+@@ -0,0 +1,337 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -65103,6 +65157,8 @@ index 0000000..0185280
 +#
 +
 +attribute systemd_unit_file_type;
++attribute systemd_domain;
++attribute systemctl_domain;
 +
 +# New in f16
 +permissive systemd_logger_t;
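Review bot: `attribute systemd_domain;` is declared here but no rule in the visible hunks of this commit references it, so it may be an unused attribute; confirm a later part of the file assigns and uses it, or drop it until it does.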
@@ -65414,6 +65470,22 @@ index 0000000..0185280
 +logging_send_syslog_msg(systemd_logger_t)
 +
 +miscfiles_read_localization(systemd_logger_t)
++
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++fs_list_cgroup_dirs(systemctl_domain)
++fs_read_cgroup_files(systemctl_domain)
++
++# needed by systemctl
++init_stream_connect(systemctl_domain)
++init_read_state(systemctl_domain)
++init_list_pid_dirs(systemctl_domain)
++init_use_fds(systemctl_domain)
++
++miscfiles_read_localization(systemctl_domain)
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 0291685..7e94f4b 100644
 --- a/policy/modules/system/udev.fc
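Review bot: The new section header reads `# systemd_sysctl domains local policy` but the rules below it are for systemctl_domain; `# systemctl domains local policy` avoids confusion with the sysctl tool. The two consecutive blank lines before the header are one more than the file's other sections use.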
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ee04699..1ac7e57 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 14%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,14 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Aug 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-16
+- fetchmail can use kerberos
+- ksmtuned reads in shell programs
+- gnome_systemctl_t reads the process state of ntp
+- dnsmasq_t asks the kernel to load multiple kernel modules
+- Add rules for domains executing systemctl
+- Bogus text within fc file
+
 * Wed Aug 3 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-14
 - Add cfengine policy
 

