[selinux-policy/f16] - Allow abrt to getattr on blk files - Add type for rhev-agent log file - Fix labeling for /dev/dmfm
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Dec 6 12:22:01 UTC 2011
commit 61e73f0a14f68488f1a2e3a9b19cc690380e1778
Author: Miroslav <mgrepl at redhat.com>
Date: Tue Dec 6 13:21:36 2011 +0100
- Allow abrt to getattr on blk files
- Add type for rhev-agent log file
- Fix labeling for /dev/dmfm
- Dontaudit wicd leaking
- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it
- Label /etc/locale.conf correctly
- Allow user_mail_t to read /dev/random
- Allow postfix-smtpd to read MIMEDefang
- Add label for /var/log/suphp.log
- Allow swat_t to connect and read/write nmbd_t sock_file
- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
- Allow systemd-tmpfiles to change user identity in object contexts
- More fixes for rhev_agentd_t consolehelper policy
policy-F16.patch | 339 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 17 +++-
2 files changed, 227 insertions(+), 129 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index d880889..3505dbf 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -5631,10 +5631,10 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..479e9f7 100644
+index f5afe78..5597c91 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,818 @@
+@@ -1,44 +1,861 @@
## <summary>GNU network object model environment (GNOME)</summary>
-############################################################
@@ -6398,24 +6398,43 @@ index f5afe78..479e9f7 100644
+## Manage generic gnome home files.
+## </summary>
+## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_manage_generic_home_files',`
++ gen_require(`
++ type gnome_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++')
++
++########################################
++## <summary>
++## Manage generic gnome home directories.
++## </summary>
++## <param name="domain">
## <summary>
-## Role allowed access
+## Domain allowed access.
## </summary>
## </param>
+#
-+interface(`gnome_manage_generic_home_files',`
++interface(`gnome_manage_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++ allow $1 gnome_home_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
-+## Manage generic gnome home directories.
++## Append gconf home files
+## </summary>
## <param name="domain">
## <summary>
@@ -6425,106 +6444,105 @@ index f5afe78..479e9f7 100644
## </param>
#
-interface(`gnome_role',`
-+interface(`gnome_manage_generic_home_dirs',`
++interface(`gnome_append_gconf_home_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
-+ type gnome_home_t;
++ type gconf_home_t;
')
- role $1 types gconfd_t;
--
++ append_files_pattern($1, gconf_home_t, gconf_home_t)
++')
++
++########################################
++## <summary>
++## manage gconf home files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`gnome_manage_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ ')
+
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gnome_home_t:dir manage_dir_perms;
++ allow $1 gconf_home_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
- ps_process_pattern($2, gconfd_t)
+########################################
+## <summary>
-+## Append gconf home files
++## Connect to gnome over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
+#
-+interface(`gnome_append_gconf_home_files',`
++interface(`gnome_stream_connect',`
+ gen_require(`
-+ type gconf_home_t;
++ attribute gnome_home_type;
+ ')
- #gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
- allow $2 gconfd_t:unix_stream_socket connectto;
-+ append_files_pattern($1, gconf_home_t, gconf_home_t)
++ # Connect to pulseaudit server
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')
########################################
## <summary>
-## Execute gconf programs in
-## in the caller domain.
-+## manage gconf home files
++## list gnome homedir content (.config)
## </summary>
## <param name="domain">
## <summary>
-@@ -46,37 +820,117 @@ interface(`gnome_role',`
+@@ -46,37 +863,92 @@ interface(`gnome_role',`
## </summary>
## </param>
#
-interface(`gnome_exec_gconf',`
-+interface(`gnome_manage_gconf_home_files',`
++interface(`gnome_list_home_config',`
gen_require(`
- type gconfd_exec_t;
-+ type gconf_home_t;
++ type config_home_t;
')
- can_exec($1, gconfd_exec_t)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
++ allow $1 config_home_t:dir list_dir_perms;
')
########################################
## <summary>
-## Read gconf config files.
-+## Connect to gnome over an unix stream socket.
++## Set attributes of gnome homedir content (.config)
## </summary>
+-## <param name="user_domain">
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
- ## <param name="user_domain">
## <summary>
-+## The type of the user domain.
-+## </summary>
-+## </param>
-+#
-+interface(`gnome_stream_connect',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ # Connect to pulseaudit server
-+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
-+')
-+
-+########################################
-+## <summary>
-+## list gnome homedir content (.config)
-+## </summary>
-+## <param name="domain">
-+## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-template(`gnome_read_gconf_config',`
-+interface(`gnome_list_home_config',`
++interface(`gnome_setattr_home_config',`
gen_require(`
- type gconf_etc_t;
+ type config_home_t;
@@ -6533,12 +6551,13 @@ index f5afe78..479e9f7 100644
- allow $1 gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ allow $1 config_home_t:dir list_dir_perms;
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
++ userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
-+## Set attributes of gnome homedir content (.config)
++## read gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
@@ -6546,39 +6565,38 @@ index f5afe78..479e9f7 100644
+## </summary>
+## </param>
+#
-+interface(`gnome_setattr_home_config',`
++interface(`gnome_read_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
-+ userdom_search_user_home_dirs($1)
++ list_dirs_pattern($1, config_home_t, config_home_t)
++ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+
-+########################################
++#######################################
+## <summary>
-+## read gnome homedir content (.config)
++## delete gnome homedir content (.config)
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`gnome_read_home_config',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
++interface(`gnome_delete_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
+
-+ list_dirs_pattern($1, config_home_t, config_home_t)
-+ read_files_pattern($1, config_home_t, config_home_t)
-+ read_lnk_files_pattern($1, config_home_t, config_home_t)
++ delete_files_pattern($1, config_home_t, config_home_t)
')
#######################################
## <summary>
-## Create, read, write, and delete gconf config files.
-+## delete gnome homedir content (.config)
++## setattr gnome homedir content (.config)
+## </summary>
+## <param name="domain">
+## <summary>
@@ -6586,12 +6604,12 @@ index f5afe78..479e9f7 100644
+## </summary>
+## </param>
+#
-+interface(`gnome_delete_home_config',`
++interface(`gnome_setattr_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
-+ delete_files_pattern($1, config_home_t, config_home_t)
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
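Review bot: The new `gnome_setattr_home_config_dirs` interface grants exactly the `setattr_dirs_pattern($1, config_home_t, config_home_t)` that the existing `gnome_setattr_home_config` (visible earlier in this patch) already grants, and its summary `## setattr gnome homedir content (.config)` restates that interface's `## Set attributes of gnome homedir content (.config)`, so a reader cannot tell which one to use. The only visible difference is that the new one omits `userdom_search_user_home_dirs($1)`, which fits its new caller systemd_tmpfiles_t working under /run/user rather than a home directory, if that is the intent. State that in the summary, e.g. `## Set attributes of gnome homedir content (.config) directories, without searching user home directories.`, or reduce `gnome_setattr_home_config` to a call of this interface plus the home-dir search so the two cannot drift. Because this is a patch of a patch, the interface's surrounding lines are spread over the neighbouring hunks.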
@@ -6600,7 +6618,7 @@ index f5afe78..479e9f7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -84,37 +938,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +956,53 @@ template(`gnome_read_gconf_config',`
## </summary>
## </param>
#
@@ -6665,7 +6683,7 @@ index f5afe78..479e9f7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -122,17 +992,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1010,17 @@ interface(`gnome_stream_connect_gconf',`
## </summary>
## </param>
#
@@ -6687,7 +6705,7 @@ index f5afe78..479e9f7 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1010,299 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1028,299 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -14619,10 +14637,10 @@ index 35fed4f..51ad69a 100644
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..b48524e 100644
+index 6cf8784..fa24001 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
-@@ -15,11 +15,13 @@
+@@ -15,12 +15,14 @@
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@@ -14632,10 +14650,12 @@ index 6cf8784..b48524e 100644
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+-/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
- /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
@@ -57,8 +59,10 @@
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -23890,7 +23910,7 @@ index 0b827c5..b2d6129 100644
+ dontaudit $1 abrt_t:sock_file write;
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..4b0f7cc 100644
+index 30861ec..7a32618 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -24009,15 +24029,16 @@ index 30861ec..4b0f7cc 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -104,6 +155,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
++dev_getattr_all_blk_files(abrt_t)
+dev_read_rand(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
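Review bot: `dev_getattr_all_blk_files(abrt_t)` is a broad grant — getattr on every block-device type in the policy — with no comment naming the abrt component that stats block devices, so a later reviewer has nothing to narrow it from. getattr is metadata-only, which limits the exposure, but a one-line why-comment above the rule, e.g. `# <abrt component> stats block devices while collecting <what> — TODO fill in`, with the real component filled in, would let it be replaced by a narrower `dev_getattr_*` interface later.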
@@ -24027,7 +24048,7 @@ index 30861ec..4b0f7cc 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -24036,7 +24057,7 @@ index 30861ec..4b0f7cc 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,15 +186,23 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +187,23 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -24063,7 +24084,7 @@ index 30861ec..4b0f7cc 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +213,11 @@ optional_policy(`
+@@ -150,6 +214,11 @@ optional_policy(`
')
optional_policy(`
@@ -24075,7 +24096,7 @@ index 30861ec..4b0f7cc 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -167,6 +235,7 @@ optional_policy(`
+@@ -167,6 +236,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -24083,7 +24104,7 @@ index 30861ec..4b0f7cc 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +247,35 @@ optional_policy(`
+@@ -178,12 +248,35 @@ optional_policy(`
')
optional_policy(`
@@ -24120,7 +24141,7 @@ index 30861ec..4b0f7cc 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +293,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -24149,7 +24170,7 @@ index 30861ec..4b0f7cc 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +315,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +316,128 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -24732,7 +24753,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..a9959fa 100644
+index 9e39aa5..85ca8ac 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
@@ -24814,7 +24835,7 @@ index 9e39aa5..a9959fa 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,20 +85,25 @@ ifdef(`distro_suse', `
+@@ -73,20 +85,26 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -24839,10 +24860,11 @@ index 9e39aa5..a9959fa 100644
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/suphp\.log -- gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +122,27 @@ ifdef(`distro_debian', `
+@@ -105,7 +123,27 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -29566,7 +29588,7 @@ index 1f11572..9eb2461 100644
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..4c06224 100644
+index f758323..9f2a358 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,9 +1,16 @@
@@ -29660,7 +29682,7 @@ index f758323..4c06224 100644
+
+optional_policy(`
+ spamd_stream_connect(clamd_t)
-+ spamd_read_pid(clamd_t)
++ spamassassin_read_pid_files(clamd_t)
+')
+
tunable_policy(`clamd_use_jit',`
@@ -44760,7 +44782,7 @@ index 343cee3..e5519fd 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..65fd01f 100644
+index 64268e4..59cd713 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -45007,7 +45029,7 @@ index 64268e4..65fd01f 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(user_mail_t)
fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +316,47 @@ optional_policy(`
+@@ -292,3 +316,49 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -45035,6 +45057,8 @@ index 64268e4..65fd01f 100644
+kernel_read_network_state(user_mail_domain)
+kernel_request_load_module(user_mail_domain)
+
++dev_read_urand(user_mail_domain)
++
+files_read_usr_files(user_mail_domain)
+
+optional_policy(`
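Review bot: The rule added here is `dev_read_urand(user_mail_domain)`, but the changelog entry in this commit says "Allow user_mail_t to read /dev/random"; in refpolicy `dev_read_urand` covers urandom_device_t (/dev/urandom), while /dev/random is random_device_t and is granted by `dev_read_rand`, the interface this same patch uses for abrt_t. Either the changelog should say /dev/urandom, or, if the mailer really opens /dev/random, the call should be `dev_read_rand(user_mail_domain)`. The rule also targets the whole `user_mail_domain` attribute rather than only user_mail_t, which is wider than the changelog line suggests and worth stating there.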
@@ -46044,7 +46068,7 @@ index 386543b..8e8f911 100644
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..8666a3c 100644
+index 2324d9e..4f46ff8 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -46119,7 +46143,7 @@ index 2324d9e..8666a3c 100644
## Send a generic signal to NetworkManager
## </summary>
## <param name="domain">
-@@ -191,3 +236,77 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +236,96 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -46171,6 +46195,25 @@ index 2324d9e..8666a3c 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
+
++#######################################
++## <summary>
++## Dontaudit the specified domain to read and write
++## to Network Manager tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_dontaudit_rw_tmp_files',`
++ gen_require(`
++ type NetworkManager_tmp_t;
++ ')
++
++ dontaudit $1 NetworkManager_tmp_t:file { read write };
++')
++
+########################################
+## <summary>
+## Transition to networkmanager named content
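Review bot: The separator above the new `networkmanager_dontaudit_rw_tmp_files` interface is 39 `#` characters while the one below it, and the other headers in this file, are 40. The summary `Dontaudit the specified domain to read and write to Network Manager tmp files` reads awkwardly; the usual refpolicy phrasing is `## Do not audit attempts to read and write NetworkManager tmp files.`. Since this interface exists to silence a leaked descriptor (the changelog's "Dontaudit wicd leaking"), its caller in sysnetwork.te later in this patch would benefit from a why-comment such as `# wicd leaks NetworkManager tmp files into ifconfig_t`, so the dontaudit is revisited once the leak is fixed instead of permanently hiding writes to another service's tmp files.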
@@ -50470,7 +50513,7 @@ index 46bee12..76b68b5 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..149da7a 100644
+index a32c4b3..c24aed3 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -50850,18 +50893,19 @@ index a32c4b3..149da7a 100644
')
optional_policy(`
-@@ -599,6 +689,10 @@ optional_policy(`
+@@ -599,6 +689,11 @@ optional_policy(`
')
optional_policy(`
+ milter_stream_connect_all(postfix_smtpd_t)
++ spamassassin_read_pid_files(postfix_smtpd_t)
+')
+
+optional_policy(`
postgrey_stream_connect(postfix_smtpd_t)
')
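Review bot: `spamassassin_read_pid_files(postfix_smtpd_t)` is added into the same `optional_policy` block as `milter_stream_connect_all(postfix_smtpd_t)`; an optional block is dropped as a whole when any type it requires is missing, so if the two interfaces come from different modules (milter and spamassassin, as their prefixes indicate) the milter connect silently disappears on a system without the spamassassin module, and vice versa. Refpolicy keeps one module per block: leave the milter block as it was and put `spamassassin_read_pid_files(postfix_smtpd_t)` in its own `optional_policy` block, mirroring the separate `postgrey_stream_connect` block that follows it.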
-@@ -611,7 +705,6 @@ optional_policy(`
+@@ -611,7 +706,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -50869,7 +50913,7 @@ index a32c4b3..149da7a 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +723,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +724,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -54537,13 +54581,15 @@ index 93c896a..8c29c39 100644
+')
diff --git a/policy/modules/services/rhev.fc b/policy/modules/services/rhev.fc
new file mode 100644
-index 0000000..4e7605a
+index 0000000..9a8524d
--- /dev/null
+++ b/policy/modules/services/rhev.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
++
++/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
diff --git a/policy/modules/services/rhev.if b/policy/modules/services/rhev.if
new file mode 100644
index 0000000..bf11e25
@@ -54628,10 +54674,10 @@ index 0000000..bf11e25
+')
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644
-index 0000000..1ec5e7c
+index 0000000..5fdaf06
--- /dev/null
+++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,108 @@
+policy_module(rhev,1.0)
+
+########################################
@@ -54650,6 +54696,9 @@ index 0000000..1ec5e7c
+type rhev_agentd_tmp_t;
+files_tmp_file(rhev_agentd_tmp_t)
+
++type rhev_agentd_log_t;
++logging_log_file(rhev_agentd_log_t)
++
+########################################
+#
+# rhev_agentd_t local policy
@@ -54666,6 +54715,8 @@ index 0000000..1ec5e7c
+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
+
++manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
++
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
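Review bot: `manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)` has no companion rule for the log directory and no file transition, unlike the tmp rules right below it, which pair the `manage_*_pattern` calls with `files_tmp_filetrans`. Files created inside an already labelled /var/log/rhev-agent (rhev.fc in this patch) inherit rhev_agentd_log_t, but if the agent creates that directory itself at runtime it would presumably get the parent's var_log_t label and later writes would be denied. Adding `manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)` and `logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, dir)` (with the `"rhev-agent"` name argument if this tree's logging_log_filetrans accepts one) would match the tmp handling; whether `logging_search_logs(rhev_agentd_t)` is granted elsewhere in the file cannot be seen from this hunk.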
@@ -54708,11 +54759,31 @@ index 0000000..1ec5e7c
+')
+
+optional_policy(`
-+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
++ xserver_dbus_chat_xdm(rhev_agentd_t)
+')
+
++######################################
++#
++# rhev_agentd_t consolehelper local policy
++#
++
+optional_policy(`
-+ xserver_dbus_chat_xdm(rhev_agentd_t)
++ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
++
++ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append;
++
++ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
++ kernel_read_system_state(rhev_agentd_consolehelper_t)
++
++ term_use_virtio_console(rhev_agentd_consolehelper_t)
++
++ optional_policy(`
++ dbus_session_bus_client(rhev_agentd_consolehelper_t)
++ ')
++
++ optional_policy(`
++ unconfined_dbus_chat(rhev_agentd_consolehelper_t)
++ ')
+')
+
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
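Review bot: `allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append;` is a raw allow in a block whose other rules go through interfaces and pattern macros; the refpolicy idiom is `append_files_pattern(rhev_agentd_consolehelper_t, rhev_agentd_log_t, rhev_agentd_log_t)`, which also grants the directory search needed to open the log file and keeps the permission set defined in one place. The block also grants `unconfined_dbus_chat(rhev_agentd_consolehelper_t)` and `dbus_session_bus_client` with no comment saying what the helper exchanges with unconfined_t over dbus; a one-line why-comment above each would let a later reviewer judge whether a narrower chat interface suffices. The `# rhev_agentd_t consolehelper local policy` header could also say that the type only exists because `userhelper_console_role_template` on the first line of the block creates it.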
@@ -56717,7 +56788,7 @@ index 82cb169..0a29f68 100644
+ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..4290ecd 100644
+index e30bb63..76f4f25 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -56952,16 +57023,17 @@ index e30bb63..4290ecd 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +694,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +694,8 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
-allow swat_t smbd_var_run_t:file { lock unlink };
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
++stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +709,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +710,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -56976,7 +57048,7 @@ index e30bb63..4290ecd 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +729,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +730,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -56984,7 +57056,7 @@ index e30bb63..4290ecd 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +774,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +775,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -56993,7 +57065,7 @@ index e30bb63..4290ecd 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -783,7 +805,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +806,7 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
@@ -57002,7 +57074,7 @@ index e30bb63..4290ecd 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +828,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +829,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -57024,7 +57096,7 @@ index e30bb63..4290ecd 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +856,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +857,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -57032,7 +57104,7 @@ index e30bb63..4290ecd 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -850,10 +874,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +875,14 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
@@ -57047,7 +57119,7 @@ index e30bb63..4290ecd 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +891,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +892,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
@@ -57060,7 +57132,7 @@ index e30bb63..4290ecd 100644
optional_policy(`
kerberos_use(winbind_t)
')
-@@ -904,7 +938,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +939,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -57069,7 +57141,7 @@ index e30bb63..4290ecd 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +956,18 @@ optional_policy(`
+@@ -922,6 +957,18 @@ optional_policy(`
#
optional_policy(`
@@ -57088,7 +57160,7 @@ index e30bb63..4290ecd 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +978,12 @@ optional_policy(`
+@@ -932,9 +979,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -58405,7 +58477,7 @@ index 6b3abf9..a785741 100644
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
-index c954f31..d5e959d 100644
+index c954f31..eb3c330 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -14,6 +14,7 @@
@@ -58542,7 +58614,7 @@ index c954f31..d5e959d 100644
+## </summary>
+## </param>
+#
-+interface(`spamd_read_pid',`
++interface(`spamassassin_read_pid_files',`
+ gen_require(`
+ type spamd_t, spamd_var_run_t;
+ ')
@@ -71615,19 +71687,21 @@ index a0a0ebf..5e4149d 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 172287e..ec1f0e8 100644
+index 172287e..88fc786 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
-@@ -9,7 +9,7 @@ ifdef(`distro_gentoo',`
+@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
# /etc
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
++/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
-@@ -34,7 +34,7 @@ ifdef(`distro_redhat',`
+
+@@ -34,7 +35,7 @@ ifdef(`distro_redhat',`
#
/usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
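Review bot: The new entry `/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)` leaves the dot unescaped; file_contexts paths are regular expressions, so `.` matches any character and the entry also matches names such as /etc/localeXconf. The other new entries in this commit escape it (`/var/log/suphp\.log`, `/var/run/rhev-agentd\.pid`), and the `files_etc_filetrans(..., "locale.conf")` added in miscfiles.if takes a literal name; write the line as `/etc/locale\.conf -- gen_context(system_u:object_r:locale_t,s0)`.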
@@ -71637,7 +71711,7 @@ index 172287e..ec1f0e8 100644
/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..38de7a8 100644
+index 926ba65..b2d74f7 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',`
@@ -71675,7 +71749,7 @@ index 926ba65..38de7a8 100644
')
########################################
-@@ -769,3 +788,41 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +788,42 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
@@ -71702,6 +71776,7 @@ index 926ba65..38de7a8 100644
+ ')
+
+ files_etc_filetrans($1, locale_t, file, "localtime")
++ files_etc_filetrans($1, locale_t, file, "locale.conf")
+ files_var_filetrans($1, man_t, dir, "man")
+ files_etc_filetrans($1, locale_t, file, "timezone")
+ files_etc_filetrans($1, locale_t, file, "clock")
@@ -74130,7 +74205,7 @@ index ff80d0a..be800df 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..889356a 100644
+index 34d0ec5..dac04f8 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -74381,7 +74456,7 @@ index 34d0ec5..889356a 100644
')
optional_policy(`
-@@ -335,6 +408,18 @@ optional_policy(`
+@@ -335,6 +408,22 @@ optional_policy(`
')
optional_policy(`
@@ -74393,6 +74468,10 @@ index 34d0ec5..889356a 100644
+')
+
+optional_policy(`
++ networkmanager_dontaudit_rw_tmp_files(ifconfig_t)
++')
++
++optional_policy(`
+ netutils_domtrans(dhcpc_t)
+')
+
@@ -74400,7 +74479,7 @@ index 34d0ec5..889356a 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -356,3 +441,9 @@ optional_policy(`
+@@ -356,3 +445,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -74437,10 +74516,10 @@ index 0000000..db57bc7
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..5571350
+index 0000000..1688a39
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,504 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -74667,6 +74746,7 @@ index 0000000..5571350
+
+ allow $1 systemd_logind_t:dbus send_msg;
+ allow systemd_logind_t $1:dbus send_msg;
++ ps_process_pattern(systemd_logind_t, $1)
+')
+
+#######################################
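Review bot: `ps_process_pattern(systemd_logind_t, $1)` extends this interface past the dbus `send_msg` exchange the surrounding lines implement, so the interface's `<summary>` — outside this hunk, as is the `interface(` line — now under-describes what a caller gets: logind can read the caller's process state. Extend the summary along the lines of `## Send and receive messages from systemd logind over dbus, and allow logind to read the caller's process information.`, so a domain that is granted this interface knows the reverse access is included. The changelog entry records the intent, but the interface doc is what policy readers see.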
@@ -74946,10 +75026,10 @@ index 0000000..5571350
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b7da774
+index 0000000..9e08125
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,378 @@
+@@ -0,0 +1,381 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -75151,6 +75231,8 @@ index 0000000..b7da774
+
+dev_write_kmsg(systemd_tmpfiles_t)
+
++domain_obj_id_change_exemption(systemd_tmpfiles_t)
++
+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
+fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
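Review bot: `domain_obj_id_change_exemption(systemd_tmpfiles_t)` lets tmpfiles create or relabel objects whose SELinux user differs from its own, a notable widening that — unlike the `fs_manage_tmpfs_dirs` grant two lines below — carries no comment explaining the need. The changelog only says "Allow systemd-tmpfiles to change user identity in object contexts"; add the reason above the rule, e.g. `# tmpfiles manages per-user content whose object user is not system_u — TODO name the path that triggered the denial`, with the real path filled in, so the exemption can be re-checked when that content moves or the denial goes away.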
@@ -75235,6 +75317,7 @@ index 0000000..b7da774
+ # we have /run/user/$USER/dconf
+ gnome_delete_home_config(systemd_tmpfiles_t)
+ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
++ gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
+')
+
+optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7a72978..9c4eb14 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 64%{?dist}
+Release: 65%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,21 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Dec 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-65
+- Allow abrt to getattr on blk files
+- Add type for rhev-agent log file
+- Fix labeling for /dev/dmfm
+- Dontaudit wicd leaking
+- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it
+- Label /etc/locale.conf correctly
+- Allow user_mail_t to read /dev/random
+- Allow postfix-smtpd to read MIMEDefang
+- Add label for /var/log/suphp.log
+- Allow swat_t to connect and read/write nmbd_t sock_file
+- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
+- Allow systemd-tmpfiles to change user identity in object contexts
+- More fixes for rhev_agentd_t consolehelper policy
+
* Fri Dec 2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-64
- Use fs_use_xattr for squashf
- Fix procs_type interface