[selinux-policy/f16] - sssd needs sys_admin capability
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Dec 21 13:52:57 UTC 2011
commit 2a01431de5205f980c76c061e07337b21205e0d3
Author: Miroslav <mgrepl at redhat.com>
Date: Wed Dec 21 14:52:49 2011 +0100
- sssd needs sys_admin capability
policy-F16.patch | 105 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 5 ++-
2 files changed, 82 insertions(+), 28 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 0ae075c..72c2443 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -14740,7 +14740,7 @@ index 6cf8784..fa24001 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..39b1056 100644
+index f820f3b..d29862e 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -15418,7 +15418,7 @@ index f820f3b..39b1056 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
-@@ -4784,3 +5150,812 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5150,822 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -16147,6 +16147,16 @@ index f820f3b..39b1056 100644
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
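Review bot: The ten added `controlC0`..`controlC9` transitions carry no comment and, like the `card0`..`card9` list for xserver_misc_device_t in the next hunk, silently stop at ten sound cards, so an eleventh card's control node would keep the generic device_t label. A one-line comment above the first added line, `# sound-card control nodes; capped at ten like the card* list below`, would record the bound as deliberate rather than an oversight. The enclosing interface begins before this hunk, so its summary is not visible here to check whether it documents the cap.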
@@ -16232,10 +16242,18 @@ index f820f3b..39b1056 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 08f01e7..1c2562c 100644
+index 08f01e7..4fba365 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
-@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
+@@ -20,6 +20,7 @@ files_mountpoint(device_t)
+ files_associate_tmp(device_t)
+ fs_type(device_t)
+ fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
++dev_node(device_t)
+
+ #
+ # Type for /dev/agpgart
+@@ -108,6 +109,7 @@ dev_node(ksm_device_t)
#
type kvm_device_t;
dev_node(kvm_device_t)
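Review bot: `dev_node(device_t)` enrolls device_t, the type of the /dev directory and of any node that no more specific rule relabels, into whatever attribute dev_node() assigns (presumably device_node, the attribute this file's `files_associate_tmp(device_node)` line targets), so every interface written against that attribute now also reaches generic, otherwise unlabeled device nodes. That is a policy-wide widening, and neither the changelog entry nor the commit title mentions it. The added line deserves a comment stating the caller or denial it was added for, e.g. `# device_t is a device_node too, so attribute-wide dev_* interfaces cover nodes with no specific type (needed for <caller — TODO name it>)`, so the scope change can be re-evaluated later.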
@@ -16243,7 +16261,7 @@ index 08f01e7..1c2562c 100644
#
# Type for /dev/lirc
-@@ -118,6 +119,12 @@ dev_node(lirc_device_t)
+@@ -118,6 +120,12 @@ dev_node(lirc_device_t)
#
# Type for /dev/mapper/control
#
@@ -16256,7 +16274,7 @@ index 08f01e7..1c2562c 100644
type lvm_control_t;
dev_node(lvm_control_t)
-@@ -265,6 +272,7 @@ dev_node(v4l_device_t)
+@@ -265,6 +273,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -16264,7 +16282,7 @@ index 08f01e7..1c2562c 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -310,5 +318,5 @@ files_associate_tmp(device_node)
+@@ -310,5 +319,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -19366,7 +19384,7 @@ index f125dc2..f5e522e 100644
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 6346378..8c500cd 100644
+index 6346378..7a317b8 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -345,13 +345,8 @@ interface(`kernel_load_module',`
@@ -19383,7 +19401,32 @@ index 6346378..8c500cd 100644
')
########################################
-@@ -2072,7 +2067,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -1464,6 +1459,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+
+ ########################################
+ ## <summary>
++## Allow attempts to read all proc types.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_read_all_proc',`
++ gen_require(`
++ attribute proc_type;
++ ')
++
++ read_files_pattern($1, proc_type, proc_type)
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts by caller to search
+ ## the base directory of sysctls.
+ ## </summary>
+@@ -2072,7 +2085,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
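Review bot: The new `kernel_read_all_proc` interface grants file read on every current and future member of proc_type with one attribute-wide rule, and its summary (`## Allow attempts to read all proc types.`) does not say that the scope grows whenever a new proc_type type is declared. It also grants only what `read_files_pattern` gives — file read plus directory search — so a caller switching to it from a per-type interface loses symlink reads and directory listing unless `read_lnk_files_pattern($1, proc_type, proc_type)` and `list_dirs_pattern($1, proc_type, proc_type)` are added alongside. If any proc_type member is protected by a neverallow, an attribute-wide allow would also fail at policy build for callers outside the exempted set, which is worth checking before the interface is adopted. I would extend the summary with a sentence such as `## Broad: covers every type carrying the proc_type attribute, including ones added later; prefer a specific kernel_read_*_state interface where one exists.`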
@@ -19392,7 +19435,7 @@ index 6346378..8c500cd 100644
')
########################################
-@@ -2293,7 +2288,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2293,7 +2306,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@@ -19401,7 +19444,7 @@ index 6346378..8c500cd 100644
## </summary>
## </param>
#
-@@ -2475,6 +2470,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2475,6 +2488,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@@ -19426,7 +19469,7 @@ index 6346378..8c500cd 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
-@@ -2619,7 +2632,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2619,7 +2650,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -19435,7 +19478,7 @@ index 6346378..8c500cd 100644
')
########################################
-@@ -2657,6 +2670,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2657,6 +2688,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@@ -19460,7 +19503,7 @@ index 6346378..8c500cd 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
-@@ -2684,6 +2715,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2684,6 +2733,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@@ -19486,7 +19529,7 @@ index 6346378..8c500cd 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
-@@ -2793,6 +2843,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2793,6 +2861,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -19520,7 +19563,7 @@ index 6346378..8c500cd 100644
########################################
## <summary>
-@@ -2948,6 +3025,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2948,6 +3043,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@@ -19545,7 +19588,7 @@ index 6346378..8c500cd 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2962,4 +3057,25 @@ interface(`kernel_unconfined',`
+@@ -2962,4 +3075,25 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -27814,10 +27857,10 @@ index 0000000..fa9b95a
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..1441c62
+index 0000000..0bb9297
--- /dev/null
+++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,171 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -27870,6 +27913,7 @@ index 0000000..1441c62
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
++dev_rw_xserver_misc(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
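Review bot: Moving `dev_rw_xserver_misc` from boinc_project_t to the boinc_domain attribute (added here, removed in the hunk at `@@ -27983`) gives read/write on xserver_misc_device_t nodes — the card* devices, per the transitions in the devices.if hunk — to every member of boinc_domain, not only the project domain; which domains carry that attribute is declared outside both hunks, so the actual widening cannot be seen here. Nothing in the commit record mentions the boinc change. A comment above the added line, `# card* device access for every boinc_domain member, not just project code`, would make the broader grant visible to the next reader.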
@@ -27983,8 +28027,6 @@ index 0000000..1441c62
+
+corenet_tcp_connect_boinc_port(boinc_project_t)
+
-+dev_rw_xserver_misc(boinc_project_t)
-+
+files_dontaudit_search_home(boinc_project_t)
+
+optional_policy(`
@@ -58380,7 +58422,7 @@ index 275f9fb..2a0e198 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..9509742 100644
+index 3d8d1b3..e666122 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -58407,7 +58449,7 @@ index 3d8d1b3..9509742 100644
allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket connected_stream_socket_perms;
-@@ -41,10 +43,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+@@ -41,18 +43,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
@@ -58421,7 +58463,16 @@ index 3d8d1b3..9509742 100644
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
-@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
+ kernel_read_fs_sysctls(snmpd_t)
+ kernel_read_net_sysctls(snmpd_t)
+ kernel_read_proc_symlinks(snmpd_t)
+-kernel_read_system_state(snmpd_t)
+-kernel_read_network_state(snmpd_t)
++kernel_read_all_proc(snmpd_t)
+
+ corecmd_exec_bin(snmpd_t)
+ corecmd_exec_shell(snmpd_t)
+@@ -94,15 +96,19 @@ files_search_home(snmpd_t)
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)
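Review bot: Replacing `kernel_read_system_state(snmpd_t)` and `kernel_read_network_state(snmpd_t)` with `kernel_read_all_proc(snmpd_t)` both widens and narrows snmpd's access: it now reads files of every proc_type rather than the two it used, while the new interface (as defined in the kernel.if hunk of this commit) uses only `read_files_pattern`, so symlink reads and directory listing that the replaced interfaces presumably granted are gone — confirm against kernel.if before relying on it. If a denial on one further proc type motivated the switch, naming that type in a comment above the new line, e.g. `# snmpd also reads <proc type — TODO name it>; using the attribute-wide interface`, would let a later reviewer decide whether a third specific interface is the tighter fix. Keeping the two original lines next to the new one would avoid the lnk_file/dir regression either way.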
@@ -58442,7 +58493,7 @@ index 3d8d1b3..9509742 100644
logging_send_syslog_msg(snmpd_t)
-@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
@@ -60466,7 +60517,7 @@ index 941380a..ce8c972 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..5c32a99 100644
+index 8ffa257..b231b96 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -60483,7 +60534,7 @@ index 8ffa257..5c32a99 100644
#
-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid };
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
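Review bot: The `sys_admin` appended to the sssd_t capability set is the broadest capability on that line, and neither the line nor the commit record says which sssd operation triggered the need for it. I would put the reason on the rule, e.g. `# sys_admin: <operation taken from the AVC denial — TODO fill in>` above the allow line, so a later reviewer can check whether a dontaudit would have sufficed or whether the need has since disappeared. Keeping the list in the same order as the rest of the set (it is otherwise grouped, with sys_admin added at the end) is a minor style point.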
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e6f1750..47469f0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 67%{?dist}
+Release: 68%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Dec 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-68
+- sssd needs sys_admin capability
+
* Thu Dec 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-67
- Add httpd_can_connect_ldap() interface
- NetworkManager needs to write to /sys/class/net/ib*/mode