[selinux-policy/f13/master] - Make screen working for sysadm_u - Add /dev/crash crash_dev_t - Backport read_policy
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Feb 8 16:07:11 UTC 2011
commit 5bebe67373bf29b3006ca2366f3eb920e1870c88
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Feb 8 17:07:21 2011 +0000
- Make screen work for sysadm_u
- Add /dev/crash crash_dev_t
- Backport read_policy
policy-F13.patch | 292 ++++++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 7 +-
2 files changed, 214 insertions(+), 85 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index cd3c7b6..b551b50 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -180,8 +180,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 ser
.EE
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.7.19/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/flask/access_vectors 2011-01-19 18:02:35.000000000 +0000
-@@ -816,3 +816,32 @@
++++ serefpolicy-3.7.19/policy/flask/access_vectors 2011-02-07 16:30:15.963796001 +0000
+@@ -363,6 +363,7 @@
+ setbool
+ setsecparam
+ setcheckreqprot
++ read_policy
+ }
+
+
+@@ -816,3 +817,32 @@
class x_keyboard
inherits x_device
@@ -2954,8 +2962,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-01-14 13:43:24.000000000 +0000
-@@ -0,0 +1,70 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2011-02-07 15:02:32.542796002 +0000
+@@ -0,0 +1,71 @@
+policy_module(shutdown,1.0.0)
+
+########################################
@@ -3024,6 +3032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
+
+optional_policy(`
++ xserver_xdm_append_log(shutdown_t)
+ xserver_dontaudit_write_log(shutdown_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.19/policy/modules/admin/smoltclient.te
@@ -9962,8 +9971,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.19/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2010-06-03 07:52:19.000000000 +0000
-@@ -70,6 +70,7 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.fc 2011-02-08 15:55:14.029796002 +0000
+@@ -17,6 +17,7 @@
+ /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
+ /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
++/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
+ /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
+@@ -70,6 +71,7 @@
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
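Review bot: The new `/dev/crash` entry is placed after `/dev/btrfs-control` and before `/dev/controlD64`, which breaks the alphabetical order the surrounding devices.fc entries keep (`/dev/controlD64` sorts before `/dev/crash`); move it one line down. It is also the only entry in the visible block labelled `mls_systemhigh` rather than `s0`, which is the right default if, as the name suggests, the node gives access to kernel memory, but nothing in the fc file records why; putting that reason in the crash_device_t comment block that the devices.te hunk later in this commit adds would keep the label from being "corrected" back to s0 in a future edit.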
@@ -9971,7 +9988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
-@@ -108,10 +109,12 @@
+@@ -108,10 +110,12 @@
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
@@ -9984,7 +10001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -163,6 +166,7 @@
+@@ -163,6 +167,7 @@
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
@@ -9992,7 +10009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -186,3 +190,8 @@
+@@ -186,3 +191,8 @@
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -10003,7 +10020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2011-01-18 16:18:36.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2011-02-08 16:10:25.428796002 +0000
@@ -407,7 +407,7 @@
########################################
@@ -10191,7 +10208,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
## </summary>
## <param name="domain">
-@@ -1823,6 +1958,24 @@
+@@ -1441,6 +1576,24 @@
+ rw_chr_files_pattern($1, device_t, cpu_device_t)
+ ')
+
++#######################################
++## <summary>
++## Read the kernel crash device
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_crash',`
++ gen_require(`
++ type device_t, crash_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, crash_device_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write the the hardware SSL accelerator.
+@@ -1823,6 +1976,24 @@
read_chr_files_pattern($1, device_t, kmsg_device_t)
')
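Review bot: The summary of the new dev_read_crash interface, `## Read the kernel crash device`, does not tell a caller what is being granted: /dev/crash is the crash driver's node used to read live kernel memory, and the devices.fc hunk of this commit labels it `mls_systemhigh`, so this is a kernel-memory-read grant that only administrative domains should receive. Suggest `## Read the kernel crash device (/dev/crash). This exposes kernel memory to the caller; intended for administrative domains only, and under MLS the caller also needs read-up to reach the systemhigh node.` The rule body itself, `read_chr_files_pattern($1, device_t, crash_device_t)`, follows the neighbouring read_chr_files interfaces and looks correct.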
@@ -10216,7 +10258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
########################################
## <summary>
## Write to the kernel messages device
-@@ -2042,6 +2195,24 @@
+@@ -2042,6 +2213,24 @@
########################################
## <summary>
@@ -10241,7 +10283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Read the lvm comtrol device.
## </summary>
## <param name="domain">
-@@ -2597,6 +2768,7 @@
+@@ -2597,6 +2786,7 @@
type mtrr_device_t;
')
@@ -10249,7 +10291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
dontaudit $1 mtrr_device_t:chr_file write;
')
-@@ -2875,24 +3047,6 @@
+@@ -2875,24 +3065,6 @@
########################################
## <summary>
@@ -10274,7 +10316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
-@@ -3440,6 +3594,24 @@
+@@ -3440,6 +3612,24 @@
########################################
## <summary>
@@ -10299,7 +10341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
-@@ -3733,6 +3905,42 @@
+@@ -3733,6 +3923,42 @@
########################################
## <summary>
@@ -10342,7 +10384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
-@@ -3905,6 +4113,24 @@
+@@ -3905,6 +4131,24 @@
########################################
## <summary>
@@ -10369,7 +10411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.19/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.te 2010-06-03 07:52:19.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.te 2011-02-08 15:56:57.441796002 +0000
@@ -1,5 +1,5 @@
-policy_module(devices, 1.9.3)
@@ -10377,7 +10419,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
########################################
#
-@@ -101,6 +101,7 @@
+@@ -55,6 +55,12 @@
+ type cpu_device_t;
+ dev_node(cpu_device_t)
+
++#
++# crash_device_t is the type of /dev/crash
++#
++type crash_device_t;
++dev_node(crash_device_t)
++
+ # for the IBM zSeries z90crypt hardware ssl accelorator
+ type crypt_device_t;
+ dev_node(crypt_device_t)
+@@ -101,6 +107,7 @@
#
type kvm_device_t;
dev_node(kvm_device_t)
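Review bot: The type declared here is `crash_device_t`, but the commit message and the spec changelog entry at the end of this commit call it `crash_dev_t`; one of the two should be corrected so that the name in the changelog actually finds the declaration. The comment block above the declaration is also the natural place to record the node's sensitivity, which is otherwise only implied by the `mls_systemhigh` label in the devices.fc hunk, e.g. `# crash_device_t is the type of /dev/crash (kernel crash driver; labelled mls_systemhigh in devices.fc)`.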
@@ -10385,7 +10440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
#
# Type for /dev/lirc
-@@ -239,6 +240,18 @@
+@@ -239,6 +246,18 @@
dev_node(usb_device_t)
#
@@ -10404,7 +10459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
# userio_device_t is the type for /dev/uio[0-9]+
#
type userio_device_t;
-@@ -289,5 +302,6 @@
+@@ -289,5 +308,6 @@
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -12854,7 +12909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te
+attribute mcsuntrustedproc;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.19/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/selinux.if 2010-05-28 07:42:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/selinux.if 2011-02-07 16:33:28.029796002 +0000
@@ -40,7 +40,7 @@
# because of this statement, any module which
@@ -12880,7 +12935,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
-@@ -404,6 +406,7 @@
+@@ -301,6 +303,26 @@
+ }
+ ')
+
++#######################################
++## <summary>
++## Allow caller to read the policy from the kernel.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`selinux_read_policy',`
++ gen_require(`
++ type security_t;
++ ')
++
++ allow $1 security_t:dir list_dir_perms;
++ allow $1 security_t:file read_file_perms;
++ allow $1 security_t:security read_policy;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow caller to set the state of Booleans to
+@@ -404,6 +426,7 @@
')
allow $1 security_t:dir list_dir_perms;
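Review bot: The summary of the new selinux_read_policy interface, `## Allow caller to read the policy from the kernel.`, leaves out what a reader of a backport needs: `read_policy` is the security-class permission (declared in the access_vectors hunk at the top of this commit) that the kernel checks when a process reads the loaded binary policy back out of selinuxfs, and a kernel that does not implement that check never consults it, so on such a kernel this interface grants only the two file rules. Suggest `## Allow caller to read the loaded binary policy back from the kernel via selinuxfs (security { read_policy }); requires a kernel that implements the check.` The `allow $1 security_t:dir list_dir_perms;` and `allow $1 security_t:file read_file_perms;` lines repeat the two rules that close the interface ending just above this hunk (its name is outside the hunk); if that interface is the generic selinuxfs read access, calling it instead of copying the rules would keep the two in step.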
@@ -12888,7 +12970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
allow $1 boolean_type:file rw_file_perms;
if(!secure_mode_policyload) {
-@@ -622,3 +625,23 @@
+@@ -622,3 +645,23 @@
typeattribute $1 selinux_unconfined_type;
')
@@ -13082,8 +13164,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.19/policy/modules/roles/auditadm.te
--- nsaserefpolicy/policy/modules/roles/auditadm.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/auditadm.te 2010-05-28 07:42:00.000000000 +0000
-@@ -29,10 +29,13 @@
++++ serefpolicy-3.7.19/policy/modules/roles/auditadm.te 2011-02-07 16:38:06.752796002 +0000
+@@ -23,16 +23,21 @@
+
+ domain_kill_all_domains(auditadm_t)
+
++selinux_read_policy(auditadm_t)
++
+ logging_send_syslog_msg(auditadm_t)
+ logging_read_generic_logs(auditadm_t)
+ logging_manage_audit_log(auditadm_t)
logging_manage_audit_config(auditadm_t)
logging_run_auditctl(auditadm_t, auditadm_r)
logging_run_auditd(auditadm_t, auditadm_r)
@@ -13136,8 +13226,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2011-01-27 14:38:59.870455000 +0000
-@@ -9,25 +9,62 @@
++++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2011-02-07 16:38:37.088796001 +0000
+@@ -9,25 +9,64 @@
role staff_r;
userdom_unpriv_user_template(staff)
@@ -13158,6 +13248,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+
+auth_domtrans_pam_console(staff_t)
+
++selinux_read_policy(staff_t)
++
+init_dbus_chat_script(staff_t)
+
+seutil_read_module_store(staff_t)
@@ -13200,7 +13292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
bluetooth_role(staff_r, staff_t)
')
-@@ -99,12 +136,18 @@
+@@ -99,12 +138,18 @@
oident_manage_user_content(staff_t)
oident_relabel_user_content(staff_t)
')
@@ -13219,7 +13311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
pyzor_role(staff_r, staff_t)
')
-@@ -119,22 +162,27 @@
+@@ -119,22 +164,27 @@
optional_policy(`
screen_role_template(staff, staff_r, staff_t)
')
@@ -13247,7 +13339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
sudo_role_template(staff, staff_r, staff_t)
-@@ -145,6 +193,11 @@
+@@ -145,6 +195,11 @@
userdom_dontaudit_use_user_terminals(staff_t)
')
@@ -13259,7 +13351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
optional_policy(`
thunderbird_role(staff_r, staff_t)
')
-@@ -169,6 +222,77 @@
+@@ -169,6 +224,77 @@
wireshark_role(staff_r, staff_t)
')
@@ -13339,11 +13431,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
--- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-01-19 17:18:43.000000000 +0000
-@@ -28,17 +28,29 @@
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te 2011-02-08 16:31:28.403796002 +0000
+@@ -28,17 +28,31 @@
corecmd_exec_shell(sysadm_t)
++dev_read_crash(sysadm_t)
++
+domain_dontaudit_read_all_domains_state(sysadm_t)
+
mls_process_read_up(sysadm_t)
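Review bot: `dev_read_crash(sysadm_t)` gives sysadm_t unconditional read access to /dev/crash, a node the devices.fc hunk labels `mls_systemhigh`; under MLS the read only succeeds together with the `mls_process_read_up(sysadm_t)` line that follows, so the two rules are coupled and their adjacency here is apt, but nothing says so. A one-line comment naming the consumer and the coupling would help, e.g. `# read live kernel memory through /dev/crash (presumably for the crash utility); needs the read-up below under MLS`. The sensitivity of the interface itself belongs in its summary in the devices.if hunk of this commit.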
@@ -13370,7 +13464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -56,6 +68,7 @@
+@@ -56,6 +70,7 @@
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
@@ -13378,7 +13472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
tunable_policy(`allow_ptrace',`
-@@ -70,7 +83,9 @@
+@@ -70,7 +85,9 @@
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -13389,7 +13483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -98,17 +113,25 @@
+@@ -98,17 +115,25 @@
bind_run_ndc(sysadm_t, sysadm_r)
')
@@ -13415,7 +13509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
-@@ -126,16 +149,18 @@
+@@ -126,16 +151,18 @@
consoletype_run(sysadm_t, sysadm_r)
')
@@ -13436,7 +13530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -165,9 +190,11 @@
+@@ -165,9 +192,11 @@
ethereal_run_tethereal(sysadm_t, sysadm_r)
')
@@ -13448,7 +13542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
-@@ -177,6 +204,7 @@
+@@ -177,6 +206,7 @@
fstools_run(sysadm_t, sysadm_r)
')
@@ -13456,7 +13550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
games_role(sysadm_r, sysadm_t)
')
-@@ -192,6 +220,7 @@
+@@ -192,6 +222,7 @@
optional_policy(`
gpg_role(sysadm_r, sysadm_t)
')
@@ -13464,7 +13558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
-@@ -205,6 +234,13 @@
+@@ -205,6 +236,13 @@
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -13478,7 +13572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
')
optional_policy(`
-@@ -212,12 +248,18 @@
+@@ -212,12 +250,18 @@
')
optional_policy(`
@@ -13497,7 +13591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
kudzu_run(sysadm_t, sysadm_r)
-@@ -227,9 +269,11 @@
+@@ -227,9 +271,11 @@
libs_run_ldconfig(sysadm_t, sysadm_r)
')
@@ -13509,7 +13603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
logrotate_run(sysadm_t, sysadm_r)
-@@ -252,8 +296,10 @@
+@@ -252,8 +298,10 @@
optional_policy(`
mount_run(sysadm_t, sysadm_r)
@@ -13520,7 +13614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mozilla_role(sysadm_r, sysadm_t)
')
-@@ -261,6 +307,7 @@
+@@ -261,6 +309,7 @@
optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')
@@ -13528,7 +13622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
mta_role(sysadm_r, sysadm_t)
-@@ -275,6 +322,10 @@
+@@ -275,6 +324,10 @@
')
optional_policy(`
@@ -13539,7 +13633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -308,8 +359,14 @@
+@@ -308,8 +361,14 @@
')
optional_policy(`
@@ -13554,7 +13648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
quota_run(sysadm_t, sysadm_r)
-@@ -319,9 +376,11 @@
+@@ -319,9 +378,11 @@
raid_domtrans_mdadm(sysadm_t)
')
@@ -13566,7 +13660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rpc_domtrans_nfsd(sysadm_t)
-@@ -331,9 +390,11 @@
+@@ -331,9 +392,11 @@
rpm_run(sysadm_t, sysadm_r)
')
@@ -13578,7 +13672,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
rsync_exec(sysadm_t)
-@@ -358,8 +419,14 @@
+@@ -346,6 +409,7 @@
+
+ optional_policy(`
+ screen_role_template(sysadm, sysadm_r, sysadm_t)
++ allow sysadm_screen_t self:capability { dac_read_search dac_override };
+ ')
+
+ optional_policy(`
+@@ -358,8 +422,14 @@
')
optional_policy(`
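Review bot: `allow sysadm_screen_t self:capability { dac_read_search dac_override };` grants dac_override, which lets the domain bypass every DAC permission check (read, write and execute), while dac_read_search covers only the read/search cases and is subsumed by it; if the denial that motivated this was screen reading or searching a directory owned by another uid, `allow sysadm_screen_t self:capability dac_read_search;` is enough and the broader capability can be dropped. Either way the raw allow rule deserves a comment naming the denied operation, since nothing in sysadm.te says why the screen domain needs to bypass DAC. A raw `allow` on a type owned by the screen module inside a role file is also unusual for refpolicy; if the need is generic, a change to screen_role_template (presumably in screen.if) would give every role the same fix.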
@@ -13593,7 +13695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -382,9 +449,11 @@
+@@ -382,9 +452,11 @@
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')
@@ -13605,7 +13707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,17 +462,21 @@
+@@ -393,17 +465,21 @@
tripwire_run_twprint(sysadm_t, sysadm_r)
')
@@ -13627,7 +13729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
unconfined_domtrans(sysadm_t)
-@@ -417,9 +490,11 @@
+@@ -417,9 +493,11 @@
usbmodules_run(sysadm_t, sysadm_r)
')
@@ -13639,7 +13741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +502,15 @@
+@@ -427,9 +505,15 @@
usermanage_run_useradd(sysadm_t, sysadm_r)
')
@@ -13655,7 +13757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
optional_policy(`
vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +521,30 @@
+@@ -440,13 +524,30 @@
')
optional_policy(`
@@ -31451,13 +31553,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
+userdom_dontaudit_search_user_home_content(portreserve_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.19/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.fc 2010-05-28 07:42:00.000000000 +0000
-@@ -1,4 +1,5 @@
++++ serefpolicy-3.7.19/policy/modules/services/postfix.fc 2011-02-08 13:09:33.994796002 +0000
+@@ -1,5 +1,6 @@
# postfix
+-/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
- /etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
++/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
ifdef(`distro_redhat', `
/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+ /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@@ -29,12 +30,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
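Review bot: Replacing `/etc/postfix(/.*)?` with `/etc/postfix.*` widens the match from the directory and its contents to every path that merely starts with the string `/etc/postfix`, so an unrelated `/etc/postfix<anything>` file or directory would be relabelled postfix_etc_t; the second postfix.fc hunk of this commit does the same for `/var/lib/postfix.*` and `/var/spool/postfix.*`. If the intent is to cover extra instances named `/etc/postfix-<name>`, a pattern that keeps a path separator after the name, e.g. `/etc/postfix(-[^/]+)?(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)`, covers them without catching arbitrary prefixes; if plain `/etc/postfix` was all that was wanted, the original pattern should stay. Whichever it is, a comment stating the intent would stop the next reader from tightening the pattern back.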
@@ -31471,6 +31575,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+@@ -44,9 +43,9 @@
+ /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+ /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+
+-/var/lib/postfix(/.*)? gen_context(system_u:object_r:postfix_data_t,s0)
++/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
+
+-/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
++/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+ /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+ /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2011-01-19 10:28:09.000000000 +0000
@@ -47732,7 +47848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2011-01-27 14:49:05.612455000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2011-02-07 16:39:28.257796001 +0000
@@ -30,8 +30,9 @@
')
@@ -48906,7 +49022,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1234,6 +1449,7 @@
+@@ -1219,6 +1434,7 @@
+ selinux_set_enforce_mode($1)
+ selinux_set_all_booleans($1)
+ selinux_set_parameters($1)
++ selinux_read_policy($1)
+
+ auth_relabel_all_files_except_shadow($1)
+ auth_relabel_shadow($1)
+@@ -1234,6 +1450,7 @@
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -48914,7 +49038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1272,11 +1488,15 @@
+@@ -1272,11 +1489,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -48930,7 +49054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1387,6 +1607,7 @@
+@@ -1387,6 +1608,7 @@
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -48938,7 +49062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_home($1)
')
-@@ -1433,6 +1654,14 @@
+@@ -1433,6 +1655,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -48953,7 +49077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1448,9 +1677,11 @@
+@@ -1448,9 +1678,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -48965,7 +49089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1507,6 +1738,42 @@
+@@ -1507,6 +1739,42 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -49008,7 +49132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1581,6 +1848,8 @@
+@@ -1581,6 +1849,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -49017,7 +49141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1595,10 +1864,12 @@
+@@ -1595,10 +1865,12 @@
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -49032,7 +49156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1641,6 +1912,24 @@
+@@ -1641,6 +1913,24 @@
########################################
## <summary>
@@ -49057,7 +49181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1692,10 +1981,30 @@
+@@ -1692,10 +1982,30 @@
type user_home_dir_t, user_home_t;
')
@@ -49088,7 +49212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
## Do not audit attempts to read user home files.
-@@ -1708,11 +2017,14 @@
+@@ -1708,11 +2018,14 @@
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -49106,7 +49230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1802,8 +2114,7 @@
+@@ -1802,8 +2115,7 @@
type user_home_dir_t, user_home_t;
')
@@ -49116,7 +49240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -1815,24 +2126,17 @@
+@@ -1815,24 +2127,17 @@
## Domain allowed access.
## </summary>
## </param>
@@ -49145,7 +49269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
-@@ -1866,6 +2170,7 @@
+@@ -1866,6 +2171,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -49153,7 +49277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2102,6 +2407,25 @@
+@@ -2102,6 +2408,25 @@
########################################
## <summary>
@@ -49179,7 +49303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to list user
## temporary directories.
## </summary>
-@@ -2218,6 +2542,25 @@
+@@ -2218,6 +2543,25 @@
########################################
## <summary>
@@ -49205,7 +49329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to manage users
## temporary files.
## </summary>
-@@ -2427,13 +2770,14 @@
+@@ -2427,13 +2771,14 @@
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -49221,7 +49345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## </summary>
## <param name="domain">
## <summary>
-@@ -2454,6 +2798,24 @@
+@@ -2454,6 +2799,24 @@
########################################
## <summary>
@@ -49246,7 +49370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2747,6 +3109,25 @@
+@@ -2747,6 +3110,25 @@
########################################
## <summary>
@@ -49272,7 +49396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Execute bin_t in the unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -2787,7 +3168,7 @@
+@@ -2787,7 +3169,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -49281,7 +49405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2803,11 +3184,13 @@
+@@ -2803,11 +3185,13 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -49297,7 +49421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2944,7 +3327,7 @@
+@@ -2944,7 +3328,7 @@
type user_tmp_t;
')
@@ -49306,7 +49430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
-@@ -2981,6 +3364,7 @@
+@@ -2981,6 +3365,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -49314,7 +49438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_search_proc($1)
')
-@@ -3111,3 +3495,725 @@
+@@ -3111,3 +3496,725 @@
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a329e6c..9b3eebb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 90%{?dist}
+Release: 91%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
%endif
%changelog
+* Tue Feb 8 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-91
+- Make screen working for sysadm_u
+- Add /dev/crash crash_dev_t
+- Backport read_policy
+
* Mon Feb 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-90
- shutdown is passed stdout to a xdm_log_t file
- dovecot_etc_t contains a lnk_file that domains need to read