[selinux-policy/f13/master] - Fix for cmirrord - Add mcsnetwrite attribute

Miroslav Grepl mgrepl at fedoraproject.org
Tue Feb 22 17:29:42 UTC 2011


commit df544cead422c61b3cdf680d1db31aca4721a74f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Feb 22 18:29:29 2011 +0000

    - Fix for cmirrord
    - Add mcsnetwrite attribute

 policy-F13.patch    |   64 ++++++++++++++++++++++++++++++++++++--------------
 selinux-policy.spec |    6 ++++-
 2 files changed, 51 insertions(+), 19 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index f022009..5efc171 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -290,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs
 --- nsaserefpolicy/policy/mcs	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/mcs	2011-01-19 18:02:35.000000000 +0000
++++ serefpolicy-3.7.19/policy/mcs	2011-02-22 18:00:53.341097838 +0000
 @@ -86,10 +86,10 @@
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
@@ -332,7 +332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
  mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
  	( h1 dom h2 );
  
-@@ -126,9 +132,18 @@
+@@ -126,10 +132,22 @@
  mlsconstrain db_tuple { relabelfrom select update delete use }
  	( h1 dom h2 );
  
@@ -341,17 +341,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1
 +	( h1 dom h2 );
 +
 +mlsconstrain db_view { drop getattr setattr relabelfrom expand }
-+	( h1 dom h2 );
-+
-+mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
  	( h1 dom h2 );
  
++mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
++	( h1 dom h2 );
++
 +mlsconstrain db_language { drop getattr setattr relabelfrom execute }
 + 	( h1 dom h2 );
 +
  mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
  	( h1 dom h2 );
  
++mlsconstrain packet { send recv }
++    (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
++
+ ') dnl end enable_mcs
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls
 --- nsaserefpolicy/policy/mls	2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/mls	2011-01-19 18:02:35.000000000 +0000
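Review bot: The new `mlsconstrain packet { send recv }` exempts `mcsnetwrite` domains from both directions, although the attribute name and the interface that grants it speak only of writing; a domain given the attribute so it can send down can also receive packets above its level. If write-only is the intent, split it into `mlsconstrain packet send (( h1 dom h2 ) or ( t1 == mcsnetwrite ));` and `mlsconstrain packet recv ( h1 dom h2 );`; otherwise name and document the attribute as a full packet-level exemption. The added lines are also indented with four spaces where the surrounding constraints use a tab. The enclosing `enable_mcs` block starts outside this hunk.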
@@ -6711,8 +6715,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.19/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te	2010-08-05 08:55:36.000000000 +0000
-@@ -0,0 +1,299 @@
++++ serefpolicy-3.7.19/policy/modules/apps/nsplugin.te	2011-02-22 10:30:33.961204258 +0000
+@@ -0,0 +1,300 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@@ -6844,6 +6848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +term_dontaudit_getattr_all_ptys(nsplugin_t)
 +term_dontaudit_getattr_all_ttys(nsplugin_t)
++term_dontaudit_use_ptmx(nsplugin_t)
 +
 +auth_use_nsswitch(nsplugin_t)
 +
@@ -12849,7 +12854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te	2011-01-18 17:00:20.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te	2011-02-22 18:11:18.509708746 +0000
 @@ -46,15 +46,6 @@
  sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
  
@@ -12910,7 +12915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -270,19 +275,30 @@
+@@ -270,19 +275,31 @@
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -12920,6 +12925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  mcs_process_set_categories(kernel_t)
 +mcs_file_read_all(kernel_t)
 +mcs_file_write_all(kernel_t)  
++mcs_socket_write_all_levels(kernel_t)
  
  mls_process_read_up(kernel_t)
  mls_process_write_down(kernel_t)
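Review bot: `mcs_socket_write_all_levels(kernel_t)` lifts the MCS packet constraint for the kernel domain with no comment tying it to the cmirrord problem named in the commit title. If kernel_t processes run at the `sid kernel` level (`mls_systemhigh`, visible in an earlier hunk), `h1 dom h2` already holds for any packet and the exemption is redundant, so the motivating denial is worth recording, e.g. `# exempt from mlsconstrain packet { send recv } (cmirrord fix, 3.7.19-94; TODO cite AVC)`. The kernel_t local policy block starts and ends outside this hunk.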
@@ -12941,7 +12947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -359,6 +375,10 @@
+@@ -359,6 +376,10 @@
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -12954,8 +12960,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  # Unlabeled process local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if serefpolicy-3.7.19/policy/modules/kernel/mcs.if
 --- nsaserefpolicy/policy/modules/kernel/mcs.if	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/mcs.if	2010-09-23 10:59:03.000000000 +0000
-@@ -102,3 +102,29 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/mcs.if	2011-02-22 18:10:51.518373164 +0000
+@@ -102,3 +102,49 @@
  
  	typeattribute $1 mcssetcats;
  ')
@@ -12985,14 +12991,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if
 +
 +        typeattribute $1 mcsuntrustedproc;
 +')
++
++######################################
++## <summary>
++##  Make specified domain MCS trusted
++##  for writing to sockets at any level.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`mcs_socket_write_all_levels',`
++    gen_require(`
++        attribute mcsnetwrite;
++    ')
++
++    typeattribute $1 mcsnetwrite;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-3.7.19/policy/modules/kernel/mcs.te
 --- nsaserefpolicy/policy/modules/kernel/mcs.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/mcs.te	2010-09-23 10:58:14.000000000 +0000
-@@ -11,3 +11,4 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/mcs.te	2011-02-22 18:10:17.478211093 +0000
+@@ -11,3 +11,5 @@
  attribute mcssetcats;
  attribute mcswriteall;
  attribute mcsreadall;
 +attribute mcsuntrustedproc;
++attribute mcsnetwrite;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.19/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/kernel/selinux.if	2011-02-07 16:33:28.029796002 +0000
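Review bot: The summary of `mcs_socket_write_all_levels` ("writing to sockets at any level") does not say which constraint the attribute bypasses, and since `mcsnetwrite` is consulted by the `packet { send recv }` constraint added in this commit, the exemption covers receiving as well; reword to `## Exempt the domain from the MCS packet send/recv level constraint (mcsnetwrite); trusted domains only.`. Style: the new interface body is indented with four spaces, while the existing interface ending at `typeattribute $1 mcssetcats;` uses a tab. The mcs.te change in the same hunk only declares the attribute and is fine as is.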
@@ -13082,12 +13109,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.19/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc	2011-02-17 14:54:15.022796002 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc	2011-02-22 18:04:02.158449928 +0000
 @@ -12,6 +12,7 @@
  /dev/cdu.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/cm20.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/dasd[^/]*		-c	gen_context(system_u:object_r:fixed_disk_device_t,s0)
++/dev/dasd[^/]*		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/drbd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/etherd/.+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -20016,8 +20043,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.7.19/policy/modules/services/cmirrord.te
 --- nsaserefpolicy/policy/modules/services/cmirrord.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te	2011-02-14 15:14:10.351796002 +0000
-@@ -0,0 +1,65 @@
++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te	2011-02-22 18:05:44.240937074 +0000
+@@ -0,0 +1,66 @@
 +
 +policy_module(cmirrord,1.0.0)
 +
@@ -20064,6 +20091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, { file })
 +
 +domain_use_interactive_fds(cmirrord_t)
++domain_obj_id_change_exemption(cmirrord_t)
 +
 +files_read_etc_files(cmirrord_t)
 +
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 36264c0..963672b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 93%{?dist}
+Release: 94%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
 %endif
 
 %changelog
+* Tue Feb 22 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-94
+- Fix for cmirrord
+- Add mcsnetwrite attribute
+
 * Thu Feb 17 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-93
 - Allow all sandbox to read selinux poilcy config files
 - Add allow_daemons_use_tcp_wrappers boolean

