[selinux-policy] - Add initial policy for system-setup-keyboard which is now daemon - Label /var/lock/subsys/shorewal

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 5 09:09:17 UTC 2011


commit b559c4ec49f2c63aec6fefd9c34fb37b8b2d1bb8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Jan 5 10:08:57 2011 +0000

    - Add initial policy for system-setup-keyboard which is now daemon
    - Label /var/lock/subsys/shorewall as shorewall_lock_t
    - Allow users to communicate with the gpg_agent_t
    - Dontaudit mozilla_plugin_t using the inherited terminal
    - Allow sambagui to read files in /usr
    - webalizer manages squid log files
    - Allow unconfined domains to bind ports to raw_ip_sockets
    - Allow abrt to manage rpm logs when running yum
    - Need labels for /var/run/bitlbee
    - Label .ssh under amanda
    - Remove unused genrequires for virt_domain_template
    - Allow virt_domain to use fd inherited from virtd_t
    - Allow iptables to read shorewall config

 modules-targeted.conf |    7 +
 policy-F15.patch      |  363 ++++++++++++++++++++++++++++++++++++++----------
 selinux-policy.spec   |   17 ++-
 3 files changed, 310 insertions(+), 77 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 5f04812..5fd759d 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2321,3 +2321,10 @@ pingd = module
 # 
 milter = module
 
+# Layer: services
+# Module: keyboardd
+#
+# system-setup-keyboard is a keyboard layout daemon that monitors 
+# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
+#
+keyboardd = module
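Review bot: The description line `# system-setup-keyboard is a keyboard layout daemon that monitors ` ends in trailing whitespace, which the neighbouring module entries in modules-targeted.conf do not carry; trim it to `# system-setup-keyboard is a keyboard layout daemon that monitors`. The rest of the entry follows the Layer/Module header format used above it.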
diff --git a/policy-F15.patch b/policy-F15.patch
index a692a3a..af42ac2 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1537,6 +1537,17 @@ index 47a8f7d..31f474e 100644
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
+diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
+index 029cb7e..48d1363 100644
+--- a/policy/modules/admin/shorewall.fc
++++ b/policy/modules/admin/shorewall.fc
+@@ -11,4 +11,6 @@
+ /var/lib/shorewall6(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall-lite(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ 
++/var/lock/subsys/shorewall		--	gen_context(system_u:object_r:shorewall_lock_t,s0)
++
+ /var/log/shorewall.*				gen_context(system_u:object_r:shorewall_log_t,s0)
 diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
 index 0948921..f198119 100644
 --- a/policy/modules/admin/shorewall.if
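Review bot: The new context `/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)` references shorewall_lock_t, and nothing in this hunk shows the type being declared; the policy build rejects an .fc entry whose type is unknown, so confirm that shorewall.te carries `type shorewall_lock_t;` with `files_lock_file(shorewall_lock_t)`. If the lock file is created at runtime rather than only labelled by restorecon, the creating domain also needs a transition such as `files_lock_filetrans(shorewall_t, shorewall_lock_t, file)`, otherwise the label is only correct after a relabel. The `--` specifier limits the match to a regular file, which is appropriate for a subsys lock.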
@@ -3442,10 +3453,10 @@ index e9853d4..717d163 100644
  /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
-index 40e0a2a..13d939a 100644
+index 40e0a2a..f4a103c 100644
 --- a/policy/modules/apps/gpg.if
 +++ b/policy/modules/apps/gpg.if
-@@ -54,6 +54,8 @@ interface(`gpg_role',`
+@@ -54,10 +54,13 @@ interface(`gpg_role',`
  	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  
@@ -3454,7 +3465,12 @@ index 40e0a2a..13d939a 100644
  	optional_policy(`
  		gpg_pinentry_dbus_chat($2)
  	')
-@@ -85,6 +87,43 @@ interface(`gpg_domtrans',`
+ 
++	allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
+ 	ifdef(`hide_broken_symptoms',`
+ 		#Leaked File Descriptors
+ 		dontaudit gpg_t $2:socket_class_set { getattr read write };
+@@ -85,6 +88,43 @@ interface(`gpg_domtrans',`
  	domtrans_pattern($1, gpg_exec_t, gpg_t)
  ')
  
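Review bot: `allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };` in gpg_role grants the user domain read/write and connect on every unix stream socket owned by gpg_agent_t, which is wider than a client of the agent socket needs. The refpolicy idiom is `stream_connect_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)`, which ties the connectto permission to the labelled socket file instead of the domain's sockets; use it if this tree declares gpg_agent_tmp_t. The gen_require block of gpg_role is outside the hunk, so also check that it lists `type gpg_agent_t;`, since the added rule does not build without it.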
@@ -3886,7 +3902,7 @@ index e6d84e8..b027189 100644
  
  ########################################
 diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
-index 167950d..97853ff 100644
+index 167950d..ef63b20 100644
 --- a/policy/modules/apps/java.te
 +++ b/policy/modules/apps/java.te
 @@ -82,12 +82,12 @@ dev_read_urand(java_t)
@@ -3903,7 +3919,7 @@ index 167950d..97853ff 100644
  
  fs_getattr_xattr_fs(java_t)
  fs_dontaudit_rw_tmpfs_files(java_t)
-@@ -143,12 +143,15 @@ optional_policy(`
+@@ -143,14 +143,21 @@ optional_policy(`
  	# execheap is needed for itanium/BEA jrocket
  	allow unconfined_java_t self:process { execstack execmem execheap };
  
@@ -3919,6 +3935,12 @@ index 167950d..97853ff 100644
  
  	optional_policy(`
  		rpm_domtrans(unconfined_java_t)
+ 	')
++
++	optional_policy(`
++        wine_domtrans(unconfined_java_t)
++    ')
+ ')
 diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
 index f63c4c2..3812a46 100644
 --- a/policy/modules/apps/kdumpgui.te
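Review bot: The new `optional_policy` block calling `wine_domtrans(unconfined_java_t)` is indented with spaces (`        wine_domtrans(unconfined_java_t)` and `    ')`) while the surrounding java.te uses tabs, as the rpm_domtrans block immediately above shows. Re-indent the two lines with a single tab each so the file stays consistent. The enclosing optional_policy block for unconfined_java_t starts outside this hunk.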
@@ -4298,7 +4320,7 @@ index 9a6d67d..5ac3ea5 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..451a1c0 100644
+index 2a91fa8..593cefa 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -4380,7 +4402,7 @@ index 2a91fa8..451a1c0 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,149 @@ optional_policy(`
+@@ -266,3 +291,151 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -4426,6 +4448,7 @@ index 2a91fa8..451a1c0 100644
 +corecmd_exec_bin(mozilla_plugin_t)
 +corecmd_exec_shell(mozilla_plugin_t)
 +
++corenet_tcp_connect_generic_port(mozilla_plugin_t)
 +corenet_tcp_connect_flash_port(mozilla_plugin_t)
 +corenet_tcp_connect_streaming_port(mozilla_plugin_t)
 +corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
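Review bot: `corenet_tcp_connect_generic_port(mozilla_plugin_t)` lets the plugin domain connect to every unreserved TCP port, which makes the port-specific rules that follow it (flash, streaming, pulseaudio) redundant and removes most of the network confinement the mozilla_plugin_t domain was given. If a particular plugin needs this, consider wrapping the rule in a `tunable_policy` boolean so an administrator can keep the narrower default, and add a comment naming the plugin that required it. The mozilla_plugin_t declaration and the rest of its rules are outside this hunk.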
@@ -4471,6 +4494,7 @@ index 2a91fa8..451a1c0 100644
 +userdom_delete_user_tmpfs_files(mozilla_plugin_t)
 +userdom_stream_connect(mozilla_plugin_t)
 +userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
++userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 +userdom_manage_user_tmp_sockets(mozilla_plugin_t)
 +
 +userdom_list_user_tmp(mozilla_plugin_t)
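Review bot: `userdom_dontaudit_use_user_terminals(mozilla_plugin_t)` silences denials without recording why; the commit message attributes them to a terminal inherited by the plugin, so put that next to the rule, e.g. `# terminal fd is inherited from the user session; do not audit it`. A dontaudit without a reason tends to outlive the leak it was covering, and the comment makes it easy to revisit.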
@@ -5993,11 +6017,14 @@ index c605046..15c17a0 100644
 +miscfiles_read_localization(rssh_chroot_helper_t)
 +
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index 9ec1478..26bb71c 100644
+index 9ec1478..ceec04a 100644
 --- a/policy/modules/apps/sambagui.te
 +++ b/policy/modules/apps/sambagui.te
-@@ -29,7 +29,7 @@ dev_dontaudit_read_urand(sambagui_t)
+@@ -27,9 +27,10 @@ corecmd_exec_bin(sambagui_t)
  
+ dev_dontaudit_read_urand(sambagui_t)
+ 
++files_read_usr_files(sambagui_t)
  files_read_etc_files(sambagui_t)
  files_search_var_lib(sambagui_t)
 -files_search_usr(sambagui_t)
@@ -6005,7 +6032,7 @@ index 9ec1478..26bb71c 100644
  
  auth_use_nsswitch(sambagui_t)
  
-@@ -39,6 +39,8 @@ miscfiles_read_localization(sambagui_t)
+@@ -39,6 +40,8 @@ miscfiles_read_localization(sambagui_t)
  
  nscd_dontaudit_search_pid(sambagui_t)
  
@@ -6014,7 +6041,7 @@ index 9ec1478..26bb71c 100644
  # handling with samba conf files
  samba_append_log(sambagui_t)
  samba_manage_config(sambagui_t)
-@@ -53,5 +55,9 @@ optional_policy(`
+@@ -53,5 +56,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7701,6 +7728,18 @@ index c76ceb2..d7df452 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
+index f79314b..8325a8d 100644
+--- a/policy/modules/apps/webalizer.te
++++ b/policy/modules/apps/webalizer.te
+@@ -103,3 +103,7 @@ optional_policy(`
+ optional_policy(`
+ 	nscd_socket_use(webalizer_t)
+ ')
++
++optional_policy(`
++	squid_manage_logs(webalizer_t)
++')
 diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
 index 9d24449..2666317 100644
 --- a/policy/modules/apps/wine.fc
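Review bot: `squid_manage_logs(webalizer_t)` gives the log analyser create, write and delete access to squid's log files, which is more than reading them to produce reports requires; with it a compromised webalizer_t could truncate or remove the proxy's logs. Unless webalizer really rotates these files, prefer a read-only interface from squid.if if the module provides one, and if write access is genuinely needed leave a comment above the optional_policy block saying what writes them.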
@@ -8028,7 +8067,7 @@ index b06df19..c0763c2 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index edefaf3..7548158 100644
+index edefaf3..e9599e0 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -15,6 +15,7 @@ attribute rpc_port_type;
@@ -8237,6 +8276,13 @@ index edefaf3..7548158 100644
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
+@@ -274,5 +315,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+ 
+ # Bind to any network address.
+-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
++allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+ allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
 index 3b2da10..7c29e17 100644
 --- a/policy/modules/kernel/devices.fc
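Review bot: The comment `# Bind to any network address.` now sits above `allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;`, which is a port bind on every port_type, while the address bind is the node_bind rule beneath it; reword it to `# Bind to any port or network address.` so it covers both rules. Adding rawip_socket to the name_bind line is consistent with the node_bind line, which already lists it.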
@@ -8881,7 +8927,7 @@ index bc534c1..778d512 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 3517db2..4dd4bef 100644
+index 3517db2..ebf38e4 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -8906,17 +8952,19 @@ index 3517db2..4dd4bef 100644
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
  /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-@@ -74,7 +82,8 @@ ifdef(`distro_suse',`
+@@ -74,7 +82,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
 -/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
 +
 +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf --	gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf --    gen_context(system_u:object_r:etc_runtime_t,s0)
++
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -95,7 +104,7 @@ ifdef(`distro_suse',`
+@@ -95,7 +106,7 @@ ifdef(`distro_suse',`
  # HOME_ROOT
  # expanded by genhomedircon
  #
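Review bot: `/etc/X11/xorg\.conf\.d/00-system-setup-keyboard\.conf` is labelled etc_runtime_t, the type shared by other runtime-generated files under /etc, so every domain granted files_rw_etc_runtime_files or files_manage_etc_runtime_files can rewrite this Xorg configuration snippet, not only keyboardd_t; the keyboardd.te hunk later in this patch writes it through `files_rw_etc_runtime_files(keyboardd_t)` and `files_etc_filetrans_etc_runtime(keyboardd_t, file)`. A dedicated type declared in keyboardd.te with files_config_file() and a matching files_etc_filetrans would confine writes to the daemon; if sharing etc_runtime_t is deliberate, a comment on the .fc line saying so would help. The added line also separates the path from gen_context with spaces and is followed by a second blank line, where the neighbouring entries use tabs and a single separator.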
@@ -8925,7 +8973,7 @@ index 3517db2..4dd4bef 100644
  HOME_ROOT/\.journal		<<none>>
  HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  HOME_ROOT/lost\+found/.*		<<none>>
-@@ -159,6 +168,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -159,6 +170,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -8938,7 +8986,7 @@ index 3517db2..4dd4bef 100644
  #
  # /selinux
  #
-@@ -172,12 +187,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -172,12 +189,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /srv/.*				gen_context(system_u:object_r:var_t,s0)
  
  #
@@ -8951,7 +8999,7 @@ index 3517db2..4dd4bef 100644
  # /tmp
  #
  /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -217,7 +226,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -217,7 +228,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -8959,7 +9007,7 @@ index 3517db2..4dd4bef 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -233,6 +241,8 @@ ifndef(`distro_redhat',`
+@@ -233,6 +243,8 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -8968,7 +9016,7 @@ index 3517db2..4dd4bef 100644
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-@@ -249,7 +259,7 @@ ifndef(`distro_redhat',`
+@@ -249,7 +261,7 @@ ifndef(`distro_redhat',`
  /var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
  /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
  
@@ -8977,7 +9025,7 @@ index 3517db2..4dd4bef 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -258,3 +268,7 @@ ifndef(`distro_redhat',`
+@@ -258,3 +270,7 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
@@ -13521,7 +13569,7 @@ index 0b827c5..8961dba 100644
  	admin_pattern($1, abrt_tmp_t)
  ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..7065b02 100644
+index 30861ec..d3996c8 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -13629,7 +13677,15 @@ index 30861ec..7065b02 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -178,12 +205,18 @@ optional_policy(`
+@@ -167,6 +194,7 @@ optional_policy(`
+ 	rpm_exec(abrt_t)
+ 	rpm_dontaudit_manage_db(abrt_t)
+ 	rpm_manage_cache(abrt_t)
++	rpm_manage_log(abrt_t)
+ 	rpm_manage_pid_files(abrt_t)
+ 	rpm_read_db(abrt_t)
+ 	rpm_signull(abrt_t)
+@@ -178,12 +206,18 @@ optional_policy(`
  ')
  
  optional_policy(`
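Review bot: `rpm_manage_log(abrt_t)` grants create, write and delete on the rpm log type, while the commit message describes abrt only needing to write the log while it runs yum. If rpm.if offers an append or read-write variant, prefer it here; otherwise add a comment such as `# yum run by abrt writes the rpm log` next to the rule so the reason for manage access is recorded. The enclosing optional_policy block starts outside this hunk.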
@@ -13649,7 +13705,7 @@ index 30861ec..7065b02 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +236,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -203,6 +237,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  domain_read_all_domains_state(abrt_helper_t)
  
  files_read_etc_files(abrt_helper_t)
@@ -13657,7 +13713,7 @@ index 30861ec..7065b02 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +250,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +251,8 @@ miscfiles_read_localization(abrt_helper_t)
  term_dontaudit_use_all_ttys(abrt_helper_t)
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
@@ -13667,7 +13723,7 @@ index 30861ec..7065b02 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +259,18 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +260,18 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -16123,19 +16179,74 @@ index 4deca04..42aa033 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
+index 0197980..f8bce2c 100644
+--- a/policy/modules/services/bitlbee.fc
++++ b/policy/modules/services/bitlbee.fc
+@@ -4,3 +4,6 @@
+ /usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
+ 
+ /var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)
++
++/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
++/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..6591639 100644
+index f4e7ad3..68aebc4 100644
 --- a/policy/modules/services/bitlbee.te
 +++ b/policy/modules/services/bitlbee.te
-@@ -28,7 +28,7 @@ files_type(bitlbee_var_t)
+@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
+ type bitlbee_var_t;
+ files_type(bitlbee_var_t)
+ 
++type bitlbee_var_run_t;
++files_type(bitlbee_var_run_t)
++
+ ########################################
+ #
+ # Local policy
  #
  
- allow bitlbee_t self:capability { setgid setuid };
+-allow bitlbee_t self:capability { setgid setuid };
 -allow bitlbee_t self:process signal;
++allow bitlbee_t self:capability { setgid setuid sys_nice };
 +allow bitlbee_t self:process { setsched signal };
++
++allow bitlbee_t self:fifo_file rw_fifo_file_perms;
  allow bitlbee_t self:udp_socket create_socket_perms;
  allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
  allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
+-allow bitlbee_t self:fifo_file rw_fifo_file_perms;
++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ bitlbee_read_config(bitlbee_t)
+ 
+ # tmp files
+ manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
++manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
++files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+ 
+ # user account information is read and edited at runtime; give the usual
+ # r/w access to bitlbee_var_t
+ manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+ files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
+ 
++manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
++files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
++
+ kernel_read_system_state(bitlbee_t)
+ 
+ corenet_all_recvfrom_unlabeled(bitlbee_t)
+@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
+ corenet_udp_sendrecv_generic_node(bitlbee_t)
+ corenet_tcp_sendrecv_generic_if(bitlbee_t)
+ corenet_tcp_sendrecv_generic_node(bitlbee_t)
++corenet_tcp_bind_generic_node(bitlbee_t)
+ # Allow bitlbee to connect to jabber servers
+ corenet_tcp_connect_jabber_client_port(bitlbee_t)
+ corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
 index 3e45431..fa57a6f 100644
 --- a/policy/modules/services/bluetooth.if
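Review bot: `type bitlbee_var_run_t;` is declared with `files_type(bitlbee_var_run_t)`, but it is used as a /var/run type (`files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })` and the `/var/run/bitlbee\.pid` and `\.sock` contexts); the refpolicy convention is `files_pid_file(bitlbee_var_run_t)`, which also marks it with the pidfile attribute the generic pid-file interfaces operate on. Change the declaration line to `files_pid_file(bitlbee_var_run_t)`. The filetrans also creates directories, so a `/var/run/bitlbee(/.*)?` entry in bitlbee.fc is probably needed alongside the two file entries, otherwise a directory the daemon creates is only labelled correctly until the next relabel. The capability change to `{ setgid setuid sys_nice }` together with `setsched` is consistent with a daemon adjusting its own priority.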
@@ -19695,10 +19806,34 @@ index 0f28095..cf33683 100644
  logging_send_syslog_msg(hplip_t)
  
 diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
-index c43ff4c..5bf3e60 100644
+index c43ff4c..a9783e3 100644
 --- a/policy/modules/services/cvs.if
 +++ b/policy/modules/services/cvs.if
-@@ -58,9 +58,8 @@ interface(`cvs_exec',`
+@@ -1,5 +1,23 @@
+ ## <summary>Concurrent versions system</summary>
+ 
++######################################
++## <summary>
++##  Dontaudit Attempts to list the CVS data and metadata.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`cvs_dontaudit_list_data',`
++    gen_require(`
++        type cvs_data_t;
++    ')
++
++    dontaudit $1 cvs_data_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read the CVS data and metadata.
+@@ -58,9 +76,8 @@ interface(`cvs_exec',`
  #
  interface(`cvs_admin',`
  	gen_require(`
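Review bot: The new `cvs_dontaudit_list_data` interface is indented with four spaces (`    gen_require(`` … `    dontaudit $1 cvs_data_t:dir list_dir_perms;`) while the rest of cvs.if, including cvs_admin just below, uses tabs; re-indent it with tabs. The summary `Dontaudit Attempts to list the CVS data and metadata.` has a stray capital and an unusual verb; `Do not audit attempts to list the CVS data and metadata.` matches the wording of other dontaudit interfaces.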
@@ -24337,6 +24472,75 @@ index 835b16b..dd32883 100644
 +	files_list_tmp($1)
  	admin_pattern($1, kerneloops_tmp_t)
  ')
+diff --git a/policy/modules/services/keyboardd.fc b/policy/modules/services/keyboardd.fc
+new file mode 100644
+index 0000000..485aacc
+--- /dev/null
++++ b/policy/modules/services/keyboardd.fc
+@@ -0,0 +1,2 @@
++
++/usr/bin/system-setup-keyboard		--	gen_context(system_u:object_r:keyboardd_exec_t,s0)
+diff --git a/policy/modules/services/keyboardd.if b/policy/modules/services/keyboardd.if
+new file mode 100644
+index 0000000..26391e6
+--- /dev/null
++++ b/policy/modules/services/keyboardd.if
+@@ -0,0 +1,21 @@
++
++## <summary>policy for system-setup-keyboard daemon</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run keyboard setup daemon.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`keyboardd_domtrans',`
++	gen_require(`
++		type keyboardd_t, keyboardd_exec_t;
++	')
++
++	domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
++')
++
+diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te
+new file mode 100644
+index 0000000..a2bf9c3
+--- /dev/null
++++ b/policy/modules/services/keyboardd.te
+@@ -0,0 +1,28 @@
++
++policy_module(keyboardd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type keyboardd_t;
++type keyboardd_exec_t;
++init_daemon_domain(keyboardd_t, keyboardd_exec_t)
++
++permissive keyboardd_t;
++
++########################################
++#
++# keyboardd local policy
++#
++
++allow keyboardd_t self:fifo_file rw_fifo_file_perms;
++allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
++
++files_rw_etc_runtime_files(keyboardd_t)
++files_etc_filetrans_etc_runtime(keyboardd_t, file)
++
++files_read_etc_files(keyboardd_t)
++
++miscfiles_read_localization(keyboardd_t)
 diff --git a/policy/modules/services/ksmtuned.fc b/policy/modules/services/ksmtuned.fc
 index 9c0c835..8360166 100644
 --- a/policy/modules/services/ksmtuned.fc
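Review bot: `permissive keyboardd_t;` in keyboardd.te means the new domain logs but never enforces denials, so the rules below it are not yet validated by running in enforcing mode; that is normal for an initial policy, but mark it with `# TODO: remove once the domain has been exercised in enforcing mode` so it is not forgotten. keyboardd.fc and keyboardd.if each begin with an empty first line, unlike the other files in this patch; drop them. The write path for the xorg.conf.d snippet goes through etc_runtime_t (`files_rw_etc_runtime_files` and `files_etc_filetrans_etc_runtime`), which is shared with other runtime /etc content; see the files.fc hunk earlier in this patch for that point.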
@@ -35712,20 +35916,21 @@ index 4b2230e..d45dc67 100644
  	sysnet_dns_name_resolve(httpd_squid_script_t)
  
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 078bcd7..06da5f7 100644
+index 078bcd7..2d60774 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,4 +1,9 @@
+@@ -1,4 +1,10 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
 +
++/var/lib/amanda/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/gitolite/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
  
  /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +19,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
+@@ -14,3 +20,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
@@ -36023,7 +36228,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..4cdb5c2 100644
+index 2dad3c8..f4626c0 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -36243,7 +36448,7 @@ index 2dad3c8..4cdb5c2 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +287,39 @@ optional_policy(`
+@@ -232,33 +287,43 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -36289,10 +36494,14 @@ index 2dad3c8..4cdb5c2 100644
 -',`
 -	userdom_spec_domtrans_unpriv_users(sshd_t)
 -	userdom_signal_unpriv_users(sshd_t)
++')
++
++optional_policy(`
++	amanda_search_lib(sshd_t)
  ')
  
  optional_policy(`
-@@ -266,11 +327,24 @@ optional_policy(`
+@@ -266,11 +331,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36318,7 +36527,7 @@ index 2dad3c8..4cdb5c2 100644
  ')
  
  optional_policy(`
-@@ -284,6 +358,11 @@ optional_policy(`
+@@ -284,6 +362,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36330,7 +36539,7 @@ index 2dad3c8..4cdb5c2 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +371,26 @@ optional_policy(`
+@@ -292,26 +375,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -36376,7 +36585,7 @@ index 2dad3c8..4cdb5c2 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +407,6 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -36384,7 +36593,7 @@ index 2dad3c8..4cdb5c2 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +431,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +435,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -37483,13 +37692,14 @@ index 2124b6a..6546d6e 100644
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..8822e63 100644
+index 7c5d8d8..5e2f264 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
-@@ -14,13 +14,14 @@
+@@ -13,14 +13,14 @@
+ #
  template(`virt_domain_template',`
  	gen_require(`
- 		type virtd_t;
+-		type virtd_t;
 -		attribute virt_image_type;
 -		attribute virt_domain;
 +		attribute virt_image_type, virt_domain;
@@ -37503,7 +37713,7 @@ index 7c5d8d8..8822e63 100644
  	role system_r types $1_t;
  
  	type $1_devpts_t;
-@@ -35,17 +36,18 @@ template(`virt_domain_template',`
+@@ -35,17 +35,18 @@ template(`virt_domain_template',`
  	type $1_image_t, virt_image_type;
  	files_type($1_image_t)
  	dev_node($1_image_t)
@@ -37526,7 +37736,7 @@ index 7c5d8d8..8822e63 100644
  
  	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +59,6 @@ template(`virt_domain_template',`
+@@ -57,18 +58,6 @@ template(`virt_domain_template',`
  	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
  
@@ -37545,7 +37755,7 @@ index 7c5d8d8..8822e63 100644
  	optional_policy(`
  		xserver_rw_shm($1_t)
  	')
-@@ -101,9 +91,9 @@ interface(`virt_image',`
+@@ -101,9 +90,9 @@ interface(`virt_image',`
  ##	Execute a domain transition to run virt.
  ## </summary>
  ## <param name="domain">
@@ -37557,7 +37767,7 @@ index 7c5d8d8..8822e63 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
  	gen_require(`
@@ -37573,7 +37783,7 @@ index 7c5d8d8..8822e63 100644
  ')
  
  ########################################
-@@ -185,13 +175,13 @@ interface(`virt_read_config',`
+@@ -185,13 +174,13 @@ interface(`virt_read_config',`
  #
  interface(`virt_manage_config',`
  	gen_require(`
@@ -37589,7 +37799,7 @@ index 7c5d8d8..8822e63 100644
  ')
  
  ########################################
-@@ -231,6 +221,24 @@ interface(`virt_read_content',`
+@@ -231,6 +220,24 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -37614,7 +37824,7 @@ index 7c5d8d8..8822e63 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +276,36 @@ interface(`virt_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -37651,7 +37861,7 @@ index 7c5d8d8..8822e63 100644
  ##	Search virt lib directories.
  ## </summary>
  ## <param name="domain">
-@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +345,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -37676,7 +37886,7 @@ index 7c5d8d8..8822e63 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +408,9 @@ interface(`virt_read_log',`
+@@ -352,9 +407,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -37688,7 +37898,7 @@ index 7c5d8d8..8822e63 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -424,6 +480,24 @@ interface(`virt_read_images',`
+@@ -424,6 +479,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -37713,7 +37923,7 @@ index 7c5d8d8..8822e63 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +507,15 @@ interface(`virt_read_images',`
+@@ -433,15 +506,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -37734,7 +37944,7 @@ index 7c5d8d8..8822e63 100644
  ')
  
  ########################################
-@@ -516,3 +590,51 @@ interface(`virt_admin',`
+@@ -516,3 +589,51 @@ interface(`virt_admin',`
  
  	virt_manage_log($1)
  ')
@@ -37787,7 +37997,7 @@ index 7c5d8d8..8822e63 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..333a07f 100644
+index 3eca020..191efb7 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -37986,7 +38196,7 @@ index 3eca020..333a07f 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,22 +209,28 @@ optional_policy(`
+@@ -174,21 +209,28 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -38009,17 +38219,17 @@ index 3eca020..333a07f 100644
  manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
  
  allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
- 
++allow virt_domain virtd_t:fd use;
++
 +allow virtd_t qemu_var_run_t:file relabel_file_perms;
 +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
-+
+ 
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
- 
-@@ -200,8 +241,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +242,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
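Review bot: `allow virt_domain virtd_t:fd use;` is placed in the virtd_t local-policy section, directly after the virtd_t → virt_domain process rule and before the qemu_var_run_t rules, although its subject is virt_domain; the virt_domain rules live in the later `@@ -396,12 +483,25 @@` hunk of this file next to `allow virt_domain self:capability ...`, and moving the line there keeps each section about one domain. A short comment such as `# guest domains inherit fds from virtd_t` would record why the rule exists, since the commit message is the only place that says so. The surrounding virtd_t section starts and ends outside this hunk.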
@@ -38036,7 +38246,7 @@ index 3eca020..333a07f 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +267,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +268,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -38044,7 +38254,7 @@ index 3eca020..333a07f 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +287,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +288,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -38078,7 +38288,7 @@ index 3eca020..333a07f 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +321,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -38097,7 +38307,7 @@ index 3eca020..333a07f 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +356,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -38128,7 +38338,7 @@ index 3eca020..333a07f 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +449,8 @@ optional_policy(`
+@@ -365,6 +450,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -38137,7 +38347,7 @@ index 3eca020..333a07f 100644
  ')
  
  optional_policy(`
-@@ -396,12 +482,25 @@ optional_policy(`
+@@ -396,12 +483,25 @@ optional_policy(`
  
  allow virt_domain self:capability { dac_read_search dac_override kill };
  allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -38164,7 +38374,7 @@ index 3eca020..333a07f 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +521,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +522,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -38172,7 +38382,7 @@ index 3eca020..333a07f 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +529,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +530,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -38185,7 +38395,7 @@ index 3eca020..333a07f 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +542,11 @@ files_search_all(virt_domain)
+@@ -440,6 +543,11 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -38197,7 +38407,7 @@ index 3eca020..333a07f 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +564,117 @@ optional_policy(`
+@@ -457,8 +565,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43730,7 +43940,7 @@ index 5c94dfe..59bfb17 100644
  
  ########################################
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index a3fdcb3..bce3aea 100644
+index a3fdcb3..96b3872 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -13,9 +13,6 @@ role system_r types iptables_t;
@@ -43814,11 +44024,12 @@ index a3fdcb3..bce3aea 100644
  ')
  
  optional_policy(`
-@@ -124,6 +135,7 @@ optional_policy(`
+@@ -124,6 +135,8 @@ optional_policy(`
  
  optional_policy(`
  	shorewall_rw_lib_files(iptables_t)
 +	shorewall_read_tmp_files(iptables_t)
++	shorewall_read_config(iptables_t)
  ')
  
  optional_policy(`
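Review bot: The new call `shorewall_read_config(iptables_t)` references an interface whose definition is not visible in this chunk; this commit does touch shorewall.fc, but unless shorewall.if in the same patch declares `shorewall_read_config`, the module build fails on the undefined interface, so the definition should be confirmed before merge. Placement is correct: it sits inside the existing `optional_policy(` block next to `shorewall_rw_lib_files` and `shorewall_read_tmp_files`, and the block closes with the `')` at the end of the hunk. A read-only interface is the minimal grant consistent with the changelog entry "Allow iptables to read shorewall config"; if the interface turns out to grant write or manage access to the configuration type, iptables_t would be widened beyond what the entry describes.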
@@ -44393,7 +44604,7 @@ index 3fb1915..26e9f79 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..3644f0f 100644
+index 571599b..b323b73 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -17,6 +17,10 @@
@@ -44439,7 +44650,7 @@ index 571599b..3644f0f 100644
  /var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
  /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
  
-+/var/stockmaniac/templates_cache gen_context(system_u:object_r:var_log_t,s0)
++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
 +
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
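Review bot: The corrected pattern `/var/stockmaniac/templates_cache(/.*)?` now labels the whole tree `var_log_t` rather than only the directory, consistent with the neighbouring `/var/spool/rsyslog(/.*)?` entry, but the path name suggests cache data rather than logs, and every domain allowed to write `var_log_t` gains the same access to this tree. If the application only needs these files readable by log-consuming domains, a narrower type would be a tighter fit; if it genuinely writes logs there, a one-line comment above the entry saying so would spare the next reader the same question. This is inferred from the path name alone, so treat it as a question for the packager rather than a defect.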
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7002d79..1669f5d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.12
-Release: 3%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,21 @@ exit 0
 %endif
 
 %changelog
+* Wed Jan 5 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.12-5
+- Add initial policy for system-setup-keyboard which is now daemon
+- Label /var/lock/subsys/shorewall as shorewall_lock_t
+- Allow users to communicate with the gpg_agent_t
+- Dontaudit mozilla_plugin_t using the inherited terminal
+- Allow sambagui to read files in /usr
+- webalizer manages squid log files
+- Allow unconfined domains to bind ports to raw_ip_sockets
+- Allow abrt to manage rpm logs when running yum
+- Need labels for /var/run/bittlebee
+- Label .ssh under amanda
+- Remove unused genrequires for virt_domain_template
+- Allow virt_domain to use fd inherited from virtd_t
+- Allow iptables to read shorewall config
+
 * Tue Dec 28 2010 Dan Walsh <dwalsh at redhat.com> 3.9.12-4
 - Gnome apps list config_home_t
 - mpd creates lnk files in homedir

