[selinux-policy/f14/master] - Make kernel_t domain MLS trusted for lowering the level of file. - Add label for /var/lib/tftpboot
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 7 13:53:01 UTC 2011
commit 0c51660d0e1cc80b5175f2a9bbebd5a8f0fde590
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jan 7 14:52:38 2011 +0000
- Make kernel_t domain MLS trusted for lowering the level of file.
- Add label for /var/lib/tftpboot/grub directory
- Fixes for mpd policy
- Fix amanda_search_lib interface
booleans-targeted.conf | 2 +-
policy-F14.patch | 266 ++++++++++++++++++++++++++++++++++++++----------
selinux-policy.spec | 8 ++-
3 files changed, 222 insertions(+), 54 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index c7f8c40..a5d2a50 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -28,7 +28,7 @@ allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
-allow_gssd_read_tmp = false
+allow_gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
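Review bot: The shipped default of allow_gssd_read_tmp flips from false to true here, but neither the commit description nor the changelog entry added to selinux-policy.spec mentions it. A boolean default change widens what gssd may read out of the box on every targeted install, so it deserves its own changelog line, e.g. `- Enable allow_gssd_read_tmp by default`, ideally with the reason. The comment on the line above the boolean could carry the same note so the next person touching this file sees why it is on.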
diff --git a/policy-F14.patch b/policy-F14.patch
index d4abbec..90e5965 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -363,6 +363,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
files_search_var_lib(alsa_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-3.9.7/policy/modules/admin/amanda.if
+--- nsaserefpolicy/policy/modules/admin/amanda.if 2010-10-12 22:42:51.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/admin/amanda.if 2011-01-07 14:20:44.420042287 +0100
+@@ -59,11 +59,11 @@
+ #
+ interface(`amanda_search_lib',`
+ gen_require(`
+- type amanda_usr_lib_t;
++ type amanda_var_lib_t;
+ ')
+
+ files_search_usr($1)
+- allow $1 amanda_usr_lib_t:dir search_dir_perms;
++ allow $1 amanda_var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.9.7/policy/modules/admin/anaconda.te
--- nsaserefpolicy/policy/modules/admin/anaconda.te 2010-10-12 22:42:51.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/admin/anaconda.te 2010-11-05 14:02:26.401653043 +0100
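Review bot: The interface now grants search on amanda_var_lib_t, but the line before the allow still calls `files_search_usr($1)`, so a caller that relies only on this interface gets search on the amanda directory without search on the /var/lib path leading to it (inferred from the type name; the .fc is not in this hunk). Replace it with `files_search_var_lib($1)`, the same helper alsa.te uses for its var_lib type just above. If any other interface in amanda.if still names amanda_usr_lib_t it would need the same rename; that part of the file is outside this hunk.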
@@ -462,8 +479,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
apache_exec_modules(certwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.9.7/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/admin/consoletype.te 2010-11-05 14:02:26.403649559 +0100
-@@ -85,10 +85,7 @@
++++ serefpolicy-3.9.7/policy/modules/admin/consoletype.te 2011-01-05 10:57:38.790042250 +0100
+@@ -48,6 +48,7 @@
+ mls_file_write_all_levels(consoletype_t)
+
+ term_use_all_terms(consoletype_t)
++term_use_ptmx(consoletype_t)
+
+ init_use_fds(consoletype_t)
+ init_use_script_ptys(consoletype_t)
+@@ -85,10 +86,7 @@
')
optional_policy(`
@@ -1890,7 +1915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.9.7/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/admin/usermanage.te 2010-11-05 14:02:26.429649744 +0100
++++ serefpolicy-3.9.7/policy/modules/admin/usermanage.te 2011-01-07 10:32:45.063051683 +0100
@@ -88,9 +88,7 @@
# for SSP
dev_read_urand(chfn_t)
@@ -1902,7 +1927,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
-@@ -291,17 +289,18 @@
+@@ -194,8 +192,7 @@
+ selinux_compute_relabel_context(groupadd_t)
+ selinux_compute_user_contexts(groupadd_t)
+
+-term_use_all_ttys(groupadd_t)
+-term_use_all_ptys(groupadd_t)
++term_use_all_terms(groupadd_t)
+
+ init_use_fds(groupadd_t)
+ init_read_utmp(groupadd_t)
+@@ -291,17 +288,18 @@
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
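Review bot: term_use_all_terms(groupadd_t) is broader than the term_use_all_ttys/term_use_all_ptys pair it replaces — in refpolicy it covers every type carrying the terminal attribute, not just ttys and ptys (definition not visible here). The same widening is applied to sysadm_passwd_t and useradd_t in the two hunks that follow. If the intent is only to consolidate the two calls, a short comment stating why these account-management domains need every terminal type, e.g. `# may be run from any terminal type, not only ttys/ptys`, would keep a future least-privilege pass from reverting it blindly.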
@@ -1925,7 +1960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
domain_use_interactive_fds(passwd_t)
-@@ -332,6 +331,7 @@
+@@ -332,6 +330,7 @@
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -1933,7 +1968,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -426,7 +426,7 @@
+@@ -381,8 +380,7 @@
+ fs_getattr_xattr_fs(sysadm_passwd_t)
+ fs_search_auto_mountpoints(sysadm_passwd_t)
+
+-term_use_all_ttys(sysadm_passwd_t)
+-term_use_all_ptys(sysadm_passwd_t)
++term_use_all_terms(sysadm_passwd_t)
+
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
+@@ -426,7 +424,7 @@
# Useradd local policy
#
@@ -1942,7 +1987,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -498,12 +498,8 @@
+@@ -469,8 +467,7 @@
+ selinux_compute_relabel_context(useradd_t)
+ selinux_compute_user_contexts(useradd_t)
+
+-term_use_all_ttys(useradd_t)
+-term_use_all_ptys(useradd_t)
++term_use_all_terms(useradd_t)
+
+ auth_domtrans_chk_passwd(useradd_t)
+ auth_rw_lastlog(useradd_t)
+@@ -498,12 +495,8 @@
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -10433,7 +10488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.9.7/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/kernel.te 2010-11-23 10:16:46.974397100 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/kernel.te 2011-01-07 10:48:11.095291107 +0100
@@ -52,6 +52,7 @@
fs_type(debugfs_t)
allow debugfs_t self:filesystem associate;
@@ -10460,7 +10515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -268,19 +271,29 @@
+@@ -268,19 +271,30 @@
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -10473,6 +10528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
++mls_file_downgrade(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
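Review bot: mls_file_downgrade(kernel_t) makes kernel_t MLS-trusted to relabel files to a lower level, a notable widening for a domain that already carries mls_file_write_all_levels and mls_file_read_all_levels, and the rule carries no comment saying which kernel-initiated operation needs it. Record the reason next to the rule, e.g. `# kernel_t is trusted to lower file MLS levels (3.9.7-21)`, so the trust can be revisited instead of inherited forever. The hunk counts advertise seven new lines but six are shown, so a trailing blank context line appears to have been lost in this listing.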
@@ -10490,7 +10546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -357,6 +370,10 @@
+@@ -357,6 +371,10 @@
unconfined_domain_noaudit(kernel_t)
')
@@ -10689,7 +10745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.9.7/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/terminal.if 2010-11-05 14:02:26.558900072 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/terminal.if 2011-01-07 10:36:13.526042624 +0100
@@ -292,9 +292,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
@@ -12903,7 +12959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.9.7/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/abrt.te 2010-11-18 15:36:30.856398611 +0100
++++ serefpolicy-3.9.7/policy/modules/services/abrt.te 2011-01-07 14:18:32.638042294 +0100
@@ -5,6 +5,14 @@
# Declarations
#
@@ -13011,7 +13067,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -178,12 +206,18 @@
+@@ -170,6 +198,7 @@
+ rpm_manage_pid_files(abrt_t)
+ rpm_read_db(abrt_t)
+ rpm_signull(abrt_t)
++ rpm_manage_log(abrt_t)
+ ')
+
+ # to run mailx plugin
+@@ -178,12 +207,18 @@
')
optional_policy(`
@@ -13031,7 +13095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +237,7 @@
+@@ -203,6 +238,7 @@
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
@@ -13039,7 +13103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +251,8 @@
+@@ -216,7 +252,8 @@
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
@@ -13049,7 +13113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +260,18 @@
+@@ -224,4 +261,18 @@
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -17345,8 +17409,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.9.7/policy/modules/services/cobbler.fc
--- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cobbler.fc 2010-11-05 14:02:26.615901791 +0100
-@@ -1,7 +1,32 @@
++++ serefpolicy-3.9.7/policy/modules/services/cobbler.fc 2011-01-07 11:47:43.865042388 +0100
+@@ -1,7 +1,33 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -17360,6 +17424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
@@ -24388,8 +24453,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock.te serefpolicy-3.9.7/policy/modules/services/mock.te
--- nsaserefpolicy/policy/modules/services/mock.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/mock.te 2010-11-05 14:02:26.714916688 +0100
-@@ -0,0 +1,99 @@
++++ serefpolicy-3.9.7/policy/modules/services/mock.te 2011-01-07 10:56:33.999042315 +0100
+@@ -0,0 +1,101 @@
+policy_module(mock,1.0.0)
+
+########################################
@@ -24421,6 +24486,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mock
+#
+
+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++# Needed because mock can run java and mono withing build environment
++allow mock_t self:process { execmem execstack };
+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
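Review bot: The new `allow mock_t self:process { execmem execstack };` is unconditional, so every mock build now runs with writable-executable memory permitted for the build domain, not only the Java and Mono builds the comment names. Wrapping it in a tunable_policy block (as virt.te does for virt_use_nfs elsewhere in this patch) would keep the default tight and let sites that build those languages opt in. The comment also has a typo: `withing` should be `within`.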
@@ -24880,8 +24947,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.9.7/policy/modules/services/mpd.te
--- nsaserefpolicy/policy/modules/services/mpd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/mpd.te 2011-01-03 09:01:26.100042370 +0100
-@@ -0,0 +1,127 @@
++++ serefpolicy-3.9.7/policy/modules/services/mpd.te 2011-01-07 14:05:16.237042445 +0100
+@@ -0,0 +1,143 @@
+policy_module(mpd, 1.0.0)
+
+########################################
@@ -24893,7 +24960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+type mpd_exec_t;
+init_daemon_domain(mpd_t, mpd_exec_t)
+
-+permissive mpd_t;
++#permissive mpd_t;
+
+type mpd_initrc_exec_t;
+init_script_file(mpd_initrc_exec_t)
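Review bot: `#permissive mpd_t;` leaves a commented-out rule in a freshly added module; since mpd is moving to enforcing, drop the line rather than comment it out. A stale permissive line carries no information and is easy to re-enable by accident in a later edit.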
@@ -24951,6 +25018,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
+
++# needed by pulseaudio
++kernel_getattr_proc(mpd_t)
+kernel_read_system_state(mpd_t)
+kernel_read_kernel_sysctls(mpd_t)
+
@@ -24965,6 +25034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+corenet_tcp_bind_soundd_port(mpd_t)
+
+dev_read_sound(mpd_t)
++dev_write_sound(mpd_t)
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
@@ -24997,6 +25067,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
+
+optional_policy(`
++ consolekit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(mpd_t)
+')
+
@@ -25007,8 +25081,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
+')
+
+optional_policy(`
++ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
+ udev_read_db(mpd_t)
+')
++
++optional_policy(`
++ xserver_dontaudit_stream_connect(mpd_t)
++ xserver_dontaudit_read_xdm_pid(mpd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.9.7/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2010-10-12 22:42:48.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/mta.fc 2010-11-05 14:02:26.724901297 +0100
@@ -25823,7 +25906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
+miscfiles_read_localization(munin_plugin_domain)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.9.7/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mysql.if 2010-12-22 13:16:48.806042370 +0100
++++ serefpolicy-3.9.7/policy/modules/services/mysql.if 2011-01-05 10:55:41.877042746 +0100
@@ -18,6 +18,24 @@
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
')
@@ -25849,7 +25932,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
########################################
## <summary>
## Send a generic signal to MySQL.
-@@ -73,6 +91,7 @@
+@@ -36,6 +54,24 @@
+ allow $1 mysqld_t:process signal;
+ ')
+
++######################################
++## <summary>
++## Send a null signal to mysql.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mysql_signull',`
++ gen_require(`
++ type mysqld_t;
++ ')
++
++ allow $1 mysqld_t:process signull;
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the specified domain to connect to postgresql with a tcp socket.
+@@ -73,6 +109,7 @@
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
')
@@ -25857,7 +25965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
-@@ -252,7 +271,7 @@
+@@ -252,7 +289,7 @@
')
logging_search_logs($1)
@@ -25866,7 +25974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
######################################
-@@ -329,10 +348,9 @@
+@@ -329,10 +366,9 @@
#
interface(`mysql_admin',`
gen_require(`
@@ -25880,7 +25988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +361,17 @@
+@@ -343,13 +379,17 @@
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@@ -25900,7 +26008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.9.7/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mysql.te 2010-11-15 10:46:22.654148291 +0100
++++ serefpolicy-3.9.7/policy/modules/services/mysql.te 2011-01-05 10:57:13.941041475 +0100
@@ -6,9 +6,9 @@
#
@@ -25966,7 +26074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -183,6 +186,8 @@
+@@ -183,11 +186,14 @@
hostname_exec(mysqld_safe_t)
@@ -25975,6 +26083,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
miscfiles_read_localization(mysqld_safe_t)
mysql_manage_db_files(mysqld_safe_t)
+ mysql_read_config(mysqld_safe_t)
+ mysql_search_pid_files(mysqld_safe_t)
++mysql_signull(mysqld_safe_t)
+ mysql_write_log(mysqld_safe_t)
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.9.7/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/nagios.if 2010-12-03 10:05:15.156153251 +0100
@@ -36745,7 +36859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.9.7/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/virt.te 2010-11-05 14:02:26.858649759 +0100
++++ serefpolicy-3.9.7/policy/modules/services/virt.te 2011-01-07 14:27:06.569042442 +0100
@@ -5,57 +5,66 @@
# Declarations
#
@@ -37040,9 +37154,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -37062,7 +37176,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +440,8 @@
+@@ -313,6 +388,10 @@
+ ')
+
+ optional_policy(`
++ dmidecode_domtrans(virtd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+@@ -365,6 +444,8 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -37071,7 +37196,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -396,12 +473,25 @@
+@@ -396,12 +477,25 @@
allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -37098,7 +37223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +512,7 @@
+@@ -422,6 +516,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -37106,7 +37231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +520,12 @@
+@@ -429,10 +524,12 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -37119,7 +37244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,6 +533,11 @@
+@@ -440,6 +537,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -37131,7 +37256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +555,117 @@
+@@ -457,8 +559,117 @@
')
optional_policy(`
@@ -37649,7 +37774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.9.7/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.if 2010-11-05 14:02:26.868650362 +0100
++++ serefpolicy-3.9.7/policy/modules/services/xserver.if 2011-01-07 14:01:38.250051627 +0100
@@ -19,9 +19,10 @@
interface(`xserver_restricted_role',`
gen_require(`
@@ -38039,16 +38164,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -805,7 +869,7 @@
+@@ -805,7 +869,25 @@
')
files_search_pids($1)
- allow $1 xdm_var_run_t:file read_file_perms;
+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++#######################################
++## <summary>
++## Dontaudit Read XDM pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_dontaudit_read_xdm_pid',`
++ gen_require(`
++ type xdm_var_run_t;
++ ')
++
++ dontaudit $1 xdm_var_run_t:file read_file_perms;
')
########################################
-@@ -897,7 +961,7 @@
+@@ -897,7 +979,7 @@
')
logging_search_logs($1)
@@ -38057,7 +38200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -916,7 +980,7 @@
+@@ -916,7 +998,7 @@
type xserver_log_t;
')
@@ -38066,7 +38209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -963,6 +1027,45 @@
+@@ -963,6 +1045,45 @@
########################################
## <summary>
@@ -38112,7 +38255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm temporary files.
## </summary>
## <param name="domain">
-@@ -976,7 +1079,7 @@
+@@ -976,7 +1097,7 @@
type xdm_tmp_t;
')
@@ -38121,7 +38264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1141,24 @@
+@@ -1038,6 +1159,24 @@
########################################
## <summary>
@@ -38146,7 +38289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
-@@ -1052,7 +1173,7 @@
+@@ -1052,7 +1191,7 @@
type xdm_tmp_t;
')
@@ -38155,7 +38298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1070,8 +1191,10 @@
+@@ -1070,8 +1209,10 @@
type xserver_t, xserver_exec_t;
')
@@ -38167,15 +38310,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1185,6 +1308,7 @@
+@@ -1185,6 +1326,26 @@
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow xserver_t $1:shm rw_shm_perms;
++')
++
++#######################################
++## <summary>
++## Dontaudit attempts to connect to xserver
++## over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`xserver_dontaudit_stream_connect',`
++ gen_require(`
++ type xserver_t, xserver_tmp_t;
++ ')
++
++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
')
########################################
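Review bot: xserver_dontaudit_stream_connect does not dontaudit anything: its body is `stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)`, which expands to allow rules, so the interface grants the caller search on xserver_tmp_t, write on its socket file and connectto on xserver_t's stream socket — the same access as xserver_stream_connect above it. mpd.te in an earlier hunk of this patch calls it expecting a silenced denial, so mpd_t gains X server socket access instead. Replace the body with the dontaudit form of the pattern: `dontaudit $1 xserver_tmp_t:dir search_dir_perms;` `dontaudit $1 xserver_tmp_t:sock_file write_sock_file_perms;` `dontaudit $1 xserver_t:unix_stream_socket connectto;`. The summary wording `an unix` should read `a unix`.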
-@@ -1210,7 +1334,7 @@
+@@ -1210,7 +1371,7 @@
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -38184,7 +38346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## </summary>
## <param name="domain">
## <summary>
-@@ -1220,13 +1344,23 @@
+@@ -1220,13 +1381,23 @@
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -38209,7 +38371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1243,10 +1377,355 @@
+@@ -1243,10 +1414,355 @@
#
interface(`xserver_unconfined',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 441f5cc..54f7812 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
%endif
%changelog
+* Fri Jan 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-21
+- Make kernel_t domain MLS trusted for lowering the level of file.
+- Add label for /var/lib/tftpboot/grub directory
+- Fixes for mpd policy
+- Fix amanda_search_lib interface
+
* Tue Jan 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-20
- Fixes for iscsi policy
- Allow dmesg to read system state