[selinux-policy/f15] - More fixes for postfix policy - Allow virsh_t setsched - Add mcelog_log_t type for mcelog log file
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jul 15 15:10:42 UTC 2011
commit a217a49af9834e3642f16b1d8464ca242784b7b4
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jul 15 17:10:16 2011 +0200
- More fixes for postfix policy
- Allow virsh_t setsched
- Add mcelog_log_t type for mcelog log file
- Add virt_ptynode attribute
policy-F15.patch | 235 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 8 ++-
2 files changed, 156 insertions(+), 87 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 9732ec0..6f4279d 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -938,19 +938,20 @@ index 75ce30f..0e77aea 100644
')
diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc
-index 56c43c0..de535e4 100644
+index 56c43c0..0641226 100644
--- a/policy/modules/admin/mcelog.fc
+++ b/policy/modules/admin/mcelog.fc
-@@ -1 +1,4 @@
+@@ -1 +1,5 @@
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
-+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
++/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+
++/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..24a6ad6 100644
+index 5671977..ef8bc09 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
-@@ -7,8 +7,11 @@ policy_module(mcelog, 1.1.0)
+@@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0)
type mcelog_t;
type mcelog_exec_t;
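Review bot: The new context line `+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)` leaves the `.` unescaped, so it labels any regular file in /var/log whose name merely starts with `mcelog`; if only the log and its numbered rotations are meant, `/var/log/mcelog(\..*)? -- gen_context(system_u:object_r:mcelog_log_t,s0)` is the tighter spelling. This path was labelled cron_log_t until now (the cron.fc entry is removed later in this diff), and nothing in the commit grants mcelog_t access to cron_log_t, so files already on disk would presumably be denied until relabelled; the spec hunk shows no relabel step, so confirm the upgrade path restores contexts under /var/log. The hunk cuts into mcelog.te at its end; that file's declarations continue in the next hunk.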
@@ -960,13 +961,20 @@ index 5671977..24a6ad6 100644
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
++
++type mcelog_log_t;
++logging_log_file(mcelog_log_t)
########################################
#
-@@ -17,10 +20,18 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
+@@ -17,10 +23,22 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
allow mcelog_t self:capability sys_admin;
++manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
++manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
++logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })
++
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
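Review bot: `++manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)` and the `dir` class in `++logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })` have no file-context backing: the mcelog.fc hunk labels only regular files (`--`) as mcelog_log_t, so a directory created through the transition would be relabelled away by restorecon and the dir rules are otherwise unused. Either drop them, leaving `logging_log_filetrans(mcelog_t, mcelog_log_t, file)`, or add a directory entry in mcelog.fc. `manage_files_pattern` also lets the daemon delete and rename its own log; unless mcelog rotates or truncates the file itself, create plus `append_files_pattern` would protect the log's integrity better. The enclosing mcelog.te block continues outside this hunk.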
@@ -982,7 +990,7 @@ index 5671977..24a6ad6 100644
files_read_etc_files(mcelog_t)
-@@ -30,3 +41,7 @@ mls_file_read_all_levels(mcelog_t)
+@@ -30,3 +48,7 @@ mls_file_read_all_levels(mcelog_t)
logging_send_syslog_msg(mcelog_t)
miscfiles_read_localization(mcelog_t)
@@ -23636,10 +23644,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..9fe6628
+index 0000000..ebad6da
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,124 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -23733,6 +23741,7 @@ index 0000000..9fe6628
+sysnet_dns_name_resolve(colord_t)
+
+userdom_read_inherited_user_home_content_files(colord_t)
++userdom_rw_user_tmpfs_files(colord_t)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(colord_t)
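Review bot: `++userdom_rw_user_tmpfs_files(colord_t)` lets the colord system daemon read and write every user tmpfs-labelled file, not only the object it was denied on, and the hunk does not record which access prompted it. If it is a single shared-memory object (presumably a display buffer; confirm against the AVC), a purpose-specific interface or a dontaudit would be the narrower fix. A comment above the call, `# rw user tmpfs needed for <TODO: denied object>`, would keep the grant reviewable later.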
@@ -24123,7 +24132,7 @@ index 13d2f63..a048c53 100644
type cpuspeed_t;
type cpuspeed_exec_t;
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..6030f34 100644
+index 2eefc08..34ab5ce 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
@@ -14,9 +14,10 @@
@@ -24138,14 +24147,12 @@ index 2eefc08..6030f34 100644
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-@@ -45,3 +46,7 @@ ifdef(`distro_suse', `
+@@ -45,3 +46,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
-+
-+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 35241ed..a75e22c 100644
--- a/policy/modules/services/cron.if
@@ -27238,7 +27245,7 @@ index e1d7dc5..673f185 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..ce42295 100644
+index cbe14e4..b0a8e17 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -27340,7 +27347,16 @@ index cbe14e4..ce42295 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -235,6 +255,8 @@ optional_policy(`
+@@ -200,6 +220,8 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+ kernel_read_all_sysctls(dovecot_auth_t)
+ kernel_read_system_state(dovecot_auth_t)
+
++corecmd_exec_bin(dovecot_auth_t)
++
+ logging_send_audit_msgs(dovecot_auth_t)
+ logging_send_syslog_msg(dovecot_auth_t)
+
+@@ -235,6 +257,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
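Review bot: `++corecmd_exec_bin(dovecot_auth_t)` lets the credential-handling auth helper execute any bin_t/sbin_t program inside its own domain, which is wide for that role; if a specific external checker is the reason, a dedicated domain transition or a narrower interface would contain it. The hunk gives no hint which program is run, so add a comment such as `# dovecot-auth executes <TODO: helper>` above the call. The surrounding dovecot_auth_t block continues beyond the hunk.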
@@ -27349,7 +27365,7 @@ index cbe14e4..ce42295 100644
')
optional_policy(`
-@@ -242,6 +264,8 @@ optional_policy(`
+@@ -242,6 +266,8 @@ optional_policy(`
')
optional_policy(`
@@ -27358,7 +27374,7 @@ index cbe14e4..ce42295 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -249,23 +273,42 @@ optional_policy(`
+@@ -249,23 +275,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -27403,7 +27419,7 @@ index cbe14e4..ce42295 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -301,5 +344,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +346,15 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -28306,7 +28322,7 @@ index bc27421..a65582e 100644
## <summary>
## Allow domain dyntransition to sftpd_anon domain.
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..f735e6b 100644
+index 8a74a83..f947224 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -28349,7 +28365,15 @@ index 8a74a83..f735e6b 100644
########################################
#
# anon-sftp local policy
-@@ -133,7 +152,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -122,6 +141,7 @@ ifdef(`enable_mcs',`
+
+ files_read_etc_files(anon_sftpd_t)
+
++miscfiles_read_localization(anon_sftpd_t)
+ miscfiles_read_public_files(anon_sftpd_t)
+
+ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +153,7 @@ tunable_policy(`sftpd_anon_write',`
# ftpd local policy
#
@@ -28358,7 +28382,7 @@ index 8a74a83..f735e6b 100644
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +170,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +171,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -28366,7 +28390,7 @@ index 8a74a83..f735e6b 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +181,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +182,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -28382,7 +28406,7 @@ index 8a74a83..f735e6b 100644
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -219,6 +237,7 @@ auth_append_login_records(ftpd_t)
+@@ -219,6 +238,7 @@ auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)
@@ -28390,7 +28414,7 @@ index 8a74a83..f735e6b 100644
init_rw_utmp(ftpd_t)
-@@ -270,10 +289,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
@@ -28408,7 +28432,7 @@ index 8a74a83..f735e6b 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -316,6 +338,25 @@ optional_policy(`
+@@ -316,6 +339,25 @@ optional_policy(`
')
optional_policy(`
@@ -28434,7 +28458,7 @@ index 8a74a83..f735e6b 100644
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -347,10 +388,11 @@ optional_policy(`
+@@ -347,10 +389,11 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -28447,12 +28471,14 @@ index 8a74a83..f735e6b 100644
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
# Allow ftpdctl to read config files
-@@ -368,15 +410,28 @@ files_read_etc_files(sftpd_t)
+@@ -368,15 +411,30 @@ files_read_etc_files(sftpd_t)
# allow read access to /home by default
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
+userdom_dontaudit_list_admin_dir(sftpd_t)
+
++miscfiles_read_localization(sftpd_t)
++
+tunable_policy(`sftpd_full_access',`
+ allow sftpd_t self:capability { dac_override dac_read_search };
+ fs_read_noxattr_fs_files(sftpd_t)
@@ -37772,7 +37798,7 @@ index 46bee12..83cb270 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..e160aa1 100644
+index 06e37d4..b4d7354 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -37892,7 +37918,7 @@ index 06e37d4..e160aa1 100644
term_dontaudit_search_ptys(postfix_master_t)
-@@ -220,7 +239,7 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +239,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -37901,7 +37927,17 @@ index 06e37d4..e160aa1 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -264,8 +283,8 @@ optional_policy(`
+ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
+ files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir)
+
++manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
++
+ manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+ manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+@@ -264,8 +287,8 @@ optional_policy(`
# Postfix local local policy
#
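Review bot: `++manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` and the matching dirs rule give the bounce daemon create, delete and rename rights over everything carrying the maildrop label, and the later postfix_qmgr_t hunk replaces its former list/read rules on the same type with manage as well. If the need is writing deferral records under a directory that shares this label, the specific access observed would be tighter than manage; since the label presumably also covers the maildrop submission queue, the widening deserves a comment naming the directory that drove it. The bounce block continues past the hunk.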
@@ -37911,7 +37947,7 @@ index 06e37d4..e160aa1 100644
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +292,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +296,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -37920,7 +37956,7 @@ index 06e37d4..e160aa1 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +307,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +311,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -37939,7 +37975,7 @@ index 06e37d4..e160aa1 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -304,9 +330,22 @@ optional_policy(`
+@@ -304,9 +334,22 @@ optional_policy(`
')
optional_policy(`
@@ -37962,7 +37998,7 @@ index 06e37d4..e160aa1 100644
########################################
#
# Postfix map local policy
-@@ -372,6 +411,7 @@ optional_policy(`
+@@ -372,6 +415,7 @@ optional_policy(`
# Postfix pickup local policy
#
@@ -37970,7 +38006,18 @@ index 06e37d4..e160aa1 100644
allow postfix_pickup_t self:tcp_socket create_socket_perms;
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -390,8 +430,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+@@ -381,6 +425,10 @@ rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
+
+ postfix_list_spool(postfix_pickup_t)
+
++allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
++read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
++delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
++
+ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+ read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+@@ -390,8 +438,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
# Postfix pipe local policy
#
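Review bot: `++delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)` lets pickup unlink any file under the generic postfix_spool_t label rather than only the maildrop queue it handled before (the existing maildrop rules follow immediately below). If pickup only needs to remove one kind of file after moving it, check whether list plus read suffices, and record the reason in a comment, e.g. `# pickup removes <TODO: which files> from the top-level spool`. The pickup block continues outside the hunk.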
@@ -37980,7 +38027,7 @@ index 06e37d4..e160aa1 100644
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +441,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +449,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -37989,7 +38036,7 @@ index 06e37d4..e160aa1 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +462,7 @@ optional_policy(`
+@@ -420,6 +470,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -37997,7 +38044,7 @@ index 06e37d4..e160aa1 100644
')
optional_policy(`
-@@ -436,6 +479,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,6 +487,9 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -38007,7 +38054,7 @@ index 06e37d4..e160aa1 100644
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
-@@ -507,6 +553,8 @@ optional_policy(`
+@@ -507,6 +561,8 @@ optional_policy(`
# Postfix qmgr local policy
#
@@ -38016,20 +38063,20 @@ index 06e37d4..e160aa1 100644
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +567,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +575,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
+
-+allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms;
-+allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms;
++manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +591,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +599,7 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -38038,7 +38085,7 @@ index 06e37d4..e160aa1 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +640,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +648,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -38055,7 +38102,18 @@ index 06e37d4..e160aa1 100644
')
optional_policy(`
-@@ -611,8 +669,8 @@ optional_policy(`
+@@ -599,6 +665,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mysql_stream_connect(postfix_smtpd_t)
++')
++
++optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+ ')
+
+@@ -611,8 +681,8 @@ optional_policy(`
# Postfix virtual local policy
#
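Review bot: The new `++ mysql_stream_connect(postfix_smtpd_t)` block differs from the dovecot_auth_t block earlier in this diff, which pairs `mysql_stream_connect` with `mysql_search_db`; if the MySQL socket lives under the database directory, smtpd may still be denied search on it. Verify against the interface and, if needed, add `mysql_search_db(postfix_smtpd_t)` inside the same optional_policy block.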
@@ -38065,7 +38123,7 @@ index 06e37d4..e160aa1 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +688,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +700,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -45969,10 +46027,10 @@ index 2124b6a..7b0af0f 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..b961fd7 100644
+index 7c5d8d8..03cc7aee 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
-@@ -13,14 +13,15 @@
+@@ -13,39 +13,42 @@
#
template(`virt_domain_template',`
gen_require(`
@@ -45981,6 +46039,7 @@ index 7c5d8d8..b961fd7 100644
- attribute virt_domain;
+ attribute virt_image_type, virt_domain;
+ attribute virt_tmpfs_type;
++ attribute virt_ptynode;
')
type $1_t, virt_domain;
@@ -45990,8 +46049,10 @@ index 7c5d8d8..b961fd7 100644
+ mcs_untrusted_proc($1_t)
role system_r types $1_t;
- type $1_devpts_t;
-@@ -29,23 +30,24 @@ template(`virt_domain_template',`
+- type $1_devpts_t;
++ type $1_devpts_t, virt_ptynode;
+ term_pty($1_devpts_t)
+
type $1_tmp_t;
files_tmp_file($1_tmp_t)
@@ -46021,7 +46082,7 @@ index 7c5d8d8..b961fd7 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +59,6 @@ template(`virt_domain_template',`
+@@ -57,18 +60,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -46040,7 +46101,7 @@ index 7c5d8d8..b961fd7 100644
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -101,9 +91,9 @@ interface(`virt_image',`
+@@ -101,9 +92,9 @@ interface(`virt_image',`
## Execute a domain transition to run virt.
## </summary>
## <param name="domain">
@@ -46052,7 +46113,7 @@ index 7c5d8d8..b961fd7 100644
## </param>
#
interface(`virt_domtrans',`
-@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +155,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -46068,7 +46129,7 @@ index 7c5d8d8..b961fd7 100644
')
########################################
-@@ -185,13 +175,13 @@ interface(`virt_read_config',`
+@@ -185,13 +176,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -46084,7 +46145,7 @@ index 7c5d8d8..b961fd7 100644
')
########################################
-@@ -231,6 +221,24 @@ interface(`virt_read_content',`
+@@ -231,6 +222,24 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -46109,7 +46170,7 @@ index 7c5d8d8..b961fd7 100644
## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +278,36 @@ interface(`virt_manage_pid_files',`
########################################
## <summary>
@@ -46146,7 +46207,7 @@ index 7c5d8d8..b961fd7 100644
## Search virt lib directories.
## </summary>
## <param name="domain">
-@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +347,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
@@ -46171,7 +46232,7 @@ index 7c5d8d8..b961fd7 100644
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -352,9 +408,9 @@ interface(`virt_read_log',`
+@@ -352,9 +409,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
@@ -46183,7 +46244,7 @@ index 7c5d8d8..b961fd7 100644
## </param>
#
interface(`virt_append_log',`
-@@ -424,6 +480,24 @@ interface(`virt_read_images',`
+@@ -424,6 +481,24 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -46208,7 +46269,7 @@ index 7c5d8d8..b961fd7 100644
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -433,15 +507,15 @@ interface(`virt_read_images',`
+@@ -433,15 +508,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -46229,7 +46290,7 @@ index 7c5d8d8..b961fd7 100644
')
########################################
-@@ -500,6 +574,7 @@ interface(`virt_manage_images',`
+@@ -500,6 +575,7 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -46237,7 +46298,7 @@ index 7c5d8d8..b961fd7 100644
')
allow $1 virtd_t:process { ptrace signal_perms };
-@@ -515,4 +590,149 @@ interface(`virt_admin',`
+@@ -515,4 +591,149 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -46388,14 +46449,15 @@ index 7c5d8d8..b961fd7 100644
+ allow $1 virt_tmpfs_type:file manage_file_perms;
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..1d39c1b 100644
+index 3eca020..931dbce 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
-@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
# Declarations
#
+attribute virsh_transition_domain;
++attribute virt_ptynode;
+
## <desc>
-## <p>
@@ -46479,7 +46541,7 @@ index 3eca020..1d39c1b 100644
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -62,23 +72,31 @@ files_config_file(virt_etc_t)
+@@ -62,23 +73,31 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
@@ -46512,7 +46574,7 @@ index 3eca020..1d39c1b 100644
type virtd_t;
type virtd_exec_t;
-@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +108,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -46524,7 +46586,7 @@ index 3eca020..1d39c1b 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -104,15 +127,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +128,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@@ -46541,7 +46603,7 @@ index 3eca020..1d39c1b 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -120,6 +140,9 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+@@ -120,6 +141,9 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
dontaudit svirt_t virt_content_t:file write_file_perms;
dontaudit svirt_t virt_content_t:dir write;
@@ -46551,7 +46613,7 @@ index 3eca020..1d39c1b 100644
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
-@@ -133,6 +156,8 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +157,8 @@ dev_list_sysfs(svirt_t)
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
@@ -46560,7 +46622,7 @@ index 3eca020..1d39c1b 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +172,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +173,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -46576,7 +46638,7 @@ index 3eca020..1d39c1b 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +189,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +190,22 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -46599,7 +46661,7 @@ index 3eca020..1d39c1b 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +214,33 @@ optional_policy(`
+@@ -174,21 +215,33 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -46637,7 +46699,7 @@ index 3eca020..1d39c1b 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +252,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +253,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -46646,6 +46708,7 @@ index 3eca020..1d39c1b 100644
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++allow virtd_t virt_ptynode:chr_file rw_term_perms;
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
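Review bot: `++allow virtd_t virt_ptynode:chr_file rw_term_perms;` grants the daemon terminal read/write on the devpts type of every domain generated by virt_domain_template, since that template now tags each `$1_devpts_t` with the attribute; a comment above the line, `# rw on the pty of every virt_domain_template domain (virt_ptynode)`, would make that scaling explicit. The rule sits in virtd's unconditional section rather than under a tunable, so confirm that is intended. The virtd_t block continues outside this hunk.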
@@ -46654,7 +46717,7 @@ index 3eca020..1d39c1b 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +278,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +280,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -46662,7 +46725,7 @@ index 3eca020..1d39c1b 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +298,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +300,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -46695,7 +46758,7 @@ index 3eca020..1d39c1b 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +330,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +332,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -46714,7 +46777,7 @@ index 3eca020..1d39c1b 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +365,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +367,30 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -46745,7 +46808,7 @@ index 3eca020..1d39c1b 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +407,10 @@ optional_policy(`
+@@ -313,6 +409,10 @@ optional_policy(`
')
optional_policy(`
@@ -46756,7 +46819,7 @@ index 3eca020..1d39c1b 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,6 +427,10 @@ optional_policy(`
+@@ -329,6 +429,10 @@ optional_policy(`
')
optional_policy(`
@@ -46767,7 +46830,7 @@ index 3eca020..1d39c1b 100644
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
-@@ -365,6 +467,8 @@ optional_policy(`
+@@ -365,6 +469,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -46776,7 +46839,7 @@ index 3eca020..1d39c1b 100644
')
optional_policy(`
-@@ -394,14 +498,26 @@ optional_policy(`
+@@ -394,14 +500,26 @@ optional_policy(`
# virtual domains common policy
#
@@ -46805,7 +46868,7 @@ index 3eca020..1d39c1b 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +538,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +540,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -46813,7 +46876,7 @@ index 3eca020..1d39c1b 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +546,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +548,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -46826,7 +46889,7 @@ index 3eca020..1d39c1b 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,6 +559,14 @@ files_search_all(virt_domain)
+@@ -440,6 +561,14 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -46841,7 +46904,7 @@ index 3eca020..1d39c1b 100644
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +584,117 @@ optional_policy(`
+@@ -457,8 +586,117 @@ optional_policy(`
')
optional_policy(`
@@ -46866,7 +46929,7 @@ index 3eca020..1d39c1b 100644
+typealias virsh_exec_t alias xm_exec_t;
+
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config };
-+allow virsh_t self:process { getcap getsched setcap signal };
++allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c0798d7..d74f323 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 33%{?dist}
+Release: 34%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
%endif
%changelog
+* Fri Jul 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-34
+- More fixes for postfix policy
+- Allow virsh_t setsched
+- Add mcelog_log_t type for mcelog log file
+- Add virt_ptynode attribute
+
* Mon Jul 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-33
- Add l2tpd policy
- Fixes for abrt