[selinux-policy/f15] - Allow jabberd_router_t to read system state - Rename oracledb_port to oracle_port - Allow rgmanage

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jul 20 13:52:07 UTC 2011


commit b98c65e9353439608e8094519a7879bbc685d0d2
Author: Miroslav <mgrepl at redhat.com>
Date:   Wed Jul 20 15:51:47 2011 +0200

    - Allow jabberd_router_t to read system state
    - Rename oracledb_port to oracle_port
    - Allow rgmanager to execute init script files in the initrc_t domain, which ensures proper transitions
    - screen wants to manage sock files in screen home dirs
    - Make screen work with confined users
    - Allow gssd to search access on the directory /proc/fs/nfsd

 policy-F15.patch    |   92 ++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |   10 +++++-
 2 files changed, 71 insertions(+), 31 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 6f4279d..e9679b2 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -8927,29 +8927,46 @@ index 1f2cde4..7227631 100644
  #
  # /usr
 diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index 320df26..0e4ead0 100644
+index 320df26..0def31c 100644
 --- a/policy/modules/apps/screen.if
 +++ b/policy/modules/apps/screen.if
-@@ -64,6 +64,10 @@ template(`screen_role_template',`
+@@ -50,7 +50,7 @@ template(`screen_role_template',`
+ 	allow $1_screen_t self:udp_socket create_socket_perms;
+ 	# Internal screen networking
+ 	allow $1_screen_t self:fd use;
+-	allow $1_screen_t self:unix_stream_socket create_socket_perms;
++	allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+ 	allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+ 
+ 	manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+@@ -61,9 +61,15 @@ template(`screen_role_template',`
+ 	# Create fifo
+ 	manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ 	manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
++	manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
  	files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
  
  	allow $1_screen_t screen_home_t:dir list_dir_perms;
 +	manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
 +	manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
++	manage_sock_files_pattern($1_screen_t, screen_home_t, screen_home_t)
 +	userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
 +	userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir)
  	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
  	read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
  
-@@ -73,6 +77,7 @@ template(`screen_role_template',`
+@@ -71,8 +77,10 @@ template(`screen_role_template',`
+ 
+ 	domtrans_pattern($3, screen_exec_t, $1_screen_t)
  	allow $3 $1_screen_t:process { signal sigchld };
++	dontaudit $3 $1_screen_t:unix_stream_socket { read write };
  	allow $1_screen_t $3:process signal;
  
 +	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
  	manage_dirs_pattern($3, screen_home_t, screen_home_t)
  	manage_files_pattern($3, screen_home_t, screen_home_t)
  	manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
-@@ -81,8 +86,6 @@ template(`screen_role_template',`
+@@ -81,8 +89,6 @@ template(`screen_role_template',`
  	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
  
  	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
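Review bot: The new `dontaudit $3 $1_screen_t:unix_stream_socket { read write };` silences denials on the user domain touching the screen domain's socket with no comment saying why, while this file otherwise annotates its non-obvious rules (`# Internal screen networking`, `# Create fifo`). Presumably the attached user shell inherits the screen socket descriptor and the read/write attempts are harmless fd leaks rather than access screen needs — if so, record that so the dontaudit is not later "fixed" into an allow; I'd add `# attached shell ($3) inherits the screen socket fd; harmless, so hide rather than grant` above it. If screen really does need the user domain to read or write that socket, the right change is an explicit allow with a comment, not a dontaudit. The screen_role_template body starts and ends outside this hunk.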
@@ -8958,7 +8975,7 @@ index 320df26..0e4ead0 100644
  	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
  
  	kernel_read_system_state($1_screen_t)
-@@ -112,6 +115,7 @@ template(`screen_role_template',`
+@@ -112,6 +118,7 @@ template(`screen_role_template',`
  	# for SSP
  	dev_read_urand($1_screen_t)
  
@@ -11343,7 +11360,7 @@ index 5a07a43..096bc60 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..323326b 100644
+index 0757523..c0ccec7 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11484,7 +11501,7 @@ index 0757523..323326b 100644
 -network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
 +network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
  network_port(ntp, udp,123,s0)
-+network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 +network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
@@ -19603,7 +19620,7 @@ index 6480167..2d45594 100644
 +	dontaudit $1 httpd_tmp_t:file { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..99516fc 100644
+index 3136c6a..c98badf 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -20031,7 +20048,7 @@ index 3136c6a..99516fc 100644
 +	corenet_tcp_connect_firebird_port(httpd_t)
 +	corenet_tcp_connect_mssql_port(httpd_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_t)
-+	corenet_tcp_connect_oracledb_port(httpd_t)
++	corenet_tcp_connect_oracle_port(httpd_t)
 +	corenet_sendrecv_oracledb_client_packets(httpd_t)
 +')
 +
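Review bot: After `oracledb` is renamed to `oracle` in corenetwork.te.in (`network_port(oracle, ...)`), the generated interfaces become `corenet_tcp_connect_oracle_port` and `corenet_sendrecv_oracle_client_packets`, but this hunk only renames the connect call and leaves `corenet_sendrecv_oracledb_client_packets(httpd_t)` in place; unless an interface of that name is still defined somewhere not shown here, the policy build will fail on the undefined macro. The same half-rename repeats for httpd_php_t, httpd_suexec_t and httpd_sys_script_t in the following three hunks. I'd change this line to `corenet_sendrecv_oracle_client_packets(httpd_t)` and do the same in the other three blocks. The enclosing block starts outside this hunk.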
@@ -20285,7 +20302,7 @@ index 3136c6a..99516fc 100644
 +	corenet_tcp_connect_firebird_port(httpd_php_t)
 +	corenet_tcp_connect_mssql_port(httpd_php_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_php_t)
-+	corenet_tcp_connect_oracledb_port(httpd_php_t)
++	corenet_tcp_connect_oracle_port(httpd_php_t)
 +	corenet_sendrecv_oracledb_client_packets(httpd_php_t)
  ')
  
@@ -20352,7 +20369,7 @@ index 3136c6a..99516fc 100644
 +	corenet_tcp_connect_firebird_port(httpd_suexec_t)
 +	corenet_tcp_connect_mssql_port(httpd_suexec_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
++	corenet_tcp_connect_oracle_port(httpd_suexec_t)
 +	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
 +')
 +
@@ -20435,7 +20452,7 @@ index 3136c6a..99516fc 100644
 +	corenet_tcp_connect_firebird_port(httpd_sys_script_t)
 +	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-+	corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
++	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
 +	corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
 +')
 +
@@ -30288,7 +30305,7 @@ index 9878499..9167dc9 100644
  	domain_system_change_exemption($1)
  	role_transition $2 jabberd_initrc_exec_t system_r;
 diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..e141bc5 100644
+index da2127e..10197f7 100644
 --- a/policy/modules/services/jabber.te
 +++ b/policy/modules/services/jabber.te
 @@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0)
@@ -30312,7 +30329,7 @@ index da2127e..e141bc5 100644
  type jabberd_log_t;
  logging_log_file(jabberd_log_t)
  
-@@ -21,74 +27,91 @@ files_type(jabberd_var_lib_t)
+@@ -21,74 +27,93 @@ files_type(jabberd_var_lib_t)
  type jabberd_var_run_t;
  files_pid_file(jabberd_var_run_t)
  
@@ -30361,30 +30378,32 @@ index da2127e..e141bc5 100644
 -dev_read_sysfs(jabberd_t)
 -# For SSL
 -dev_read_rand(jabberd_t)
++kernel_read_system_state(jabberd_router_t)
+ 
+-domain_use_interactive_fds(jabberd_t)
 +corenet_tcp_bind_jabber_client_port(jabberd_router_t)
 +corenet_tcp_bind_jabber_router_port(jabberd_router_t)
 +corenet_tcp_connect_jabber_router_port(jabberd_router_t)
 +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
 +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
  
--domain_use_interactive_fds(jabberd_t)
-+fs_getattr_all_fs(jabberd_router_t)
- 
 -files_read_etc_files(jabberd_t)
 -files_read_etc_runtime_files(jabberd_t)
++fs_getattr_all_fs(jabberd_router_t)
++
 +miscfiles_read_certs(jabberd_router_t)
- 
--fs_getattr_all_fs(jabberd_t)
--fs_search_auto_mountpoints(jabberd_t)
++
 +optional_policy(`
 +        kerberos_use(jabberd_router_t)
 +')
  
--logging_send_syslog_msg(jabberd_t)
+-fs_getattr_all_fs(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
 +optional_policy(`
 +       nis_use_ypbind(jabberd_router_t)
 +')
-+
+ 
+-logging_send_syslog_msg(jabberd_t)
 +#####################################
 +#
 +# Local policy for other jabberd components
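Review bot: `kernel_read_system_state(jabberd_router_t)` is added with no comment on which /proc path the router actually needs, while the neighbouring rules in this file do explain themselves (`# For SSL` on `dev_read_rand`). The interface grants read on all of /proc system state, which is broader than the single file that presumably produced the denial, so the trigger is worth recording; I'd add `# jabberd router reads /proc system state - TODO record which path triggered this` above it and replace the TODO with the real path once known. The jabberd_router_t policy section starts outside this hunk.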
@@ -40477,7 +40496,7 @@ index 7dc38d1..9c2c963 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..56ecadc 100644
+index 00fa514..0f49245 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -40537,7 +40556,7 @@ index 00fa514..56ecadc 100644
  
  # need to write to /dev/misc/dlm-control
  dev_rw_dlm_control(rgmanager_t)
-@@ -78,18 +82,22 @@ domain_read_all_domains_state(rgmanager_t)
+@@ -78,29 +82,35 @@ domain_read_all_domains_state(rgmanager_t)
  domain_getattr_all_domains(rgmanager_t)
  domain_dontaudit_ptrace_all_domains(rgmanager_t)
  
@@ -40562,7 +40581,12 @@ index 00fa514..56ecadc 100644
  
  # needed by resources scripts
  auth_read_all_files_except_shadow(rgmanager_t)
-@@ -100,7 +108,7 @@ logging_send_syslog_msg(rgmanager_t)
+ auth_dontaudit_getattr_shadow(rgmanager_t)
+ auth_use_nsswitch(rgmanager_t)
+ 
++init_domtrans_script(rgmanager_t)
++
+ logging_send_syslog_msg(rgmanager_t)
  
  miscfiles_read_localization(rgmanager_t)
  
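Review bot: `init_domtrans_script(rgmanager_t)` lets rgmanager execute init scripts and transition them into initrc_t, one of the most permissive domains in the targeted policy, yet the hunk carries no comment on why, and the commit message's rationale ("ensure proper transitions") does not survive into the policy source. I'd add above it `# resource agents run /etc/init.d scripts; transition to initrc_t so the services they start land in their own domains instead of running in rgmanager_t`. Also confirm that rgmanager_t's role (presumably system_r, since it runs as a daemon) is authorized for initrc_t, otherwise the domain transition is denied at the role level despite this rule. The surrounding rgmanager_t rules continue outside this hunk.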
@@ -40571,7 +40595,7 @@ index 00fa514..56ecadc 100644
  
  tunable_policy(`rgmanager_can_network_connect',`
  	corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +126,14 @@ optional_policy(`
+@@ -118,6 +128,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40586,7 +40610,7 @@ index 00fa514..56ecadc 100644
  	fstools_domtrans(rgmanager_t)
  ')
  
-@@ -140,6 +156,15 @@ optional_policy(`
+@@ -140,6 +158,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41684,7 +41708,7 @@ index cda37bb..484e552 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 8e1ab72..eaa8036 100644
+index 8e1ab72..56d70e5 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -41790,7 +41814,15 @@ index 8e1ab72..eaa8036 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t)
+@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
+ fs_list_rpc(gssd_t)
+ fs_rw_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
++fs_search_nfsd_fs(gssd_t)
+ 
+ fs_list_inotifyfs(gssd_t)
+ files_list_tmp(gssd_t)
+@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -41807,7 +41839,7 @@ index 8e1ab72..eaa8036 100644
  ')
  
  optional_policy(`
-@@ -229,6 +247,10 @@ optional_policy(`
+@@ -229,6 +248,10 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d74f323..ba9ac82 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,14 @@ exit 0
 %endif
 
 %changelog
+* Wed Jul 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-35
+- Allow jabberd_router_t to read system state
+- Rename oracledb_port to oracle_port
+- Allow rgmanager executes init script files in initrc_t domain which ensure proper transitions
+- screen wants to manage sock file in screen home dirs
+- Make screen working with confined users
+- Allow gssd to search access on the directory /proc/fs/nfsd
+
 * Fri Jul 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-34
 - More fixes for postfix policy
 - Allow virsh_t setsched

