[selinux-policy/f15] - Allow jabberd_router_t to read system state - Rename oracledb_port to oracle_port - Allow rgmanage
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jul 20 13:52:07 UTC 2011
commit b98c65e9353439608e8094519a7879bbc685d0d2
Author: Miroslav <mgrepl at redhat.com>
Date: Wed Jul 20 15:51:47 2011 +0200
- Allow jabberd_router_t to read system state
- Rename oracledb_port to oracle_port
- Allow rgmanager to execute init script files in the initrc_t domain, which ensures proper transitions
- screen wants to manage sock files in screen home dirs
- Make screen work with confined users
- Allow gssd to search access on the directory /proc/fs/nfsd
policy-F15.patch | 92 ++++++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 10 +++++-
2 files changed, 71 insertions(+), 31 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 6f4279d..e9679b2 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -8927,29 +8927,46 @@ index 1f2cde4..7227631 100644
#
# /usr
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index 320df26..0e4ead0 100644
+index 320df26..0def31c 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
-@@ -64,6 +64,10 @@ template(`screen_role_template',`
+@@ -50,7 +50,7 @@ template(`screen_role_template',`
+ allow $1_screen_t self:udp_socket create_socket_perms;
+ # Internal screen networking
+ allow $1_screen_t self:fd use;
+- allow $1_screen_t self:unix_stream_socket create_socket_perms;
++ allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+ allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+@@ -61,9 +61,15 @@ template(`screen_role_template',`
+ # Create fifo
+ manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
++ manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
allow $1_screen_t screen_home_t:dir list_dir_perms;
+ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
++ manage_sock_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+ userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir)
read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-@@ -73,6 +77,7 @@ template(`screen_role_template',`
+@@ -71,8 +77,10 @@ template(`screen_role_template',`
+
+ domtrans_pattern($3, screen_exec_t, $1_screen_t)
allow $3 $1_screen_t:process { signal sigchld };
++ dontaudit $3 $1_screen_t:unix_stream_socket { read write };
allow $1_screen_t $3:process signal;
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_home_t, screen_home_t)
manage_files_pattern($3, screen_home_t, screen_home_t)
manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
-@@ -81,8 +86,6 @@ template(`screen_role_template',`
+@@ -81,8 +89,6 @@ template(`screen_role_template',`
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
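Review bot: The `dontaudit $3 $1_screen_t:unix_stream_socket { read write };` added in the inner `@@ -71,8 +77,10 @@` hunk carries no comment saying why the user domain `$3` ends up holding a socket owned by `$1_screen_t`; presumably the shell screen starts inside a session inherits that descriptor, but nothing here shows it. A dontaudit silences the denial without closing the leaked descriptor, so a one-line why-comment above it, e.g. `# shell spawned inside the session inherits screen's socket; do not audit`, keeps the rationale next to the rule. The new `manage_sock_files_pattern` lines for screen_var_run_t and screen_home_t rely on the existing `files_pid_filetrans` and `userdom_user_home_dir_filetrans` rules, which only name `dir`, so a socket created directly in a parent that is not already labeled screen_home_t or screen_var_run_t keeps the parent's label; confirm the sockets are only created below those directories.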
@@ -8958,7 +8975,7 @@ index 320df26..0e4ead0 100644
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
kernel_read_system_state($1_screen_t)
-@@ -112,6 +115,7 @@ template(`screen_role_template',`
+@@ -112,6 +118,7 @@ template(`screen_role_template',`
# for SSP
dev_read_urand($1_screen_t)
@@ -11343,7 +11360,7 @@ index 5a07a43..096bc60 100644
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..323326b 100644
+index 0757523..c0ccec7 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11484,7 +11501,7 @@ index 0757523..323326b 100644
-network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
+network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
-+network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
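Review bot: Renaming the port from `oracledb` to `oracle` in `+network_port(oracle, ...)` drops the `oracledb_port_t` type without an alias, so any local customisation that references the old type (a `semanage port` entry or a local module) stops loading after the upgrade. If that type has shipped in a released build, keep it loadable with `typealias oracle_port_t alias oracledb_port_t;` next to the declaration, or say in the commit message that no released policy ever defined it. The generated `corenet_*` interfaces change name with the port, so every caller of a `*_oracledb_*` interface elsewhere in the patch needs the same rename in this commit.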
@@ -19603,7 +19620,7 @@ index 6480167..2d45594 100644
+ dontaudit $1 httpd_tmp_t:file { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..99516fc 100644
+index 3136c6a..c98badf 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -20031,7 +20048,7 @@ index 3136c6a..99516fc 100644
+ corenet_tcp_connect_firebird_port(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
-+ corenet_tcp_connect_oracledb_port(httpd_t)
++ corenet_tcp_connect_oracle_port(httpd_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_t)
+')
+
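Review bot: `corenet_sendrecv_oracledb_client_packets(httpd_t)` on the line after the renamed `corenet_tcp_connect_oracle_port(httpd_t)` is left as context and still uses the old port name; the same pair appears in the next three hunks for httpd_php_t, httpd_suexec_t and httpd_sys_script_t. After `network_port(oracle, ...)` the generated interface is `corenet_sendrecv_oracle_client_packets`, so unless an interface with the old name is kept somewhere else in the patch these calls are undefined and the policy build fails. Rename them to `corenet_sendrecv_oracle_client_packets(httpd_t)` (and the three siblings) in the same commit as the port rename.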
@@ -20285,7 +20302,7 @@ index 3136c6a..99516fc 100644
+ corenet_tcp_connect_firebird_port(httpd_php_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
-+ corenet_tcp_connect_oracledb_port(httpd_php_t)
++ corenet_tcp_connect_oracle_port(httpd_php_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_php_t)
')
@@ -20352,7 +20369,7 @@ index 3136c6a..99516fc 100644
+ corenet_tcp_connect_firebird_port(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+ corenet_tcp_connect_oracledb_port(httpd_suexec_t)
++ corenet_tcp_connect_oracle_port(httpd_suexec_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
+')
+
@@ -20435,7 +20452,7 @@ index 3136c6a..99516fc 100644
+ corenet_tcp_connect_firebird_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-+ corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
++ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
+ corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
+')
+
@@ -30288,7 +30305,7 @@ index 9878499..9167dc9 100644
domain_system_change_exemption($1)
role_transition $2 jabberd_initrc_exec_t system_r;
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..e141bc5 100644
+index da2127e..10197f7 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0)
@@ -30312,7 +30329,7 @@ index da2127e..e141bc5 100644
type jabberd_log_t;
logging_log_file(jabberd_log_t)
-@@ -21,74 +27,91 @@ files_type(jabberd_var_lib_t)
+@@ -21,74 +27,93 @@ files_type(jabberd_var_lib_t)
type jabberd_var_run_t;
files_pid_file(jabberd_var_run_t)
@@ -30361,30 +30378,32 @@ index da2127e..e141bc5 100644
-dev_read_sysfs(jabberd_t)
-# For SSL
-dev_read_rand(jabberd_t)
++kernel_read_system_state(jabberd_router_t)
+
+-domain_use_interactive_fds(jabberd_t)
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
--domain_use_interactive_fds(jabberd_t)
-+fs_getattr_all_fs(jabberd_router_t)
-
-files_read_etc_files(jabberd_t)
-files_read_etc_runtime_files(jabberd_t)
++fs_getattr_all_fs(jabberd_router_t)
++
+miscfiles_read_certs(jabberd_router_t)
-
--fs_getattr_all_fs(jabberd_t)
--fs_search_auto_mountpoints(jabberd_t)
++
+optional_policy(`
+ kerberos_use(jabberd_router_t)
+')
--logging_send_syslog_msg(jabberd_t)
+-fs_getattr_all_fs(jabberd_t)
+-fs_search_auto_mountpoints(jabberd_t)
+optional_policy(`
+ nis_use_ypbind(jabberd_router_t)
+')
-+
+
+-logging_send_syslog_msg(jabberd_t)
+#####################################
+#
+# Local policy for other jabberd components
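Review bot: `kernel_read_system_state(jabberd_router_t)` is added without a comment giving the reason, and it is the broadest of the kernel_read_* interfaces (system state under /proc as a whole, not one file). If the denial was for a single path, record it above the call, e.g. `# router reads <PATH-FROM-AVC> at startup` with the path taken from the audit record, so a later reviewer can judge whether a narrower interface would do. The rest of the hunk only reorders the router's corenet_* and fs_getattr_all_fs rules relative to the removed jabberd_t rules, and the inner header change from `+27,91` to `+27,93` matches the two lines added.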
@@ -40477,7 +40496,7 @@ index 7dc38d1..9c2c963 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..56ecadc 100644
+index 00fa514..0f49245 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -40537,7 +40556,7 @@ index 00fa514..56ecadc 100644
# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
-@@ -78,18 +82,22 @@ domain_read_all_domains_state(rgmanager_t)
+@@ -78,29 +82,35 @@ domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
domain_dontaudit_ptrace_all_domains(rgmanager_t)
@@ -40562,7 +40581,12 @@ index 00fa514..56ecadc 100644
# needed by resources scripts
auth_read_all_files_except_shadow(rgmanager_t)
-@@ -100,7 +108,7 @@ logging_send_syslog_msg(rgmanager_t)
+ auth_dontaudit_getattr_shadow(rgmanager_t)
+ auth_use_nsswitch(rgmanager_t)
+
++init_domtrans_script(rgmanager_t)
++
+ logging_send_syslog_msg(rgmanager_t)
miscfiles_read_localization(rgmanager_t)
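Review bot: `init_domtrans_script(rgmanager_t)` lets scripts invoked by rgmanager run as initrc_t, generally a much broader domain than rgmanager_t, and the hunk gives no comment on which resource agents need this. A why-comment above the call, e.g. `# resource agents run /etc/init.d scripts; transition to initrc_t`, keeps the intent visible next to the rule. Since the transition only fires for files labeled initrc_exec_t, scripts under rgmanager's own paths still run in rgmanager_t; confirm the agents that need this are init scripts rather than the cluster's own scripts.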
@@ -40571,7 +40595,7 @@ index 00fa514..56ecadc 100644
tunable_policy(`rgmanager_can_network_connect',`
corenet_tcp_connect_all_ports(rgmanager_t)
-@@ -118,6 +126,14 @@ optional_policy(`
+@@ -118,6 +128,14 @@ optional_policy(`
')
optional_policy(`
@@ -40586,7 +40610,7 @@ index 00fa514..56ecadc 100644
fstools_domtrans(rgmanager_t)
')
-@@ -140,6 +156,15 @@ optional_policy(`
+@@ -140,6 +158,15 @@ optional_policy(`
')
optional_policy(`
@@ -41684,7 +41708,7 @@ index cda37bb..484e552 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index 8e1ab72..eaa8036 100644
+index 8e1ab72..56d70e5 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -41790,7 +41814,15 @@ index 8e1ab72..eaa8036 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t)
+@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
+ fs_list_rpc(gssd_t)
+ fs_rw_rpc_sockets(gssd_t)
+ fs_read_rpc_files(gssd_t)
++fs_search_nfsd_fs(gssd_t)
+
+ fs_list_inotifyfs(gssd_t)
+ files_list_tmp(gssd_t)
+@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
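Review bot: `fs_search_nfsd_fs(gssd_t)` grants only search on the /proc/fs/nfsd directory; if gssd then reads or writes entries below it, the next denial lands on those files and a read- or rw-level nfsd interface (`fs_read_nfsd_files`, `fs_rw_nfsd_fs`) would be needed instead, so confirm against the AVC that search alone was denied. A short why-comment above the call, e.g. `# gssd looks up /proc/fs/nfsd`, would also help, since the neighbouring `fs_list_rpc`/`fs_rw_rpc_sockets`/`fs_read_rpc_files` rules carry no comment either.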
@@ -41807,7 +41839,7 @@ index 8e1ab72..eaa8036 100644
')
optional_policy(`
-@@ -229,6 +247,10 @@ optional_policy(`
+@@ -229,6 +248,10 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d74f323..ba9ac82 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 34%{?dist}
+Release: 35%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,14 @@ exit 0
%endif
%changelog
+* Wed Jul 20 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-35
+- Allow jabberd_router_t to read system state
+- Rename oracledb_port to oracle_port
+- Allow rgmanager executes init script files in initrc_t domain which ensure proper transitions
+- screen wants to manage sock file in screen home dirs
+- Make screen working with confined users
+- Allow gssd to search access on the directory /proc/fs/nfsd
+
* Fri Jul 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-34
- More fixes for postfix policy
- Allow virsh_t setsched