[selinux-policy/f15] - Add label for /var/lock/ppp - Fixes for colord policy - Allow sys_chroot for postfix domains
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Jun 2 14:55:51 UTC 2011
commit 7868ff51f9ed8085324109c1fe51623ee2ea0c9b
Author: Miroslav Grepl <mgrepl at avalanche15.(none)>
Date: Thu Jun 2 16:56:25 2011 +0200
- Add label for /var/lock/ppp
- Fixes for colord policy
- Allow sys_chroot for postfix domains
policy-F15.patch | 366 ++++++++++++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 7 +-
2 files changed, 308 insertions(+), 65 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index a7734b1..214d01b 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -2634,10 +2634,62 @@ index 74354da..0852738 100644
+ modutils_read_module_deps(usbmodules_t)
+')
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 81fb26f..cd18ca8 100644
+index 81fb26f..fa853d7 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
-@@ -285,6 +285,9 @@ interface(`usermanage_run_useradd',`
+@@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',`
+
+ ########################################
+ ## <summary>
++## Check access to the groupadd executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`usermanage_access_check_groupadd',`
++ gen_require(`
++ type groupadd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 groupadd_exec_t:file { getattr_file_perms audit_access };
++')
++
++########################################
++## <summary>
+ ## Execute groupadd in the groupadd domain, and
+ ## allow the specified role the groupadd domain.
+ ## </summary>
+@@ -170,6 +189,25 @@ interface(`usermanage_run_passwd',`
+
+ ########################################
+ ## <summary>
++## Check access to the passwd executable
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`usermanage_access_check_passwd',`
++ gen_require(`
++ type passwd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 passwd_exec_t:file { getattr_file_perms audit_access };
++')
++
++########################################
++## <summary>
+ ## Execute password admin functions in
+ ## the admin passwd domain.
+ ## </summary>
+@@ -285,6 +323,9 @@ interface(`usermanage_run_useradd',`
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
@@ -2647,6 +2699,32 @@ index 81fb26f..cd18ca8 100644
seutil_run_semanage(useradd_t, $2)
optional_policy(`
+@@ -294,6 +335,25 @@ interface(`usermanage_run_useradd',`
+
+ ########################################
+ ## <summary>
++## Check access to the useradd executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`usermanage_access_check_useradd',`
++ gen_require(`
++ type useradd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 useradd_exec_t:file { getattr_file_perms audit_access };
++')
++
++########################################
++## <summary>
+ ## Read the crack database.
+ ## </summary>
+ ## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 441cf22..73e9eba 100644
--- a/policy/modules/admin/usermanage.te
@@ -7886,10 +7964,10 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
-index 0000000..0fedd57
+index 0000000..3b6af20
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,305 @@
+@@ -0,0 +1,341 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -8125,6 +8203,42 @@ index 0000000..0fedd57
+
+########################################
+## <summary>
++## Delete sandbox symbolic links
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`sandbox_delete_lnk_files',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++## <summary>
++## Delete sandbox fifo files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`sandbox_delete_pipes',`
++ gen_require(`
++ type sandbox_file_t;
++ ')
++
++ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
++')
++
++########################################
++## <summary>
+## Delete sandbox sock files
+## </summary>
+## <param name="domain">
@@ -8162,7 +8276,7 @@ index 0000000..0fedd57
+
+########################################
+## <summary>
-+## allow domain to delete sandbox files
++## Delete sandbox directories
+## </summary>
+## <param name="domain">
+## <summary>
@@ -13648,10 +13762,38 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..6d0cc0b 100644
+index dfe361a..8617d89 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
-@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
+@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
+
+ ########################################
+ ## <summary>
++## Get attributes of cgroup files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_getattr_cgroup_files',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ getattr_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_tmpfs($1)
++ dev_search_sysfs($1)
++')
++
++########################################
++## <summary>
+ ## Search cgroup directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',`
')
search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -13683,7 +13825,7 @@ index dfe361a..6d0cc0b 100644
## list cgroup directories.
## </summary>
## <param name="domain">
-@@ -665,9 +685,29 @@ interface(`fs_list_cgroup_dirs', `
+@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', `
')
list_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -13713,7 +13855,7 @@ index dfe361a..6d0cc0b 100644
########################################
## <summary>
## Delete cgroup directories.
-@@ -684,6 +724,7 @@ interface(`fs_delete_cgroup_dirs', `
+@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', `
')
delete_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -13721,7 +13863,7 @@ index dfe361a..6d0cc0b 100644
dev_search_sysfs($1)
')
-@@ -704,6 +745,7 @@ interface(`fs_manage_cgroup_dirs',`
+@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',`
')
manage_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -13729,7 +13871,7 @@ index dfe361a..6d0cc0b 100644
dev_search_sysfs($1)
')
-@@ -724,6 +766,7 @@ interface(`fs_read_cgroup_files',`
+@@ -724,6 +787,7 @@ interface(`fs_read_cgroup_files',`
')
read_files_pattern($1, cgroup_t, cgroup_t)
@@ -13737,7 +13879,7 @@ index dfe361a..6d0cc0b 100644
dev_search_sysfs($1)
')
-@@ -743,6 +786,7 @@ interface(`fs_write_cgroup_files', `
+@@ -743,6 +807,7 @@ interface(`fs_write_cgroup_files', `
')
write_files_pattern($1, cgroup_t, cgroup_t)
@@ -13745,7 +13887,7 @@ index dfe361a..6d0cc0b 100644
dev_search_sysfs($1)
')
-@@ -763,6 +807,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -763,6 +828,7 @@ interface(`fs_rw_cgroup_files',`
')
rw_files_pattern($1, cgroup_t, cgroup_t)
@@ -13753,7 +13895,7 @@ index dfe361a..6d0cc0b 100644
dev_search_sysfs($1)
')
-@@ -803,6 +848,7 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +869,7 @@ interface(`fs_manage_cgroup_files',`
')
manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -13761,7 +13903,34 @@ index dfe361a..6d0cc0b 100644
dev_search_sysfs($1)
')
-@@ -1052,6 +1098,24 @@ interface(`fs_list_noxattr_fs',`
+@@ -1032,6 +1099,26 @@ interface(`fs_getattr_noxattr_fs',`
+ allow $1 noxattrfs:filesystem getattr;
+ ')
+
++#######################################
++## <summary>
++## Dontaudit Get the attributes of filesystems that
++## do not have extended attribute support.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_dontaudit_getattr_noxattr_fs',`
++ gen_require(`
++ attribute noxattrfs;
++ ')
++
++ dontaudit $1 noxattrfs:filesystem getattr;
++')
++
+ ########################################
+ ## <summary>
+ ## Read all noxattrfs directories.
+@@ -1052,6 +1139,24 @@ interface(`fs_list_noxattr_fs',`
########################################
## <summary>
@@ -13786,7 +13955,7 @@ index dfe361a..6d0cc0b 100644
## Create, read, write, and delete all noxattrfs directories.
## </summary>
## <param name="domain">
-@@ -1088,6 +1152,42 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1088,6 +1193,42 @@ interface(`fs_read_noxattr_fs_files',`
########################################
## <summary>
@@ -13829,7 +13998,7 @@ index dfe361a..6d0cc0b 100644
## Dont audit attempts to write to noxattrfs files.
## </summary>
## <param name="domain">
-@@ -1227,6 +1327,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1227,6 +1368,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
## <summary>
@@ -13872,7 +14041,7 @@ index dfe361a..6d0cc0b 100644
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
## </summary>
-@@ -1241,7 +1377,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1241,7 +1418,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
@@ -13881,7 +14050,7 @@ index dfe361a..6d0cc0b 100644
')
########################################
-@@ -1504,6 +1640,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1681,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -13907,7 +14076,7 @@ index dfe361a..6d0cc0b 100644
#######################################
## <summary>
## Create, read, write, and delete dirs
-@@ -1659,6 +1814,25 @@ interface(`fs_search_dos',`
+@@ -1659,6 +1855,25 @@ interface(`fs_search_dos',`
########################################
## <summary>
@@ -13933,7 +14102,7 @@ index dfe361a..6d0cc0b 100644
## Create, read, write, and delete dirs
## on a DOS filesystem.
## </summary>
-@@ -1774,6 +1948,24 @@ interface(`fs_unmount_fusefs',`
+@@ -1774,6 +1989,24 @@ interface(`fs_unmount_fusefs',`
########################################
## <summary>
@@ -13958,7 +14127,7 @@ index dfe361a..6d0cc0b 100644
## Search directories
## on a FUSEFS filesystem.
## </summary>
-@@ -1892,6 +2084,26 @@ interface(`fs_manage_fusefs_files',`
+@@ -1892,6 +2125,26 @@ interface(`fs_manage_fusefs_files',`
########################################
## <summary>
@@ -13985,7 +14154,7 @@ index dfe361a..6d0cc0b 100644
## Do not audit attempts to create,
## read, write, and delete files
## on a FUSEFS filesystem.
-@@ -1931,7 +2143,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +2184,26 @@ interface(`fs_read_fusefs_symlinks',`
########################################
## <summary>
@@ -14013,7 +14182,7 @@ index dfe361a..6d0cc0b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1946,6 +2177,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2218,41 @@ interface(`fs_rw_hugetlbfs_files',`
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
')
@@ -14055,7 +14224,7 @@ index dfe361a..6d0cc0b 100644
########################################
## <summary>
-@@ -1999,6 +2265,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2306,7 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -14063,7 +14232,7 @@ index dfe361a..6d0cc0b 100644
')
########################################
-@@ -2331,6 +2598,7 @@ interface(`fs_read_nfs_files',`
+@@ -2331,6 +2639,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -14071,7 +14240,7 @@ index dfe361a..6d0cc0b 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2369,6 +2637,7 @@ interface(`fs_write_nfs_files',`
+@@ -2369,6 +2678,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -14079,7 +14248,7 @@ index dfe361a..6d0cc0b 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2395,6 +2664,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2705,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@@ -14105,7 +14274,7 @@ index dfe361a..6d0cc0b 100644
## Append files
## on a NFS filesystem.
## </summary>
-@@ -2435,6 +2723,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2764,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@@ -14148,7 +14317,7 @@ index dfe361a..6d0cc0b 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
-@@ -2449,7 +2773,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2814,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -14157,7 +14326,7 @@ index dfe361a..6d0cc0b 100644
')
########################################
-@@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +3002,24 @@ interface(`fs_dontaudit_read_removable_files',`
########################################
## <summary>
@@ -14182,7 +14351,7 @@ index dfe361a..6d0cc0b 100644
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2653,6 +2995,25 @@ interface(`fs_read_removable_symlinks',`
+@@ -2653,6 +3036,25 @@ interface(`fs_read_removable_symlinks',`
read_lnk_files_pattern($1, removable_t, removable_t)
')
@@ -14208,7 +14377,7 @@ index dfe361a..6d0cc0b 100644
########################################
## <summary>
## Read and write block nodes on removable filesystems.
-@@ -2779,6 +3140,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2779,6 +3181,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -14216,7 +14385,7 @@ index dfe361a..6d0cc0b 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -2819,6 +3181,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3222,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -14224,7 +14393,7 @@ index dfe361a..6d0cc0b 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2845,7 +3208,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3249,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -14233,7 +14402,7 @@ index dfe361a..6d0cc0b 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2859,6 +3222,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3263,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -14241,7 +14410,7 @@ index dfe361a..6d0cc0b 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3772,6 +4136,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3772,6 +4177,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@@ -14284,7 +14453,7 @@ index dfe361a..6d0cc0b 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
-@@ -3989,6 +4389,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4430,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -14309,7 +14478,7 @@ index dfe361a..6d0cc0b 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4271,6 +4689,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4730,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -14318,7 +14487,7 @@ index dfe361a..6d0cc0b 100644
')
########################################
-@@ -4317,7 +4737,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4317,7 +4778,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@@ -14327,7 +14496,7 @@ index dfe361a..6d0cc0b 100644
## Example attributes:
## </p>
## <ul>
-@@ -4681,3 +5101,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5142,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -23044,10 +23213,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..c151fe6
+index 0000000..67db20a
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,120 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -23121,10 +23290,13 @@ index 0000000..c151fe6
+files_read_etc_files(colord_t)
+files_read_usr_files(colord_t)
+
++fs_getattr_all_fs(colord_t)
+fs_search_all(colord_t)
++fs_list_noxattr_fs(colord_t)
+fs_read_noxattr_fs_files(colord_t)
+
+storage_getattr_fixed_disk_dev(colord_t)
++storage_getattr_removable_dev(colord_t)
+storage_read_scsi_generic(colord_t)
+storage_write_scsi_generic(colord_t)
+
@@ -23137,11 +23309,11 @@ index 0000000..c151fe6
+userdom_read_inherited_user_home_content_files(colord_t)
+
+tunable_policy(`use_nfs_home_dirs',`
-+ fs_read_nfs_files(colord_t)
++ fs_read_nfs_files(colord_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
-+ fs_read_cifs_files(colord_t)
++ fs_read_cifs_files(colord_t)
+')
+
+optional_policy(`
@@ -26639,7 +26811,7 @@ index e1d7dc5..673f185 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..778b174 100644
+index cbe14e4..ce42295 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -26759,7 +26931,7 @@ index cbe14e4..778b174 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -249,23 +273,40 @@ optional_policy(`
+@@ -249,23 +273,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -26774,8 +26946,6 @@ index cbe14e4..778b174 100644
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
- allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
-
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
@@ -26784,8 +26954,12 @@ index cbe14e4..778b174 100644
+manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+
-+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+ allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
++dovecot_stream_connect(dovecot_deliver_t)
+
++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)
@@ -26802,7 +26976,7 @@ index cbe14e4..778b174 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -301,5 +342,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +344,15 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -32306,7 +32480,7 @@ index 256166a..15daf47 100644
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..3d7edf0 100644
+index 343cee3..4238760 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -32465,7 +32639,37 @@ index 343cee3..3d7edf0 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -474,7 +511,8 @@ interface(`mta_write_config',`
+@@ -438,6 +475,29 @@ interface(`mta_sendmail_exec',`
+
+ ########################################
+ ## <summary>
++<<<<<<< HEAD
++=======
++## Check whether sendmail executable
++## files are executable.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mta_sendmail_access_check',`
++ gen_require(`
++ type sendmail_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ allow $1 sendmail_exec_t:file { getattr_file_perms audit_access };
++')
++
++########################################
++## <summary>
++>>>>>>> 884c081... Extend audit_access interfaces to allow get attributes.
+ ## Read mail server configuration.
+ ## </summary>
+ ## <param name="domain">
+@@ -474,7 +534,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -32475,7 +32679,15 @@ index 343cee3..3d7edf0 100644
')
########################################
-@@ -552,7 +590,7 @@ interface(`mta_rw_aliases',`
+@@ -494,6 +555,7 @@ interface(`mta_read_aliases',`
+
+ files_search_etc($1)
+ allow $1 etc_aliases_t:file read_file_perms;
++ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -552,7 +614,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -32484,7 +32696,7 @@ index 343cee3..3d7edf0 100644
')
#######################################
-@@ -646,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +708,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -32495,7 +32707,7 @@ index 343cee3..3d7edf0 100644
')
#######################################
-@@ -697,8 +735,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +759,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -32506,7 +32718,7 @@ index 343cee3..3d7edf0 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +900,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -32515,7 +32727,7 @@ index 343cee3..3d7edf0 100644
')
########################################
-@@ -899,3 +937,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +961,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -36477,14 +36689,14 @@ index 55e62d2..6082184 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..f064487 100644
+index 46bee12..b90c902 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
-+ allow postfix_$1_t self:capability sys_nice;
++ allow postfix_$1_t self:capability { sys_nice sys_chroot };
dontaudit postfix_$1_t self:capability sys_tty_config;
- allow postfix_$1_t self:process { signal_perms setpgid };
+ allow postfix_$1_t self:process { signal_perms setpgid setsched };
@@ -36508,6 +36720,15 @@ index 46bee12..f064487 100644
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
+@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',`
+ type postfix_$1_tmp_t;
+ files_tmp_file(postfix_$1_tmp_t)
+
+- allow postfix_$1_t self:capability { setuid setgid dac_override };
++ allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',`
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
@@ -37344,6 +37565,18 @@ index ad15fde..6f55445 100644
')
allow $1 postgrey_t:process { ptrace signal_perms };
+diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
+index 2d82c6d..a41b55f 100644
+--- a/policy/modules/services/ppp.fc
++++ b/policy/modules/services/ppp.fc
+@@ -34,5 +34,7 @@
+ # Fix pptp sockets
+ /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
+
++/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
++
+ /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+ /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index b524673..9d90fb3 100644
--- a/policy/modules/services/ppp.if
@@ -37983,7 +38216,7 @@ index 2855a44..0456b11 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..ebb9b4d 100644
+index 64c5f95..c65b6ce 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -38098,7 +38331,7 @@ index 64c5f95..ebb9b4d 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +264,8 @@ optional_policy(`
+@@ -231,3 +264,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -38106,6 +38339,7 @@ index 64c5f95..ebb9b4d 100644
+optional_policy(`
+ usermanage_domtrans_groupadd(puppetmaster_t)
+ usermanage_domtrans_useradd(puppetmaster_t)
++ usermanage_access_check_passwd(puppetmaster_t)
+')
diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
index d4a7750..705196e 100644
@@ -56157,10 +56391,10 @@ index 0000000..4dfe28c
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..2b6d19b
+index 0000000..bdca6ab
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,190 @@
+@@ -0,0 +1,194 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -56326,6 +56560,8 @@ index 0000000..2b6d19b
+ sandbox_list(systemd_tmpfiles_t)
+ sandbox_delete_dirs(systemd_tmpfiles_t)
+ sandbox_delete_files(systemd_tmpfiles_t)
++ sandbox_delete_lnk_files(systemd_tmpfiles_t)
++ sandbox_delete_pipes(systemd_tmpfiles_t)
+ sandbox_delete_sock_files(systemd_tmpfiles_t)
+ sandbox_setattr_dirs(systemd_tmpfiles_t)
+')
@@ -56344,6 +56580,8 @@ index 0000000..2b6d19b
+
+files_read_etc_files(systemd_notify_t)
+
++fs_getattr_cgroup_files(systemd_notify_t)
++
+auth_use_nsswitch(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5ea380b..5113d4a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 26%{?dist}
+Release: 27%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
%endif
%changelog
+* Thu Jun 2 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-27
+- Add label for /var/lock/ppp
+- Fixes for colord policy
+- Allow sys_chroot for postfix domains
+
* Fri May 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-26
- Add label for dev/ati/card*
- Allowe secadm to manage selinux config files
More information about the scm-commits
mailing list