[selinux-policy/f15] - Fix /var/lock labeling issue
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jun 10 07:41:51 UTC 2011
commit b345d7aad6f784a47cd0c661a2fe419ffa365714
Author: Miroslav Grepl <mgrepl at avalanche15.(none)>
Date: Fri Jun 10 09:42:31 2011 +0200
- Fix /var/lock labeling issue
policy-F15.patch | 148 +++++++++++++++++++++++++++++++--------------------
selinux-policy.spec | 15 +++--
2 files changed, 100 insertions(+), 63 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index ceac83d..784c2f5 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -218,7 +218,7 @@ index 4705ab6..262b5ba 100644
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
-index 358ce7c..e5dc022 100644
+index 358ce7c..5da1cd0 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,20 @@ gen_levels(1,mcs_num_cats)
@@ -231,7 +231,7 @@ index 358ce7c..e5dc022 100644
mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
-+ (( h1 dom h2 ) or
++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
mlsconstrain dir { search read ioctl lock }
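Review bot: Restoring `( t1 == mcswriteall )` as a standalone alternative in the `mlsconstrain file { write setattr append unlink link rename }` rule means any type carrying the mcswriteall attribute bypasses the MCS category check on writes, regardless of whether the target is a `domain` type — this is a relaxation of a mandatory-access constraint, not a labeling fix. Neither the commit message nor the new changelog entry mentions it, so the reason and the types that carry mcswriteall (not visible here) should be recorded, e.g. a changelog line `- Re-add mcswriteall exemption to the MCS file write constraint (needed by <type>)`. The `mlsconstrain dir` line at the end of the hunk is only the start of the next rule; the surrounding policy/mcs text continues outside the hunk.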
@@ -32532,7 +32532,7 @@ index 256166a..15daf47 100644
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..4238760 100644
+index 343cee3..7de6f4d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -32691,12 +32691,10 @@ index 343cee3..4238760 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -438,6 +475,29 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +475,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
-+<<<<<<< HEAD
-+=======
+## Check whether sendmail executable
+## files are executable.
+## </summary>
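Review bot: The dropped `+<<<<<<< HEAD` / `+=======` lines are git conflict markers that release 28 carried inside policy-F15.patch as added lines, so they would have been applied into mta.if as policy text and presumably broken the build of that module; the fix is right, but nothing prevents a recurrence. A cheap guard in the spec's %prep, such as `grep -nE '^\+(<<<<<<< |>>>>>>> )' policy-F15.patch && exit 1`, would fail the build the next time a merge conflict is committed. The changelog entry should also mention that this release repairs the patch, since a user of 28 hitting the build failure would otherwise not find it. The `mta_sendmail_exec` interface whose documentation this sits in begins and ends outside the hunk.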
@@ -32717,11 +32715,10 @@ index 343cee3..4238760 100644
+
+########################################
+## <summary>
-+>>>>>>> 884c081... Extend audit_access interfaces to allow get attributes.
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -474,7 +534,8 @@ interface(`mta_write_config',`
+@@ -474,7 +531,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -32731,7 +32728,7 @@ index 343cee3..4238760 100644
')
########################################
-@@ -494,6 +555,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +552,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -32739,7 +32736,7 @@ index 343cee3..4238760 100644
')
########################################
-@@ -552,7 +614,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +611,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -32748,7 +32745,7 @@ index 343cee3..4238760 100644
')
#######################################
-@@ -646,8 +708,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +705,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -32759,7 +32756,7 @@ index 343cee3..4238760 100644
')
#######################################
-@@ -697,8 +759,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +756,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -32770,7 +32767,7 @@ index 343cee3..4238760 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +900,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +897,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -32779,7 +32776,7 @@ index 343cee3..4238760 100644
')
########################################
-@@ -899,3 +961,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +958,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -34576,10 +34573,18 @@ index c61adc8..666425b 100644
')
diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
-index ff962dd..3cf3fe3 100644
+index ff962dd..c856c64 100644
--- a/policy/modules/services/nut.te
+++ b/policy/modules/services/nut.te
-@@ -47,7 +47,7 @@ kernel_read_kernel_sysctls(nut_upsd_t)
+@@ -29,6 +29,7 @@ files_pid_file(nut_var_run_t)
+ #
+
+ allow nut_upsd_t self:capability { setgid setuid dac_override };
++allow nut_upsd_t self:process signal_perms;
+
+ allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
+@@ -47,7 +48,7 @@ kernel_read_kernel_sysctls(nut_upsd_t)
corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
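Review bot: `allow nut_upsd_t self:process signal_perms;` grants the whole signal permission set (which in refpolicy includes sigkill and sigstop, not just signal and signull); if the AVC that motivated this showed only `signal` or `signull`, the narrower `allow nut_upsd_t self:process { signal signull };` is the least-privilege form. The target is self, so the exposure is small either way, but a one-line comment naming the trigger (upsd signalling its own forked workers, presumably — confirm) would keep the rule from being widened again later. The nut_upsd_t policy block continues outside the hunk.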
@@ -34588,7 +34593,7 @@ index ff962dd..3cf3fe3 100644
files_read_usr_files(nut_upsd_t)
-@@ -133,6 +133,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t)
+@@ -133,6 +134,7 @@ kernel_read_kernel_sysctls(nut_upsdrvctl_t)
# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
@@ -35197,11 +35202,11 @@ index 0000000..9ef0492
+')
diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
new file mode 100644
-index 0000000..efa9336
+index 0000000..c695d1d
--- /dev/null
+++ b/policy/modules/services/passenger.te
@@ -0,0 +1,76 @@
-+policy_module(passanger, 1.0.0)
++policy_module(passenger, 1.0.0)
+
+########################################
+#
@@ -35230,7 +35235,7 @@ index 0000000..efa9336
+
+########################################
+#
-+# passanger local policy
++# passenger local policy
+#
+
+allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
@@ -35707,10 +35712,10 @@ index 0000000..6403c17
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
-index 0000000..cdd0339
+index 0000000..10d0949
--- /dev/null
+++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,299 @@
+@@ -0,0 +1,301 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -35777,7 +35782,7 @@ index 0000000..cdd0339
+# piranha-gui local policy
+#
+
-+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
++allow piranha_web_t self:capability { dac_override setuid sys_nice kill setgid };
+allow piranha_web_t self:process { getsched setsched signal signull ptrace };
+allow piranha_web_t self:rawip_socket create_socket_perms;
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
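Review bot: Adding `dac_override` to piranha_web_t lets a network-facing web GUI process ignore owner/mode checks on every file type its rules already allow, on top of the `setuid`, `setgid` and `kill` capabilities visible in the same line. Before granting it, check the AVC: if the failing access was a read or directory search, `dac_read_search` is sufficient and the line should be `allow piranha_web_t self:capability { dac_read_search setuid sys_nice kill setgid };`; if it was a write, fixing the ownership or mode of the specific file is preferable to the capability. Either way add a comment above the rule naming the path or operation that needed it, e.g. `# dac_override: <path/operation> — TODO confirm`, so the grant can be revisited. The piranha_web_t block continues past both hunk edges.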
@@ -35820,6 +35825,8 @@ index 0000000..cdd0339
+
+files_read_usr_files(piranha_web_t)
+
++libs_exec_ldconfig(piranha_web_t)
++
+optional_policy(`
+ consoletype_exec(piranha_web_t)
+')
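Review bot: `libs_exec_ldconfig(piranha_web_t)` runs ldconfig inside the piranha_web_t domain with no transition, so the web GUI process itself gains execute access to the ldconfig binary; if the GUI's startup really needs to rebuild the linker cache, `libs_domtrans_ldconfig(piranha_web_t)` would confine that work to ldconfig_t instead, and if it only reads the cache this rule is probably not what the denial asked for (confirm against the AVC). A comment stating which script or step invokes ldconfig would help the next reviewer, e.g. `# piranha-gui init script calls ldconfig — TODO confirm`. This sits in the middle of the piranha_web_t rules, which continue outside the hunk.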
@@ -37068,7 +37075,7 @@ index 46bee12..b90c902 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..745830e 100644
+index 06e37d4..fedaa96 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -37258,7 +37265,15 @@ index 06e37d4..745830e 100644
########################################
#
# Postfix map local policy
-@@ -390,8 +429,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+@@ -372,6 +411,7 @@ optional_policy(`
+ # Postfix pickup local policy
+ #
+
++allow postfix_pickup_t self:fifo_file rw_fifo_file_perms;
+ allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
+ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
+@@ -390,8 +430,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
# Postfix pipe local policy
#
@@ -37268,7 +37283,7 @@ index 06e37d4..745830e 100644
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +440,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +441,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -37277,7 +37292,7 @@ index 06e37d4..745830e 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +461,7 @@ optional_policy(`
+@@ -420,6 +462,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -37285,7 +37300,7 @@ index 06e37d4..745830e 100644
')
optional_policy(`
-@@ -436,6 +478,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,6 +479,9 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -37295,7 +37310,7 @@ index 06e37d4..745830e 100644
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
-@@ -507,6 +552,8 @@ optional_policy(`
+@@ -507,6 +553,8 @@ optional_policy(`
# Postfix qmgr local policy
#
@@ -37304,7 +37319,7 @@ index 06e37d4..745830e 100644
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +566,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +567,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -37313,7 +37328,7 @@ index 06e37d4..745830e 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +586,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +587,7 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -37322,7 +37337,7 @@ index 06e37d4..745830e 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +635,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +636,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -37339,7 +37354,7 @@ index 06e37d4..745830e 100644
')
optional_policy(`
-@@ -611,8 +664,8 @@ optional_policy(`
+@@ -611,8 +665,8 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -37349,7 +37364,7 @@ index 06e37d4..745830e 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +683,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +684,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -48829,14 +48844,18 @@ index d77e631..4776863 100644
#
interface(`zabbix_append_log',`
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index c26ecf5..b906c48 100644
+index c26ecf5..ad41551 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
-@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
+@@ -25,12 +25,14 @@ files_pid_file(zabbix_var_run_t)
+ # zabbix local policy
#
- allow zabbix_t self:capability { setuid setgid };
+-allow zabbix_t self:capability { setuid setgid };
-allow zabbix_t self:fifo_file rw_file_perms;
++allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
++allow zabbix_t self:process setsched;
++allow zabbix_t self:sem create_sem_perms;
+allow zabbix_t self:fifo_file rw_fifo_file_perms;
allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
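Review bot: `dac_read_search` and `dac_override` are both added to zabbix_t, but dac_override already implies dac_read_search, so one of the two is redundant: if the AVC named only dac_read_search, the rule should be `allow zabbix_t self:capability { dac_read_search setuid setgid };` and dac_override dropped; if it named dac_override, listing dac_read_search adds nothing. For a monitoring agent that runs as its own user, dac_override means a compromised zabbix process bypasses DAC on every file type its rules allow, so the narrower capability (or fixing the permissions of the file it tried to reach — not visible here) is the preferable fix. The `setsched` and `sem create_sem_perms` grants are self-scoped and unremarkable. The zabbix_t block continues into the next hunk.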
@@ -48846,6 +48865,19 @@ index c26ecf5..b906c48 100644
manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
logging_log_filetrans(zabbix_t, zabbix_log_t, file)
+@@ -39,8 +41,12 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+
++kernel_read_kernel_sysctls(zabbix_t)
++
+ files_read_etc_files(zabbix_t)
+
++auth_use_nsswitch(zabbix_t)
++
+ miscfiles_read_localization(zabbix_t)
+
+ optional_policy(`
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
new file mode 100644
index 0000000..28cd477
@@ -55197,7 +55229,7 @@ index 170e2c7..e29a4eb 100644
+')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..4eb4bae 100644
+index 7ed9819..df3c078 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -55436,17 +55468,17 @@ index 7ed9819..4eb4bae 100644
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--
--allow semanage_t policy_config_t:file rw_file_perms;
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-allow semanage_t policy_config_t:file rw_file_perms;
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
@@ -55475,11 +55507,11 @@ index 7ed9819..4eb4bae 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
+-locallogin_use_fds(semanage_t)
+-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
@@ -55498,7 +55530,7 @@ index 7ed9819..4eb4bae 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -487,118 +496,69 @@ ifdef(`distro_debian',`
+@@ -487,118 +496,72 @@ ifdef(`distro_debian',`
files_read_var_lib_symlinks(semanage_t)
')
@@ -55569,45 +55601,47 @@ index 7ed9819..4eb4bae 100644
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+
-term_use_all_ttys(setfiles_t)
-term_use_all_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
+-
-init_use_fds(setfiles_t)
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
--
--miscfiles_read_localization(setfiles_t)
+########################################
+#
+# Setfiles local policy
+#
--seutil_libselinux_linked(setfiles_t)
+-miscfiles_read_localization(setfiles_t)
+seutil_setfiles(setfiles_t)
+# During boot in Rawhide
+term_use_generic_ptys(setfiles_t)
--userdom_use_all_users_fds(setfiles_t)
--# for config files in a home directory
--userdom_read_user_home_content_files(setfiles_t)
+-seutil_libselinux_linked(setfiles_t)
+seutil_setfiles(setfiles_mac_t)
+allow setfiles_mac_t self:capability2 mac_admin;
+kernel_relabelto_unlabeled(setfiles_mac_t)
+-userdom_use_all_users_fds(setfiles_t)
+-# for config files in a home directory
+-userdom_read_user_home_content_files(setfiles_t)
++# needs to be able to read symlinks to make restorecon on symlink working
++files_read_all_symlinks(setfiles_t)
+
-ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
- # and then relabeled afterwards; thus
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 126b2a0..3b81eb0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -189,7 +189,7 @@ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
selinuxenabled; \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
fixfiles -C ${FILE_CONTEXT}.pre restore; \
- restorecon -R /root /var/log /var/run 2> /dev/null; \
+ restorecon -R /root /var/log /var/lock /var/run 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi;
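Review bot: If `/var/lock` is a symlink into `/run/lock` on this release (which I believe F15 introduced — confirm), `restorecon -R /var/lock` given the symlink path relabels the link itself rather than descending into the target directory, so the new entry may not reach the lock files this commit is meant to fix; in that case list the real directory as well, `restorecon -R /root /var/log /var/lock /run/lock /var/run 2> /dev/null;`, or verify with `ls -Z /var/lock/` after an upgrade. The `2> /dev/null` also hides any failure on the newly added path, so the first sign of a problem would be AVC denials rather than a scriptlet message. The `%relabel` macro this line belongs to begins before the hunk.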
@@ -330,9 +330,9 @@ SELinux Reference policy targeted base module.
packages=`cat /usr/share/selinux/targeted/modules.lst`
if [ $1 -eq 1 ]; then
%loadpolicy targeted $packages
- restorecon -R /root /var/log /var/run 2> /dev/null
+ restorecon -R /root /var/log /var/lock /var/run 2> /dev/null
else
- semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null
+ semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger 2>/dev/null
%loadpolicy targeted $packages
%relabel targeted
fi
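Review bot: The path list `/root /var/log /var/lock /var/run` is now spelled out identically in this scriptlet, in `%relabel`, and in the minimum and mls scriptlets, which is why a one-path fix touched five places; defining it once, e.g. `%define restorepaths /root /var/log /var/lock /var/run` and using `restorecon -R %{restorepaths} 2> /dev/null`, keeps the lists from drifting the next time a directory is added. Removing the misspelled `passanger` module on upgrade is consistent with the policy_module rename in the patch, though `2>/dev/null` on that `semodule -r` also swallows failures for every other module in the list. The `%post` scriptlet this belongs to begins before the hunk.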
@@ -388,7 +388,7 @@ semanage -S minimum -i - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
-restorecon -R /root /var/log /var/run 2> /dev/null
+restorecon -R /root /var/log /var/lock /var/run 2> /dev/null
else
%relabel minimum
fi
@@ -457,7 +457,7 @@ packages=`cat /usr/share/selinux/mls/modules.lst`
%loadpolicy mls $packages
if [ $1 -eq 1 ]; then
- restorecon -R /root /var/log /var/run 2> /dev/null
+ restorecon -R /root /var/log /var/lock /var/run 2> /dev/null
else
%relabel mls
fi
@@ -471,6 +471,9 @@ exit 0
%endif
%changelog
+* Fri Jun 10 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-29
+- Fix /var/lock labeling issue
+
* Mon Jun 6 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-28
- Allow ssh to execute systemctl
- fail2ban fixes related to /tmp directory