[selinux-policy/f15] - Fixes for zarafa policy - Other fixes for fail2ban - Allow keyring to drop capabilities - Allow co

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jun 14 08:56:39 UTC 2011


commit ce063e2ba5069286f42e56ca39dc7502ab6055f1
Author: Miroslav Grepl <mgrepl at avalanche15.(none)>
Date:   Tue Jun 14 10:57:18 2011 +0200

    - Fixes for zarafa policy
    - Other fixes for fail2ban
    - Allow keyring to drop capabilities
    - Allow cobblerd to send syslog messages
    - Allow xserver to read/write the xserver_misc device
    - ppp also installs /var/log/ppp and /var/run/ppp directories
       * remove filetrans rules
    - fix for pppd_lock
    - Allow fail2ban to run ldconfig
    - Allow lvm to read/write pipes inherited from login programs

 policy-F15.patch    |  281 +++++++++++++++++++++++++++++++++------------------
 selinux-policy.spec |   14 +++-
 2 files changed, 194 insertions(+), 101 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 784c2f5..7f7af25 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -4629,7 +4629,7 @@ index f5afe78..4c9bd12 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..43eb452 100644
+index 2505654..f90ecb3 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -4807,7 +4807,7 @@ index 2505654..43eb452 100644
 +#
 +
 +allow gkeyringd_domain self:capability ipc_lock;
-+allow gkeyringd_domain self:process { getcap getsched signal };
++allow gkeyringd_domain self:process { getcap getsched setcap signal };
 +allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
 +allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
 +
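Review bot: The `setcap` permission added to the `self:process` rule is granted through the `gkeyringd_domain` attribute, so every domain carrying that attribute receives it, and nothing in the policy text records why. A one-line comment above the rule, for example `# keyring daemon drops capabilities`, would tie it to the changelog entry and make later audits of capability-related permissions easier. The local policy section this rule belongs to starts and ends outside the hunk.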
@@ -19198,7 +19198,7 @@ index 6480167..2d45594 100644
 +	dontaudit $1 httpd_tmp_t:file { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..eb95112 100644
+index 3136c6a..99516fc 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -19836,11 +19836,12 @@ index 3136c6a..eb95112 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +808,11 @@ optional_policy(`
+@@ -603,6 +808,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
 +optional_policy(`
++	zarafa_manage_lib_files(httpd_t)
 +	zarafa_stream_connect_server(httpd_t)
 +	zarafa_search_config(httpd_t)
 +')
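Review bot: `zarafa_manage_lib_files(httpd_t)` gives Apache create, write and delete access to every file and directory labelled `zarafa_var_lib_t`, and the zarafa.fc hunk in this same commit places both `/var/lib/zarafa(/.*)?` and `/var/lib/zarafa-webaccess(/.*)?` under that one type. If httpd only needs the webaccess directory (an assumption, the page does not say), a compromised web application could still modify the server's own data under `/var/lib/zarafa`. Consider labelling the webaccess path with its own type, e.g. `/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:<WEBACCESS_LIB_TYPE>,s0)` (placeholder type name), and granting `httpd_t` manage access on that type only.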
@@ -19848,7 +19849,7 @@ index 3136c6a..eb95112 100644
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +828,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +829,10 @@ logging_send_syslog_msg(httpd_helper_t)
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -19859,7 +19860,7 @@ index 3136c6a..eb95112 100644
  ########################################
  #
  # Apache PHP script local policy
-@@ -654,28 +868,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +869,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -19903,7 +19904,7 @@ index 3136c6a..eb95112 100644
  ')
  
  ########################################
-@@ -685,6 +901,8 @@ optional_policy(`
+@@ -685,6 +902,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -19912,7 +19913,7 @@ index 3136c6a..eb95112 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +917,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +918,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -19938,7 +19939,7 @@ index 3136c6a..eb95112 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +963,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +964,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -19971,7 +19972,7 @@ index 3136c6a..eb95112 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1010,25 @@ optional_policy(`
+@@ -769,6 +1011,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -19997,7 +19998,7 @@ index 3136c6a..eb95112 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1049,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1050,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -20015,7 +20016,7 @@ index 3136c6a..eb95112 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1068,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1069,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -20072,7 +20073,7 @@ index 3136c6a..eb95112 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1119,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1120,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -20103,7 +20104,7 @@ index 3136c6a..eb95112 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1154,20 @@ optional_policy(`
+@@ -842,10 +1155,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -20124,7 +20125,7 @@ index 3136c6a..eb95112 100644
  ')
  
  ########################################
-@@ -891,11 +1213,21 @@ optional_policy(`
+@@ -891,11 +1214,21 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -22906,7 +22907,7 @@ index 293e08d..24f7736 100644
 +	')
  ')
 diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..8fde016 100644
+index 0258b48..3bd47ee 100644
 --- a/policy/modules/services/cobbler.te
 +++ b/policy/modules/services/cobbler.te
 @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -23006,7 +23007,7 @@ index 0258b48..8fde016 100644
  
  corecmd_exec_bin(cobblerd_t)
  corecmd_exec_shell(cobblerd_t)
-@@ -65,26 +107,75 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+@@ -65,26 +107,77 @@ corenet_tcp_bind_generic_node(cobblerd_t)
  corenet_tcp_sendrecv_generic_if(cobblerd_t)
  corenet_tcp_sendrecv_generic_node(cobblerd_t)
  corenet_tcp_sendrecv_generic_port(cobblerd_t)
@@ -23040,6 +23041,8 @@ index 0258b48..8fde016 100644
 +init_dontaudit_read_all_script_files(cobblerd_t)
 +
 +term_use_console(cobblerd_t)
++
++logging_send_syslog_msg(cobblerd_t)
  
  miscfiles_read_localization(cobblerd_t)
  miscfiles_read_public_files(cobblerd_t)
@@ -23084,7 +23087,7 @@ index 0258b48..8fde016 100644
  optional_policy(`
  	bind_read_config(cobblerd_t)
  	bind_write_config(cobblerd_t)
-@@ -95,6 +186,10 @@ optional_policy(`
+@@ -95,6 +188,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23095,7 +23098,7 @@ index 0258b48..8fde016 100644
  	dhcpd_domtrans(cobblerd_t)
  	dhcpd_initrc_domtrans(cobblerd_t)
  ')
-@@ -106,16 +201,28 @@ optional_policy(`
+@@ -106,16 +203,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23127,7 +23130,7 @@ index 0258b48..8fde016 100644
  ')
  
  ########################################
-@@ -124,5 +231,6 @@ optional_policy(`
+@@ -124,5 +233,6 @@ optional_policy(`
  #
  
  apache_content_template(cobbler)
@@ -27469,7 +27472,7 @@ index f590a1f..b895afb 100644
  
  	allow $1 fail2ban_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..d4884eb 100644
+index 2a69e5e..c756d2a 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,15 @@ files_type(fail2ban_var_lib_t)
@@ -27518,7 +27521,7 @@ index 2a69e5e..d4884eb 100644
  
  files_read_etc_files(fail2ban_t)
  files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +103,9 @@ optional_policy(`
+@@ -94,5 +103,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27528,6 +27531,10 @@ index 2a69e5e..d4884eb 100644
 +optional_policy(`
  	iptables_domtrans(fail2ban_t)
  ')
++
++optional_policy(`
++    libs_exec_ldconfig(fail2ban_t)
++')
 diff --git a/policy/modules/services/fetchmail.if b/policy/modules/services/fetchmail.if
 index 6537214..7d64c0a 100644
 --- a/policy/modules/services/fetchmail.if
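Review bot: The new `optional_policy` block indents `libs_exec_ldconfig(fail2ban_t)` with four spaces, while the neighbouring block (`iptables_domtrans(fail2ban_t)`) uses a tab; use a tab to match the file. Going by the interface name, ldconfig is executed inside `fail2ban_t` rather than through a domain transition, and nothing records which fail2ban code path needs it. A short comment such as `# fail2ban executes ldconfig (reason: TODO confirm)` would let a later reviewer judge whether the rule can be narrowed or dropped.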
@@ -37638,7 +37645,7 @@ index ad15fde..6f55445 100644
  
  	allow $1 postgrey_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
-index 2d82c6d..a41b55f 100644
+index 2d82c6d..352032a 100644
 --- a/policy/modules/services/ppp.fc
 +++ b/policy/modules/services/ppp.fc
 @@ -34,5 +34,7 @@
@@ -37648,7 +37655,8 @@ index 2d82c6d..a41b55f 100644
 +/var/lock/ppp(/.*)?		gen_context(system_u:object_r:pppd_lock_t,s0)
 +
  /var/log/ppp-connect-errors.*	--	gen_context(system_u:object_r:pppd_log_t,s0)
- /var/log/ppp/.*			--	gen_context(system_u:object_r:pppd_log_t,s0)
+-/var/log/ppp/.*			--	gen_context(system_u:object_r:pppd_log_t,s0)
++/var/log/ppp(/.*)?	gen_context(system_u:object_r:pppd_log_t,s0)
 diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
 index b524673..9d90fb3 100644
 --- a/policy/modules/services/ppp.if
@@ -37741,7 +37749,7 @@ index b524673..9d90fb3 100644
  
  	admin_pattern($1, pptp_var_run_t)
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..74e0984 100644
+index 2af42e7..802ec48 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -37779,7 +37787,7 @@ index 2af42e7..74e0984 100644
  allow pppd_t self:fifo_file rw_fifo_file_perms;
  allow pppd_t self:socket create_socket_perms;
  allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms;
+@@ -84,28 +84,28 @@ allow pppd_t self:packet_socket create_socket_perms;
  
  domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
  
@@ -37793,7 +37801,17 @@ index 2af42e7..74e0984 100644
  
  manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
  # Automatically label newly created files under /etc/ppp with this type
-@@ -104,8 +104,9 @@ manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
+ filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+ 
+-allow pppd_t pppd_lock_t:file manage_file_perms;
+-files_lock_filetrans(pppd_t, pppd_lock_t, file)
++manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+ 
+-allow pppd_t pppd_log_t:file manage_file_perms;
++manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
+ logging_log_filetrans(pppd_t, pppd_log_t, file)
+ 
+ manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
  manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
  files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
  
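Review bot: Replacing `files_lock_filetrans(pppd_t, pppd_lock_t, file)` with only `manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)` covers objects inside a directory already labelled `pppd_lock_t`, but the removed interface presumably also carried the access to the parent lock directory. Unless a rule outside this hunk provides it, `pppd_t` may no longer be able to traverse to `/var/lock/ppp`; adding `files_search_locks(pppd_t)` next to the new line would make that explicit. Any lock file pppd still creates directly in the parent lock directory would also lose the `pppd_lock_t` label, which is worth confirming against AVC denials. The log side keeps `logging_log_filetrans(pppd_t, pppd_log_t, file)`, so the two halves are now handled differently and a comment explaining why would help.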
@@ -37804,7 +37822,7 @@ index 2af42e7..74e0984 100644
  
  allow pppd_t pptp_t:process signal;
  
-@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -166,6 +166,8 @@ init_dontaudit_write_utmp(pppd_t)
  init_signal_script(pppd_t)
  
  auth_use_nsswitch(pppd_t)
@@ -37813,7 +37831,7 @@ index 2af42e7..74e0984 100644
  
  logging_send_syslog_msg(pppd_t)
  logging_send_audit_msgs(pppd_t)
-@@ -194,6 +197,8 @@ optional_policy(`
+@@ -194,6 +196,8 @@ optional_policy(`
  
  optional_policy(`
  	mta_send_mail(pppd_t)
@@ -37822,7 +37840,7 @@ index 2af42e7..74e0984 100644
  ')
  
  optional_policy(`
-@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,9 +247,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -47678,7 +47696,7 @@ index 130ced9..33c8170 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 6c01261..125a426 100644
+index 6c01261..8bc77cc 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -48133,7 +48151,7 @@ index 6c01261..125a426 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -391,18 +543,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -391,38 +543,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -48157,7 +48175,9 @@ index 6c01261..125a426 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -411,18 +567,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
+ dev_getattr_xserver_misc_dev(xdm_t)
+ dev_setattr_xserver_misc_dev(xdm_t)
++dev_rw_xserver_misc(xdm_t)
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
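Review bot: `dev_rw_xserver_misc(xdm_t)` grants read/write on the X server misc device type to the display manager domain, whereas the changelog entry speaks of the xserver, and `xserver_t` already has the same interface further down the file. If the access is really needed by `xdm_t`, a comment such as `# xdm opens the xserver misc device directly (TODO: reference the AVC/bug)` would document why the existing `dev_getattr_xserver_misc_dev`/`dev_setattr_xserver_misc_dev` pair was not enough. The `xdm_t` rule list continues outside the hunk on both sides.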
@@ -48185,7 +48205,7 @@ index 6c01261..125a426 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -433,9 +595,23 @@ files_list_mnt(xdm_t)
+@@ -433,9 +596,23 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -48209,7 +48229,7 @@ index 6c01261..125a426 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -444,28 +620,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -444,28 +621,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -48248,7 +48268,7 @@ index 6c01261..125a426 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -474,9 +658,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -474,9 +659,30 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -48279,7 +48299,7 @@ index 6c01261..125a426 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -492,6 +697,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -492,6 +698,14 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_exec_cifs_files(xdm_t)
  ')
  
@@ -48294,7 +48314,7 @@ index 6c01261..125a426 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -505,11 +718,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -505,11 +719,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -48316,7 +48336,7 @@ index 6c01261..125a426 100644
  ')
  
  optional_policy(`
-@@ -517,7 +740,43 @@ optional_policy(`
+@@ -517,7 +741,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48361,7 +48381,7 @@ index 6c01261..125a426 100644
  ')
  
  optional_policy(`
-@@ -527,6 +786,16 @@ optional_policy(`
+@@ -527,6 +787,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48378,7 +48398,7 @@ index 6c01261..125a426 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -544,28 +813,65 @@ optional_policy(`
+@@ -544,28 +814,65 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48453,7 +48473,7 @@ index 6c01261..125a426 100644
  ')
  
  optional_policy(`
-@@ -577,6 +883,14 @@ optional_policy(`
+@@ -577,6 +884,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48468,7 +48488,7 @@ index 6c01261..125a426 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -601,7 +915,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +916,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -48477,7 +48497,7 @@ index 6c01261..125a426 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -615,8 +929,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +930,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -48493,7 +48513,7 @@ index 6c01261..125a426 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -635,12 +956,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +957,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -48515,7 +48535,7 @@ index 6c01261..125a426 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -648,6 +976,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +977,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -48523,7 +48543,7 @@ index 6c01261..125a426 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -674,7 +1003,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +1004,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -48531,7 +48551,7 @@ index 6c01261..125a426 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -684,11 +1012,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1013,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -48549,7 +48569,7 @@ index 6c01261..125a426 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -699,8 +1033,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -48563,7 +48583,7 @@ index 6c01261..125a426 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -713,8 +1052,6 @@ init_getpgid(xserver_t)
+@@ -713,8 +1053,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -48572,7 +48592,7 @@ index 6c01261..125a426 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -722,11 +1059,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -722,11 +1060,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -48587,7 +48607,7 @@ index 6c01261..125a426 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -780,16 +1118,36 @@ optional_policy(`
+@@ -780,16 +1119,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48625,7 +48645,7 @@ index 6c01261..125a426 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -798,6 +1156,10 @@ optional_policy(`
+@@ -798,6 +1157,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48636,7 +48656,7 @@ index 6c01261..125a426 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -813,10 +1175,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1176,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -48650,7 +48670,7 @@ index 6c01261..125a426 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -824,7 +1186,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1187,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -48659,7 +48679,7 @@ index 6c01261..125a426 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -837,6 +1199,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1200,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -48669,7 +48689,7 @@ index 6c01261..125a426 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -844,6 +1209,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1210,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -48681,7 +48701,7 @@ index 6c01261..125a426 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -852,11 +1222,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1223,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -48698,7 +48718,7 @@ index 6c01261..125a426 100644
  ')
  
  optional_policy(`
-@@ -864,6 +1237,10 @@ optional_policy(`
+@@ -864,6 +1238,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -48709,7 +48729,7 @@ index 6c01261..125a426 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -907,7 +1284,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1285,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -48718,7 +48738,7 @@ index 6c01261..125a426 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -961,11 +1338,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1339,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -48750,7 +48770,7 @@ index 6c01261..125a426 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -987,18 +1384,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1385,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -48880,10 +48900,10 @@ index c26ecf5..ad41551 100644
  optional_policy(`
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
 new file mode 100644
-index 0000000..28cd477
+index 0000000..8d9a111
 --- /dev/null
 +++ b/policy/modules/services/zarafa.fc
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,34 @@
 +
 +/etc/zarafa(/.*)?			gen_context(system_u:object_r:zarafa_etc_t,s0)
 +
@@ -48901,13 +48921,14 @@ index 0000000..28cd477
 +
 +/usr/bin/zarafa-monitor	--	gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
 +
-+/var/lib/zarafa-.*   			gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa(/.*)?		gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++/var/lib/zarafa-webaccess(/.*)?   		gen_context(system_u:object_r:zarafa_var_lib_t,s0)
 +
 +/var/log/zarafa/server\.log		--	gen_context(system_u:object_r:zarafa_server_log_t,s0)
 +/var/log/zarafa/spooler\.log	--	gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
 +/var/log/zarafa/gateway\.log	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
 +/var/log/zarafa/ical\.log		--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
-+/var/log/zarafa/indexer\.log       --  gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
++/var/log/zarafa/indexer\.log	--  gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
 +/var/log/zarafa/monitor\.log	--	gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
 +
 +/var/run/zarafa		     		-s      gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
@@ -48919,10 +48940,10 @@ index 0000000..28cd477
 +/var/run/zarafa-monitor\.pid    --      gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
 diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
 new file mode 100644
-index 0000000..8a909f5
+index 0000000..7ee5092
 --- /dev/null
 +++ b/policy/modules/services/zarafa.if
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,141 @@
 +## <summary>policy for zarafa services</summary>
 +
 +######################################
@@ -48964,10 +48985,8 @@ index 0000000..8a909f5
 +	manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
 +	manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
 +	files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
-+	#stream_connect_pattern(zarafa_$1_t, $1_var_run_t, $1_var_run_t, virtd_t)
 +
 +	manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
-+	#manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_log_t,zarafa_$1_log_t)
 +	logging_log_filetrans(zarafa_$1_t,zarafa_$1_log_t,{ file })
 +')
 +
@@ -49045,12 +49064,33 @@ index 0000000..8a909f5
 +    files_search_etc($1)
 +    allow $1 zarafa_etc_t:dir search_dir_perms;
 +')
++
++#####################################
++## <summary>
++##  Allow the specified domain to manage
++##  zarafa /var/lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`zarafa_manage_lib_files',`
++    gen_require(`
++        type zarafa_var_lib_t;
++    ')
++	
++	files_search_var_lib($1)
++	manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++	manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
 new file mode 100644
-index 0000000..850b8b5
+index 0000000..0b1d997
 --- /dev/null
 +++ b/policy/modules/services/zarafa.te
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,153 @@
 +policy_module(zarafa, 1.0.0)
 +
 +########################################
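Review bot: The summary of the new `zarafa_manage_lib_files` interface says it manages "zarafa /var/lib files", but the body also calls `manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)`, so callers get directory create/remove rights that the name and documentation do not announce. Either drop the directory rule or change the summary to `Allow the specified domain to manage zarafa /var/lib files and directories.` so that a caller reading only the header knows what is being granted. The `gen_require` block is indented with spaces and the blank line after it carries a stray tab, while the rest of the body uses tabs; use tabs throughout.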
@@ -49071,6 +49111,9 @@ index 0000000..850b8b5
 +type zarafa_deliver_tmp_t;
 +files_tmp_file(zarafa_deliver_tmp_t)
 +
++type zarafa_indexer_tmp_t;
++files_tmp_file(zarafa_indexer_tmp_t)
++
 +type zarafa_server_tmp_t;
 +files_tmp_file(zarafa_server_tmp_t)
 +
@@ -49085,6 +49128,18 @@ index 0000000..850b8b5
 +
 +permissive zarafa_indexer_t;
 +
++#######################################
++#
++# zarafa-indexer local policy
++#
++
++manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
++manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
++files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
++
++manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
++manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
++
 +########################################
 +#
 +# zarafa-deliver local policy
@@ -49094,8 +49149,6 @@ index 0000000..850b8b5
 +manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
 +files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
 +
-+#temporary
-+#allow zarafa_deliver_t port_t:tcp_socket name_bind;
 +
 +########################################
 +#
@@ -49111,7 +49164,6 @@ index 0000000..850b8b5
 +
 +manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
-+files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
 +
 +stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
 +
@@ -49192,11 +49244,6 @@ index 0000000..850b8b5
 +auth_use_nsswitch(zarafa_domain)
 +
 +miscfiles_read_localization(zarafa_domain)
-+
-+# temporary rules
-+optional_policy(`
-+	apache_content_template(zarafa)
-+')
 diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
 index 6b87605..347f754 100644
 --- a/policy/modules/services/zebra.if
@@ -49449,7 +49496,7 @@ index 2952cef..d845132 100644
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..3e15a8c 100644
+index 42b4f0f..7910be0 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -49526,7 +49573,7 @@ index 42b4f0f..3e15a8c 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -151,8 +170,45 @@ interface(`auth_login_pgm_domain',`
+@@ -151,13 +170,68 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -49574,7 +49621,30 @@ index 42b4f0f..3e15a8c 100644
  	')
  ')
  
-@@ -361,17 +417,18 @@ interface(`auth_domtrans_chk_passwd',`
+ ########################################
+ ## <summary>
++##	Read and write a authlogin unnamed pipe.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`authlogin_rw_pipes',`
++	gen_require(`
++		attribute polydomain;
++	')
++
++	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Use the login program as an entry point program.
+ ## </summary>
+ ## <param name="domain">
+@@ -361,17 +435,18 @@ interface(`auth_domtrans_chk_passwd',`
  
  	optional_policy(`
  		kerberos_read_keytab($1)
@@ -49595,7 +49665,7 @@ index 42b4f0f..3e15a8c 100644
  ')
  
  ########################################
-@@ -418,6 +475,25 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +493,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -49621,7 +49691,7 @@ index 42b4f0f..3e15a8c 100644
  ')
  
  ########################################
-@@ -694,7 +770,7 @@ interface(`auth_relabel_shadow',`
+@@ -694,7 +788,7 @@ interface(`auth_relabel_shadow',`
  	')
  
  	files_search_etc($1)
@@ -49630,7 +49700,7 @@ index 42b4f0f..3e15a8c 100644
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
  
-@@ -733,7 +809,47 @@ interface(`auth_rw_faillog',`
+@@ -733,7 +827,47 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -49679,7 +49749,7 @@ index 42b4f0f..3e15a8c 100644
  ')
  
  #######################################
-@@ -874,6 +990,46 @@ interface(`auth_exec_pam',`
+@@ -874,6 +1008,46 @@ interface(`auth_exec_pam',`
  
  ########################################
  ## <summary>
@@ -49726,7 +49796,7 @@ index 42b4f0f..3e15a8c 100644
  ##	Manage var auth files. Used by various other applications
  ##	and pam applets etc.
  ## </summary>
-@@ -896,6 +1052,26 @@ interface(`auth_manage_var_auth',`
+@@ -896,6 +1070,26 @@ interface(`auth_manage_var_auth',`
  
  ########################################
  ## <summary>
@@ -49753,7 +49823,7 @@ index 42b4f0f..3e15a8c 100644
  ##	Read PAM PID files.
  ## </summary>
  ## <param name="domain">
-@@ -1093,6 +1269,24 @@ interface(`auth_delete_pam_console_data',`
+@@ -1093,6 +1287,24 @@ interface(`auth_delete_pam_console_data',`
  
  ########################################
  ## <summary>
@@ -49778,7 +49848,7 @@ index 42b4f0f..3e15a8c 100644
  ##	Read all directories on the filesystem, except
  ##	the shadow passwords and listed exceptions.
  ## </summary>
-@@ -1326,6 +1520,25 @@ interface(`auth_setattr_login_records',`
+@@ -1326,6 +1538,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -49804,7 +49874,7 @@ index 42b4f0f..3e15a8c 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1500,28 +1713,36 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1731,36 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
@@ -49848,7 +49918,7 @@ index 42b4f0f..3e15a8c 100644
  	optional_policy(`
  		kerberos_use($1)
  	')
-@@ -1531,7 +1752,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1770,15 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
@@ -52348,7 +52418,7 @@ index 5c94dfe..59bfb17 100644
  
  ########################################
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index a3fdcb3..3240adf 100644
+index a3fdcb3..9322675 100644
 --- a/policy/modules/system/iptables.te
 +++ b/policy/modules/system/iptables.te
 @@ -13,9 +13,6 @@ role system_r types iptables_t;
@@ -52417,15 +52487,16 @@ index a3fdcb3..3240adf 100644
  
  logging_send_syslog_msg(iptables_t)
  
-@@ -90,6 +99,7 @@ userdom_use_all_users_fds(iptables_t)
+@@ -90,6 +99,8 @@ userdom_use_all_users_fds(iptables_t)
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
 +	fail2ban_dontaudit_leaks(iptables_t)
++	fail2ban_rw_inherited_tmp_files(iptables_t)
  ')
  
  optional_policy(`
-@@ -112,6 +122,7 @@ optional_policy(`
+@@ -112,6 +123,7 @@ optional_policy(`
  
  optional_policy(`
  	psad_rw_tmp_files(iptables_t)
@@ -52433,7 +52504,7 @@ index a3fdcb3..3240adf 100644
  ')
  
  optional_policy(`
-@@ -124,6 +135,8 @@ optional_policy(`
+@@ -124,6 +136,8 @@ optional_policy(`
  
  optional_policy(`
  	shorewall_rw_lib_files(iptables_t)
@@ -53550,7 +53621,7 @@ index 58bc27f..c3fe956 100644
 +	allow $1 lvm_t:process signull;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..612ad99 100644
+index a0a0ebf..2b53ee6 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -53680,15 +53751,25 @@ index a0a0ebf..612ad99 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -300,6 +322,7 @@ seutil_search_default_contexts(lvm_t)
+@@ -292,6 +314,8 @@ init_read_script_state(lvm_t)
+ 
+ logging_send_syslog_msg(lvm_t)
+ 
++authlogin_rw_pipes(lvm_t)
++
+ miscfiles_read_localization(lvm_t)
+ 
+ seutil_read_config(lvm_t)
+@@ -300,6 +324,8 @@ seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
  userdom_use_user_terminals(lvm_t)
 +userdom_rw_semaphores(lvm_t)
++userdom_search_user_home_dirs(lvm_t)
  
  ifdef(`distro_redhat',`
  	# this is from the initrd:
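Review bot: `userdom_search_user_home_dirs(lvm_t)` is added after `userdom_rw_semaphores(lvm_t)`, but neither the commit message nor the new changelog entry mentions it. The only lvm item listed is "Allow lvm to read/write pipes inherited from login programs", which corresponds to `authlogin_rw_pipes(lvm_t)`. Letting a storage-management domain search user home directories deserves a stated reason, so a later audit can tell whether the access is still needed. I would add a why-comment above the call, e.g. `# lvm may be started with its cwd inside a user home directory (ref: <BUG-ID>)` if that is indeed the trigger, plus a matching changelog line. If the denial was only noise, `userdom_dontaudit_search_user_home_dirs(lvm_t)` would be the narrower choice.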
-@@ -311,6 +334,11 @@ ifdef(`distro_redhat',`
+@@ -311,6 +337,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -53700,7 +53781,7 @@ index a0a0ebf..612ad99 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -331,14 +359,26 @@ optional_policy(`
+@@ -331,14 +362,26 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3b81eb0..0eb5397 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 29%{?dist}
+Release: 30%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,18 @@ exit 0
 %endif
 
 %changelog
+* Tue Jun 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-30
+- Fixes for zarafa policy
+- Other fixes for fail2ban
+- Allow keyring to drop capabilities
+- Allow cobblerd to send syslog messages
+- Allow xserver to read/write the xserver_misk device
+- ppp also installs /var/log/ppp and /var/run/ppp directories
+   * remove filetrans rules
+- fix for pppd_lock
+- Allow fail2ban run ldconfig
+- Allow lvm to read/write pipes inherited from login programs
+
 * Fri Jun 10 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-29
 - Fix /var/lock labeling issue
 

