[selinux-policy] - Add policykit fixes from Tim Waugh - dontaudit sandbox domains sandbox_file_t:dir mounton - Add ne
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Mar 10 11:46:26 UTC 2011
commit 8d54634624e6425164fb1941b0d0d5d4eac0bfee
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Mar 10 12:46:20 2011 +0000
- Add policykit fixes from Tim Waugh
- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
policy-F15.patch | 167 +++++++++++++++++++++++++++++++++------------------
selinux-policy.spec | 9 +++-
2 files changed, 116 insertions(+), 60 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index d97462d..faca7cc 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -2354,7 +2354,7 @@ index d5aaf0e..689b2fd 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..9b0f49e 100644
+index 6a5004b..b6ede9a 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -2365,7 +2365,7 @@ index 6a5004b..9b0f49e 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
-@@ -25,8 +26,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
+@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
@@ -2377,7 +2377,12 @@ index 6a5004b..9b0f49e 100644
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
-@@ -38,7 +42,9 @@ logging_send_syslog_msg(tmpreaper_t)
++mcs_file_read_all(tmpreaper_t)
++mcs_file_write_all(tmpreaper_t)
+ mls_file_read_all_levels(tmpreaper_t)
+ mls_file_write_all_levels(tmpreaper_t)
+
+@@ -38,7 +44,9 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
@@ -2388,7 +2393,7 @@ index 6a5004b..9b0f49e 100644
ifdef(`distro_redhat',`
userdom_list_user_home_content(tmpreaper_t)
-@@ -52,7 +58,9 @@ optional_policy(`
+@@ -52,7 +60,9 @@ optional_policy(`
')
optional_policy(`
@@ -2398,7 +2403,7 @@ index 6a5004b..9b0f49e 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,6 +74,14 @@ optional_policy(`
+@@ -66,6 +76,14 @@ optional_policy(`
')
optional_policy(`
@@ -7628,10 +7633,10 @@ index 0000000..0fedd57
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..2280381
+index 0000000..f2201d7
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,474 @@
+@@ -0,0 +1,476 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -7768,6 +7773,7 @@ index 0000000..2280381
+manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++dontaudit sandbox_domain sandbox_file_t:dir mounton;
+
+gen_require(`
+ type usr_t, lib_t, locale_t;
@@ -7849,6 +7855,7 @@ index 0000000..2280381
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
++fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
@@ -12702,7 +12709,7 @@ index a9b8982..57c4a6a 100644
+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 3723150..bde6daa 100644
+index 3723150..d6d1dbe 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -12714,20 +12721,30 @@ index 3723150..bde6daa 100644
typeattribute $1 fixed_disk_raw_read;
')
-@@ -203,6 +205,8 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',`
type fixed_disk_device_t;
')
+ allow $1 self:capability mknod;
+
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
++ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
dev_add_entry_generic_dirs($1)
')
+
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 3994e57..43aa641 100644
+index 3994e57..a1923fe 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -18,6 +18,7 @@
+@@ -6,6 +6,7 @@
+ /dev/console -c gen_context(system_u:object_r:console_device_t,s0)
+ /dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/hpilo/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
+ /dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
+@@ -18,6 +19,7 @@
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -12735,7 +12752,7 @@ index 3994e57..43aa641 100644
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -40,3 +41,5 @@ ifdef(`distro_gentoo',`
+@@ -40,3 +42,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
@@ -20408,13 +20425,14 @@ index 0258b48..8fde016 100644
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
new file mode 100644
-index 0000000..7a01ff6
+index 0000000..0a83e88
--- /dev/null
+++ b/policy/modules/services/colord.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,5 @@
+
+/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+
++/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
new file mode 100644
@@ -20466,10 +20484,10 @@ index 0000000..38cb883
+
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..0ecb72e
+index 0000000..173e56f
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,78 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -20509,6 +20527,7 @@ index 0000000..0ecb72e
+
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
++corenet_tcp_connect_ipp_port(colord_t)
+
+dev_read_raw_memory(colord_t)
+dev_write_raw_memory(colord_t)
@@ -20519,6 +20538,8 @@ index 0000000..0ecb72e
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
+dev_read_generic_usb_dev(colord_t)
++storage_read_scsi_generic(colord_t)
++storage_write_scsi_generic(colord_t)
+
+domain_use_interactive_fds(colord_t)
+
@@ -20536,6 +20557,13 @@ index 0000000..0ecb72e
+')
+
+optional_policy(`
++ policykit_dbus_chat(colord_t)
++ policykit_domtrans_auth(colord_t)
++ policykit_read_lib(colord_t)
++ policykit_read_reload(colord_t)
++')
++
++optional_policy(`
+ udev_read_db(colord_t)
+')
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
@@ -22048,7 +22076,7 @@ index a8b93c0..831ce70 100644
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..2f38c31 100644
+index 0d5711c..cee56c8 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -22073,7 +22101,18 @@ index 0d5711c..2f38c31 100644
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
-@@ -76,7 +75,7 @@ template(`dbus_role_template',`
+@@ -62,8 +61,9 @@ template(`dbus_role_template',`
+ # Local policy
+ #
+
++ dontaudit $1_dbusd_t self:capability sys_resource;
+ allow $1_dbusd_t self:process { getattr sigkill signal };
+- dontaudit $1_dbusd_t self:process ptrace;
++ dontaudit $1_dbusd_t self:process { ptrace setrlimit };
+ allow $1_dbusd_t self:file { getattr read write };
+ allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+ allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+@@ -76,7 +76,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
@@ -22082,7 +22121,7 @@ index 0d5711c..2f38c31 100644
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-@@ -88,14 +87,16 @@ template(`dbus_role_template',`
+@@ -88,14 +88,16 @@ template(`dbus_role_template',`
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
@@ -22102,7 +22141,7 @@ index 0d5711c..2f38c31 100644
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
-@@ -116,7 +117,7 @@ template(`dbus_role_template',`
+@@ -116,7 +118,7 @@ template(`dbus_role_template',`
dev_read_urand($1_dbusd_t)
@@ -22111,7 +22150,7 @@ index 0d5711c..2f38c31 100644
domain_read_all_domains_state($1_dbusd_t)
files_read_etc_files($1_dbusd_t)
-@@ -149,17 +150,25 @@ template(`dbus_role_template',`
+@@ -149,17 +151,25 @@ template(`dbus_role_template',`
term_use_all_terms($1_dbusd_t)
@@ -22139,7 +22178,7 @@ index 0d5711c..2f38c31 100644
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
-@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -22152,7 +22191,7 @@ index 0d5711c..2f38c31 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -197,6 +208,34 @@ interface(`dbus_system_bus_client',`
+@@ -197,6 +209,34 @@ interface(`dbus_system_bus_client',`
#######################################
## <summary>
@@ -22187,7 +22226,7 @@ index 0d5711c..2f38c31 100644
## Template for creating connections to
## a user DBUS.
## </summary>
-@@ -217,6 +256,8 @@ interface(`dbus_session_bus_client',`
+@@ -217,6 +257,8 @@ interface(`dbus_session_bus_client',`
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
@@ -22196,7 +22235,7 @@ index 0d5711c..2f38c31 100644
')
########################################
-@@ -431,14 +472,28 @@ interface(`dbus_system_domain',`
+@@ -431,14 +473,28 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@@ -22226,7 +22265,7 @@ index 0d5711c..2f38c31 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -497,3 +552,23 @@ interface(`dbus_unconfined',`
+@@ -497,3 +553,23 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@@ -22251,17 +22290,17 @@ index 0d5711c..2f38c31 100644
+')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 86d09b4..1c0dd9b 100644
+index 86d09b4..8e05351 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
-@@ -33,6 +33,7 @@ files_tmp_file(system_dbusd_tmp_t)
-
- type system_dbusd_var_lib_t;
- files_type(system_dbusd_var_lib_t)
-+init_sock_file(system_dbusd_var_lib_t)
+@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
++init_sock_file(system_dbusd_var_run_t)
+
+ ifdef(`enable_mcs',`
+ init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -39577,7 +39616,7 @@ index 22adaca..d9913e0 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..f5c37de 100644
+index 2dad3c8..d060ae4 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -39716,7 +39755,7 @@ index 2dad3c8..f5c37de 100644
seutil_read_config(ssh_t)
-@@ -169,14 +176,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -169,14 +176,19 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@@ -39725,6 +39764,7 @@ index 2dad3c8..f5c37de 100644
userdom_read_user_tmp_files(ssh_t)
+userdom_write_user_tmp_files(ssh_t)
+userdom_read_user_home_content_symlinks(ssh_t)
++userdom_read_home_certs(ssh_t)
tunable_policy(`allow_ssh_keysign',`
- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
@@ -39740,7 +39780,7 @@ index 2dad3c8..f5c37de 100644
')
tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +208,15 @@ tunable_policy(`user_tcp_server',`
')
optional_policy(`
@@ -39756,7 +39796,7 @@ index 2dad3c8..f5c37de 100644
##############################
#
# ssh_keysign_t local policy
-@@ -209,7 +225,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +226,7 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -39765,7 +39805,7 @@ index 2dad3c8..f5c37de 100644
dev_read_urand(ssh_keysign_t)
-@@ -232,33 +248,43 @@ optional_policy(`
+@@ -232,33 +249,43 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -39818,7 +39858,7 @@ index 2dad3c8..f5c37de 100644
')
optional_policy(`
-@@ -266,11 +292,24 @@ optional_policy(`
+@@ -266,11 +293,24 @@ optional_policy(`
')
optional_policy(`
@@ -39844,7 +39884,7 @@ index 2dad3c8..f5c37de 100644
')
optional_policy(`
-@@ -284,6 +323,11 @@ optional_policy(`
+@@ -284,6 +324,11 @@ optional_policy(`
')
optional_policy(`
@@ -39856,7 +39896,7 @@ index 2dad3c8..f5c37de 100644
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +336,26 @@ optional_policy(`
+@@ -292,26 +337,26 @@ optional_policy(`
')
ifdef(`TODO',`
@@ -39902,7 +39942,7 @@ index 2dad3c8..f5c37de 100644
') dnl endif TODO
########################################
-@@ -324,12 +368,15 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,12 +369,15 @@ tunable_policy(`ssh_sysadm_login',`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -39919,7 +39959,7 @@ index 2dad3c8..f5c37de 100644
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +400,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,7 +401,7 @@ logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
@@ -45028,7 +45068,7 @@ index 88df85d..2fa3974 100644
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2952cef..4485fd5 100644
+index 2952cef..d845132 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -10,6 +10,7 @@
@@ -45051,12 +45091,12 @@ index 2952cef..4485fd5 100644
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
-+/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
++/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..e6b751b 100644
+index 42b4f0f..75cee4d 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -45124,15 +45164,16 @@ index 42b4f0f..e6b751b 100644
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -141,6 +158,7 @@ interface(`auth_login_pgm_domain',`
+@@ -141,6 +158,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
++ auth_manage_faillog($1)
+ auth_manage_pam_pid($1)
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,8 +169,45 @@ interface(`auth_login_pgm_domain',`
+@@ -151,8 +170,45 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -45180,7 +45221,7 @@ index 42b4f0f..e6b751b 100644
')
')
-@@ -365,13 +420,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -365,13 +421,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -45197,7 +45238,7 @@ index 42b4f0f..e6b751b 100644
')
########################################
-@@ -418,6 +475,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +476,7 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -45205,7 +45246,7 @@ index 42b4f0f..e6b751b 100644
')
########################################
-@@ -694,7 +752,7 @@ interface(`auth_relabel_shadow',`
+@@ -694,7 +753,7 @@ interface(`auth_relabel_shadow',`
')
files_search_etc($1)
@@ -45214,7 +45255,7 @@ index 42b4f0f..e6b751b 100644
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -736,6 +794,43 @@ interface(`auth_rw_faillog',`
+@@ -736,6 +795,45 @@ interface(`auth_rw_faillog',`
allow $1 faillog_t:file rw_file_perms;
')
@@ -45252,13 +45293,15 @@ index 42b4f0f..e6b751b 100644
+ ')
+
+ logging_search_logs($1)
++ files_search_pids($1)
++ allow $1 faillog_t:dir manage_dir_perms;
+ allow $1 faillog_t:file manage_file_perms;
+')
+
#######################################
## <summary>
## Read the last logins log.
-@@ -874,6 +969,46 @@ interface(`auth_exec_pam',`
+@@ -874,6 +972,46 @@ interface(`auth_exec_pam',`
########################################
## <summary>
@@ -45305,7 +45348,7 @@ index 42b4f0f..e6b751b 100644
## Manage var auth files. Used by various other applications
## and pam applets etc.
## </summary>
-@@ -896,6 +1031,26 @@ interface(`auth_manage_var_auth',`
+@@ -896,6 +1034,26 @@ interface(`auth_manage_var_auth',`
########################################
## <summary>
@@ -45332,7 +45375,7 @@ index 42b4f0f..e6b751b 100644
## Read PAM PID files.
## </summary>
## <param name="domain">
-@@ -1093,6 +1248,24 @@ interface(`auth_delete_pam_console_data',`
+@@ -1093,6 +1251,24 @@ interface(`auth_delete_pam_console_data',`
########################################
## <summary>
@@ -45357,7 +45400,7 @@ index 42b4f0f..e6b751b 100644
## Read all directories on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
-@@ -1326,6 +1499,25 @@ interface(`auth_setattr_login_records',`
+@@ -1326,6 +1502,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@@ -45383,7 +45426,7 @@ index 42b4f0f..e6b751b 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
-@@ -1500,28 +1692,36 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1695,36 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -45427,7 +45470,7 @@ index 42b4f0f..e6b751b 100644
optional_policy(`
kerberos_use($1)
')
-@@ -1531,7 +1731,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1734,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
@@ -51291,10 +51334,10 @@ index 0000000..1d17a7b
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..23d4b0c
+index 0000000..17f7ea8
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,138 @@
+@@ -0,0 +1,144 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -51397,6 +51440,11 @@ index 0000000..23d4b0c
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
++mcs_file_read_all(systemd_tmpfiles_t)
++mcs_file_write_all(systemd_tmpfiles_t)
++mls_file_read_all_levels(systemd_tmpfiles_t)
++mls_file_write_all_levels(systemd_tmpfiles_t)
++
+logging_create_devlog_dev(systemd_tmpfiles_t)
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
@@ -51409,6 +51457,7 @@ index 0000000..23d4b0c
+')
+
+optional_policy(`
++ rpm_read_db(systemd_tmpfiles_t)
+ rpm_delete_db(systemd_tmpfiles_t)
+')
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b92e206..d1db3f9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,13 @@ exit 0
%endif
%changelog
+* Thu Mar 10 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-2
+- Add policykit fixes from Tim Waugh
+- dontaudit sandbox domains sandbox_file_t:dir mounton
+- Add new dontaudit rules for sysadm_dbusd_t
+- Change label for /var/run/faillock
+ * other fixes which relate with this change
+
* Tue Mar 8 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-1
- Update to upstream
- Fixes for telepathy
More information about the scm-commits
mailing list