[selinux-policy/f13/master] - Add support for a new cluster service - foghorn - Add /var/spool/audit support for new version of
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Mar 25 09:59:33 UTC 2011
commit 49c044653e97a47c806b24042e7aaaaf663f02e6
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Mar 25 10:59:46 2011 +0000
- Add support for a new cluster service - foghorn
- Add /var/spool/audit support for new version of audit
- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
- sssd wants to read .k5login file in users homedir
- Add support for vdsm
- Allow syslogd setrlimit, sys_nice
- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed
policy-F13.patch | 334 +++++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 11 ++-
2 files changed, 269 insertions(+), 76 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 7efbf39..e72ea26 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -9748,6 +9748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+
+/usr/local/Brother/(.*/)?inf/brprintconf.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/(.*/)?inf/setup.* -- gen_context(system_u:object_r:bin_t,s0)
+Binary files nsaserefpolicy/policy/modules/kernel/.corecommands.fc.swp and serefpolicy-3.7.19/policy/modules/kernel/.corecommands.fc.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.19/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-10-08 09:10:25.000000000 +0000
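Review bot: The added `+Binary files nsaserefpolicy/policy/modules/kernel/.corecommands.fc.swp and serefpolicy-3.7.19/policy/modules/kernel/.corecommands.fc.swp differ` line at the end of the corecommands.fc section is an editor swap file that was open when policy-F13.patch was regenerated, not policy content. `patch` will skip it, but it means corecommands.fc was diffed while an unsaved editing session existed, so the .fc content above may not be what the author last edited; regenerate after closing the editor and add a `*.swp` pattern to the file behind `--exclude-from=exclude` so this cannot recur.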
@@ -21810,7 +21811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
tunable_policy(`fcron_crond', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.19/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2010-04-13 18:44:36.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2010-05-28 07:42:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2011-03-17 09:51:02.274851002 +0000
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -21844,8 +21845,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
- /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
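Review bot: Moving `/var/run/cups(/.*)?` from `s0` to `mls_systemhigh` also relabels the cupsd socket under that directory; under an MLS policy a client at `s0` reaches it through `sock_file write`, which the MLS file constraints normally limit to equal levels, so unless `cupsd_var_run_t` is an MLS trusted object or the clients carry a file-write override, printing from low-level domains stops. This hunk only touches cups.fc, so confirm cups.te carries the matching exemption and record it next to the label, e.g. `# systemhigh: cupsd_var_run_t must stay mls-trusted for s0 clients`. On a non-MLS (targeted) build the change is inert.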
@@ -26131,7 +26133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-03-16 13:57:42.672107002 +0000
++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-03-25 08:29:07.333630001 +0000
@@ -74,7 +74,7 @@
')
@@ -26187,7 +26189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
########################################
## <summary>
## Create a derived type for kerberos keytab
-@@ -374,3 +397,22 @@
+@@ -374,3 +397,41 @@
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -26210,6 +26212,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+
+ files_tmp_filetrans($1, krb5_host_rcache_t, file)
+')
++
++########################################
++## <summary>
++## read kerberos homedir content (.k5login)
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`kerberos_read_home_content',`
++ gen_require(`
++ type krb5_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ read_files_pattern($1, krb5_home_t, krb5_home_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.19/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2011-03-16 13:51:14.123107002 +0000
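Review bot: `kerberos_read_home_content` derives no `$1_`-prefixed types, so by refpolicy convention it should be declared with `interface(` rather than `template(`; `template(` is reserved for blocks that create per-prefix types, and tools that distinguish the two will treat this one differently. The summary `read kerberos homedir content (.k5login)` could also start with a capital letter like the neighbouring summaries. The access itself (home-dir search plus read of `krb5_home_t` files) is appropriately narrow for the sssd use in this commit.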
@@ -35064,16 +35085,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.7.19/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2011-03-16 13:26:33.488107001 +0000
-@@ -50,6 +50,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/remotelogin.te 2011-03-18 14:13:40.122630000 +0000
+@@ -50,6 +50,8 @@
fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
++term_setattr_all_ptys(remote_login_t)
+term_use_all_ptys(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
-@@ -88,6 +89,7 @@
+@@ -88,6 +90,7 @@
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
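Review bot: The new `term_setattr_all_ptys(remote_login_t)` is covered by none of the changelog bullets of this commit and carries no comment, while the rule below it explains the weak-authentication context in which remote_login_t runs. Add a why-comment naming the denial it fixes (presumably rlogind setting owner/mode on the pty it allocated, to be confirmed), e.g. `# rlogind sets owner/mode on the allocated pty`. Setting attributes on every pty type is broader than the one pty a login allocates; if `term_setattr_all_user_ptys` exists in this tree, prefer it.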
@@ -35485,12 +35507,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.19/policy/modules/services/rhcs.fc
--- nsaserefpolicy/policy/modules/services/rhcs.fc 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2010-09-16 15:00:39.000000000 +0000
-@@ -0,0 +1,26 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.fc 2011-03-18 14:46:37.941630000 +0000
+@@ -0,0 +1,27 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
@@ -35977,8 +36000,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
--- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-02-17 10:04:32.623796000 +0000
-@@ -0,0 +1,265 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-03-18 14:46:13.492630000 +0000
+@@ -0,0 +1,281 @@
+
+policy_module(rhcs,1.1.0)
+
@@ -36009,6 +36032,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+type fenced_lock_t;
+files_lock_file(fenced_lock_t)
+
++rhcs_domain_template(foghorn)
++permissive foghorn_t;
++
+rhcs_domain_template(gfs_controld)
+
+rhcs_domain_template(groupd)
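Review bot: `permissive foghorn_t;` ships the new domain with enforcement switched off, which the changelog line about adding foghorn support does not mention; denials are only logged, so the foghorn local policy added later in this patch is effectively unexercised. Put a comment on the line recording that this is temporary and what is needed to drop it, e.g. `# TODO: remove permissive once foghorn policy is complete (see <bug id placeholder>)`, and mention the permissive state in the changelog so it is revisited at the next release.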
@@ -36114,6 +36140,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
+
+######################################
+#
++# foghorn local policy
++#
++
++allow foghorn_t self:process { signal };
++
++files_read_etc_files(foghorn_t)
++
++optional_policy(`
++ dbus_connect_system_bus(foghorn_t)
++ ')
++
++######################################
++#
+# gfs_controld local policy
+#
+
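Review bot: `dbus_connect_system_bus(foghorn_t)` appears without `dbus_system_bus_client(foghorn_t)`, whereas the sssd section of this same patch pairs them (`dbus_system_bus_client(sssd_t)` followed by `dbus_connect_system_bus(sssd_t)`); the connect interface only covers reaching the bus socket, so once foghorn leaves permissive mode it will still be denied the `dbus` message permissions it needs to talk on the system bus. If foghorn exchanges messages over the bus, add `dbus_system_bus_client(foghorn_t)` in the same `optional_policy` block. Minor style: `allow foghorn_t self:process { signal };` needs no braces for a single permission, and the closing `')` of the block appears indented while the surrounding blocks keep it in column 0.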
@@ -39113,7 +39152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2011-03-08 14:16:27.328413001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.if 2011-03-18 14:50:44.915630000 +0000
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -39202,15 +39241,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
-+ corenet_sendrecv_ssh_server_packets($1_t)
-+ # -R qualifier
corenet_sendrecv_ssh_server_packets($1_t)
++ # -R qualifier
++ corenet_sendrecv_ssh_server_packets($1_t)
+ # tunnel feature and -w (net_admin capability also)
+ corenet_rw_tun_tap_dev($1_t)
fs_dontaudit_getattr_all_fs($1_t)
-@@ -234,17 +239,18 @@
+@@ -234,21 +239,27 @@
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
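Review bot: After this hunk `corenet_sendrecv_ssh_server_packets($1_t)` appears twice in a row, once as the kept line and again under the new `# -R qualifier` comment; the hunk moves the duplicate rather than removing it. Either drop the second call or, if the comment is meant to explain the rule that actually serves `-R` remote forwarding (presumably the `corenet_tcp_bind_all_unreserved_ports($1_t)` line above), attach the comment to that line instead. The enclosing template starts and ends outside this hunk.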
@@ -39231,7 +39270,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Allow checking users mail at login
mta_getattr_spool($1_t)
-@@ -265,9 +271,16 @@
+
++ tunable_policy(`use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs($1_t)
++ fs_manage_fusefs_files($1_t)
++ ')
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files($1_t)
+ fs_read_nfs_symlinks($1_t)
+@@ -265,9 +276,16 @@
optional_policy(`
files_read_var_lib_symlinks($1_t)
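Review bot: The new `use_fusefs_home_dirs` block grants `fs_manage_fusefs_dirs($1_t)` and `fs_manage_fusefs_files($1_t)` to the server domain, while the neighbouring `use_nfs_home_dirs` block in the same template grants only `fs_read_nfs_files($1_t)` and `fs_read_nfs_symlinks($1_t)`; the changelog motivates the change with reading `~/.k5login`, which needs read access only. Unless the fusefs case has a documented need to create or delete home content, scale it down to `fs_read_fusefs_files($1_t)` (the interface the sssd hunk of this commit uses) plus the symlink-read counterpart if one exists, so the two tunables stay parallel. The enclosing template starts and ends outside this hunk.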
@@ -39249,7 +39297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
########################################
-@@ -290,6 +303,7 @@
+@@ -290,6 +308,7 @@
## User domain for the role
## </summary>
## </param>
@@ -39257,7 +39305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
#
template(`ssh_role_template',`
gen_require(`
-@@ -327,7 +341,7 @@
+@@ -327,7 +346,7 @@
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -39266,7 +39314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +352,7 @@
+@@ -338,6 +357,7 @@
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)
@@ -39274,7 +39322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
##############################
#
-@@ -359,7 +374,7 @@
+@@ -359,7 +379,7 @@
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
@@ -39283,7 +39331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
-@@ -388,6 +403,7 @@
+@@ -388,6 +408,7 @@
logging_send_syslog_msg($1_ssh_agent_t)
miscfiles_read_localization($1_ssh_agent_t)
@@ -39291,7 +39339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
seutil_dontaudit_read_config($1_ssh_agent_t)
-@@ -395,10 +411,8 @@
+@@ -395,10 +416,8 @@
userdom_use_user_terminals($1_ssh_agent_t)
# for the transition back to normal privs upon exec
@@ -39303,7 +39351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
-@@ -475,7 +489,7 @@
+@@ -475,7 +494,7 @@
type sshd_t;
')
@@ -39312,7 +39360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
########################################
## <summary>
-@@ -492,7 +506,7 @@
+@@ -492,7 +511,7 @@
type sshd_t;
')
@@ -39321,7 +39369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
########################################
-@@ -582,6 +596,25 @@
+@@ -582,6 +601,25 @@
domtrans_pattern($1, sshd_exec_t, sshd_t)
')
@@ -39347,7 +39395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
########################################
## <summary>
## Execute the ssh client in the caller domain.
-@@ -616,7 +649,7 @@
+@@ -616,7 +654,7 @@
type sshd_key_t;
')
@@ -39356,7 +39404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
files_search_pids($1)
')
-@@ -678,6 +711,32 @@
+@@ -678,6 +716,32 @@
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -39389,7 +39437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
########################################
## <summary>
## Read ssh server keys
-@@ -693,7 +752,51 @@
+@@ -693,7 +757,51 @@
type sshd_key_t;
')
@@ -39442,7 +39490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
#######################################
-@@ -714,3 +817,67 @@
+@@ -714,3 +822,67 @@
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -39512,7 +39560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-16 12:45:02.432107002 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-03-18 14:51:36.890630000 +0000
@@ -34,13 +34,12 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -39603,7 +39651,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -201,54 +205,6 @@
+@@ -180,6 +184,11 @@
+ allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
+ ')
+
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_manage_fusefs_dirs(ssh_t)
++ fs_manage_fusefs_files(ssh_t)
++ ')
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(ssh_t)
+ fs_manage_nfs_files(ssh_t)
+@@ -201,54 +210,6 @@
xserver_domtrans_xauth(ssh_t)
')
@@ -39658,7 +39718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
##############################
#
# ssh_keysign_t local policy
-@@ -282,36 +238,39 @@
+@@ -282,36 +243,39 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -39707,7 +39767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -319,10 +278,27 @@
+@@ -319,10 +283,27 @@
')
optional_policy(`
@@ -39735,7 +39795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +309,18 @@
+@@ -333,10 +314,18 @@
')
optional_policy(`
@@ -39755,7 +39815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
ifdef(`TODO',`
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
-@@ -368,6 +352,7 @@
+@@ -368,6 +357,7 @@
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -39763,7 +39823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-@@ -376,6 +361,10 @@
+@@ -376,6 +366,10 @@
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
@@ -39774,7 +39834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -384,6 +373,7 @@
+@@ -384,6 +378,7 @@
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
@@ -39782,7 +39842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
domain_use_interactive_fds(ssh_keygen_t)
-@@ -397,6 +387,11 @@
+@@ -397,6 +392,11 @@
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -39838,7 +39898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
sssd_initrc_domtrans($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.19/policy/modules/services/sssd.te
--- nsaserefpolicy/policy/modules/services/sssd.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2011-03-01 12:58:07.985556649 +0000
++++ serefpolicy-3.7.19/policy/modules/services/sssd.te 2011-03-25 08:31:03.587630001 +0000
@@ -29,9 +29,12 @@
#
# sssd local policy
@@ -39884,10 +39944,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
-@@ -89,3 +102,11 @@
+@@ -88,4 +101,25 @@
+
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
- ')
++ kerberos_read_home_content(sssd_t)
++')
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
@@ -39896,6 +39958,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
+optional_policy(`
+ ldap_stream_connect(sssd_t)
+')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(sssd_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(sssd_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_read_fusefs_files(sssd_t)
+ ')
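Review bot: `fs_read_nfs_files(sssd_t)` in the new `use_nfs_home_dirs` block is not paired with `fs_read_nfs_symlinks(sssd_t)`, unlike the ssh.if block elsewhere in this patch that reads both files and symlinks; if `~/.k5login` is a symlink on an NFS home (common with shared dotfile setups), sssd is still denied. Consider adding the symlink read here and the matching symlink interfaces for the cifs and fusefs blocks where this tree provides them. All three blocks grant read only, so the exposure stays limited to what sssd can already learn from `.k5login`.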
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.19/policy/modules/services/sysstat.te
--- nsaserefpolicy/policy/modules/services/sysstat.te 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/sysstat.te 2010-07-27 13:46:39.000000000 +0000
@@ -40577,7 +40651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-03-01 12:46:03.926380019 +0000
++++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-03-25 08:50:01.013630001 +0000
@@ -1,4 +1,5 @@
-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -40585,7 +40659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-@@ -12,18 +13,19 @@
+@@ -12,18 +13,22 @@
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -40607,10 +40681,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
++# support for vdsm
++# bug 685061
++/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
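Review bot: Labeling `/usr/share/vdsm/vdsm` as `virtd_exec_t` runs vdsm in `virtd_t`, so every permission vdsm needs is added to the libvirt daemon's domain and every permission `virtd_t` already has becomes available to vdsm; a dedicated domain, or at least a comment explaining why sharing `virtd_t` is acceptable, would keep the two privilege sets separate. The added comment `# support for vdsm` / `# bug 685061` records only the bug number; state what vdsm needs from `virtd_t` so the label can be revisited later, e.g. `# vdsm runs as virtd_t because it needs <reason placeholder>; see bug 685061`.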
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-09-23 10:59:31.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2011-03-17 10:41:54.513325002 +0000
@@ -21,6 +21,8 @@
type $1_t, virt_domain;
domain_type($1_t)
@@ -40772,7 +40849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +562,50 @@
+@@ -516,3 +562,86 @@
virt_manage_log($1)
')
@@ -40822,6 +40899,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+ type virtd_t;
+ ')
+ dontaudit $1 virtd_t:fifo_file write;
++')
++
++######################################
++## <summary>
++## Send a sigkill to virtual machines
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_kill_svirt',`
++ gen_require(`
++ attribute virt_domain;
++ ')
++
++ allow $1 virt_domain:process sigkill;
++')
++
++######################################
++## <summary>
++## Send a signal to virtual machines
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_signal_svirt',`
++ gen_require(`
++ attribute virt_domain;
++ ')
++
++ allow $1 virt_domain:process signal;
+')
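Review bot: The summaries of the new `virt_kill_svirt` and `virt_signal_svirt` interfaces say "virtual machines", but the allow rules target every domain carrying the `virt_domain` attribute, and the names say svirt; state the actual scope in the `<summary>` so callers know what they grant, e.g. `## Send a sigkill to all domains with the virt_domain attribute (svirt guests).` Nothing visible in this commit calls either interface, so a sentence on their intended caller would also help.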
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 18:44:37.000000000 +0000
@@ -44141,7 +44254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-02-17 09:49:30.499796002 +0000
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-03-25 08:48:15.759630001 +0000
@@ -1,5 +1,5 @@
-policy_module(init, 1.14.2)
@@ -44588,7 +44701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -798,11 +950,19 @@
+@@ -798,11 +950,26 @@
')
optional_policy(`
@@ -44606,10 +44719,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
++
++ # bug 685061
++ mcs_file_read_all(initrc_t)
++ mcs_file_write_all(initrc_t)
++ mcs_socket_write_all_levels(initrc_t)
++ mcs_killall(initrc_t)
++ mcs_ptrace_all(initrc_t)
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
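Review bot: The five new `mcs_*` exemptions (`mcs_file_read_all`, `mcs_file_write_all`, `mcs_socket_write_all_levels`, `mcs_killall`, `mcs_ptrace_all`) let `initrc_t` bypass MCS category separation for files, sockets, signals and ptrace, and the only justification is `# bug 685061`, the same bug cited for the vdsm label in virt.fc of this patch. They sit inside the `unconfined_domain(initrc_t)` optional block, so type enforcement is already relaxed there, but MCS constraints are separate, which is presumably why they were needed; the comment should say which operation on categorised (svirt) objects init scripts perform, and whether `mcs_ptrace_all` in particular was required or added for symmetry. Something like `# bug 685061: vdsm started from initrc must reach svirt guests across MCS categories (ptrace needed for <reason placeholder>)` would make the scope reviewable.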
-@@ -812,6 +972,25 @@
+@@ -812,6 +979,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -44635,7 +44755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +1016,35 @@
+@@ -837,3 +1023,35 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -44808,7 +44928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-08-10 15:44:19.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2011-03-25 08:41:51.030630001 +0000
@@ -73,7 +73,7 @@
#
@@ -44845,7 +44965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -186,7 +190,9 @@
+@@ -186,13 +190,17 @@
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
@@ -44856,7 +44976,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -225,7 +231,6 @@
+ allow ipsec_mgmt_t self:key_socket create_socket_perms;
+ allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+
++allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
++
+ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
+ files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
+
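Review bot: `allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };` packs two permissions with different roles and carries no comment, unlike the `# whack needs to connect to pluto` rule below. `rlimitinh` with old domain `ipsec_mgmt_t` and new domain `ipsec_t` is what lets pluto inherit the core-size limit the management script sets before the transition, which matches the changelog's "cause ipsec_t to dump core"; `sigchld` in this direction is `ipsec_mgmt_t` signalling `ipsec_t` as its parent, i.e. helper scripts spawned by pluto exiting, a separate need (direction to be confirmed). Suggest splitting the rule and commenting each half, e.g. `# let pluto inherit the core rlimit set by the ipsec script` and `# updown/helper scripts run by pluto exit back to it`.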
+@@ -225,7 +233,6 @@
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -44864,7 +44992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -258,7 +263,13 @@
+@@ -258,7 +265,13 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -44879,7 +45007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -270,19 +281,25 @@
+@@ -270,19 +283,25 @@
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
@@ -44893,9 +45021,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
term_use_console(ipsec_mgmt_t)
-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
+term_use_all_terms(ipsec_mgmt_t)
-+
-+auth_dontaudit_read_login_records(ipsec_mgmt_t)
++auth_dontaudit_read_login_records(ipsec_mgmt_t)
++
+init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
@@ -44906,7 +45034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
logging_send_syslog_msg(ipsec_mgmt_t)
miscfiles_read_localization(ipsec_mgmt_t)
-@@ -291,15 +308,38 @@
+@@ -291,15 +310,38 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
@@ -44945,7 +45073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -386,6 +426,8 @@
+@@ -386,6 +428,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -44954,7 +45082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +454,7 @@
+@@ -412,6 +456,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -44962,7 +45090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +466,4 @@
+@@ -423,3 +468,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
@@ -45570,7 +45698,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.19/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2011-01-03 09:28:54.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/logging.fc 2011-03-25 08:35:24.361630001 +0000
+@@ -1,4 +1,4 @@
+-/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
++/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
+ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -17,6 +17,10 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
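Review bot: Relabeling `/dev/log -s` from `s0` to `mls_systemhigh` keeps ordinary `s0` senders working under an MLS policy only if `devlog_t` is exempt from the MLS write constraints, i.e. declared `mls_trusted_object(devlog_t)` in logging.te; that declaration is not part of this commit, so confirm it already exists, otherwise every syslog write from a low-level domain is denied. The same question applies to the other systemhigh relabels in the next two logging.fc hunks (`/var/log/boot\.log`, `/var/log/syslog-ng(/.*)?`, `/var/run/syslogd\.pid`, `/var/spool/plymouth/boot\.log`): whoever reads or writes them at `s0`, such as init scripts reading the pid file, needs the corresponding MLS override. On a non-MLS (targeted) build these changes are inert, so the concern is the MLS variant only.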
@@ -45582,7 +45716,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -54,18 +58,24 @@
+@@ -37,13 +41,14 @@
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
++/var/log/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+
+ ifndef(`distro_gentoo',`
+ /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+@@ -54,18 +59,25 @@
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
@@ -45597,17 +45747,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+-/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
- /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
+-/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-
-+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
+
++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -45713,8 +45866,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.19/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/logging.te 2010-08-18 11:16:17.000000000 +0000
-@@ -61,6 +61,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/logging.te 2011-03-25 09:50:43.190630001 +0000
+@@ -20,6 +20,11 @@
+ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+
++type audit_spool_t;
++files_type(audit_spool_t)
++files_security_file(audit_spool_t)
++files_security_mountpoint(audit_spool_t)
++
+ type auditd_t;
+ type auditd_exec_t;
+ init_daemon_domain(auditd_t, auditd_exec_t)
+@@ -61,6 +66,7 @@
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
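Review bot: The new `audit_spool_t` declaration carries no comment, and nothing in this file says what path it covers; the binding to /var/spool/audit lives only in the separate logging.fc hunk. Suggest a line above the type, e.g. `# /var/spool/audit: spool managed by audisp_remote_t, protected like auditd_log_t`. Giving it `files_security_file` and `files_security_mountpoint` mirrors auditd_log_t exactly, which looks intended since the directory holds audit data, but it means the type inherits whatever global treatment security files get, so please confirm that is the desired scope.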
@@ -45722,7 +45887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -180,6 +181,8 @@
+@@ -180,6 +186,8 @@
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -45731,7 +45896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
miscfiles_read_localization(auditd_t)
mls_file_read_all_levels(auditd_t)
-@@ -235,7 +238,12 @@
+@@ -235,7 +243,12 @@
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
@@ -45744,7 +45909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(audisp_t)
-@@ -245,6 +253,10 @@
+@@ -245,6 +258,10 @@
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -45755,7 +45920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
-@@ -252,6 +264,9 @@
+@@ -252,8 +269,15 @@
# Audit remote logger local policy
#
@@ -45764,8 +45929,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
allow audisp_remote_t self:tcp_socket create_socket_perms;
++manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
++manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
++files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
++
corenet_all_recvfrom_unlabeled(audisp_remote_t)
-@@ -266,6 +281,15 @@
+ corenet_all_recvfrom_netlabel(audisp_remote_t)
+ corenet_tcp_sendrecv_generic_if(audisp_remote_t)
+@@ -266,6 +290,15 @@
files_read_etc_files(audisp_remote_t)
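Review bot: audisp_remote_t gains full manage rights on audit_spool_t here, while the fc hunk in this commit labels /var/spool/audit mls_systemhigh; under an MLS policy a domain that does not itself run at systemhigh cannot write such files without an exemption such as mls_file_write_all_levels(audisp_remote_t). auditd_t's comparable exemption, `mls_file_read_all_levels(auditd_t)`, is visible earlier on this page, but no equivalent for audisp_remote_t appears in the visible hunks; the enclosing audisp_remote_t block continues outside this hunk, so it may be there. Please confirm the daemon's level or add the interface. A short comment on the `files_spool_filetrans` line naming the spool path would also help, since the path is only recoverable from logging.fc.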
@@ -45781,7 +45952,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(audisp_remote_t)
miscfiles_read_localization(audisp_remote_t)
-@@ -372,8 +396,10 @@
+@@ -339,10 +372,10 @@
+ # chown fsetid for syslog-ng
+ # sys_admin for the integrated klog of syslog-ng and metalog
+ # cjp: why net_admin!
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
++allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+ dontaudit syslogd_t self:capability sys_tty_config;
+ # setpgid for metalog
+-allow syslogd_t self:process { signal_perms setpgid };
++allow syslogd_t self:process { setrlimit signal_perms setpgid };
+ # receive messages to be logged
+ allow syslogd_t self:unix_dgram_socket create_socket_perms;
+ allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -372,8 +405,10 @@
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)
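Review bot: The added `sys_nice` capability and `setrlimit` process permission break the convention of the surrounding lines, where each capability is tied to the daemon that needs it (`# chown fsetid for syslog-ng`, `# sys_admin for the integrated klog of syslog-ng and metalog`); neither new permission says which logger requests it. Suggest `# sys_nice and setrlimit for [DAEMON that requested them]` above the two allow lines, filled in from the denial that motivated the change. Both grants are self-scoped (self:capability, self:process), so the exposure is limited to the daemon adjusting its own scheduling priority and resource limits, but the justification is what the next reviewer of this block will look for.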
@@ -45794,7 +45978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-@@ -491,6 +517,10 @@
+@@ -491,6 +526,10 @@
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f951f3..d1c2f4e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 101%{?dist}
+Release: 102%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,15 @@ exit 0
%endif
%changelog
+* Fri Mar 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-102
+- Add support for a new cluster service - foghorn
+- Add /var/spool/audit support for new version of audit
+- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
+- sssd wants to read .k5login file in users homedir
+- Add support for vdsm
+- Allow syslogd setrlimit, sys_nice
+- ipsec_mgmt_t wants to cause ipsec_t to dump core, needs to be allowed
+
* Wed Mar 16 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-101
- Fixes for sandbox/seunshare policy
- Add matahari policy