[selinux-policy/f14/master] - Allow aisexec domtrans to corosync domain - Allow kadmind setsched - Allow mailman to read/write
Miroslav Grepl
mgrepl at fedoraproject.org
Tue May 10 10:53:20 UTC 2011
commit 51be3241e2bec707c016d7849bcf86481a96ed81
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue May 10 12:54:59 2011 +0000
- Allow aisexec domtrans to corosync domain
- Allow kadmind setsched
- Allow mailman to read/write postfix master pipes
- Remove remote_login_tmp_t and allow remote_login to create and manage user tmp files
- Allow spamd to send mail
- Allow sshd getcap
- Add tgtd_var_run_t type
- Allow vnstatd to read system state
policy-F14.patch | 264 ++++++++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 12 ++-
2 files changed, 219 insertions(+), 57 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index db755c2..21d24af 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -3740,7 +3740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.9.7/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-10-12 20:42:51.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/gnome.te 2011-03-18 16:33:37.244630000 +0000
++++ serefpolicy-3.9.7/policy/modules/apps/gnome.te 2011-05-09 17:54:19.836771000 +0000
@@ -6,11 +6,24 @@
#
@@ -3793,7 +3793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
##############################
#
# Local Policy
-@@ -75,3 +100,91 @@
+@@ -75,3 +100,93 @@
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -3866,6 +3866,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
+files_read_etc_files(gnomesystemmm_t)
+files_read_usr_files(gnomesystemmm_t)
+
++fs_getattr_xattr_fs(gnomesystemmm_t)
++
+miscfiles_read_localization(gnomesystemmm_t)
+
+userdom_read_all_users_state(gnomesystemmm_t)
@@ -5124,8 +5126,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespace.te serefpolicy-3.9.7/policy/modules/apps/namespace.te
--- nsaserefpolicy/policy/modules/apps/namespace.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/apps/namespace.te 2011-02-25 17:40:39.232542296 +0000
-@@ -0,0 +1,38 @@
++++ serefpolicy-3.9.7/policy/modules/apps/namespace.te 2011-04-27 08:06:00.240000005 +0000
+@@ -0,0 +1,40 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -5157,6 +5159,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespac
+files_read_etc_files(namespace_init_t)
+files_polyinstantiate_all(namespace_init_t)
+
++auth_use_nsswitch(namespace_init_t)
++
+miscfiles_read_localization(namespace_init_t)
+
+userdom_manage_user_home_content_dirs(namespace_init_t)
@@ -14590,6 +14594,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide
#
interface(`aide_run',`
gen_require(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.te serefpolicy-3.9.7/policy/modules/services/aide.te
+--- nsaserefpolicy/policy/modules/services/aide.te 2010-10-12 20:42:49.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/aide.te 2011-04-26 10:43:50.248000004 +0000
+@@ -32,8 +32,14 @@
+ logging_log_filetrans(aide_t, aide_log_t, file)
+
+ files_read_all_files(aide_t)
++files_read_boot_symlinks(aide_t)
++
++mls_file_read_to_clearance(aide_t)
++mls_file_write_to_clearance(aide_t)
+
+ logging_send_audit_msgs(aide_t)
++# AIDE can be configured to log to syslog
++logging_send_syslog_msg(aide_t)
+
+ seutil_use_newrole_fds(aide_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.9.7/policy/modules/services/aisexec.if
--- nsaserefpolicy/policy/modules/services/aisexec.if 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/aisexec.if 2011-02-25 17:40:39.594533386 +0000
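Review bot: `mls_file_write_to_clearance(aide_t)` relaxes the MLS write constraint for the AIDE domain, yet unlike the syslog line further down it carries no comment, and nothing in this aide.te hunk (the boot-symlink read, the two mls_ interfaces, the syslog send) appears in the commit message or the spec changelog. AIDE is an integrity checker, so a reader will ask which file it has to write above its own level (presumably its database on MLS systems). I'd add `# on MLS systems AIDE reads and updates its database across levels — TODO name the file` above the two mls_ lines and a changelog bullet for aide. The aide_t policy continues outside the hunk.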
@@ -14607,7 +14629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
interface(`aisexec_domtrans',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.9.7/policy/modules/services/aisexec.te
--- nsaserefpolicy/policy/modules/services/aisexec.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/aisexec.te 2011-02-25 17:40:39.602533189 +0000
++++ serefpolicy-3.9.7/policy/modules/services/aisexec.te 2011-04-27 08:06:36.993000004 +0000
@@ -32,7 +32,7 @@
# aisexec local policy
#
@@ -14617,7 +14639,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
-@@ -81,6 +81,9 @@
+@@ -81,11 +81,18 @@
miscfiles_read_localization(aisexec_t)
@@ -14627,6 +14649,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
optional_policy(`
ccs_stream_connect(aisexec_t)
')
+
+ optional_policy(`
++ corosync_domtrans(aisexec_t)
++')
++
++optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ajaxterm.fc serefpolicy-3.9.7/policy/modules/services/ajaxterm.fc
--- nsaserefpolicy/policy/modules/services/ajaxterm.fc 1970-01-01 00:00:00.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/ajaxterm.fc 2011-02-25 17:40:39.604533140 +0000
@@ -20541,7 +20572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
snmp_stream_connect(cyrus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.9.7/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/dbus.if 2011-02-25 17:40:39.814527971 +0000
++++ serefpolicy-3.9.7/policy/modules/services/dbus.if 2011-05-09 19:33:49.199771000 +0000
@@ -41,9 +41,9 @@
template(`dbus_role_template',`
gen_require(`
@@ -20642,7 +20673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -431,14 +441,27 @@
+@@ -431,14 +441,28 @@
domtrans_pattern(system_dbusd_t, $2, $1)
@@ -20652,6 +20683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
dbus_connect_system_bus($1)
+ init_stream_connect($1)
++ init_use_fds($1)
+
ps_process_pattern(system_dbusd_t, $1)
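Review bot: `init_use_fds($1)` is added inside an interface body ($1 is the caller-supplied domain, as the `domtrans_pattern(system_dbusd_t, $2, $1)` context shows), so every domain that calls this interface gains use of init's file descriptors, not a single daemon. The change is not listed in the commit message or the changelog. If only one bus-activated service needs it, a rule in that service's module would be narrower; otherwise a one-line comment above it saying why bus-activated services inherit init fds would make the broad grant reviewable. The interface's start and end are outside the hunk.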
@@ -20671,7 +20703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -497,3 +520,22 @@
+@@ -497,3 +521,22 @@
typeattribute $1 dbusd_unconfined;
')
@@ -24809,7 +24841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.9.7/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/kerberos.te 2011-03-25 08:27:15.309630001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/kerberos.te 2011-04-26 10:31:21.790000005 +0000
@@ -6,9 +6,9 @@
#
@@ -24851,6 +24883,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
# types for KDC principal file(s)
type krb5kdc_principal_t;
+@@ -80,7 +80,7 @@
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+ dontaudit kadmind_t self:capability sys_tty_config;
+-allow kadmind_t self:process { setfscreate signal_perms };
++allow kadmind_t self:process { setfscreate setsched signal_perms };
+ allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow kadmind_t self:unix_dgram_socket { connect create write };
+ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -93,9 +93,9 @@
dontaudit kadmind_t krb5_conf_t:file write;
@@ -25588,7 +25629,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
files_read_var_lib_symlinks(mailman_$1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.9.7/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/mailman.te 2011-02-25 17:40:40.126520291 +0000
++++ serefpolicy-3.9.7/policy/modules/services/mailman.te 2011-04-26 09:55:44.715000005 +0000
@@ -61,14 +61,18 @@
# Mailman mail local policy
#
@@ -25610,7 +25651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
files_search_spool(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,6 +85,10 @@
+@@ -81,11 +85,16 @@
')
optional_policy(`
@@ -25621,7 +25662,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
cron_read_pipes(mailman_mail_t)
')
-@@ -104,6 +112,8 @@
+ optional_policy(`
+ postfix_search_spool(mailman_mail_t)
++ postfix_rw_master_pipes(mailman_mail_t)
+ ')
+
+ ########################################
+@@ -104,6 +113,8 @@
kernel_read_proc_symlinks(mailman_queue_t)
@@ -25630,7 +25677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
auth_domtrans_chk_passwd(mailman_queue_t)
files_dontaudit_search_pids(mailman_queue_t)
-@@ -125,4 +135,4 @@
+@@ -125,4 +136,4 @@
optional_policy(`
su_exec(mailman_queue_t)
@@ -31474,7 +31521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.9.7/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/postfix.te 2011-02-25 17:40:40.390513793 +0000
++++ serefpolicy-3.9.7/policy/modules/services/postfix.te 2011-05-02 10:17:02.194000005 +0000
@@ -5,6 +5,14 @@
# Declarations
#
@@ -31698,7 +31745,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
-@@ -519,7 +563,7 @@
+@@ -507,6 +551,8 @@
+ # Postfix qmgr local policy
+ #
+
++allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms;
++
+ stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+
+ rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
+@@ -519,7 +565,7 @@
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
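Review bot: `allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms;` is a new rule that neither the commit message nor the selinux-policy.spec changelog mentions. A self fifo rule is low risk, but the changelog is the only record of why 3.9.7-41 differs from 3.9.7-40, so I'd add a bullet such as `- Allow postfix qmgr to read/write its own fifo files`. The postfix_qmgr_t policy continues outside the hunk.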
@@ -31707,7 +31763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +583,7 @@
+@@ -539,7 +585,7 @@
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -31716,7 +31772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +632,16 @@
+@@ -588,10 +634,16 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -31733,7 +31789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
-@@ -611,8 +661,8 @@
+@@ -611,8 +663,8 @@
# Postfix virtual local policy
#
@@ -31743,7 +31799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +680,8 @@
+@@ -630,3 +682,8 @@
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -34241,8 +34297,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.9.7/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/remotelogin.te 2011-03-18 14:14:10.428630000 +0000
-@@ -49,6 +49,8 @@
++++ serefpolicy-3.9.7/policy/modules/services/remotelogin.te 2011-05-09 19:22:41.903771002 +0000
+@@ -10,9 +10,6 @@
+ auth_login_pgm_domain(remote_login_t)
+ auth_login_entry_type(remote_login_t)
+
+-type remote_login_tmp_t;
+-files_tmp_file(remote_login_tmp_t)
+-
+ ########################################
+ #
+ # Remote login remote policy
+@@ -34,10 +31,6 @@
+ allow remote_login_t self:msg { send receive };
+ allow remote_login_t self:key write;
+
+-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+-
+ kernel_read_system_state(remote_login_t)
+ kernel_read_kernel_sysctls(remote_login_t)
+
+@@ -49,6 +42,8 @@
fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
@@ -34251,15 +34328,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
-@@ -87,6 +89,7 @@
+@@ -87,6 +82,10 @@
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
-+userdom_rw_user_tmp_files(remote_login_t)
++userdom_manage_user_tmp_dirs(remote_login_t)
++userdom_manage_user_tmp_files(remote_login_t)
++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
++userdom_use_user_ptys(remote_login_t)
# Search for mail spool file.
mta_getattr_spool(remote_login_t)
-@@ -114,7 +117,6 @@
+@@ -114,7 +113,6 @@
')
optional_policy(`
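Review bot: Replacing the private `remote_login_tmp_t` (dropped in the previous hunk) with `userdom_manage_user_tmp_dirs`/`userdom_manage_user_tmp_files` and `userdom_tmp_filetrans_user_tmp` moves remote_login_t from a type only it wrote to the shared user tmp type; assuming the usual meaning of these userdom interfaces, it can now create and modify any user's tmp content, which is wider than the rules removed. `userdom_use_user_ptys(remote_login_t)` is also absent from the commit message. A comment above the four lines stating which files the login program hands to the user session would justify the scope, and since a declared type was removed, any other module or .fc entry still naming remote_login_tmp_t would need updating (none is visible here). The remote_login_t policy continues outside the hunk.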
@@ -37197,7 +37277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.9.7/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/spamassassin.te 2011-03-25 10:21:53.251630001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/spamassassin.te 2011-05-10 08:30:04.924771002 +0000
@@ -6,54 +6,93 @@
#
@@ -37586,6 +37666,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
')
optional_policy(`
+@@ -446,6 +542,7 @@
+ optional_policy(`
+ sendmail_stub(spamd_t)
+ mta_read_config(spamd_t)
++ mta_send_mail(spamd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.9.7/policy/modules/services/squid.if
--- nsaserefpolicy/policy/modules/services/squid.if 2010-10-12 20:42:49.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/squid.if 2011-02-25 17:40:40.556509706 +0000
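Review bot: `mta_send_mail(spamd_t)` lets the spamd domain start the system MTA (a transition into the mail-sending domain, if this is the standard refpolicy interface), which is a notable grant for a daemon whose input is untrusted mail. The changelog records it, but nothing in the policy says which spamd feature needs outbound mail; a comment above the call in the style of the aide hunk's `# AIDE can be configured to log to syslog` would keep the reason next to the rule. The optional_policy block starts outside the hunk.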
@@ -37678,7 +37766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.9.7/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2010-10-12 20:42:48.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.if 2011-04-04 15:42:53.154000001 +0000
++++ serefpolicy-3.9.7/policy/modules/services/ssh.if 2011-04-26 09:30:24.640000005 +0000
@@ -32,10 +32,10 @@
## </param>
#
@@ -37755,7 +37843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+ allow $1_t self:process { signal getsched setsched setrlimit setexec };
++ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
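Review bot: `getcap` is added to `$1_t self:process` inside a template, so it applies to every domain instantiated from it, not only sshd_t as the changelog bullet "Allow sshd getcap" suggests. It is a self-only process permission and harmless in itself, but the changelog wording should say the ssh server template if that is the intent. The template starts and ends outside the hunk.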
@@ -38819,6 +38907,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.fc serefpolicy-3.9.7/policy/modules/services/tgtd.fc
+--- nsaserefpolicy/policy/modules/services/tgtd.fc 2010-10-12 20:42:48.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/services/tgtd.fc 2011-04-20 13:49:55.422000005 +0000
+@@ -1,3 +1,4 @@
+ /etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+ /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+ /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
++/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.9.7/policy/modules/services/tgtd.if
--- nsaserefpolicy/policy/modules/services/tgtd.if 2010-10-12 20:42:48.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/services/tgtd.if 2011-02-25 17:40:40.614508278 +0000
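Review bot: The new file context `/var/run/tgtd.* -s` labels only socket files, while the tgtd.te hunk below (`files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })`) also transitions regular files to tgtd_var_run_t; a pid or state file tgtd creates would be tgtd_var_run_t at runtime but reset to the default /var/run label by restorecon, so the two should agree — either drop `file` from the filetrans or add a matching entry without `-s`. The `.` in `tgtd.*` is also an unescaped regex metacharacter, so the pattern matches any path beginning `/var/run/tgtd`; if a single socket is meant, `/var/run/tgtd\.<socket name tgtd actually creates>` is tighter. The file context table is complete within the hunk.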
@@ -38869,8 +38965,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.9.7/policy/modules/services/tgtd.te
--- nsaserefpolicy/policy/modules/services/tgtd.te 2010-10-12 20:42:49.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/tgtd.te 2011-02-25 17:40:40.614508278 +0000
-@@ -29,7 +29,7 @@
++++ serefpolicy-3.9.7/policy/modules/services/tgtd.te 2011-04-20 13:49:39.062000005 +0000
+@@ -21,6 +21,9 @@
+ type tgtd_var_lib_t;
+ files_type(tgtd_var_lib_t)
+
++type tgtd_var_run_t;
++files_pid_file(tgtd_var_run_t)
++
+ ########################################
+ #
+ # TGTD personal policy.
+@@ -29,7 +32,7 @@
allow tgtd_t self:capability sys_resource;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
@@ -38879,7 +38985,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd
allow tgtd_t self:shm create_shm_perms;
allow tgtd_t self:sem create_sem_perms;
allow tgtd_t self:tcp_socket create_stream_socket_perms;
-@@ -57,10 +57,18 @@
+@@ -46,6 +49,11 @@
+ manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
+ files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
+
++manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
++files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
++
+ kernel_read_fs_sysctls(tgtd_t)
+
+ corenet_all_recvfrom_netlabel(tgtd_t)
+@@ -57,10 +65,18 @@
corenet_tcp_bind_iscsi_port(tgtd_t)
corenet_sendrecv_iscsi_server_packets(tgtd_t)
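Review bot: The four new tgtd_var_run_t rules omit the space after the comma (`tgtd_var_run_t,tgtd_var_run_t`, `files_pid_filetrans(tgtd_t,tgtd_var_run_t, ...`), unlike the neighbouring `manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)`. Writing them as `manage_dirs_pattern(tgtd_t, tgtd_var_run_t, tgtd_var_run_t)` and `files_pid_filetrans(tgtd_t, tgtd_var_run_t, { file sock_file })` keeps the module consistent. The tgtd_t policy continues outside the hunk.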
@@ -40677,8 +40795,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vnst
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vnstatd.te serefpolicy-3.9.7/policy/modules/services/vnstatd.te
--- nsaserefpolicy/policy/modules/services/vnstatd.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/services/vnstatd.te 2011-02-25 17:40:40.710505916 +0000
-@@ -0,0 +1,72 @@
++++ serefpolicy-3.9.7/policy/modules/services/vnstatd.te 2011-05-02 10:06:58.698000005 +0000
+@@ -0,0 +1,77 @@
+policy_module(vnstatd, 1.0.0)
+
+########################################
@@ -40719,10 +40837,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vnst
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
+
++kernel_read_network_state(vnstatd_t)
++kernel_read_system_state(vnstatd_t)
++
+domain_use_interactive_fds(vnstatd_t)
+
+files_read_etc_files(vnstatd_t)
+
++fs_getattr_xattr_fs(vnstatd_t)
++
+logging_send_syslog_msg(vnstatd_t)
+
+miscfiles_read_localization(vnstatd_t)
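Review bot: `kernel_read_network_state(vnstatd_t)` and `fs_getattr_xattr_fs(vnstatd_t)` are added alongside the system-state read, but the changelog only records "read system state"; for a traffic monitor the network-state read is presumably the primary need, so the bullet should name it (`- Allow vnstatd to read network and system state`). The vnstatd_t policy continues outside the hunk.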
@@ -44592,7 +44715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.9.7/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/init.te 2011-02-25 17:40:40.826503061 +0000
++++ serefpolicy-3.9.7/policy/modules/system/init.te 2011-04-20 13:49:07.390000005 +0000
@@ -16,6 +16,34 @@
## </desc>
gen_tunable(init_upstart, false)
@@ -44967,7 +45090,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
-@@ -380,6 +546,7 @@
+@@ -374,12 +540,14 @@
+ term_reset_tty_labels(initrc_t)
+
+ auth_rw_login_records(initrc_t)
++auth_manage_faillog(initrc_t)
+ auth_setattr_login_records(initrc_t)
+ auth_rw_lastlog(initrc_t)
+ auth_read_pam_pid(initrc_t)
auth_delete_pam_pid(initrc_t)
auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)
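Review bot: `auth_manage_faillog(initrc_t)` is not mentioned in the commit message or the changelog. Going by the interface name it lets init scripts create, write and remove the failed-login record, which is stronger than the surrounding `auth_rw_*` rules; if a specific script needs it, a comment such as `# needed by <init script> to initialise faillog` and a changelog bullet would let a later reader judge whether the grant can be narrowed. The initrc_t block continues outside the hunk.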
@@ -44975,7 +45105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
-@@ -394,13 +561,14 @@
+@@ -394,13 +562,14 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -44991,7 +45121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +641,7 @@
+@@ -473,7 +642,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -45000,7 +45130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -519,6 +687,19 @@
+@@ -519,6 +688,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -45020,7 +45150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -526,10 +707,17 @@
+@@ -526,10 +708,17 @@
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -45038,7 +45168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -544,6 +732,39 @@
+@@ -544,6 +733,39 @@
')
')
@@ -45078,7 +45208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +777,8 @@
+@@ -556,6 +778,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -45087,7 +45217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -572,6 +795,7 @@
+@@ -572,6 +796,7 @@
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -45095,7 +45225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -584,6 +808,11 @@
+@@ -584,6 +809,11 @@
')
optional_policy(`
@@ -45107,7 +45237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -600,6 +829,9 @@
+@@ -600,6 +830,9 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -45117,7 +45247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -701,7 +933,13 @@
+@@ -701,7 +934,13 @@
')
optional_policy(`
@@ -45131,7 +45261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +962,10 @@
+@@ -724,6 +963,10 @@
')
optional_policy(`
@@ -45142,7 +45272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -745,6 +987,10 @@
+@@ -745,6 +988,10 @@
')
optional_policy(`
@@ -45153,7 +45283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +1012,6 @@
+@@ -766,8 +1013,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -45162,7 +45292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -776,14 +1020,21 @@
+@@ -776,14 +1021,21 @@
')
optional_policy(`
@@ -45184,7 +45314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1056,19 @@
+@@ -805,11 +1057,19 @@
')
optional_policy(`
@@ -45205,7 +45335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1078,25 @@
+@@ -819,6 +1079,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -45231,7 +45361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -844,3 +1122,59 @@
+@@ -844,3 +1123,59 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -47622,6 +47752,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_user_terminals(showmount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.9.7/policy/modules/system/netlabel.te
+--- nsaserefpolicy/policy/modules/system/netlabel.te 2010-10-12 20:42:50.000000000 +0000
++++ serefpolicy-3.9.7/policy/modules/system/netlabel.te 2011-04-27 14:04:16.761000004 +0000
+@@ -8,6 +8,7 @@
+ type netlabel_mgmt_t;
+ type netlabel_mgmt_exec_t;
+ application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
++init_system_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ role system_r types netlabel_mgmt_t;
+
+ ########################################
+@@ -25,4 +26,6 @@
+
+ seutil_use_newrole_fds(netlabel_mgmt_t)
+
++term_use_all_terms(netlabel_mgmt_t)
++
+ userdom_use_user_terminals(netlabel_mgmt_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.fc serefpolicy-3.9.7/policy/modules/system/raid.fc
--- nsaserefpolicy/policy/modules/system/raid.fc 2010-10-12 20:42:50.000000000 +0000
+++ serefpolicy-3.9.7/policy/modules/system/raid.fc 2011-02-25 17:40:40.923500672 +0000
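Review bot: netlabel_mgmt_t is now declared with both `application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)` (context line) and the new `init_system_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)`; as far as I recall both helpers declare the domain/entry-point pair, so one is normally enough — if the aim is to let init scripts run the tool, the duplication should be resolved or commented. `term_use_all_terms(netlabel_mgmt_t)` grants access to every tty and pty while the adjacent `userdom_use_user_terminals` already covers user terminals, so a comment naming the terminal class that motivated the wider rule (the console during boot, presumably) would help. Neither change is listed in the changelog.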
@@ -49454,7 +49602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.9.7/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2010-10-12 20:42:50.000000000 +0000
-+++ serefpolicy-3.9.7/policy/modules/system/udev.te 2011-04-11 08:34:05.273000002 +0000
++++ serefpolicy-3.9.7/policy/modules/system/udev.te 2011-04-26 09:58:05.420000003 +0000
@@ -37,6 +37,8 @@
#
@@ -49529,7 +49677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
')
optional_policy(`
-@@ -233,6 +248,10 @@
+@@ -233,6 +248,14 @@
')
optional_policy(`
@@ -49537,10 +49685,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
+')
+
+optional_policy(`
++ gpsd_domtrans(udev_t)
++')
++
++optional_policy(`
lvm_domtrans(udev_t)
')
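Review bot: `gpsd_domtrans(udev_t)` adds a new domain transition from udev to gpsd that the commit message and changelog do not record. udev rules starting gpsd on device hotplug are a plausible reason, but the policy should say so: `# udev rules start gpsd on device hotplug` above the call, plus a changelog bullet. The udev_t policy continues outside the hunk.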
-@@ -259,6 +278,10 @@
+@@ -259,6 +282,10 @@
')
optional_policy(`
@@ -49551,7 +49703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +296,11 @@
+@@ -273,6 +300,11 @@
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e600b26..f858eba 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 40%{?dist}
+Release: 41%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,16 @@ exit 0
%endif
%changelog
+* Tue May 10 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-41
+- Allow aisexec domtrans to corosync domain
+- Allow kadmind setsched
+- Allow mailman to read/write postfix master pipes
+- Remove remote_login_tmp_t and allow remote_login to create and manage user tmp files
+- Allow spamd to send mail
+- Allow sshd getcap
+- Add tgtd_var_run_t type
+- Allow vnstatd to read system state
+
* Tue Apr 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-40
- Add support for AEOLUS project
- Fixes for asterisk and setroubleshoot domains