[selinux-policy] Allow logrotate setuid and setgid since logrotate is supposed to do it Fixes for thumb policy by gri

Daniel J Walsh dwalsh at fedoraproject.org
Tue Oct 4 14:50:55 UTC 2011


commit f1bc73d0ef3c84dc88514c335cadb9d7ebd16673
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Oct 4 10:50:39 2011 -0400

    Allow logrotate setuid and setgid since logrotate is supposed to do it
    Fixes for thumb policy by grift
    Add new nfsd ports
    Added fix to allow confined apps to execmod on chrome
    Add labeling for additional vdsm directories
    Allow Exim and Dovecot SASL
    Add label for /var/run/nmbd
    Add fixes to make virsh and xen work together
    Colord executes ls
    /var/spool/cron  is now labeled as user_cron_spool_t

 execmem.patch         |  379 +++++++++++++++++++++++++++++++++++++++++++++++++
 modules-mls.conf      |   14 --
 modules-targeted.conf |   14 --
 policy-F16.patch      |   16 ++-
 selinux-policy.spec   |   26 +++-
 thumb.patch           |    2 +-
 6 files changed, 417 insertions(+), 34 deletions(-)
---
diff --git a/execmem.patch b/execmem.patch
new file mode 100644
index 0000000..82343be
--- /dev/null
+++ b/execmem.patch
@@ -0,0 +1,379 @@
+diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
+index 8d3c1d8..a7b1b65 100644
+--- a/policy/modules/admin/rpm.te
++++ b/policy/modules/admin/rpm.te
+@@ -416,14 +416,6 @@ optional_policy(`
+ 	unconfined_domain_noaudit(rpm_script_t)
+ 	unconfined_domtrans(rpm_script_t)
+ 	unconfined_execmem_domtrans(rpm_script_t)
+-
+-	optional_policy(`
+-		java_domtrans_unconfined(rpm_script_t)
+-	')
+-
+-	optional_policy(`
+-		mono_domtrans(rpm_script_t)
+-	')
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
+index 6f3570a..70c661e 100644
+--- a/policy/modules/apps/execmem.fc
++++ b/policy/modules/apps/execmem.fc
+@@ -46,3 +46,48 @@ ifdef(`distro_gentoo',`
+ /opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++#
++# /opt
++#
++/opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/MATLAB.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:execmem_exec_t,s0)
++
++#
++# /usr
++#
++/usr/Aptana[^/]*/AptanaStudio	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/fastjar	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/frysk		--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gappletviewer	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gij		--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gjarsigner	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gkeytool	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/grmic		--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/grmiregistry	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/jv-convert	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/octave-[^/]*	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/lib(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera(/.*)?/opera --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera(/.*)?/works --	gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/ibm(/.*)?/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++
++ifdef(`distro_redhat',`
++/usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++')
++/usr/bin/mono.*	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
+index e23f640..a78bec0 100644
+--- a/policy/modules/apps/execmem.if
++++ b/policy/modules/apps/execmem.if
+@@ -129,4 +129,3 @@ interface(`execmem_execmod',`
+ 
+ 	allow $1 execmem_exec_t:file execmod;
+ ')
+-
+diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
+index a7d37e2..fd8450f 100644
+--- a/policy/modules/apps/execmem.te
++++ b/policy/modules/apps/execmem.te
+@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0)
+ #
+ # Declarations
+ #
++attribute execmem_type;
+ 
+-type execmem_exec_t alias unconfined_execmem_exec_t;
++type execmem_exec_t;
++typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t };
+ application_executable_file(execmem_exec_t)
+ 
++allow execmem_type self:process { execmem execstack };
++files_execmod_tmp(execmem_type)
++execmem_execmod(execmem_type)
++
++optional_policy(`
++	gnome_read_usr_config(execmem_type)
++')
++	
++optional_policy(`
++	mozilla_execmod_user_home_files(execmem_type)
++')
++
++optional_policy(`
++	nsplugin_rw_shm(execmem_type)
++	nsplugin_rw_semaphores(execmem_type)
++')
+diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
+index d1b1280..f93103b 100644
+--- a/policy/modules/apps/mozilla.te
++++ b/policy/modules/apps/mozilla.te
+@@ -273,10 +273,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_domtrans(mozilla_t)
+-')
+-
+-optional_policy(`
+ 	lpd_domtrans_lpr(mozilla_t)
+ ')
+ 
+@@ -456,7 +452,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_exec(mozilla_plugin_t)
++	execmem_exec(mozilla_plugin_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
+index ccc15ab..9d0e298 100644
+--- a/policy/modules/apps/podsleuth.te
++++ b/policy/modules/apps/podsleuth.te
+@@ -85,5 +85,5 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_exec(podsleuth_t)
++	execmem_exec(podsleuth_t)
+ ')
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index bfabe3f..fbbce55 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -268,10 +268,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(staff_r, staff_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(staff_r, staff_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 7cd6d4f..e120bbc 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -524,10 +524,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(sysadm_r, sysadm_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(sysadm_r, sysadm_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index fcc8949..6f1425f 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -337,10 +337,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_run_unconfined(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+ 	kerberos_filetrans_named_content(unconfined_t)
+ ')
+ 
+@@ -361,13 +357,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_role_template(unconfined, unconfined_r, unconfined_t)
+-	unconfined_domain_noaudit(unconfined_mono_t)
+-	role system_r types unconfined_mono_t;
+-')
+-
+-
+-optional_policy(`
+ 	mozilla_role_plugin(unconfined_r)
+ 
+ 	tunable_policy(`unconfined_mozilla_plugin_transition', `
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index e5a8559..68013b7 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -148,10 +148,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(user_r, user_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(user_r, user_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
+index 1cd57fd..a1db79d 100644
+--- a/policy/modules/roles/xguest.te
++++ b/policy/modules/roles/xguest.te
+@@ -107,14 +107,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+-	mono_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+ 	mozilla_run_plugin(xguest_usertype, xguest_r)
+ ')
+ 
+diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
+index 1442451..add9ada 100644
+--- a/policy/modules/services/boinc.te
++++ b/policy/modules/services/boinc.te
+@@ -168,5 +168,5 @@ miscfiles_read_fonts(boinc_project_t)
+ miscfiles_read_localization(boinc_project_t)
+ 
+ optional_policy(`
+-	java_exec(boinc_project_t)
++	execmem_exec(boinc_project_t)
+ ')
+diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
+index 86ea0ba..a2c41fd 100644
+--- a/policy/modules/services/cron.te
++++ b/policy/modules/services/cron.te
+@@ -299,10 +299,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_domtrans(crond_t)
+-')
+-
+-optional_policy(`
+ 	amanda_search_var_lib(crond_t)
+ ')
+ 
+@@ -553,10 +549,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_domtrans(system_cronjob_t)
+-')
+-
+-optional_policy(`
+ 	mrtg_append_create_logs(system_cronjob_t)
+ ')
+ 
+@@ -709,11 +701,6 @@ tunable_policy(`fcron_crond',`
+ 	allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+ 
+-# need a per-role version of this:
+-#optional_policy(`
+-#	mono_domtrans(cronjob_t)
+-#')
+-
+ optional_policy(`
+ 	nis_use_ypbind(cronjob_t)
+ ')
+diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
+index 1e40c00..ae34382 100644
+--- a/policy/modules/services/hadoop.if
++++ b/policy/modules/services/hadoop.if
+@@ -127,7 +127,7 @@ template(`hadoop_domain_template',`
+ 
+ 	hadoop_exec_config(hadoop_$1_t)
+ 
+-	java_exec(hadoop_$1_t)
++	execmem_exec(hadoop_$1_t)
+ 
+ 	kerberos_use(hadoop_$1_t)
+ 
+diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
+index 3889dc9..32dc803 100644
+--- a/policy/modules/services/hadoop.te
++++ b/policy/modules/services/hadoop.te
+@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t)
+ 
+ userdom_use_inherited_user_terminals(hadoop_t)
+ 
+-java_exec(hadoop_t)
++execmem_exec(hadoop_t)
+ 
+ kerberos_use(hadoop_t)
+ 
+@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t)
+ userdom_use_inherited_user_terminals(zookeeper_t)
+ userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+ 
+-java_exec(zookeeper_t)
++execmem_exec(zookeeper_t)
+ 
+ ########################################
+ #
+@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_server_t)
+ 
+ sysnet_read_config(zookeeper_server_t)
+ 
+-java_exec(zookeeper_server_t)
++execmem_exec(zookeeper_server_t)
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 60e0e2d..d14f2d6 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -1247,10 +1247,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_rw_shm(xserver_t)
+-')
+-
+-optional_policy(`
+ 	rhgb_rw_shm(xserver_t)
+ 	rhgb_rw_tmpfs_files(xserver_t)
+ ')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 53f3bfe..20dd3a0 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1190,10 +1190,6 @@ optional_policy(`
+ 		unconfined_dontaudit_rw_pipes(daemon)
+ 	')
+ 
+-	optional_policy(`
+-		mono_domtrans(initrc_t)
+-	')
+-
+ 	# Allow SELinux aware applications to request rpm_script_t execution
+ 	rpm_transition_script(initrc_t)
+ 	
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e7a65ae..a001ce9 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', `
+ 	')
+ 
+ 	optional_policy(`
+-		java_role_template($1, $1_r, $1_t)
+-	')
+-
+-	optional_policy(`
+-		mono_role_template($1, $1_r, $1_t)
+-	')
+-
+-	optional_policy(`
+ 		mount_run_fusermount($1_t, $1_r)
+ 		mount_read_pid_files($1_t)
+ 	')
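Review bot: In execmem.te the new `execmem_type` attribute receives `execmem`/`execstack` on self, (by its name) `execmod` on tmp files, and `execmod` on `execmem_exec_t` via `execmem_execmod` (whose body is visible in the execmem.if hunk), yet nothing in this patch assigns the attribute to any domain (no `typeattribute ... execmem_type`), so either those rules are inert here or the assignment lives outside this diff — a line such as `# execmem_type: domains allowed W^X-violating mappings; assigned by the execmem domain/role interfaces` above the declaration would make that dependency explicit. Because these are exactly the permissions the policy otherwise withholds, the breadth of the new file contexts matters: `/usr/(.*/)?bin/java.*` and `/opt/(.*/)?bin/java[^/]*` label any `java*` regular file under any bin directory, and `/opt/ibm(/.*)?/eclipse/plugins(/.*)?` with `--` labels every regular file under those plugin trees as `execmem_exec_t`, so consider anchoring the java patterns (e.g. `/usr/lib/jvm/java(.*/)bin/java[^/]*`) and limiting the eclipse entries to the launchers that actually need `execmod`. The `typealias` keeps existing `java_exec_t`/`mono_exec_t` labels valid, but the `java_domtrans`/`mono_domtrans` calls for mozilla_t, crond_t, system_cronjob_t and initrc_t are dropped with no replacement in this patch, so those domains presumably either now run the binaries in their own context or can no longer run them at all — the commit message should say which.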
diff --git a/modules-mls.conf b/modules-mls.conf
index 9706ffb..28ac668 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -733,13 +733,6 @@ i18n_input = off
 # 
 jabber = module
 
-# Layer: apps
-# Module: java
-#
-# java executable
-# 
-java = module
-
 # Layer: admin
 # Module: kdump
 #
@@ -925,13 +918,6 @@ modutils = module
 # 
 mojomojo = module
 
-# Layer: apps
-# Module: mono
-#
-# mono executable
-# 
-mono = module
-
 # Layer: system
 # Module: mount
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 35bbfa6..6930073 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -844,13 +844,6 @@ i18n_input = off
 jabber = module
 
 # Layer: apps
-# Module: java
-#
-# java executable
-# 
-java = module
-
-# Layer: apps
 # Module: execmem
 #
 # execmem executable
@@ -1071,13 +1064,6 @@ mojomojo = module
 # 
 modutils = module
 
-# Layer: apps
-# Module: mono
-#
-# mono executable
-# 
-mono = module
-
 # Layer: system
 # Module: mount
 #
diff --git a/policy-F16.patch b/policy-F16.patch
index 922b4d2..29e1ca4 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -66791,7 +66791,7 @@ index 808ba93..ed84884 100644
  
  ########################################
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..c76046b 100644
+index e5836d3..eae9427 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -66834,7 +66834,17 @@ index e5836d3..c76046b 100644
  ifdef(`hide_broken_symptoms',`
  	ifdef(`distro_gentoo',`
  		# leaked fds from portage
-@@ -131,6 +139,10 @@ optional_policy(`
+@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
+ 		')
+ 	')
+ 
++	dev_dontaudit_rw_lvm_control(ldconfig_t)
++	term_dontaudit_use_unallocated_ttys(ldconfig_t)
++
+ 	optional_policy(`
+ 		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+ 	')
+@@ -131,6 +142,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66845,7 +66855,7 @@ index e5836d3..c76046b 100644
  	puppet_rw_tmp(ldconfig_t)
  ')
  
-@@ -141,6 +153,3 @@ optional_policy(`
+@@ -141,6 +156,3 @@ optional_policy(`
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
  
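Review bot: The two dontaudit rules added for ldconfig_t (`dev_dontaudit_rw_lvm_control`, `term_dontaudit_use_unallocated_ttys`) carry no comment saying which caller leaks the lvm control fd and the unallocated tty into ldconfig, whereas the neighbouring gentoo rule does (`# leaked fds from portage`). Per the hunk header they sit inside the `hide_broken_symptoms` block, whose start and end are outside this hunk, and that block exists to silence symptoms of bugs that live elsewhere, so a one-line comment such as `# leaked fds from <leaking process> during package install; drop once fixed there` would record what is being hidden and when it can be removed. Note also that dontaudit only hides the denial and grants nothing, so anything that genuinely needs those descriptors will still fail, now silently.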
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b772eb9..e2bc246 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34.6%{?dist}
+Release: 36%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -214,7 +214,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
    if [ %1 -ne 1 ]; then \
-	/usr/sbin/semodule -n -s %2 -r moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+	/usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
    fi \
    /usr/sbin/semodule -B -s %2; \
 else \
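Review bot: The extended `semodule -n -s %2 -r java mono ...` call still discards stderr and ignores its exit status, so a failure to remove the obsolete java and mono modules is invisible, and if this semodule version aborts the whole command on the first module that is not installed (as older versions do) the java/mono removal may never be committed at all. That matters more than for the other names in the list, because the execmem module introduced in this commit declares `java_exec_t` and `mono_exec_t` as aliases of `execmem_exec_t`, which presumably conflicts with a still-loaded java or mono module at the following `semodule -B`. Consider removing these two in their own guarded call so the removal is attempted only when needed and its error output is kept, e.g. `for m in java mono; do /usr/sbin/semodule -l -s %2 | grep -q "^$m[[:space:]]" && /usr/sbin/semodule -n -s %2 -r $m; done; \`.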
@@ -240,6 +240,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %patch -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %install
 mkdir selinux_config
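Review bot: `%patch3 -p1` is added to `%prep`, but no `Patch3:` declaration appears anywhere in this diff; unless the spec already carries `Patch3: execmem.patch` (the file this commit creates), the build will fail at `%prep`. Worth confirming that line is present, and a comment such as `# Patch3 (execmem.patch) folds the java and mono modules into execmem; %post removes the old modules` next to it would tie the two halves of this change together for the next reader.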
@@ -471,6 +472,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Oct 3 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-36
+- Allow logrotate setuid and setgid since logrotate is supposed to do it
+- Fixes for thumb policy by grift
+- Add new nfsd ports
+- Added fix to allow confined apps to execmod on chrome
+- Add labeling for additional vdsm directories
+- Allow Exim and Dovecot SASL
+- Add label for /var/run/nmbd
+- Add fixes to make virsh and xen working together
+- Colord executes ls
+- /var/spool/cron  is now labeled as user_cron_spool_t
+
+* Mon Oct 3 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-35
+- Stop complaining about leaked file descriptors during install
+
+* Fri Sep 29 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.7
+- Remove java and mono module and merge into execmem
+
+* Fri Sep 29 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.6
+- Fixes for thumb policy and passwd_file_t
+
 * Fri Sep 29 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.4
 - Fixes caused by the labeling of /etc/passwd
 - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
diff --git a/thumb.patch b/thumb.patch
index df9d9da..97ff409 100644
--- a/thumb.patch
+++ b/thumb.patch
@@ -6,7 +6,7 @@ index 1105ff5..620e17b 100644
  		rtkit_scheduled(unconfined_usertype)
  	')
  
-+	# Might remove later if this proves to be problematic, but would like to gather AVC's
++	# Might remove later if this proves to be problematic, but would like to gather AVCs
 +	optional_policy(`
 +		thumb_role(unconfined_r, unconfined_usertype)
 +	')

