[selinux-policy] Allow logrotate setuid and setgid since logrotate is supposed to do it Fixes for thumb policy by gri
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Oct 4 14:50:55 UTC 2011
commit f1bc73d0ef3c84dc88514c335cadb9d7ebd16673
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Oct 4 10:50:39 2011 -0400
Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen work together
Colord executes ls
/var/spool/cron is now labeled as user_cron_spool_t
execmem.patch | 379 +++++++++++++++++++++++++++++++++++++++++++++++++
modules-mls.conf | 14 --
modules-targeted.conf | 14 --
policy-F16.patch | 16 ++-
selinux-policy.spec | 26 +++-
thumb.patch | 2 +-
6 files changed, 417 insertions(+), 34 deletions(-)
---
diff --git a/execmem.patch b/execmem.patch
new file mode 100644
index 0000000..82343be
--- /dev/null
+++ b/execmem.patch
@@ -0,0 +1,379 @@
+diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
+index 8d3c1d8..a7b1b65 100644
+--- a/policy/modules/admin/rpm.te
++++ b/policy/modules/admin/rpm.te
+@@ -416,14 +416,6 @@ optional_policy(`
+ unconfined_domain_noaudit(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
+ unconfined_execmem_domtrans(rpm_script_t)
+-
+- optional_policy(`
+- java_domtrans_unconfined(rpm_script_t)
+- ')
+-
+- optional_policy(`
+- mono_domtrans(rpm_script_t)
+- ')
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
+index 6f3570a..70c661e 100644
+--- a/policy/modules/apps/execmem.fc
++++ b/policy/modules/apps/execmem.fc
+@@ -46,3 +46,48 @@ ifdef(`distro_gentoo',`
+ /opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++#
++# /opt
++#
++/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++#
++# /usr
++#
++/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/fastjar -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/frysk -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gappletviewer -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gij -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gjarsigner -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gkeytool -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/grmic -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/grmiregistry -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/jv-convert -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++ifdef(`distro_redhat',`
++/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0)
++')
++/usr/bin/mono.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
+index e23f640..a78bec0 100644
+--- a/policy/modules/apps/execmem.if
++++ b/policy/modules/apps/execmem.if
+@@ -129,4 +129,3 @@ interface(`execmem_execmod',`
+
+ allow $1 execmem_exec_t:file execmod;
+ ')
+-
+diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
+index a7d37e2..fd8450f 100644
+--- a/policy/modules/apps/execmem.te
++++ b/policy/modules/apps/execmem.te
+@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0)
+ #
+ # Declarations
+ #
++attribute execmem_type;
+
+-type execmem_exec_t alias unconfined_execmem_exec_t;
++type execmem_exec_t;
++typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t };
+ application_executable_file(execmem_exec_t)
+
++allow execmem_type self:process { execmem execstack };
++files_execmod_tmp(execmem_type)
++execmem_execmod(execmem_type)
++
++optional_policy(`
++ gnome_read_usr_config(execmem_type)
++')
++
++optional_policy(`
++ mozilla_execmod_user_home_files(execmem_type)
++')
++
++optional_policy(`
++ nsplugin_rw_shm(execmem_type)
++ nsplugin_rw_semaphores(execmem_type)
++')
+diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
+index d1b1280..f93103b 100644
+--- a/policy/modules/apps/mozilla.te
++++ b/policy/modules/apps/mozilla.te
+@@ -273,10 +273,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- java_domtrans(mozilla_t)
+-')
+-
+-optional_policy(`
+ lpd_domtrans_lpr(mozilla_t)
+ ')
+
+@@ -456,7 +452,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- java_exec(mozilla_plugin_t)
++ execmem_exec(mozilla_plugin_t)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
+index ccc15ab..9d0e298 100644
+--- a/policy/modules/apps/podsleuth.te
++++ b/policy/modules/apps/podsleuth.te
+@@ -85,5 +85,5 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mono_exec(podsleuth_t)
++ execmem_exec(podsleuth_t)
+ ')
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index bfabe3f..fbbce55 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -268,10 +268,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- java_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ lockdev_role(staff_r, staff_t)
+ ')
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 7cd6d4f..e120bbc 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -524,10 +524,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- java_role(sysadm_r, sysadm_t)
+- ')
+-
+- optional_policy(`
+ lockdev_role(sysadm_r, sysadm_t)
+ ')
+
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index fcc8949..6f1425f 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -337,10 +337,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- java_run_unconfined(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+ kerberos_filetrans_named_content(unconfined_t)
+ ')
+
+@@ -361,13 +357,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mono_role_template(unconfined, unconfined_r, unconfined_t)
+- unconfined_domain_noaudit(unconfined_mono_t)
+- role system_r types unconfined_mono_t;
+-')
+-
+-
+-optional_policy(`
+ mozilla_role_plugin(unconfined_r)
+
+ tunable_policy(`unconfined_mozilla_plugin_transition', `
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index e5a8559..68013b7 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -148,10 +148,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- java_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ lockdev_role(user_r, user_t)
+ ')
+
+diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
+index 1cd57fd..a1db79d 100644
+--- a/policy/modules/roles/xguest.te
++++ b/policy/modules/roles/xguest.te
+@@ -107,14 +107,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- java_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+- mono_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+ mozilla_run_plugin(xguest_usertype, xguest_r)
+ ')
+
+diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
+index 1442451..add9ada 100644
+--- a/policy/modules/services/boinc.te
++++ b/policy/modules/services/boinc.te
+@@ -168,5 +168,5 @@ miscfiles_read_fonts(boinc_project_t)
+ miscfiles_read_localization(boinc_project_t)
+
+ optional_policy(`
+- java_exec(boinc_project_t)
++ execmem_exec(boinc_project_t)
+ ')
+diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
+index 86ea0ba..a2c41fd 100644
+--- a/policy/modules/services/cron.te
++++ b/policy/modules/services/cron.te
+@@ -299,10 +299,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mono_domtrans(crond_t)
+-')
+-
+-optional_policy(`
+ amanda_search_var_lib(crond_t)
+ ')
+
+@@ -553,10 +549,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mono_domtrans(system_cronjob_t)
+-')
+-
+-optional_policy(`
+ mrtg_append_create_logs(system_cronjob_t)
+ ')
+
+@@ -709,11 +701,6 @@ tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+
+-# need a per-role version of this:
+-#optional_policy(`
+-# mono_domtrans(cronjob_t)
+-#')
+-
+ optional_policy(`
+ nis_use_ypbind(cronjob_t)
+ ')
+diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
+index 1e40c00..ae34382 100644
+--- a/policy/modules/services/hadoop.if
++++ b/policy/modules/services/hadoop.if
+@@ -127,7 +127,7 @@ template(`hadoop_domain_template',`
+
+ hadoop_exec_config(hadoop_$1_t)
+
+- java_exec(hadoop_$1_t)
++ execmem_exec(hadoop_$1_t)
+
+ kerberos_use(hadoop_$1_t)
+
+diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
+index 3889dc9..32dc803 100644
+--- a/policy/modules/services/hadoop.te
++++ b/policy/modules/services/hadoop.te
+@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t)
+
+ userdom_use_inherited_user_terminals(hadoop_t)
+
+-java_exec(hadoop_t)
++execmem_exec(hadoop_t)
+
+ kerberos_use(hadoop_t)
+
+@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t)
+ userdom_use_inherited_user_terminals(zookeeper_t)
+ userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+
+-java_exec(zookeeper_t)
++execmem_exec(zookeeper_t)
+
+ ########################################
+ #
+@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_server_t)
+
+ sysnet_read_config(zookeeper_server_t)
+
+-java_exec(zookeeper_server_t)
++execmem_exec(zookeeper_server_t)
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 60e0e2d..d14f2d6 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -1247,10 +1247,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mono_rw_shm(xserver_t)
+-')
+-
+-optional_policy(`
+ rhgb_rw_shm(xserver_t)
+ rhgb_rw_tmpfs_files(xserver_t)
+ ')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 53f3bfe..20dd3a0 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1190,10 +1190,6 @@ optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+ ')
+
+- optional_policy(`
+- mono_domtrans(initrc_t)
+- ')
+-
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e7a65ae..a001ce9 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', `
+ ')
+
+ optional_policy(`
+- java_role_template($1, $1_r, $1_t)
+- ')
+-
+- optional_policy(`
+- mono_role_template($1, $1_r, $1_t)
+- ')
+-
+- optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
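Review bot: In the execmem.te part of this new file, `allow execmem_type self:process { execmem execstack };`, `files_execmod_tmp(execmem_type)` and `execmem_execmod(execmem_type)` grant execmem, execstack and execmod to every member of the new `execmem_type` attribute, yet no `typeattribute` line in this patch adds a member, so the attribute is either populated outside this commit or currently unused; I would document that at the declaration, e.g. `# execmem_type: domains for JIT/bytecode runtimes (former java and mono users); members get execmem, execstack and execmod - add members with typeattribute`. The `typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t }` appears to exist so that files still labeled with the removed java/mono types stay valid; a one-line comment saying so would save the next reader a search. In execmem.fc, `/usr/(.*/)?bin/java.*` and `/opt/(.*/)?bin/java[^/]*` label anything under any `bin/` directory whose name starts with `java` as execmem_exec_t, noticeably wider than the other entries; a comment justifying the breadth, or tightening to the known JVM locations, would help.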
diff --git a/modules-mls.conf b/modules-mls.conf
index 9706ffb..28ac668 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -733,13 +733,6 @@ i18n_input = off
#
jabber = module
-# Layer: apps
-# Module: java
-#
-# java executable
-#
-java = module
-
# Layer: admin
# Module: kdump
#
@@ -925,13 +918,6 @@ modutils = module
#
mojomojo = module
-# Layer: apps
-# Module: mono
-#
-# mono executable
-#
-mono = module
-
# Layer: system
# Module: mount
#
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 35bbfa6..6930073 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -844,13 +844,6 @@ i18n_input = off
jabber = module
# Layer: apps
-# Module: java
-#
-# java executable
-#
-java = module
-
-# Layer: apps
# Module: execmem
#
# execmem executable
@@ -1071,13 +1064,6 @@ mojomojo = module
#
modutils = module
-# Layer: apps
-# Module: mono
-#
-# mono executable
-#
-mono = module
-
# Layer: system
# Module: mount
#
diff --git a/policy-F16.patch b/policy-F16.patch
index 922b4d2..29e1ca4 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -66791,7 +66791,7 @@ index 808ba93..ed84884 100644
########################################
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..c76046b 100644
+index e5836d3..eae9427 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -66834,7 +66834,17 @@ index e5836d3..c76046b 100644
ifdef(`hide_broken_symptoms',`
ifdef(`distro_gentoo',`
# leaked fds from portage
-@@ -131,6 +139,10 @@ optional_policy(`
+@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ ')
+
++ dev_dontaudit_rw_lvm_control(ldconfig_t)
++ term_dontaudit_use_unallocated_ttys(ldconfig_t)
++
+ optional_policy(`
+ unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+ ')
+@@ -131,6 +142,10 @@ optional_policy(`
')
optional_policy(`
@@ -66845,7 +66855,7 @@ index e5836d3..c76046b 100644
puppet_rw_tmp(ldconfig_t)
')
-@@ -141,6 +153,3 @@ optional_policy(`
+@@ -141,6 +156,3 @@ optional_policy(`
rpm_manage_script_tmp_files(ldconfig_t)
')
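Review bot: The two new `dontaudit` rules for `ldconfig_t` (`dev_dontaudit_rw_lvm_control` and `term_dontaudit_use_unallocated_ttys`) silence denials without a comment saying why, and dontaudit rules are the ones that later hide real misbehaviour from the audit log. The spec changelog in this commit says the aim is to stop complaints about leaked file descriptors during install, so I would record that next to the rules: `# leaked fds from the install environment: dontaudit, never allow`. From the hunk header this lands inside the `hide_broken_symptoms` block; if so, that scoping is worth stating in the same comment. The enclosing policy file continues outside the hunk.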
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b772eb9..e2bc246 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 34.6%{?dist}
+Release: 36%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -214,7 +214,7 @@ fi;
if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \
if [ %1 -ne 1 ]; then \
- /usr/sbin/semodule -n -s %2 -r moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+ /usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
fi \
/usr/sbin/semodule -B -s %2; \
else \
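Review bot: `semodule -r java mono` only runs on the path where `/etc/selinux/%2/.rebuild` exists and `%1 -ne 1`, and its stderr is discarded, so a module store where java or mono is still loaded proceeds silently to `semodule -B`; since the new execmem.te declares `typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t }`, that rebuild would presumably fail on the duplicate type names. Consider removing those two modules before the rebuild on every upgrade path, or at least keeping the `-r` diagnostics instead of `2>/dev/null`, and add a comment stating why java and mono are in this list (they were merged into execmem).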
@@ -240,6 +240,7 @@ Based off of reference policy: Checked out revision 2.20091117
%patch -p1
%patch1 -p1
%patch2 -p1
+%patch3 -p1
%install
mkdir selinux_config
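Review bot: `%patch3 -p1` is added to %prep, but no `Patch3:` declaration is added anywhere in this diff, and the four spec hunks shown account for all 24 insertions the diffstat reports for selinux-policy.spec, so unless `Patch3` was already declared in an earlier commit the build fails at %prep with an undefined macro. If it is already declared, a `Patch3: execmem.patch` tag near the other `Patch` tags is what a reader would expect to see alongside the new execmem.patch this commit adds.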
@@ -471,6 +472,27 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Oct 3 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-36
+- Allow logrotate setuid and setgid since logrotate is supposed to do it
+- Fixes for thumb policy by grift
+- Add new nfsd ports
+- Added fix to allow confined apps to execmod on chrome
+- Add labeling for additional vdsm directories
+- Allow Exim and Dovecot SASL
+- Add label for /var/run/nmbd
+- Add fixes to make virsh and xen working together
+- Colord executes ls
+- /var/spool/cron is now labeled as user_cron_spool_t
+
+* Mon Oct 3 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-35
+- Stop complaining about leaked file descriptors during install
+
+* Fri Sep 29 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.7
+- Remove java and mono module and merge into execmem
+
+* Fri Sep 29 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.6
+- Fixes for thumb policy and passwd_file_t
+
* Fri Sep 29 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-34.4
- Fixes caused by the labeling of /etc/passwd
- Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
diff --git a/thumb.patch b/thumb.patch
index df9d9da..97ff409 100644
--- a/thumb.patch
+++ b/thumb.patch
@@ -6,7 +6,7 @@ index 1105ff5..620e17b 100644
rtkit_scheduled(unconfined_usertype)
')
-+ # Might remove later if this proves to be problematic, but would like to gather AVC's
++ # Might remove later if this proves to be problematic, but would like to gather AVCs
+ optional_policy(`
+ thumb_role(unconfined_r, unconfined_usertype)
+ ')