[selinux-policy] Allow nmbd to manage sock file in /var/run/nmbd ricci_modservice send syslog msgs Stop transitioning

Daniel J Walsh dwalsh at fedoraproject.org
Wed Oct 5 21:14:08 UTC 2011


commit 859ba0c85a0c570f8a70c9cf73d6e3965ab8dfc4
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Oct 5 17:14:02 2011 -0400

    Allow nmbd to manage sock file in /var/run/nmbd
    ricci_modservice send syslog msgs
    Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
    Allow systemd_logind_t to manage /run/USER/dconf/user

 booleans-targeted.conf |    8 ++-
 passwd.patch           |   91 ++++++++++++++++++++++-----------
 policy-F16.patch       |  130 ++++++++++++++++++++++++------------------------
 selinux-policy.spec    |   19 +++++++-
 thumb.patch            |   15 ------
 5 files changed, 149 insertions(+), 114 deletions(-)
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 7457a4a..d564050 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,6 +1,6 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = true
+allow_execmem = false
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
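Review bot: The default for allow_execmem flips from true to false here, and allow_execstack does the same in the next hunk (the `-allow_execstack = true` / `+allow_execstack = false` lines), which is a behaviour change for any application that relies on executable anonymous memory or an executable stack, yet neither is mentioned in the %changelog entry added later in this commit, which lists only the four items of the commit message. The same applies to the removal of the gnomeclock systemctl domain in the policy-F16.patch hunks. Suggest adding changelog lines such as `- Turn off allow_execmem and allow_execstack by default` and `- Remove gnomeclock_systemctl_t domain` so the upgrade impact is discoverable from the package history.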
@@ -8,7 +8,7 @@ allow_execmod = true
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false
 
 # Allow ftpd to read cifs directories.
 # 
@@ -210,6 +210,10 @@ allow_daemons_use_tty = false
 # 
 allow_polyinstantiation = false
 
+# Allow confined domains to ptrace them selves
+# 
+allow_ptrace = true
+
 # Allow all domains to dump core
 # 
 allow_daemons_dump_core = true
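Review bot: The description added for the new boolean reads `# Allow confined domains to ptrace them selves`; it should be `# Allow confined domains to ptrace themselves`, since the text is what users see in booleans listings. The 3.10.0-36.2 changelog entry in this commit says "Make allow_ptrace remove all ptrace", so if the tunable now gates all ptrace access rather than only self-ptrace, this description understates what the `true` default permits; that is inferred from the changelog only and is worth checking against ptrace.patch, which the spec declares but leaves unapplied.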
diff --git a/passwd.patch b/passwd.patch
index 8e496c6..7674222 100644
--- a/passwd.patch
+++ b/passwd.patch
@@ -12,10 +12,18 @@ index ef8bc09..ea06507 100644
  
  miscfiles_read_localization(mcelog_t)
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 4779a8d..c2ee43e 100644
+index 4779a8d..b8eac3e 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -96,11 +96,12 @@ corecmd_check_exec_shell(chfn_t)
+@@ -89,6 +89,7 @@ fs_search_auto_mountpoints(chfn_t)
+ dev_read_urand(chfn_t)
+ dev_dontaudit_getattr_all(chfn_t)
+ 
++auth_manage_passwd(chfn_t)
+ auth_use_pam(chfn_t)
+ 
+ # allow checking if a shell is executable
+@@ -96,7 +97,6 @@ corecmd_check_exec_shell(chfn_t)
  
  domain_use_interactive_fds(chfn_t)
  
@@ -23,13 +31,37 @@ index 4779a8d..c2ee43e 100644
  files_read_etc_runtime_files(chfn_t)
  files_dontaudit_search_var(chfn_t)
  files_dontaudit_search_home(chfn_t)
+@@ -205,8 +205,8 @@ init_dontaudit_write_utmp(groupadd_t)
+ 
+ domain_use_interactive_fds(groupadd_t)
+ 
+-files_manage_etc_files(groupadd_t)
+ files_relabel_etc_files(groupadd_t)
++files_read_etc_files(groupadd_t)
+ files_read_etc_runtime_files(groupadd_t)
+ files_read_usr_symlinks(groupadd_t)
+ 
+@@ -221,9 +221,10 @@ miscfiles_read_localization(groupadd_t)
+ auth_domtrans_chk_passwd(groupadd_t)
+ auth_rw_lastlog(groupadd_t)
+ auth_use_nsswitch(groupadd_t)
++auth_manage_passwd(groupadd_t)
++auth_manage_shadow(groupadd_t)
+ # these may be unnecessary due to the above
+ # domtrans_chk_passwd() call.
+-auth_manage_shadow(groupadd_t)
+ auth_relabel_shadow(groupadd_t)
+ auth_etc_filetrans_shadow(groupadd_t)
  
-+auth_manage_passwd(chfn_t)
-+
- # /usr/bin/passwd asks for w access to utmp, but it will operate
- # correctly without it.  Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(chfn_t)
-@@ -310,13 +311,14 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
+@@ -296,6 +297,7 @@ selinux_compute_user_contexts(passwd_t)
+ 
+ term_use_all_inherited_terms(passwd_t)
+ 
++auth_manage_passwd(passwd_t)
+ auth_manage_shadow(passwd_t)
+ auth_relabel_shadow(passwd_t)
+ auth_etc_filetrans_shadow(passwd_t)
+@@ -310,7 +312,6 @@ corenet_tcp_connect_kerberos_password_port(passwd_t)
  domain_use_interactive_fds(passwd_t)
  
  files_read_etc_runtime_files(passwd_t)
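Review bot: The new side moves `auth_manage_shadow(groupadd_t)` from below the comment `# these may be unnecessary due to the above domtrans_chk_passwd() call.` to above it, so that comment now covers only auth_relabel_shadow and auth_etc_filetrans_shadow while the moved rule sits between auth_use_nsswitch and the comment. Since the hunk does not change what groupadd_t may do with shadow_t, inserting only `auth_manage_passwd(groupadd_t)` and leaving the existing line in place would keep the diff minimal and the comment accurate. Replacing files_manage_etc_files(groupadd_t) with files_read_etc_files(groupadd_t) is the substantive least-privilege change here and would be worth a one-line changelog mention.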
@@ -37,15 +69,15 @@ index 4779a8d..c2ee43e 100644
  files_search_var(passwd_t)
  files_dontaudit_search_pids(passwd_t)
  files_relabel_etc_files(passwd_t)
+@@ -390,6 +391,7 @@ fs_search_auto_mountpoints(sysadm_passwd_t)
  
- term_search_ptys(passwd_t)
+ term_use_all_inherited_terms(sysadm_passwd_t)
  
-+auth_manage_passwd(passwd_t)
-+
- # /usr/bin/passwd asks for w access to utmp, but it will operate
- # correctly without it.  Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(passwd_t)
-@@ -402,12 +404,13 @@ files_read_usr_files(sysadm_passwd_t)
++auth_manage_passwd(sysadm_passwd_t)
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
+ auth_etc_filetrans_shadow(sysadm_passwd_t)
+@@ -402,7 +404,6 @@ files_read_usr_files(sysadm_passwd_t)
  
  domain_use_interactive_fds(sysadm_passwd_t)
  
@@ -53,14 +85,7 @@ index 4779a8d..c2ee43e 100644
  files_relabel_etc_files(sysadm_passwd_t)
  files_read_etc_runtime_files(sysadm_passwd_t)
  # for nscd lookups
- files_dontaudit_search_pids(sysadm_passwd_t)
- 
-+auth_manage_passwd(sysadm_passwd_t)
-+
- # /usr/bin/passwd asks for w access to utmp, but it will operate
- # correctly without it.  Do not audit write denials to utmp.
- init_dontaudit_rw_utmp(sysadm_passwd_t)
-@@ -461,7 +464,6 @@ domain_use_interactive_fds(useradd_t)
+@@ -461,7 +462,6 @@ domain_use_interactive_fds(useradd_t)
  domain_read_all_domains_state(useradd_t)
  domain_dontaudit_read_all_domains_state(useradd_t)
  
@@ -68,7 +93,7 @@ index 4779a8d..c2ee43e 100644
  files_search_var_lib(useradd_t)
  files_relabel_etc_files(useradd_t)
  files_read_etc_runtime_files(useradd_t)
-@@ -488,6 +490,7 @@ auth_rw_faillog(useradd_t)
+@@ -488,6 +488,7 @@ auth_rw_faillog(useradd_t)
  auth_use_nsswitch(useradd_t)
  # these may be unnecessary due to the above
  # domtrans_chk_passwd() call.
@@ -152,10 +177,10 @@ index 4f9a575..5fc3a55 100644
  miscfiles_read_fonts(plymouthd_t)
  miscfiles_manage_fonts_cache(plymouthd_t)
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 290f8c4..cd2909f 100644
+index 52df08a..7790f7e 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -881,6 +881,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
+@@ -882,6 +882,7 @@ fs_getattr_xattr_fs(svirt_lxc_domain)
  fs_list_inotifyfs(svirt_lxc_domain)
  fs_dontaudit_getattr_xattr_fs(svirt_lxc_domain)
  
@@ -164,19 +189,20 @@ index 290f8c4..cd2909f 100644
  auth_dontaudit_write_login_records(svirt_lxc_domain)
  auth_search_pam_console_data(svirt_lxc_domain)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 59742f4..51ca568 100644
+index 59742f4..904e39c 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -7,6 +7,7 @@
+@@ -7,6 +7,8 @@
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/passwd\.adjunct.*	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
-+/etc/passwd.*		--	gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/group-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
  
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f05a80f..c317b16 100644
+index f05a80f..4372e5d 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -558,7 +558,6 @@ interface(`auth_domtrans_upd_passwd',`
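Review bot: The tightened pattern `/etc/passwd-?` labels only /etc/passwd and its `-` backup, and the filetrans rules added in the later authlogin.if hunk (the `files_etc_filetrans($1, passwd_file_t, file, "passwd-")` / `"group"` / `"group-"` lines) cover the same four names. shadow-utils, as far as I recall, writes a temporary `/etc/passwd+` or `/etc/group+` and renames it over the live file; if that is the write path used by the domains given auth_manage_passwd, the temporary file is created with the default etc_t label and the rename carries etc_t onto /etc/passwd, defeating the passwd_file_t labeling this commit introduces. If so, the fc entries should read `/etc/passwd[-+]?` and `/etc/group[-+]?` with matching `files_etc_filetrans($1, passwd_file_t, file, "passwd+")` and `"group+"` entries in the interface. The interface body in that later hunk begins outside the hunk.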
@@ -216,7 +242,7 @@ index f05a80f..c317b16 100644
  ')
  
  ########################################
-@@ -1810,19 +1817,115 @@ interface(`auth_unconfined',`
+@@ -1810,19 +1817,118 @@ interface(`auth_unconfined',`
  interface(`authlogin_filetrans_named_content',`
  	gen_require(`
  		type shadow_t;
@@ -333,6 +359,9 @@ index f05a80f..c317b16 100644
 +	files_rw_etc_dirs($1)
 +	allow $1 passwd_file_t:file manage_file_perms;
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd")
++	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++	files_etc_filetrans($1, passwd_file_t, file, "group")
++	files_etc_filetrans($1, passwd_file_t, file, "group-")
 +')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
 index a53db2b..16e2e63 100644
diff --git a/policy-F16.patch b/policy-F16.patch
index 9591fd2..848fc92 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -11166,10 +11166,10 @@ index 0000000..b78aa77
 +
 diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
 new file mode 100644
-index 0000000..73e7983
+index 0000000..fc5b449
 --- /dev/null
 +++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,123 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -11258,10 +11258,6 @@ index 0000000..73e7983
 +
 +userdom_use_inherited_user_ptys(thumb_t)
 +
-+optional_policy(`
-+	dbus_dontaudit_session_bus_connect(thumb_t)
-+')
-+
 +# optional_policy(`
 +#	gnome_read_gconf_home_files(thumb_t)
 +#	gnome_read_gstreamer_home_content(thumb_t)
@@ -13644,7 +13640,7 @@ index 6cf8784..935a96c 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..7139ab3 100644
+index f820f3b..60394ec 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -14044,11 +14040,13 @@ index f820f3b..7139ab3 100644
  ##	</summary>
  ## </param>
  #
-@@ -2932,7 +3168,7 @@ interface(`dev_dontaudit_write_mtrr',`
+@@ -2931,8 +3167,8 @@ interface(`dev_dontaudit_write_mtrr',`
+ 		type mtrr_device_t;
  	')
  
- 	dontaudit $1 mtrr_device_t:file write;
+-	dontaudit $1 mtrr_device_t:file write;
 -	dontaudit $1 mtrr_device_t:chr_file write;
++	dontaudit $1 mtrr_device_t:file write_file_perms;
 +	dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
  ')
  
@@ -21423,7 +21421,7 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..fcc8949
+index 0000000..e1113e0
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,503 @@
@@ -21530,7 +21528,7 @@ index 0000000..fcc8949
 +init_domtrans_script(unconfined_t)
 +init_telinit(unconfined_t)
 +
-+libs_run_ldconfig(unconfined_t, unconfined_r)
++lib_filetrans_named_content(unconfined_t)
 +
 +logging_send_syslog_msg(unconfined_t)
 +logging_run_auditctl(unconfined_t, unconfined_r)
@@ -37459,18 +37457,10 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..ab59945 100644
+index 4fde46b..86ba356 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -9,24 +9,31 @@ type gnomeclock_t;
- type gnomeclock_exec_t;
- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
- 
-+systemd_systemctl_domain(gnomeclock)
-+
- ########################################
- #
- # gnomeclock local policy
+@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
  #
  
  allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -37497,7 +37487,7 @@ index 4fde46b..ab59945 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +42,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -37531,25 +37521,6 @@ index 4fde46b..ab59945 100644
  	policykit_dbus_chat(gnomeclock_t)
  	policykit_domtrans_auth(gnomeclock_t)
  	policykit_read_lib(gnomeclock_t)
- 	policykit_read_reload(gnomeclock_t)
- ')
-+
-+#######################################
-+#
-+# gnomeclock systemctl local policy 
-+#
-+
-+files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)
-+files_manage_etc_symlinks(gnomeclock_systemctl_t)
-+
-+miscfiles_read_localization(gnomeclock_systemctl_t)
-+
-+systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
-+
-+optional_policy(`
-+	ntp_read_unit_file(gnomeclock_systemctl_t)
-+	ntp_read_state(gnomeclock_systemctl_t)
-+')
 diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
 index 7d97298..d6b2959 100644
 --- a/policy/modules/services/gpm.if
@@ -52467,7 +52438,7 @@ index f7826f9..679d185 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..28d2775 100644
+index 33e72e8..7582159 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
 @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -52615,7 +52586,7 @@ index 33e72e8..28d2775 100644
  miscfiles_read_localization(ricci_modrpm_t)
  
  optional_policy(`
-@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t)
+@@ -394,10 +416,10 @@ files_search_usr(ricci_modservice_t)
  # Needed for running chkconfig
  files_manage_etc_symlinks(ricci_modservice_t)
  
@@ -52623,8 +52594,12 @@ index 33e72e8..28d2775 100644
 -
  init_domtrans_script(ricci_modservice_t)
  
++logging_send_syslog_msg(ricci_modservice_t)
++
  miscfiles_read_localization(ricci_modservice_t)
-@@ -405,6 +425,10 @@ optional_policy(`
+ 
+ optional_policy(`
+@@ -405,6 +427,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52635,7 +52610,7 @@ index 33e72e8..28d2775 100644
  	nscd_dontaudit_search_pid(ricci_modservice_t)
  ')
  
-@@ -444,22 +468,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,22 +470,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -52665,7 +52640,7 @@ index 33e72e8..28d2775 100644
  optional_policy(`
  	aisexec_stream_connect(ricci_modstorage_t)
  	corosync_stream_connect(ricci_modstorage_t)
-@@ -471,12 +495,24 @@ optional_policy(`
+@@ -471,12 +497,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53831,7 +53806,7 @@ index 82cb169..87d1eec 100644
 +	samba_systemctl($1)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..fed972d 100644
+index e30bb63..49941ec 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -53983,18 +53958,19 @@ index e30bb63..fed972d 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +487,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +487,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
 +manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
 -files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
-+files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file })
++manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
++files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +564,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +565,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
  
  allow smbcontrol_t nmbd_t:process { signal signull };
@@ -54012,7 +53988,7 @@ index e30bb63..fed972d 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -574,11 +578,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +579,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -54033,7 +54009,7 @@ index e30bb63..fed972d 100644
  
  ########################################
  #
-@@ -644,19 +656,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +657,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -54058,7 +54034,7 @@ index e30bb63..fed972d 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +691,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +692,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -54067,7 +54043,7 @@ index e30bb63..fed972d 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +706,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +707,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -54082,7 +54058,7 @@ index e30bb63..fed972d 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +726,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +727,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -54090,7 +54066,7 @@ index e30bb63..fed972d 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +771,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +772,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -54099,7 +54075,7 @@ index e30bb63..fed972d 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,15 +825,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +826,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -54121,7 +54097,7 @@ index e30bb63..fed972d 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +853,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +854,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -54129,7 +54105,7 @@ index e30bb63..fed972d 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -863,6 +884,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +885,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
  userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
@@ -54142,7 +54118,7 @@ index e30bb63..fed972d 100644
  optional_policy(`
  	kerberos_use(winbind_t)
  ')
-@@ -904,7 +931,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +932,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -54151,7 +54127,7 @@ index e30bb63..fed972d 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +949,18 @@ optional_policy(`
+@@ -922,6 +950,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -54170,7 +54146,7 @@ index e30bb63..fed972d 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +971,12 @@ optional_policy(`
+@@ -932,9 +972,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -67047,7 +67023,7 @@ index 560dc48..6673319 100644
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..ed84884 100644
+index 808ba93..8f5a243 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
 @@ -207,6 +207,23 @@ interface(`libs_search_lib',`
@@ -67130,6 +67106,29 @@ index 808ba93..ed84884 100644
  ')
  
  ########################################
+@@ -534,3 +533,22 @@ interface(`lib_filetrans_shared_lib',`
+ interface(`files_lib_filetrans_shared_lib',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
++
++########################################
++## <summary>
++##	Transition to lib named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`lib_filetrans_named_content',`
++	gen_require(`
++		type ld_so_cache_t;
++	')
++
++	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
++	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
++')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
 index e5836d3..eae9427 100644
 --- a/policy/modules/system/libraries.te
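Review bot: The new `lib_filetrans_named_content` interface only adds the two type transitions; unlike the authlogin interface earlier in this commit, which bundles `files_rw_etc_dirs($1)` and `allow $1 passwd_file_t:file manage_file_perms;` with its filetrans rules, a caller other than unconfined_t would get the transition but no permission to create the file, and nothing in the summary says so. Suggest replacing the summary text `Transition to lib named content` with `Create /etc/ld.so.cache and /etc/ld.so.preload as ld_so_cache_t; the caller must separately be allowed to create files in /etc`. The `<summary>` line for the domain parameter is indented with spaces (`##      Domain allowed access.`) while the surrounding doc lines use tabs, so it would be worth aligning with the rest of the file.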
@@ -71332,10 +71331,10 @@ index 0000000..46a3ec0
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..ff4814a
+index 0000000..3790267
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,369 @@
+@@ -0,0 +1,370 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -71471,6 +71470,7 @@ index 0000000..ff4814a
 +optional_policy(`
 +	# we label /run/user/$USER/dconf as config_home_t
 +	gnome_manage_home_config_dirs(systemd_logind_t)
++	gnome_manage_home_config(systemd_logind_t)
 +')
 +
 +optional_policy(`
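Review bot: `gnome_manage_home_config(systemd_logind_t)` is added next to a comment that explains only the directory rule (`# we label /run/user/$USER/dconf as config_home_t`), while the commit message names /run/USER/dconf/user as the target. If config_home_t also labels ~/.config content in users' home directories, which the type name suggests but this hunk does not show, logind now has write access to every user's configuration files, which is broader than the stated need; worth confirming whether a rule scoped to the /run/user dconf content would serve. At minimum extend the comment, e.g. `# logind also writes /run/user/$USER/dconf/user, hence the file-level manage rule`, so the reason for the file-level access is recorded alongside the directory one.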
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7da84f2..47a95ab 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 36.1%{?dist}
+Release: 37%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -25,6 +25,10 @@ patch: policy-F16.patch
 patch1: unconfined_permissive.patch
 patch2: passwd.patch
 patch3: thumb.patch
+patch4: execmem.patch
+patch5: userdomain.patch
+patch6: apache.patch
+patch7: ptrace.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -241,6 +245,10 @@ Based off of reference policy: Checked out revision  2.20091117
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1 -b .execmem
+%patch5 -p1 -b .userdomain
+%patch6 -p1 -b .apache
+#%patch7 -p1 -b .ptrace
 
 %install
 mkdir selinux_config
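Review bot: The line `#%patch7 -p1 -b .ptrace` is not an inert comment: rpm expands macros inside comments, and %patch expands to a multi-line shell snippet of which only the first line ends up behind the `#`, so depending on the rpm version ptrace.patch may still be applied despite the apparent opt-out (this is what rpmlint's macro-in-comment warning exists for). If the patch is meant to stay unapplied, write `#%%patch7 -p1 -b .ptrace` or drop the line and the `patch7:` declaration together. Separately, the new %changelog entry dated `Tue Oct 3 2011` has the wrong weekday, since Oct 5 2011 is a Wednesday per the commit date; rpmbuild reports this as a bogus changelog date.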
@@ -472,6 +480,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Oct 5 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-37
+- Allow nmbd to manage sock file in /var/run/nmbd
+- ricci_modservice send syslog msgs
+- Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
+- Allow systemd_logind_t to manage /run/USER/dconf/user
+
+* Tue Oct 3 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-36.2
+- Make allow_ptrace remove all ptrace
+
 * Tue Oct 3 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-36.1
 - Fix missing patch from F16
 
diff --git a/thumb.patch b/thumb.patch
index 3f9217c..97ff409 100644
--- a/thumb.patch
+++ b/thumb.patch
@@ -14,18 +14,3 @@ index 1105ff5..620e17b 100644
  	optional_policy(`
  		setroubleshoot_dbus_chat(unconfined_usertype)
  		setroubleshoot_dbus_chat_fixit(unconfined_t)
-diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
-index 73e7983..fc5b449 100644
---- a/policy/modules/apps/thumb.te
-+++ b/policy/modules/apps/thumb.te
-@@ -86,10 +86,6 @@ userdom_write_user_tmp_files(thumb_t)
- 
- userdom_use_inherited_user_ptys(thumb_t)
- 
--optional_policy(`
--	dbus_dontaudit_session_bus_connect(thumb_t)
--')
--
- # optional_policy(`
- #	gnome_read_gconf_home_files(thumb_t)
- #	gnome_read_gstreamer_home_content(thumb_t)

