[selinux-policy/f16] +- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the dom +- Allow init proc
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 18 13:54:09 UTC 2011
commit ad94e395e380186620d7fb295f0cca776bf8d451
Author: Miroslav <mgrepl at redhat.com>
Date: Tue Oct 18 15:53:59 2011 +0200
+- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the dom
+- Allow init process to setrlimit on itself
+- Take away transition rules for users executing ssh-keygen
+- Allow setroubleshoot_fixit_t to read /dev/urand
+- Allow sshd to relbale tunnel sockets
+- Allow fail2ban domtrans to shorewall in the same way as with iptables
+- Add support for lnk files in the /var/lib/sssd directory
+- Allow system mail to connect to courier-authdaemon over an unix stream socket
policy-F16.patch | 314 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 12 ++-
2 files changed, 223 insertions(+), 103 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 57b4a25..a39cbd1 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -852,7 +852,7 @@ index 5e062bc..3cbfffb 100644
+ modutils_read_module_deps(ddcprobe_t)
+')
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..9b39fcd 100644
+index 72bc6d8..1f55eba 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -19,6 +19,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
@@ -863,7 +863,7 @@ index 72bc6d8..9b39fcd 100644
kernel_read_kernel_sysctls(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
-@@ -47,7 +48,13 @@ logging_write_generic_logs(dmesg_t)
+@@ -47,7 +48,11 @@ logging_write_generic_logs(dmesg_t)
miscfiles_read_localization(dmesg_t)
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
@@ -871,8 +871,6 @@ index 72bc6d8..9b39fcd 100644
+userdom_use_inherited_user_terminals(dmesg_t)
+
+optional_policy(`
-+ abrt_cache_append(dmesg_t)
-+ abrt_rw_fifo_file(dmesg_t)
+ abrt_manage_pid_files(dmesg_t)
+')
@@ -1232,7 +1230,7 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..db17bbe 100644
+index 7090dae..98f0a2e 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
@@ -1294,6 +1292,15 @@ index 7090dae..db17bbe 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
+@@ -138,7 +139,7 @@ ifdef(`distro_debian', `
+ ')
+
+ optional_policy(`
+- abrt_cache_manage(logrotate_t)
++ abrt_manage_cache(logrotate_t)
+ ')
+
+ optional_policy(`
@@ -154,6 +155,10 @@ optional_policy(`
')
@@ -3364,6 +3371,14 @@ index bc00875..2efc0d7 100644
dbus_system_bus_client(smoltclient_t)
')
+diff --git a/policy/modules/admin/sosreport.fc b/policy/modules/admin/sosreport.fc
+index a40478e..050f521 100644
+--- a/policy/modules/admin/sosreport.fc
++++ b/policy/modules/admin/sosreport.fc
+@@ -1 +1,3 @@
+ /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
++
++/.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
diff --git a/policy/modules/admin/sosreport.if b/policy/modules/admin/sosreport.if
index 94c01b5..f64bd93 100644
--- a/policy/modules/admin/sosreport.if
@@ -3378,11 +3393,21 @@ index 94c01b5..f64bd93 100644
########################################
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
-index fe1c377..557e37f 100644
+index fe1c377..bedbb9b 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
-@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
+@@ -74,13 +74,17 @@ files_read_all_symlinks(sosreport_t)
+ # for blkid.tab
+ files_manage_etc_runtime_files(sosreport_t)
+ files_etc_filetrans_etc_runtime(sosreport_t, file)
++files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
+
+ fs_getattr_all_fs(sosreport_t)
+ fs_list_inotifyfs(sosreport_t)
++storage_dontaudit_read_fixed_disk(sosreport_t)
++storage_dontaudit_read_removable_device(sosreport_t)
++
# some config files do not have configfile attribute
# sosreport needs to read various files on system
-auth_read_all_files_except_shadow(sosreport_t)
@@ -3390,7 +3415,7 @@ index fe1c377..557e37f 100644
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
-@@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t)
+@@ -92,13 +96,11 @@ logging_send_syslog_msg(sosreport_t)
miscfiles_read_localization(sosreport_t)
@@ -3400,7 +3425,12 @@ index fe1c377..557e37f 100644
sysnet_read_config(sosreport_t)
optional_policy(`
-@@ -110,6 +107,11 @@ optional_policy(`
+ abrt_manage_pid_files(sosreport_t)
++ abrt_manage_cache(sosreport_t)
+ ')
+
+ optional_policy(`
+@@ -110,6 +112,11 @@ optional_policy(`
')
optional_policy(`
@@ -15362,7 +15392,7 @@ index 6a1e4d1..3ded83e 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..02cf550 100644
+index fae1ab1..b949cfb 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -15455,7 +15485,7 @@ index fae1ab1..02cf550 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +197,120 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,122 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -15487,6 +15517,8 @@ index fae1ab1..02cf550 100644
+ abrt_read_pid_files(domain)
+ abrt_read_state(domain)
+ abrt_signull(domain)
++ abrt_append_cache(domain)
++ abrt_rw_fifo_file(domain)
+')
+
+optional_policy(`
@@ -20261,7 +20293,7 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..bfabe3f 100644
+index 2be17d2..2c588ca 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -20314,7 +20346,7 @@ index 2be17d2..bfabe3f 100644
+')
+
+optional_policy(`
-+ abrt_cache_read(staff_t)
++ abrt_read_cache(staff_t)
+')
+
optional_policy(`
@@ -22216,7 +22248,7 @@ index 0000000..49f2c54
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..e5a8559 100644
+index e5bfdd4..50e49e6 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,93 @@ role user_r;
@@ -22234,7 +22266,7 @@ index e5bfdd4..e5a8559 100644
+')
+
+optional_policy(`
-+ abrt_cache_read(user_t)
++ abrt_read_cache(user_t)
+')
+
optional_policy(`
@@ -22597,7 +22629,7 @@ index 1bd5812..0d7d8d1 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..bfb68b2 100644
+index 0b827c5..46e3aa9 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -22608,21 +22640,22 @@ index 0b827c5..bfb68b2 100644
ps_process_pattern($1, abrt_t)
')
-@@ -160,8 +161,44 @@ interface(`abrt_run_helper',`
+@@ -160,8 +161,7 @@ interface(`abrt_run_helper',`
########################################
## <summary>
-## Send and receive messages from
-## abrt over dbus.
+## Read abrt cache
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`abrt_cache_read',`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -169,7 +169,45 @@ interface(`abrt_run_helper',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`abrt_cache_manage',`
++interface(`abrt_read_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
@@ -22641,21 +22674,30 @@ index 0b827c5..bfb68b2 100644
+## </summary>
+## </param>
+#
-+interface(`abrt_cache_append',`
++interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
-+ append_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++
++ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Manage abrt cache
- ## </summary>
- ## <param name="domain">
- ## <summary>
-@@ -253,6 +290,24 @@ interface(`abrt_manage_pid_files',`
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`abrt_manage_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+@@ -253,6 +291,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -22680,7 +22722,7 @@ index 0b827c5..bfb68b2 100644
#####################################
## <summary>
## All of the rules required to administrate
-@@ -286,18 +341,116 @@ interface(`abrt_admin',`
+@@ -286,18 +342,116 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
@@ -29885,7 +29927,7 @@ index 01d31f1..8e2754b 100644
/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
-index 9971337..870265d 100644
+index 9971337..7481ccc 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -90,7 +90,7 @@ template(`courier_domain_template',`
@@ -29897,7 +29939,31 @@ index 9971337..870265d 100644
## <summary>
## Domain allowed to transition.
## </summary>
-@@ -109,7 +109,7 @@ interface(`courier_domtrans_authdaemon',`
+@@ -104,12 +104,31 @@ interface(`courier_domtrans_authdaemon',`
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+ ')
+
++#######################################
++## <summary>
++## Connect to courier-authdaemon over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`courier_stream_connect_authdaemon',`
++ gen_require(`
++ type courier_authdaemon_t, courier_spool_t;
++ ')
++
++ files_search_spool($1)
++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
++')
++
+ ########################################
+ ## <summary>
## Execute the courier POP3 and IMAP server with
## a domain transition.
## </summary>
@@ -29906,7 +29972,7 @@ index 9971337..870265d 100644
## <summary>
## Domain allowed to transition.
## </summary>
-@@ -127,7 +127,7 @@ interface(`courier_domtrans_pop',`
+@@ -127,7 +146,7 @@ interface(`courier_domtrans_pop',`
## <summary>
## Read courier config files
## </summary>
@@ -29915,7 +29981,7 @@ index 9971337..870265d 100644
## <summary>
## Domain allowed access.
## </summary>
-@@ -138,6 +138,7 @@ interface(`courier_read_config',`
+@@ -138,6 +157,7 @@ interface(`courier_read_config',`
type courier_etc_t;
')
@@ -29923,7 +29989,7 @@ index 9971337..870265d 100644
read_files_pattern($1, courier_etc_t, courier_etc_t)
')
-@@ -146,7 +147,7 @@ interface(`courier_read_config',`
+@@ -146,7 +166,7 @@ interface(`courier_read_config',`
## Create, read, write, and delete courier
## spool directories.
## </summary>
@@ -29932,7 +29998,7 @@ index 9971337..870265d 100644
## <summary>
## Domain allowed access.
## </summary>
-@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
+@@ -157,6 +177,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
@@ -29940,7 +30006,7 @@ index 9971337..870265d 100644
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
-@@ -165,7 +167,7 @@ interface(`courier_manage_spool_dirs',`
+@@ -165,7 +186,7 @@ interface(`courier_manage_spool_dirs',`
## Create, read, write, and delete courier
## spool files.
## </summary>
@@ -29949,7 +30015,7 @@ index 9971337..870265d 100644
## <summary>
## Domain allowed access.
## </summary>
-@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
+@@ -176,6 +197,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
@@ -29957,7 +30023,7 @@ index 9971337..870265d 100644
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
-@@ -183,7 +186,7 @@ interface(`courier_manage_spool_files',`
+@@ -183,7 +205,7 @@ interface(`courier_manage_spool_files',`
## <summary>
## Read courier spool files.
## </summary>
@@ -29966,7 +30032,7 @@ index 9971337..870265d 100644
## <summary>
## Domain allowed access.
## </summary>
-@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
+@@ -194,6 +216,7 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
@@ -35673,7 +35739,7 @@ index f590a1f..338e5bf 100644
+ admin_pattern($1, fail2ban_tmp_t)
')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..35a2c0b 100644
+index 2a69e5e..2599f96 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@@ -35727,7 +35793,7 @@ index 2a69e5e..35a2c0b 100644
files_read_etc_files(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +107,34 @@ optional_policy(`
+@@ -94,5 +107,38 @@ optional_policy(`
')
optional_policy(`
@@ -35742,6 +35808,10 @@ index 2a69e5e..35a2c0b 100644
+ libs_exec_ldconfig(fail2ban_t)
+')
+
++optional_policy(`
++ shorewall_domtrans(fail2ban_t)
++')
++
+########################################
+#
+# fail2ban client local policy
@@ -37908,7 +37978,7 @@ index a627b34..c4cfc6d 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
-index 03742d8..b28c4f9 100644
+index 03742d8..d5795a5 100644
--- a/policy/modules/services/gpsd.te
+++ b/policy/modules/services/gpsd.te
@@ -24,8 +24,9 @@ files_pid_file(gpsd_var_run_t)
@@ -37923,7 +37993,7 @@ index 03742d8..b28c4f9 100644
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow gpsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,14 +39,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
+@@ -38,16 +39,24 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
@@ -37945,8 +38015,11 @@ index 03742d8..b28c4f9 100644
+
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
++term_use_usb_ttys(gpsd_t)
+
+ auth_use_nsswitch(gpsd_t)
-@@ -56,6 +64,12 @@ logging_send_syslog_msg(gpsd_t)
+@@ -56,6 +65,12 @@ logging_send_syslog_msg(gpsd_t)
miscfiles_read_localization(gpsd_t)
optional_policy(`
@@ -42958,7 +43031,7 @@ index 343cee3..fff3a52 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..4e45f74 100644
+index 64268e4..d46b314 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -43047,7 +43120,14 @@ index 64268e4..4e45f74 100644
')
optional_policy(`
-@@ -111,6 +116,8 @@ optional_policy(`
+@@ -108,9 +113,15 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ courier_stream_connect_authdaemon(system_mail_t)
++')
++
++optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
@@ -43056,7 +43136,7 @@ index 64268e4..4e45f74 100644
')
optional_policy(`
-@@ -124,12 +131,9 @@ optional_policy(`
+@@ -124,12 +135,9 @@ optional_policy(`
')
optional_policy(`
@@ -43071,7 +43151,7 @@ index 64268e4..4e45f74 100644
')
optional_policy(`
-@@ -146,6 +150,10 @@ optional_policy(`
+@@ -146,6 +154,10 @@ optional_policy(`
')
optional_policy(`
@@ -43082,7 +43162,7 @@ index 64268e4..4e45f74 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,22 +166,13 @@ optional_policy(`
+@@ -158,22 +170,13 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -43108,7 +43188,7 @@ index 64268e4..4e45f74 100644
')
optional_policy(`
-@@ -189,9 +188,17 @@ optional_policy(`
+@@ -189,6 +192,10 @@ optional_policy(`
')
optional_policy(`
@@ -43119,13 +43199,6 @@ index 64268e4..4e45f74 100644
smartmon_read_tmp_files(system_mail_t)
')
-+optional_policy(`
-+ abrt_rw_fifo_file(mta_user_agent)
-+')
-+
- # should break this up among sections:
-
- optional_policy(`
@@ -199,15 +206,16 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -55301,7 +55374,7 @@ index bcdd16c..7c379a8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..79347e7 100644
+index 086cd5f..a181f01 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@@ -55381,15 +55454,19 @@ index 086cd5f..79347e7 100644
dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
')
-@@ -152,6 +171,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -151,7 +170,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
++dev_read_sysfs(setroubleshoot_fixit_t)
++dev_read_urand(setroubleshoot_fixit_t)
++
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
files_read_usr_files(setroubleshoot_fixit_t)
files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +184,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +187,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
miscfiles_read_localization(setroubleshoot_fixit_t)
@@ -56569,7 +56646,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..be6e1fa 100644
+index 22adaca..b13cd67 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -56682,7 +56759,7 @@ index 22adaca..be6e1fa 100644
+ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
-+ allow $1_t self:tun_socket create_socket_perms;
++ allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
# ssh agent connections:
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:shm create_shm_perms;
@@ -56822,7 +56899,7 @@ index 22adaca..be6e1fa 100644
- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
- allow $3 $1_ssh_agent_t:process sigchld;
+
-+ ssh_run_keygen($3,$2)
++ ssh_exec_keygen($3)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
@@ -56832,7 +56909,7 @@ index 22adaca..be6e1fa 100644
- allow $1 sshd_t:fifo_file { getattr read };
+ allow $1 sshd_t:fifo_file read_fifo_file_perms;
- ')
++')
+
+######################################
+## <summary>
@@ -56850,7 +56927,7 @@ index 22adaca..be6e1fa 100644
+ ')
+
+ allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
-+')
+ ')
+
########################################
## <summary>
@@ -56923,10 +57000,26 @@ index 22adaca..be6e1fa 100644
## Read ssh home directory content
## </summary>
## <param name="domain">
-@@ -680,6 +776,32 @@ interface(`ssh_domtrans_keygen',`
- domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
- ')
+@@ -682,6 +778,50 @@ interface(`ssh_domtrans_keygen',`
+ ########################################
+ ## <summary>
++## Execute the ssh key generator in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ssh_exec_keygen',`
++ gen_require(`
++ type ssh_keygen_exec_t;
++ ')
++
++ can_exec($1, ssh_keygen_exec_t)
++')
++
+#######################################
+## <summary>
+## Execute ssh-keygen in the iptables domain, and
@@ -56953,10 +57046,12 @@ index 22adaca..be6e1fa 100644
+ ssh_domtrans_keygen($1)
+')
+
- ########################################
- ## <summary>
++########################################
++## <summary>
## Read ssh server keys
-@@ -695,7 +817,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+ ## </summary>
+ ## <param name="domain">
+@@ -695,7 +835,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -56965,7 +57060,7 @@ index 22adaca..be6e1fa 100644
')
######################################
-@@ -735,3 +857,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +875,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -57543,7 +57638,7 @@ index 2dad3c8..02e70c9 100644
+ ssh_rw_dgram_sockets(chroot_user_t)
')
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
-index 941380a..6dbfc01 100644
+index 941380a..ce8c972 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -5,9 +5,9 @@
@@ -57574,7 +57669,23 @@ index 941380a..6dbfc01 100644
')
########################################
-@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
+@@ -148,6 +148,7 @@ interface(`sssd_read_lib_files',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
++ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+
+ ########################################
+@@ -168,6 +169,7 @@ interface(`sssd_manage_lib_files',`
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
++ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+
+ ########################################
+@@ -225,21 +227,15 @@ interface(`sssd_stream_connect',`
## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
@@ -57600,7 +57711,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..7d5a298 100644
+index 8ffa257..bd55865 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -57617,16 +57728,18 @@ index 8ffa257..7d5a298 100644
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -39,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+@@ -38,8 +40,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
++manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,11 +50,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,11 +51,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -57643,7 +57756,7 @@ index 8ffa257..7d5a298 100644
domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
-@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t)
+@@ -60,6 +68,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
@@ -57651,7 +57764,7 @@ index 8ffa257..7d5a298 100644
fs_list_inotifyfs(sssd_t)
-@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t)
+@@ -69,7 +78,7 @@ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
@@ -57660,7 +57773,7 @@ index 8ffa257..7d5a298 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +88,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
@@ -57673,7 +57786,7 @@ index 8ffa257..7d5a298 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +101,28 @@ optional_policy(`
+@@ -87,4 +102,28 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -59622,7 +59735,7 @@ index 7c5d8d8..d711fd5 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..75d8556 100644
+index 3eca020..ea9593c 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -60166,7 +60279,7 @@ index 3eca020..75d8556 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +635,324 @@ optional_policy(`
+@@ -457,8 +635,325 @@ optional_policy(`
')
optional_policy(`
@@ -60306,6 +60419,7 @@ index 3eca020..75d8556 100644
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t virtd_lxc_t:process { signal signull sigkill };
+
++allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
+manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
@@ -60395,8 +60509,8 @@ index 3eca020..75d8556 100644
+manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-+rw_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-+rw_blk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
++rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
++rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+
+kernel_getattr_proc(svirt_lxc_domain)
@@ -65558,7 +65672,7 @@ index 94fd8dd..b5e5c70 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..f69ea00 100644
+index 29a9565..29930e4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -65754,7 +65868,7 @@ index 29a9565..f69ea00 100644
+
+tunable_policy(`init_systemd',`
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-+ allow init_t self:process { setsockcreate setfscreate };
++ allow init_t self:process { setsockcreate setfscreate setrlimit };
+ allow init_t self:process { getcap setcap };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -67643,12 +67757,12 @@ index e5836d3..eae9427 100644
- unconfined_domain(ldconfig_t)
-')
diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
-index be6a81b..ddae53a 100644
+index be6a81b..9a27055 100644
--- a/policy/modules/system/locallogin.fc
+++ b/policy/modules/system/locallogin.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
-+/root/.\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
++/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
@@ -69271,7 +69385,7 @@ index 8b5c196..da41726 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..2e0bdd4 100644
+index 15832c7..b9e7b60 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
@@ -69451,20 +69565,16 @@ index 15832c7..2e0bdd4 100644
logging_send_syslog_msg(mount_t)
-@@ -126,6 +185,12 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +185,8 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
-+
-+optional_policy(`
-+ abrt_rw_fifo_file(mount_t)
-+')
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +202,28 @@ ifdef(`distro_ubuntu',`
')
')
@@ -69503,7 +69613,7 @@ index 15832c7..2e0bdd4 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +241,8 @@ optional_policy(`
+@@ -174,6 +237,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -69512,7 +69622,7 @@ index 15832c7..2e0bdd4 100644
')
optional_policy(`
-@@ -181,6 +250,28 @@ optional_policy(`
+@@ -181,6 +246,28 @@ optional_policy(`
')
optional_policy(`
@@ -69541,7 +69651,7 @@ index 15832c7..2e0bdd4 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +279,83 @@ optional_policy(`
+@@ -188,21 +275,83 @@ optional_policy(`
')
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 53c071e..336110a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 40%{?dist}
+Release: 41%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Oct 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-41
+- Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
+- Allow init process to setrlimit on itself
+- Take away transition rules for users executing ssh-keygen
+- Allow setroubleshoot_fixit_t to read /dev/urand
+- Allow sshd to relbale tunnel sockets
+- Allow fail2ban domtrans to shorewall in the same way as with iptables
+- Add support for lnk files in the /var/lib/sssd directory
+- Allow system mail to connect to courier-authdaemon over an unix stream socket
+
* Fri Oct 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-40
- Dontaudit access checks for all executables, gnome-shell is doing access(EXEC, X_OK)
- Make corosync to be able to relabelto cluster lib fies
More information about the scm-commits
mailing list