[selinux-policy/f16] - Add fixes for nova-stack policy

Miroslav Grepl mgrepl at fedoraproject.org
Tue Oct 18 21:27:27 UTC 2011


commit 1ec0034fc45919a68a571f5d16cc9dc3da8cee30
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Oct 18 23:27:17 2011 +0200

    - Add fixes for nova-stack policy

 policy-F16.patch    |   72 +++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec |    5 +++-
 2 files changed, 57 insertions(+), 20 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index a39cbd1..36e9c27 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3497,7 +3497,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..bcc4481 100644
+index 975af1a..2aa37b4 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
 @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -3579,6 +3579,29 @@ index 975af1a..bcc4481 100644
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_sudo_t)
+@@ -177,3 +196,22 @@ interface(`sudo_sigchld',`
+ 
+ 	allow $1 sudodomain:process sigchld;
+ ')
++
++#######################################
++## <summary>
++##  Allow execute sudo in called domain.
++##  This interfaces is added for nova-stack policy.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`sudo_exec',`
++    gen_require(`
++        type sudo_exec_t;
++    ')
++
++	can_exec($1, sudo_exec_t)
++')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
 index 2731fa1..3443ba2 100644
 --- a/policy/modules/admin/sudo.te
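Review bot: The new `sudo_exec` interface mixes indentation: the `gen_require` block is indented with four spaces while `can_exec($1, sudo_exec_t)` and the rest of sudo.if use tabs, so the block should be re-indented with tabs. The summary should also make the privilege scope explicit, since `can_exec` grants execute without a domain transition and whatever sudo does afterwards stays confined by the caller's own domain; suggested wording is `##  Allow the specified domain to execute sudo without a domain transition; the caller's domain remains responsible for what sudo is permitted to do.` in place of the current two summary lines. The existing `This interfaces is added` should read `This interface is added`.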
@@ -13481,7 +13504,7 @@ index 4f3b542..cf422f4 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..740d4b1 100644
+index 99b71cb..30e6f47 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -13584,13 +13607,14 @@ index 99b71cb..740d4b1 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,14 +134,20 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,14 +134,21 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
 +network_port(dogtag, tcp,7390,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
  network_port(epmap, tcp,135,s0, udp,135,s0)
++network_port(epmd, tcp,4369,s0, udp,4369,s0)
 +network_port(festival, tcp,1314,s0)
  network_port(fingerd, tcp,79,s0)
 +network_port(firebird, tcp,3050,s0, udp,3050,s0)
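Review bot: The added `network_port(epmd, tcp,4369,s0, udp,4369,s0)` is not covered by the commit message or the changelog entry, which only mention nova-stack fixes. The same applies to the `wsicopy` port added in the corenetwork hunk further down, the `netlink_route_socket` rule for dirsrv_t, the `corenet_tcp_connect_glance_registry_port(glance_api_t)` rule, and the two `init_*` rules added for systemd_logind_t. A one-line changelog bullet per unrelated change, for example `- Add epmd and wsicopy port definitions`, would make the release notes match what the patch actually does.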
@@ -13605,7 +13629,7 @@ index 99b71cb..740d4b1 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +156,12 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +157,12 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -13619,7 +13643,7 @@ index 99b71cb..740d4b1 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +171,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +172,25 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -13648,7 +13672,7 @@ index 99b71cb..740d4b1 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +199,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +200,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -13681,7 +13705,7 @@ index 99b71cb..740d4b1 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,30 +236,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,30 +237,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
@@ -13721,7 +13745,7 @@ index 99b71cb..740d4b1 100644
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -215,7 +277,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +278,10 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -13729,8 +13753,11 @@ index 99b71cb..740d4b1 100644
 +network_port(vnc, tcp,5900-5999,s0)
  network_port(wccp, udp,2048,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
++network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +291,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+ network_port(xen, tcp,8002,s0)
+ network_port(xfs, tcp,7100,s0)
+@@ -229,6 +293,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
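Review bot: The new `network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)` uses inconsistent spacing around the commas, unlike the neighbouring entries in corenetwork.te.in which are written without spaces. It should be normalised to `network_port(wsicopy, tcp,3378,s0, udp,3378,s0)` so the port table stays uniform and greppable.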
@@ -13738,7 +13765,7 @@ index 99b71cb..740d4b1 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +301,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +303,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -13751,7 +13778,7 @@ index 99b71cb..740d4b1 100644
  
  ########################################
  #
-@@ -282,9 +351,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +353,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -33974,10 +34001,10 @@ index 0000000..6fd8e9f
 +')
 diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
 new file mode 100644
-index 0000000..a5afe38
+index 0000000..ff2ba38
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,187 @@
+@@ -0,0 +1,188 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -34035,6 +34062,7 @@ index 0000000..a5afe38
 +allow dirsrv_t self:fifo_file rw_fifo_file_perms;
 +allow dirsrv_t self:sem create_sem_perms;
 +allow dirsrv_t self:tcp_socket create_stream_socket_perms;
++allow dirsrv_t self:netlink_route_socket r_netlink_socket_perms;
 +
 +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
 +fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
@@ -37703,10 +37731,10 @@ index 0000000..3b1870a
 +
 diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
 new file mode 100644
-index 0000000..45b7469
+index 0000000..34385c9
 --- /dev/null
 +++ b/policy/modules/services/glance.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,105 @@
 +policy_module(glance, 1.0.0)
 +
 +########################################
@@ -37805,6 +37833,7 @@ index 0000000..45b7469
 +
 +corenet_tcp_bind_generic_node(glance_api_t)
 +corenet_tcp_bind_hplip_port(glance_api_t)
++corenet_tcp_connect_glance_registry_port(glance_api_t)
 +
 +dev_read_urand(glance_api_t)
 +
@@ -59139,7 +59168,7 @@ index 32a3c13..7baeb6f 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..c60a0e7 100644
+index 2124b6a..b944b61 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,5 +1,6 @@
@@ -59151,7 +59180,7 @@ index 2124b6a..c60a0e7 100644
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,34 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,37 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -59189,6 +59218,9 @@ index 2124b6a..c60a0e7 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
++
++# support for nova-stack
++/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
 index 7c5d8d8..d711fd5 100644
 --- a/policy/modules/services/virt.if
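Review bot: Labelling `/usr/bin/nova-compute` as `virtd_exec_t` places nova-compute in virtd_t, so it inherits the full libvirtd privilege set rather than a domain scoped to what nova-compute itself needs; the `# support for nova-stack` comment should state that this is a deliberate interim choice and why, for instance `# nova-compute runs in virtd_t (shares libvirtd's domain); no dedicated nova domain yet`. It is also worth confirming that virtd_t permits everything nova-compute does on its own before it reaches libvirt, presumably including the interpreter it is written in, otherwise the transition will produce denials unrelated to virtualisation. The new entry is indented with spaces whereas the rest of virt.fc uses tabs between the path, file type and context columns.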
@@ -71979,10 +72011,10 @@ index 0000000..f642930
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..3e5e632
+index 0000000..5c36a9d
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,371 @@
+@@ -0,0 +1,373 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -72097,6 +72129,8 @@ index 0000000..3e5e632
 +dbus_system_bus_client(systemd_logind_t)
 +
 +init_dbus_chat(systemd_logind_t)
++init_dbus_chat_script(systemd_logind_t)
++init_read_script_state(systemd_logind_t)
 +init_read_state(systemd_logind_t)
 +
 +logging_send_syslog_msg(systemd_logind_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 336110a..19b507e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 41%{?dist}
+Release: 42%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Oct 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-42
+- Add fixes for nova-stack policy
+
 * Mon Oct 18 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-41
 - Allow svirt_lxc_domain to chr_file and blk_file devices if they are in the domain
 - Allow init process to setrlimit on itself

