[selinux-policy/f15] - Fixes for systemd - Add FIPS suppport for dirsrv
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Oct 21 11:13:10 UTC 2011
commit 7f8bb18f2520c716601cf6ad4b0f939ab69d25ef
Author: Miroslav <mgrepl at redhat.com>
Date: Fri Oct 21 13:12:49 2011 +0200
- Fixes for systemd
- Add FIPS support for dirsrv
policy-F15.patch | 209 +++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 6 +-
2 files changed, 159 insertions(+), 56 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 1ccd846..49ebd04 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -10303,7 +10303,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..9856a93 100644
+index 34c9d01..56a3b80 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10336,7 +10336,15 @@ index 34c9d01..9856a93 100644
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -177,6 +177,8 @@ ifdef(`distro_gentoo',`
+@@ -166,6 +166,7 @@ ifdef(`distro_gentoo',`
+ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+@@ -177,6 +178,8 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -10345,7 +10353,7 @@ index 34c9d01..9856a93 100644
#
# /usr
#
-@@ -198,6 +200,7 @@ ifdef(`distro_gentoo',`
+@@ -198,6 +201,7 @@ ifdef(`distro_gentoo',`
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -10353,7 +10361,7 @@ index 34c9d01..9856a93 100644
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -232,6 +235,9 @@ ifdef(`distro_gentoo',`
+@@ -232,6 +236,9 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
@@ -10363,7 +10371,7 @@ index 34c9d01..9856a93 100644
/usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -244,9 +250,13 @@ ifdef(`distro_gentoo',`
+@@ -244,9 +251,13 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -10377,7 +10385,7 @@ index 34c9d01..9856a93 100644
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -283,6 +293,7 @@ ifdef(`distro_gentoo',`
+@@ -283,6 +294,7 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -10385,7 +10393,7 @@ index 34c9d01..9856a93 100644
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -307,6 +318,7 @@ ifdef(`distro_redhat', `
+@@ -307,6 +319,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -10393,7 +10401,7 @@ index 34c9d01..9856a93 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +328,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +329,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -18560,7 +18568,7 @@ index c0f858d..d639ae0 100644
accountsd_manage_lib_files($1)
diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..f6e570c 100644
+index 1632f10..5bc08d2 100644
--- a/policy/modules/services/accountsd.te
+++ b/policy/modules/services/accountsd.te
@@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
@@ -18572,7 +18580,7 @@ index 1632f10..f6e570c 100644
type accountsd_var_lib_t;
files_type(accountsd_var_lib_t)
-@@ -32,6 +34,7 @@ files_read_usr_files(accountsd_t)
+@@ -32,10 +34,12 @@ files_read_usr_files(accountsd_t)
files_read_mnt_files(accountsd_t)
fs_list_inotifyfs(accountsd_t)
@@ -18580,7 +18588,12 @@ index 1632f10..f6e570c 100644
fs_read_noxattr_fs_files(accountsd_t)
auth_use_nsswitch(accountsd_t)
-@@ -55,3 +58,8 @@ optional_policy(`
+ auth_read_shadow(accountsd_t)
++auth_read_login_records(accountsd_t)
+
+ miscfiles_read_localization(accountsd_t)
+
+@@ -55,3 +59,8 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(accountsd_t)
')
@@ -24635,10 +24648,36 @@ index 7d2cf85..92b621a 100644
optional_policy(`
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
-index 9971337..f081899 100644
+index 9971337..536e2d1 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
-@@ -138,6 +138,7 @@ interface(`courier_read_config',`
+@@ -104,6 +104,25 @@ interface(`courier_domtrans_authdaemon',`
+ domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
+ ')
+
++#######################################
++## <summary>
++## Connect to courier-authdaemon over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`courier_stream_connect_authdaemon',`
++ gen_require(`
++ type courier_authdaemon_t, courier_spool_t;
++ ')
++
++ files_search_spool($1)
++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute the courier POP3 and IMAP server with
+@@ -138,6 +157,7 @@ interface(`courier_read_config',`
type courier_etc_t;
')
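Review bot: The summary of the new `courier_stream_connect_authdaemon` interface reads "over an unix stream socket"; the usual wording is `## Connect to courier-authdaemon over a unix stream socket.` The body itself is consistent: the socket file is expected under courier_spool_t, which is why `files_search_spool($1)` precedes the stream_connect_pattern call.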
@@ -24646,7 +24685,7 @@ index 9971337..f081899 100644
read_files_pattern($1, courier_etc_t, courier_etc_t)
')
-@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',`
+@@ -157,6 +177,7 @@ interface(`courier_manage_spool_dirs',`
type courier_spool_t;
')
@@ -24654,7 +24693,7 @@ index 9971337..f081899 100644
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
')
-@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',`
+@@ -176,6 +197,7 @@ interface(`courier_manage_spool_files',`
type courier_spool_t;
')
@@ -24662,7 +24701,7 @@ index 9971337..f081899 100644
manage_files_pattern($1, courier_spool_t, courier_spool_t)
')
-@@ -194,6 +197,7 @@ interface(`courier_read_spool',`
+@@ -194,6 +216,7 @@ interface(`courier_read_spool',`
type courier_spool_t;
')
@@ -27532,10 +27571,10 @@ index 0000000..9d8f5de
+')
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
new file mode 100644
-index 0000000..1f4cf3b
+index 0000000..399dbdb
--- /dev/null
+++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,179 @@
+@@ -0,0 +1,186 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -27590,7 +27629,7 @@ index 0000000..1f4cf3b
+#
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
-+allow dirsrv_t self:fifo_file rw_fifo_file_perms;
++allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
@@ -27625,8 +27664,10 @@ index 0000000..1f4cf3b
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
++allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
+
+kernel_read_system_state(dirsrv_t)
++ernel_read_kernel_sysctls(dirsrv_t)
+
+corecmd_search_sbin(dirsrv_t)
+
@@ -27665,6 +27706,11 @@ index 0000000..1f4cf3b
+ kerberos_use(dirsrv_t)
+')
+
++# FIPS mode
++optional_policy(`
++ prelink_exec(dirsrv_t)
++')
++
+optional_policy(`
+ rpcbind_stream_connect(dirsrv_t)
+')
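Review bot: `# FIPS mode` above `prelink_exec(dirsrv_t)` says when the rule applies but not why dirsrv has to execute prelink, which is the non-obvious part. A one-line reason would help the next reader, e.g. `# FIPS mode: the library integrity self-check execs prelink to verify the un-prelinked shared objects` — assuming that is the mechanism behind this allow; confirm against the originating report before wording it as fact.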
@@ -28730,7 +28776,7 @@ index f590a1f..26a6299 100644
+ admin_pattern($1, fail2ban_tmp_t)
')
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..aae90fa 100644
+index 2a69e5e..284cdfd 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t)
@@ -28787,7 +28833,7 @@ index 2a69e5e..aae90fa 100644
files_read_etc_files(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +110,36 @@ optional_policy(`
+@@ -94,5 +110,40 @@ optional_policy(`
')
optional_policy(`
@@ -28802,6 +28848,10 @@ index 2a69e5e..aae90fa 100644
+ libs_exec_ldconfig(fail2ban_t)
+')
+
++optional_policy(`
++ shorewall_domtrans(fail2ban_t)
++')
++
+########################################
+#
+# fail2ban client local policy
@@ -34407,7 +34457,7 @@ index 343cee3..5991e63 100644
+ ')
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..fe56f9b 100644
+index 64268e4..6a85cd6 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -34458,7 +34508,7 @@ index 64268e4..fe56f9b 100644
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +87,28 @@ optional_policy(`
+@@ -92,25 +87,42 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -34488,7 +34538,12 @@ index 64268e4..fe56f9b 100644
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -111,6 +117,8 @@ optional_policy(`
+
+ optional_policy(`
++ courier_stream_connect_authdaemon(system_mail_t)
++')
++
++optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
@@ -34497,7 +34552,7 @@ index 64268e4..fe56f9b 100644
')
optional_policy(`
-@@ -124,12 +132,9 @@ optional_policy(`
+@@ -124,12 +136,9 @@ optional_policy(`
')
optional_policy(`
@@ -34512,7 +34567,7 @@ index 64268e4..fe56f9b 100644
')
optional_policy(`
-@@ -146,6 +151,10 @@ optional_policy(`
+@@ -146,6 +155,10 @@ optional_policy(`
')
optional_policy(`
@@ -34523,7 +34578,7 @@ index 64268e4..fe56f9b 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,22 +167,13 @@ optional_policy(`
+@@ -158,22 +171,13 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -34549,7 +34604,7 @@ index 64268e4..fe56f9b 100644
')
optional_policy(`
-@@ -189,6 +189,10 @@ optional_policy(`
+@@ -189,6 +193,10 @@ optional_policy(`
')
optional_policy(`
@@ -34560,7 +34615,7 @@ index 64268e4..fe56f9b 100644
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,7 +203,7 @@ optional_policy(`
+@@ -199,7 +207,7 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -34569,7 +34624,7 @@ index 64268e4..fe56f9b 100644
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
-@@ -220,7 +224,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +228,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -34579,7 +34634,7 @@ index 64268e4..fe56f9b 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +247,10 @@ optional_policy(`
+@@ -242,6 +251,10 @@ optional_policy(`
')
optional_policy(`
@@ -34590,7 +34645,7 @@ index 64268e4..fe56f9b 100644
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,11 +258,20 @@ optional_policy(`
+@@ -249,11 +262,20 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -34611,7 +34666,7 @@ index 64268e4..fe56f9b 100644
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +310,44 @@ optional_policy(`
+@@ -292,3 +314,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -46092,7 +46147,7 @@ index 2dad3c8..a24b7af 100644
optional_policy(`
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
-index 941380a..6dbfc01 100644
+index 941380a..ce8c972 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -5,9 +5,9 @@
@@ -46123,7 +46178,23 @@ index 941380a..6dbfc01 100644
')
########################################
-@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',`
+@@ -148,6 +148,7 @@ interface(`sssd_read_lib_files',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
++ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+
+ ########################################
+@@ -168,6 +169,7 @@ interface(`sssd_manage_lib_files',`
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
++ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+ ')
+
+ ########################################
+@@ -225,21 +227,15 @@ interface(`sssd_stream_connect',`
## The role to be allowed to manage the sssd domain.
## </summary>
## </param>
@@ -46149,7 +46220,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..f6ef6a9 100644
+index 8ffa257..22b6731 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -46166,16 +46237,18 @@ index 8ffa257..f6ef6a9 100644
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -39,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+@@ -38,8 +40,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
++manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,10 +50,15 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,10 +51,15 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -46191,7 +46264,7 @@ index 8ffa257..f6ef6a9 100644
dev_read_urand(sssd_t)
domain_read_all_domains_state(sssd_t)
-@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t)
+@@ -60,6 +68,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
@@ -46199,7 +46272,7 @@ index 8ffa257..f6ef6a9 100644
fs_list_inotifyfs(sssd_t)
-@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t)
+@@ -69,7 +78,7 @@ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
@@ -46208,7 +46281,7 @@ index 8ffa257..f6ef6a9 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +88,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
@@ -46221,7 +46294,7 @@ index 8ffa257..f6ef6a9 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +101,28 @@ optional_policy(`
+@@ -87,4 +102,28 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -55918,7 +55991,7 @@ index 58bc27f..c3fe956 100644
+ allow $1 lvm_t:process signull;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..2b53ee6 100644
+index a0a0ebf..71df206 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -56078,7 +56151,7 @@ index a0a0ebf..2b53ee6 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -331,14 +362,26 @@ optional_policy(`
+@@ -331,14 +362,27 @@ optional_policy(`
')
optional_policy(`
@@ -56098,7 +56171,8 @@ index a0a0ebf..2b53ee6 100644
')
optional_policy(`
-+ systemd_passwd_agent_dev_template(lvm)
++ #systemd_passwd_agent_dev_template(lvm)
++ systemd_manage_passwd_run(lvm_t)
+')
+
+optional_policy(`
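Review bot: `#systemd_passwd_agent_dev_template(lvm)` leaves commented-out code in lvm.te; since the call is replaced by `systemd_manage_passwd_run(lvm_t)` in the same hunk, delete the line instead of commenting it out (the template still exists in systemd.if should it be needed again). The optional_policy block continues past the end of the hunk.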
@@ -58625,7 +58699,7 @@ index df32316..0f71f92 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..c7476cb
+index 0000000..dade60b
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,14 @@
@@ -58640,15 +58714,15 @@ index 0000000..c7476cb
+/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
-+/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
-+/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0)
++/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..fe2a3fd
+index 0000000..8e06a02
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,322 @@
+@@ -0,0 +1,345 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
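Review bot: The new specs cover only `/var/run/systemd/ask-password-block(/.*)?` and `/var/run/systemd/ask-password(/.*)?`, while the removed `/dev/\.systemd/ask-password-block/[^/]*` spec gets no replacement and the template summary later in systemd.if still describes "temporary sockets and files in /dev/.systemd/ask-password". If the agent still creates anything under /dev/.systemd on this release, those objects no longer match any spec; if it does not, the summary text in systemd.if should be changed to the /var/run path so the two files agree.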
@@ -58943,6 +59017,29 @@ index 0000000..fe2a3fd
+
+######################################
+## <summary>
++## Send generic signals to systemd_passwd_agent processes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_manage_passwd_run',`
++ gen_require(`
++ type systemd_passwd_agent_t;
++ type systemd_passwd_var_run_t;
++ ')
++
++ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++
++ allow systemd_passwd_agent_t $1:process signull;
++ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
++')
++
++######################################
++## <summary>
+## Template for temporary sockets and files in /dev/.systemd/ask-password
+## which are used by systemd-passwd-agent
+## </summary>
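Review bot: The `<summary>` of the new `systemd_manage_passwd_run` interface says "Send generic signals to systemd_passwd_agent processes", but the body grants $1 manage access to files and sock files of systemd_passwd_var_run_t and lets systemd_passwd_agent_t signull and unix_dgram sendto $1; the text appears to have been copied from a neighbouring interface. Suggested summary: `## Manage systemd-passwd-agent runtime files and sockets and let the agent signal and send datagrams back to the caller.` The caller also needs a search path down to the ask-password directory under /var/run; if it is not already granted elsewhere, adding `files_search_pids($1)` here would make the interface self-contained.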
@@ -58973,10 +59070,10 @@ index 0000000..fe2a3fd
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..2437352
+index 0000000..48c24ba
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,225 @@
+@@ -0,0 +1,227 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -59032,9 +59129,11 @@ index 0000000..2437352
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
-+allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms;
-+dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
-+init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)
++manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+kernel_stream_connect(systemd_passwd_agent_t)
+
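Review bot: The four `manage_*_pattern(...)` lines end with a `;`, unlike the `init_pid_filetrans(...)` line below them and every other pattern call in this patch; the patterns already expand to complete `allow` statements, so the trailing `;` is at best noise and may be rejected by checkpolicy as an empty statement — drop it, e.g. `manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)`. Separately, the file header goes from 225 to 227 lines, which equals this hunk's net +2, so nothing else in systemd.te changes; unless `systemd_passwd_var_run_t` was already declared before this commit, the `type systemd_passwd_var_run_t;` / `files_pid_file(systemd_passwd_var_run_t)` declaration that systemd.fc, systemd.if and this hunk all rely on is missing. The agent's local-policy block continues outside the hunk.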
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 41b7857..622da55 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 43%{?dist}
+Release: 44%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Fri Oct 21 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-44
+- Fixes for systemd
+- Add FIPS suppport for dirsrv
+
* Tue Oct 11 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-43
- Allow sa-update to update rules
- Allow sa-update to read spamd tmp file