[selinux-policy/f16] - Allow named to connect to dirsrv by default - add ldapmap1_0 as a krb5_host_rcache_t file - Google
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Oct 24 20:21:21 UTC 2011
commit 82188c288366799da369a60dfd254d98cc28f75d
Author: Miroslav <mgrepl at redhat.com>
Date: Mon Oct 24 22:21:11 2011 +0200
- Allow named to connect to dirsrv by default
- add ldapmap1_0 as a krb5_host_rcache_t file
- Google chrome developers asked me to add bootstrap policy for nacl stuff
- Allow rhev_agentd_t to getattr on mountpoints
- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
policy-F16.patch | 144 +++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 9 +++-
2 files changed, 114 insertions(+), 39 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 2e35f5e..c435ee1 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4642,13 +4642,16 @@ index 46ea44f..f7183ef 100644
# Handle nfs home dirs
diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
new file mode 100644
-index 0000000..1f468aa
+index 0000000..4401c36
--- /dev/null
+++ b/policy/modules/apps/chrome.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,6 @@
+ /opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++
++/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_bootstrap_exec_t,s0)
++/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_bootstrap_exec_t,s0)
diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
new file mode 100644
index 0000000..bacc639
@@ -4784,10 +4787,10 @@ index 0000000..bacc639
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..df2b2a9
+index 0000000..e4b3381
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,152 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -4807,6 +4810,13 @@ index 0000000..df2b2a9
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
+ubac_constrained(chrome_sandbox_tmpfs_t)
+
++type chrome_sandbox_bootstrap_t;
++type chrome_sandbox_bootstrap_exec_t;
++application_domain(chrome_sandbox_bootstrap_t, chrome_sandbox_bootstrap_exec_t)
++role system_r types chrome_sandbox_bootstrap_t;
++
++permissive chrome_sandbox_bootstrap_t;
++
+########################################
+#
+# chrome_sandbox local policy
@@ -4819,6 +4829,7 @@ index 0000000..df2b2a9
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
+allow chrome_sandbox_t self:shm create_shm_perms;
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
++dontaudit chrome_sandbox_t self:memprotect mmap_zero;
+
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
@@ -4913,6 +4924,25 @@ index 0000000..df2b2a9
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
++
++
++########################################
++#
++# chrome_sandbox_bootstrap local policy
++#
++
++allow chrome_sandbox_bootstrap_t self:fifo_file manage_fifo_file_perms;
++allow chrome_sandbox_bootstrap_t self:unix_stream_socket create_stream_socket_perms;
++domain_use_interactive_fds(chrome_sandbox_bootstrap_t)
++allow chrome_sandbox_t chrome_sandbox_bootstrap_t:process share;
++
++dontaudit chrome_sandbox_bootstrap_t self:memprotect mmap_zero;
++
++domtrans_pattern(chrome_sandbox_t, chrome_sandbox_bootstrap_exec_t, chrome_sandbox_bootstrap_t)
++
++files_read_etc_files(chrome_sandbox_bootstrap_t)
++
++miscfiles_read_localization(chrome_sandbox_bootstrap_t)
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
index 37475dd..7db4a01 100644
--- a/policy/modules/apps/cpufreqselector.te
@@ -23022,7 +23052,7 @@ index 1bd5812..0d7d8d1 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..46e3aa9 100644
+index 0b827c5..6b739e6 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -23043,7 +23073,7 @@ index 0b827c5..46e3aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -169,7 +169,45 @@ interface(`abrt_run_helper',`
+@@ -169,12 +169,51 @@ interface(`abrt_run_helper',`
## </summary>
## </param>
#
@@ -23090,7 +23120,13 @@ index 0b827c5..46e3aa9 100644
gen_require(`
type abrt_var_cache_t;
')
-@@ -253,6 +291,24 @@ interface(`abrt_manage_pid_files',`
+
+ manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
++ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ ')
+
+ ####################################
+@@ -253,6 +292,24 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -23115,7 +23151,7 @@ index 0b827c5..46e3aa9 100644
#####################################
## <summary>
## All of the rules required to administrate
-@@ -286,18 +342,116 @@ interface(`abrt_admin',`
+@@ -286,18 +343,116 @@ interface(`abrt_admin',`
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
@@ -26497,7 +26533,7 @@ index 44a1e3d..7802b7b 100644
+ named_systemctl($1)
')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..8d81308 100644
+index 4deca04..fc86505 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
@@ -26571,7 +26607,18 @@ index 4deca04..8d81308 100644
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -198,18 +214,18 @@ allow ndc_t self:process { fork signal_perms };
+@@ -154,6 +170,10 @@ tunable_policy(`named_write_master_zones',`
+ ')
+
+ optional_policy(`
++ dirsrv_stream_connect(named_t)
++')
++
++optional_policy(`
+ init_dbus_chat_script(named_t)
+
+ sysnet_dbus_chat_dhcpc(named_t)
+@@ -198,18 +218,18 @@ allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
@@ -26593,7 +26640,7 @@ index 4deca04..8d81308 100644
kernel_read_kernel_sysctls(ndc_t)
corenet_all_recvfrom_unlabeled(ndc_t)
-@@ -228,6 +244,8 @@ files_search_pids(ndc_t)
+@@ -228,6 +248,8 @@ files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t)
@@ -26602,7 +26649,7 @@ index 4deca04..8d81308 100644
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
-@@ -235,24 +253,13 @@ logging_send_syslog_msg(ndc_t)
+@@ -235,24 +257,13 @@ logging_send_syslog_msg(ndc_t)
miscfiles_read_localization(ndc_t)
@@ -40010,7 +40057,7 @@ index da2127e..a666df2 100644
+
+sysnet_read_config(jabberd_domain)
diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index 3525d24..e065744 100644
+index 3525d24..033de90 100644
--- a/policy/modules/services/kerberos.fc
+++ b/policy/modules/services/kerberos.fc
@@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
@@ -40022,7 +40069,7 @@ index 3525d24..e065744 100644
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-@@ -30,4 +30,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -30,4 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
/var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
/var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
@@ -40030,8 +40077,9 @@ index 3525d24..e065744 100644
+
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
++/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..e515121 100644
+index 604f67b..1b608a7 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -40162,7 +40210,7 @@ index 604f67b..e515121 100644
')
allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +375,108 @@ interface(`kerberos_admin',`
+@@ -378,3 +375,109 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -40270,6 +40318,7 @@ index 604f67b..e515121 100644
+
+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
+')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 8edc29b..92dde2c 100644
@@ -49319,7 +49368,7 @@ index 46bee12..c22af86 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..318ef45 100644
+index a32c4b3..3a59bac 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -49466,7 +49515,14 @@ index a32c4b3..318ef45 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -249,6 +274,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
+
+ rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+ write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
++allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+
+ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
@@ -49477,7 +49533,7 @@ index a32c4b3..318ef45 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,8 +293,8 @@ optional_policy(`
+@@ -264,8 +294,8 @@ optional_policy(`
# Postfix local local policy
#
@@ -49487,7 +49543,7 @@ index a32c4b3..318ef45 100644
# connect to master process
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -49496,7 +49552,7 @@ index a32c4b3..318ef45 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -49515,7 +49571,7 @@ index a32c4b3..318ef45 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +333,10 @@ optional_policy(`
+@@ -297,6 +334,10 @@ optional_policy(`
')
optional_policy(`
@@ -49526,7 +49582,7 @@ index a32c4b3..318ef45 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +344,22 @@ optional_policy(`
+@@ -304,9 +345,22 @@ optional_policy(`
')
optional_policy(`
@@ -49549,7 +49605,7 @@ index a32c4b3..318ef45 100644
########################################
#
# Postfix map local policy
-@@ -372,6 +425,7 @@ optional_policy(`
+@@ -372,6 +426,7 @@ optional_policy(`
# Postfix pickup local policy
#
@@ -49557,7 +49613,7 @@ index a32c4b3..318ef45 100644
allow postfix_pickup_t self:tcp_socket create_socket_perms;
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -379,19 +433,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,19 +434,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -49585,7 +49641,7 @@ index a32c4b3..318ef45 100644
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -49594,7 +49650,7 @@ index a32c4b3..318ef45 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +483,7 @@ optional_policy(`
+@@ -420,6 +484,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -49602,7 +49658,7 @@ index a32c4b3..318ef45 100644
')
optional_policy(`
-@@ -436,11 +500,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -49620,7 +49676,7 @@ index a32c4b3..318ef45 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +557,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -49631,7 +49687,7 @@ index a32c4b3..318ef45 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +577,8 @@ optional_policy(`
+@@ -507,6 +578,8 @@ optional_policy(`
# Postfix qmgr local policy
#
@@ -49640,7 +49696,7 @@ index a32c4b3..318ef45 100644
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -49653,7 +49709,7 @@ index a32c4b3..318ef45 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -49664,7 +49720,7 @@ index a32c4b3..318ef45 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +643,14 @@ optional_policy(`
+@@ -565,6 +644,14 @@ optional_policy(`
')
optional_policy(`
@@ -49679,7 +49735,7 @@ index a32c4b3..318ef45 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -588,10 +674,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +675,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -49696,7 +49752,18 @@ index a32c4b3..318ef45 100644
')
optional_policy(`
-@@ -611,8 +703,8 @@ optional_policy(`
+@@ -599,6 +692,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ milter_stream_connect_all(postfix_smtpd_t)
++')
++
++optional_policy(`
+ postgrey_stream_connect(postfix_smtpd_t)
+ ')
+
+@@ -611,8 +708,8 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -49706,7 +49773,7 @@ index a32c4b3..318ef45 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +722,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -53413,10 +53480,10 @@ index 0000000..bf11e25
+')
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644
-index 0000000..23ba402
+index 0000000..1ec5e7c
--- /dev/null
+++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,83 @@
+policy_module(rhev,1.0)
+
+########################################
@@ -53466,6 +53533,7 @@ index 0000000..23ba402
+
+term_use_virtio_console(rhev_agentd_t)
+
++files_getattr_all_mountpoints(rhev_agentd_t)
+files_read_usr_files(rhev_agentd_t)
+
+auth_use_nsswitch(rhev_agentd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a07842c..28fd95c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 47%{?dist}
+Release: 48%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Oct 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-48
+- Allow named to connect to dirsrv by default
+- add ldapmap1_0 as a krb5_host_rcache_t file
+- Google chrome developers asked me to add bootstrap policy for nacl stuff
+- Allow rhev_agentd_t to getattr on mountpoints
+- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
+
* Mon Oct 24 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-47
- Fixes for cloudform policies which need to connect to random ports
- Make sure if an admin creates modules content it creates them with the correct label
More information about the scm-commits
mailing list