[selinux-policy] Begin removing qemu_t domain, we really no longer need this domain. systemd_passwd needs dac_overide

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 27 17:52:04 UTC 2011


commit 26536c5d3949dc8bf1a15d5204698c8f69684c76
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Oct 27 13:51:59 2011 -0400

    Begin removing qemu_t domain, we really no longer need this domain.
    systemd_passwd needs dac_override to communicate with users' TTYs
    Allow svirt_lxc domains to send kill signals within their container

 policy-F16.patch    |   52 ++++++++++++++++++++++++--------------------------
 qemu.patch          |   24 ++++++++++++++--------
 selinux-policy.spec |    7 +++++-
 3 files changed, 46 insertions(+), 37 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index ffb6ad5..5356641 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -20736,7 +20736,7 @@ index be4de58..7e8b6ec 100644
  init_exec(secadm_t)
  
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..2c588ca 100644
+index 2be17d2..b172ab4 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -20795,7 +20795,7 @@ index 2be17d2..2c588ca 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,19 +70,113 @@ optional_policy(`
+@@ -27,19 +70,107 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20883,12 +20883,6 @@ index 2be17d2..2c588ca 100644
  ')
  
  optional_policy(`
-+	qemu_run(staff_t, staff_r)
-+	virt_manage_tmpfs_files(staff_t)
-+	virt_filetrans_home_content(staff_t)
-+')
-+
-+optional_policy(`
 +	rtkit_scheduled(staff_t)
 +')
 +
@@ -20911,7 +20905,7 @@ index 2be17d2..2c588ca 100644
  ')
  
  optional_policy(`
-@@ -48,10 +185,48 @@ optional_policy(`
+@@ -48,10 +179,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20960,7 +20954,7 @@ index 2be17d2..2c588ca 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -89,18 +264,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +258,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20979,7 +20973,7 @@ index 2be17d2..2c588ca 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -121,10 +288,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +282,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20990,7 +20984,7 @@ index 2be17d2..2c588ca 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +300,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +294,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -21001,7 +20995,7 @@ index 2be17d2..2c588ca 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +331,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +325,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -61079,7 +61073,7 @@ index 7c5d8d8..d711fd5 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..148ce98 100644
+index 3eca020..d2d599b 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@@ -61528,10 +61522,15 @@ index 3eca020..148ce98 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -365,6 +519,12 @@ optional_policy(`
- 	qemu_signal(virtd_t)
- 	qemu_kill(virtd_t)
- 	qemu_setsched(virtd_t)
+@@ -360,11 +514,12 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	qemu_domtrans(virtd_t)
+-	qemu_read_state(virtd_t)
+-	qemu_signal(virtd_t)
+-	qemu_kill(virtd_t)
+-	qemu_setsched(virtd_t)
 +	qemu_entry_type(virt_domain)
 +	qemu_exec(virt_domain)
 +')
@@ -61541,7 +61540,7 @@ index 3eca020..148ce98 100644
  ')
  
  optional_policy(`
-@@ -394,20 +554,36 @@ optional_policy(`
+@@ -394,20 +549,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -61581,7 +61580,7 @@ index 3eca020..148ce98 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +594,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -61594,7 +61593,7 @@ index 3eca020..148ce98 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +606,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +601,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -61607,7 +61606,7 @@ index 3eca020..148ce98 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +619,360 @@ files_search_all(virt_domain)
+@@ -440,25 +614,359 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -61772,8 +61771,6 @@ index 3eca020..148ce98 100644
 +
 +allow virtd_lxc_t virt_image_type:dir mounton;
 +
-+allow virtd_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
-+
 +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
 +allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 +
@@ -61846,11 +61843,12 @@ index 3eca020..148ce98 100644
 +#
 +# virt_lxc_domain local policy
 +#
-+allow svirt_lxc_domain self:capability { setuid setgid dac_override };
++allow svirt_lxc_domain self:capability { kill setuid setgid dac_override };
 +dontaudit svirt_lxc_domain self:capability sys_ptrace;
 +
 +allow virtd_t svirt_lxc_domain:process { signal_perms };
 +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
++
 +allow svirt_lxc_domain virtd_lxc_t:fd use;
 +allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
 +dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
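Review bot: The `kill` added in `allow svirt_lxc_domain self:capability { kill setuid setgid dac_override };` grants CAP_KILL, which lifts the UID ownership check on signal delivery and is not in itself scoped to a container. What keeps signals "within their container" is then the `process` class rules for svirt_lxc_domain, presumably together with MCS separation and the PID namespace. None of those are visible in this hunk, so it is worth confirming that svirt_lxc_domain holds signal permissions only on its own processes. I would record the reason above the rule, e.g. `# kill: container init must signal processes running under other UIDs; targets are limited by the process signal rules`. The svirt_lxc_domain local policy section continues outside the hunk.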
@@ -73473,7 +73471,7 @@ index 0000000..79c358c
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a84b8e7
+index 0000000..84e0e66
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,371 @@
@@ -73624,7 +73622,7 @@ index 0000000..a84b8e7
 +# Local policy
 +#
 +
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config };
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
 +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
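Review bot: The `dac_override` added in `allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };` lets the agent bypass file mode checks on every object its type enforcement rules already permit, not only on TTYs. The commit message gives user TTYs as the reason, so a comment such as `# dac_override: needed to write to TTYs owned by the logged-in user` would keep that intent next to the rule. Because DAC no longer backs up this domain's file access, its file and device write rules should be checked to stay narrow; they are outside this hunk.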
diff --git a/qemu.patch b/qemu.patch
index 32decbe..5f5ea80 100644
--- a/qemu.patch
+++ b/qemu.patch
@@ -1,6 +1,6 @@
 diff -up serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu serefpolicy-3.10.0/policy/modules/apps/qemu.te
---- serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu	2011-10-26 10:41:20.413408329 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/qemu.te	2011-10-26 10:41:21.207408907 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu	2011-10-27 10:18:21.010189947 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/qemu.te	2011-10-27 10:18:22.989187237 -0400
 @@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
  ## </desc>
  gen_tunable(qemu_use_usb, true)
@@ -12,8 +12,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu serefpolicy-3.10.0/
  
  ########################################
 diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.qemu serefpolicy-3.10.0/policy/modules/services/virt.if
---- serefpolicy-3.10.0/policy/modules/services/virt.if.qemu	2011-10-26 10:41:21.180408888 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.if	2011-10-26 10:41:21.208408908 -0400
+--- serefpolicy-3.10.0/policy/modules/services/virt.if.qemu	2011-10-27 10:18:22.901187358 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.if	2011-10-27 10:18:22.992187233 -0400
 @@ -16,10 +16,11 @@ template(`virt_domain_template',`
  		attribute virt_image_type, virt_domain;
  		attribute virt_tmpfs_type;
@@ -50,9 +50,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.qemu serefpolicy-3.1
 +')
 +
 diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.qemu serefpolicy-3.10.0/policy/modules/services/virt.te
---- serefpolicy-3.10.0/policy/modules/services/virt.te.qemu	2011-10-26 10:41:21.181408889 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-26 10:42:00.351437032 -0400
-@@ -78,6 +78,8 @@ attribute virt_domain;
+--- serefpolicy-3.10.0/policy/modules/services/virt.te.qemu	2011-10-27 10:18:22.903187356 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-27 10:19:28.334099091 -0400
+@@ -73,11 +73,14 @@ gen_tunable(virt_use_usb, true)
+ 
+ virt_domain_template(svirt)
+ role system_r types svirt_t;
++typealias svirt_t alias qemu_t;
+ 
+ attribute virt_domain;
  attribute virt_image_type;
  attribute virt_tmpfs_type;
  
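Review bot: `typealias svirt_t alias qemu_t;` makes every remaining rule that names qemu_t apply to svirt_t, so any permission granted elsewhere to the old standalone qemu domain is silently inherited by the sVirt guest domain. This commit only touches the qemu references in staff.te and virt.te, and references in other modules are not visible here. Searching the built policy for rules with qemu_t as source or target before release would confirm that svirt_t has not gained access it did not have. A comment above the line, e.g. `# qemu_t kept only as an alias so existing references resolve; drop once they are gone`, would mark it as transitional.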
@@ -61,7 +67,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.qemu serefpolicy-3.1
  type virt_cache_t alias svirt_cache_t;
  files_type(virt_cache_t)
  
-@@ -279,6 +281,8 @@ allow virtd_t virt_domain:process { geta
+@@ -279,6 +282,8 @@ allow virtd_t virt_domain:process { geta
  allow virt_domain virtd_t:fd use;
  dontaudit virt_domain virtd_t:unix_stream_socket { read write };
  
@@ -70,7 +76,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.qemu serefpolicy-3.1
  allow virtd_t qemu_var_run_t:file relabel_file_perms;
  manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
  manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
-@@ -514,16 +518,6 @@ optional_policy(`
+@@ -514,16 +519,6 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 866d89f..616ea31 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 50.2%{?dist}
+Release: 51%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Oct 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-51
+-  Begin removing qemu_t domain, we really no longer need this domain.  
+- systemd_passwd needs dac_overide to communicate with users TTY's
+- Allow svirt_lxc domains to send kill signals within their container
+
 * Thu Oct 27 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-50.2
 - Remove qemu.pp again without causing a crash
 

