[selinux-policy/f16] - systemd needs to read lnk files of systemd unit files - FIx userdom filetrans rule to take all par

Miroslav Grepl mgrepl at fedoraproject.org
Mon Sep 19 10:53:02 UTC 2011


commit cef8d3e86bc0b19def6c0c1aab637b63f0d8796f
Author: Miroslav <mgrepl at redhat.com>
Date:   Mon Sep 19 12:52:36 2011 +0200

    - systemd needs to read lnk files of systemd unit files
    - Fix userdom filetrans rule to take all params

 policy-F16.patch    |   64 +++++++++++++++++++++++++++++++++++----------------
 selinux-policy.spec |    8 ++++-
 2 files changed, 50 insertions(+), 22 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 0f27563..badcf4e 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -26578,7 +26578,7 @@ index fd8cd0b..3d61138 100644
 +/var/run/chronyd(/.*)			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 +/var/run/chronyd\.sock			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..8fb526a 100644
+index 9a0da94..82d2d24 100644
 --- a/policy/modules/services/chronyd.if
 +++ b/policy/modules/services/chronyd.if
 @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -26767,7 +26767,7 @@ index 9a0da94..8fb526a 100644
 -	admin_pattern($1, chronyd_tmp_t)
 +	admin_pattern($1, chronyd_tmpfs_t)
 +
-+	chronyd_sysemctl($1)
++	chronyd_systemctl($1)
  ')
 diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
 index fa82327..4b32348 100644
@@ -26907,10 +26907,10 @@ index 1f11572..9eb2461 100644
  	')
  
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..4032a58 100644
+index f758323..8cd02e2 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
-@@ -1,9 +1,9 @@
+@@ -1,9 +1,16 @@
  policy_module(clamav, 1.9.0)
  
  ## <desc>
@@ -26918,12 +26918,19 @@ index f758323..4032a58 100644
 -## Allow clamd to use JIT compiler
 -## </p>
 +##	<p>
++##	Allow clamscan to read user content 
++##	</p>
++## </desc>
++gen_tunable(clamscan_read_user_content, false)
++
++## <desc>
++##	<p>
 +##	Allow clamd to use JIT compiler
 +##	</p>
  ## </desc>
  gen_tunable(clamd_use_jit, false)
  
-@@ -64,6 +64,8 @@ logging_log_file(freshclam_var_log_t)
+@@ -64,6 +71,8 @@ logging_log_file(freshclam_var_log_t)
  
  allow clamd_t self:capability { kill setgid setuid dac_override };
  dontaudit clamd_t self:capability sys_tty_config;
@@ -26932,7 +26939,7 @@ index f758323..4032a58 100644
  allow clamd_t self:fifo_file rw_fifo_file_perms;
  allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -80,6 +82,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+@@ -80,6 +89,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
  files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
  
  # var/lib files for clamd
@@ -26940,7 +26947,7 @@ index f758323..4032a58 100644
  manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
  manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
  
-@@ -89,9 +92,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+@@ -89,9 +99,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
  logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
  
  # pid file
@@ -26952,7 +26959,7 @@ index f758323..4032a58 100644
  
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
-@@ -110,6 +114,7 @@ corenet_tcp_bind_generic_node(clamd_t)
+@@ -110,6 +121,7 @@ corenet_tcp_bind_generic_node(clamd_t)
  corenet_tcp_bind_clamd_port(clamd_t)
  corenet_tcp_bind_generic_port(clamd_t)
  corenet_tcp_connect_generic_port(clamd_t)
@@ -26960,7 +26967,7 @@ index f758323..4032a58 100644
  corenet_sendrecv_clamd_server_packets(clamd_t)
  
  dev_read_rand(clamd_t)
-@@ -127,12 +132,16 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,12 +139,16 @@ logging_send_syslog_msg(clamd_t)
  
  miscfiles_read_localization(clamd_t)
  
@@ -26982,7 +26989,7 @@ index f758323..4032a58 100644
  
  optional_policy(`
  	amavis_read_lib_files(clamd_t)
-@@ -147,8 +156,10 @@ optional_policy(`
+@@ -147,8 +163,10 @@ optional_policy(`
  
  tunable_policy(`clamd_use_jit',`
  	allow clamd_t self:process execmem;
@@ -26994,7 +27001,7 @@ index f758323..4032a58 100644
  ')
  
  ########################################
-@@ -178,10 +189,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +196,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -27013,7 +27020,7 @@ index f758323..4032a58 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +206,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +213,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -27021,7 +27028,7 @@ index f758323..4032a58 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,16 +225,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +232,18 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -27044,7 +27051,7 @@ index f758323..4032a58 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +262,22 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +269,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -27062,12 +27069,19 @@ index f758323..4032a58 100644
 +corenet_tcp_bind_generic_node(clamscan_t)
  corenet_tcp_connect_clamd_port(clamscan_t)
  
++corecmd_read_all_executables(clamscan_t)
++
++tunable_policy(`clamscan_read_user_content',`
++	userdom_read_user_home_content_files(clamscan_t)
++	userdom_dontaudit_read_user_home_content_files(clamscan_t)
++')
++
  kernel_read_kernel_sysctls(clamscan_t)
 +kernel_read_system_state(clamscan_t)
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +291,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +305,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -61446,7 +61460,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..f4a1020 100644
+index 94fd8dd..6794869 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,42 @@ interface(`init_script_domain',`
@@ -61647,7 +61661,7 @@ index 94fd8dd..f4a1020 100644
 +#
 +interface(`init_dyntrans',`
 +    gen_require(`
-+        type anon_sftpd_t;
++        type init_t;
 +    ')
 +
 +    dyntrans_pattern($1, init_t)
@@ -67962,10 +67976,10 @@ index 0000000..9eaa38e
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..fc8cac1
+index 0000000..eb3673d
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,435 @@
+@@ -0,0 +1,436 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -68360,6 +68374,7 @@ index 0000000..fc8cac1
 +	')
 +
 +	manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
 +')
 +
 +########################################
@@ -69958,7 +69973,7 @@ index db75976..494ec08 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..efc9525 100644
+index 4b2878a..10ddf7d 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -71840,6 +71855,15 @@ index 4b2878a..efc9525 100644
  	files_search_home($1)
  ')
  
+@@ -2039,7 +2627,7 @@ interface(`userdom_user_home_content_filetrans',`
+ 		type user_home_dir_t, user_home_t;
+ 	')
+ 
+-	filetrans_pattern($1, user_home_t, $2, $3)
++	filetrans_pattern($1, user_home_t, $2, $3, $4)
+ 	allow $1 user_home_dir_t:dir search_dir_perms;
+ 	files_search_home($1)
+ ')
 @@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
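Review bot: `filetrans_pattern($1, user_home_t, $2, $3, $4)` now forwards a fourth argument (the filename for a named file transition), but the interface's `## <param>` header, which lies outside the hunk, presumably still documents only three; add a `## <param name="filename" optional="true">` entry with a summary such as "The name of the object being created" so callers know the name argument is accepted and optional. Callers that pass three arguments expand `$4` to nothing, which should yield an ordinary unnamed type_transition, but it is worth verifying with an existing three-argument caller that the policy still compiles.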
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 86eaca6..ad73f3d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 29.1%{?dist}
+Release: 30%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -236,7 +236,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-%{version} -q
 %patch -p1
-%patch1 -p1
+#%patch1 -p1
 
 %install
 mkdir selinux_config
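Review bot: `#%patch1 -p1` is not a reliable way to disable the patch: rpm runs macro expansion on spec lines before the leading `#` is treated as a comment, so a `%patch` macro inside a comment can still be expanded (this is what rpmlint's macro-in-comment warning is about), and the intent is ambiguous to the next reader. Either remove the line or neutralize the macro with `#%%patch1 -p1`, and if Patch1 is no longer applied consider dropping its `Patch1:` declaration as well, which is outside this hunk.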
@@ -468,6 +468,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Sep 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-30
+- systemd needs to read lnk files of systemd unit files
+- FIx userdom filetrans rule to take all params
+
 * Fri Sep 16 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-29.1
 - Make colord unconfined so we can ship RC1
 

