[selinux-policy/f16] - systemd needs to read lnk files of systemd unit files - FIx userdom filetrans rule to take all par
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Sep 19 10:53:02 UTC 2011
commit cef8d3e86bc0b19def6c0c1aab637b63f0d8796f
Author: Miroslav <mgrepl at redhat.com>
Date: Mon Sep 19 12:52:36 2011 +0200
- systemd needs to read lnk files of systemd unit files
- Fix userdom filetrans rule to take all params
policy-F16.patch | 64 +++++++++++++++++++++++++++++++++++----------------
selinux-policy.spec | 8 ++++-
2 files changed, 50 insertions(+), 22 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 0f27563..badcf4e 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -26578,7 +26578,7 @@ index fd8cd0b..3d61138 100644
+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..8fb526a 100644
+index 9a0da94..82d2d24 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -26767,7 +26767,7 @@ index 9a0da94..8fb526a 100644
- admin_pattern($1, chronyd_tmp_t)
+ admin_pattern($1, chronyd_tmpfs_t)
+
-+ chronyd_sysemctl($1)
++ chronyd_systemctl($1)
')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index fa82327..4b32348 100644
@@ -26907,10 +26907,10 @@ index 1f11572..9eb2461 100644
')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..4032a58 100644
+index f758323..8cd02e2 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
-@@ -1,9 +1,9 @@
+@@ -1,9 +1,16 @@
policy_module(clamav, 1.9.0)
## <desc>
@@ -26918,12 +26918,19 @@ index f758323..4032a58 100644
-## Allow clamd to use JIT compiler
-## </p>
+## <p>
++## Allow clamscan to read user content
++## </p>
++## </desc>
++gen_tunable(clamscan_read_user_content, false)
++
++## <desc>
++## <p>
+## Allow clamd to use JIT compiler
+## </p>
## </desc>
gen_tunable(clamd_use_jit, false)
-@@ -64,6 +64,8 @@ logging_log_file(freshclam_var_log_t)
+@@ -64,6 +71,8 @@ logging_log_file(freshclam_var_log_t)
allow clamd_t self:capability { kill setgid setuid dac_override };
dontaudit clamd_t self:capability sys_tty_config;
@@ -26932,7 +26939,7 @@ index f758323..4032a58 100644
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -80,6 +82,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
+@@ -80,6 +89,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t)
files_tmp_filetrans(clamd_t, clamd_tmp_t, { file dir })
# var/lib files for clamd
@@ -26940,7 +26947,7 @@ index f758323..4032a58 100644
manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t)
-@@ -89,9 +92,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
+@@ -89,9 +99,10 @@ manage_files_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t)
logging_log_filetrans(clamd_t, clamd_var_log_t, { dir file })
# pid file
@@ -26952,7 +26959,7 @@ index f758323..4032a58 100644
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-@@ -110,6 +114,7 @@ corenet_tcp_bind_generic_node(clamd_t)
+@@ -110,6 +121,7 @@ corenet_tcp_bind_generic_node(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_tcp_bind_generic_port(clamd_t)
corenet_tcp_connect_generic_port(clamd_t)
@@ -26960,7 +26967,7 @@ index f758323..4032a58 100644
corenet_sendrecv_clamd_server_packets(clamd_t)
dev_read_rand(clamd_t)
-@@ -127,12 +132,16 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,12 +139,16 @@ logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
@@ -26982,7 +26989,7 @@ index f758323..4032a58 100644
optional_policy(`
amavis_read_lib_files(clamd_t)
-@@ -147,8 +156,10 @@ optional_policy(`
+@@ -147,8 +163,10 @@ optional_policy(`
tunable_policy(`clamd_use_jit',`
allow clamd_t self:process execmem;
@@ -26994,7 +27001,7 @@ index f758323..4032a58 100644
')
########################################
-@@ -178,10 +189,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +196,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -27013,7 +27020,7 @@ index f758323..4032a58 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +206,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +213,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -27021,7 +27028,7 @@ index f758323..4032a58 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +225,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +232,18 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -27044,7 +27051,7 @@ index f758323..4032a58 100644
########################################
#
# clamscam local policy
-@@ -242,15 +262,22 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +269,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -27062,12 +27069,19 @@ index f758323..4032a58 100644
+corenet_tcp_bind_generic_node(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t)
++corecmd_read_all_executables(clamscan_t)
++
++tunable_policy(`clamscan_read_user_content',`
++ userdom_read_user_home_content_files(clamscan_t)
++ userdom_dontaudit_read_user_home_content_files(clamscan_t)
++')
++
kernel_read_kernel_sysctls(clamscan_t)
+kernel_read_system_state(clamscan_t)
files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +291,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +305,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
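Review bot: The `userdom_dontaudit_read_user_home_content_files(clamscan_t)` call sits in the same branch of `tunable_policy(`clamscan_read_user_content',` as the allow rule, where it is a no-op: when the boolean is on the access is already allowed, and the denials it is meant to silence only occur when the boolean is off. The refpolicy idiom is to put the dontaudit in the else branch, so insert `',`` between the two calls so the block reads allow-when-true, dontaudit-when-false. The unconditional `corecmd_read_all_executables(clamscan_t)` two lines above is a wide grant that is not covered by the tunable; it looks intended for scanning installed binaries, and a comment such as `# scan installed executables` would record that intent. Note that the home-content interface used here appears to cover regular files only, so if the scanner follows symlinks inside home directories those reads would presumably still be denied and should be granted deliberately rather than by widening to a broader interface.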
@@ -61446,7 +61460,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..f4a1020 100644
+index 94fd8dd..6794869 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,42 @@ interface(`init_script_domain',`
@@ -61647,7 +61661,7 @@ index 94fd8dd..f4a1020 100644
+#
+interface(`init_dyntrans',`
+ gen_require(`
-+ type anon_sftpd_t;
++ type init_t;
+ ')
+
+ dyntrans_pattern($1, init_t)
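Review bot: With the gen_require corrected to `type init_t;`, `dyntrans_pattern($1, init_t)` lets any caller of `init_dyntrans` perform a dynamic transition into init_t, i.e. acquire the full authority of the init domain without an exec, which is about the strongest grant an interface can hand out, and nothing in the hunk says who is meant to call it. The interface's summary/description header begins outside the hunk (only its closing `+#` is visible); it should state this explicitly, for example `## Allow the specified domain to dynamically transition to init_t, acquiring init's full privileges; grant only to domains trusted as much as init itself.` Any caller added later should be reviewed with the same care as a domain allowed to exec into init_t.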
@@ -67962,10 +67976,10 @@ index 0000000..9eaa38e
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..fc8cac1
+index 0000000..eb3673d
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,435 @@
+@@ -0,0 +1,436 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -68360,6 +68374,7 @@ index 0000000..fc8cac1
+ ')
+
+ manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++ manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
+')
+
+########################################
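Review bot: The commit message says systemd needs to *read* lnk files of unit files, but the added rule is `manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)`, which also grants create, write, rename and unlink on those symlinks. That is consistent with the `manage_files_pattern` call on the line above, so this is presumably a manage-style interface whose name begins outside the hunk; if so the message understates the grant, and if the actual need is only to follow symlinked units, the corresponding read-style interface should get `read_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)` instead, so the caller does not gain the ability to repoint unit files. Either way the interface's doc header should mention that lnk_file is now covered alongside file.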
@@ -69958,7 +69973,7 @@ index db75976..494ec08 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..efc9525 100644
+index 4b2878a..10ddf7d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -71840,6 +71855,15 @@ index 4b2878a..efc9525 100644
files_search_home($1)
')
+@@ -2039,7 +2627,7 @@ interface(`userdom_user_home_content_filetrans',`
+ type user_home_dir_t, user_home_t;
+ ')
+
+- filetrans_pattern($1, user_home_t, $2, $3)
++ filetrans_pattern($1, user_home_t, $2, $3, $4)
+ allow $1 user_home_dir_t:dir search_dir_perms;
+ files_search_home($1)
+ ')
@@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
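Review bot: Passing `$4` through in `filetrans_pattern($1, user_home_t, $2, $3, $4)` adds an optional object-name argument to `userdom_user_home_content_filetrans`, but the interface's `<param>` documentation block is above the hunk and is not updated here; it should gain an entry such as `## <param name="name" optional="true"><summary>The name of the object being created.</summary></param>` so the documentation matches the four-argument signature. Existing three-argument callers presumably keep working because the trailing m4 argument expands to nothing and the type_transition falls back to the unnamed form; that is worth confirming against the pattern macro, as is that the target policy version accepts named file transitions for callers that do pass a name.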
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 86eaca6..ad73f3d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 29.1%{?dist}
+Release: 30%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -236,7 +236,7 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-%{version} -q
%patch -p1
-%patch1 -p1
+#%patch1 -p1
%install
mkdir selinux_config
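Review bot: Commenting out `%patch1 -p1` stops Patch1 from being applied, yet the `Patch1:` source line (presumably outside the hunk) is left in place and the 3.10.0-30 changelog entry added in the next hunk does not mention it, so a reader of the package history cannot tell that a previously applied patch was silently dropped from the build. If the patch is no longer needed, remove the `Patch1:` line and say so in the changelog; if this is a temporary disable, a comment such as `# Patch1 disabled: <reason placeholder>; re-enable before the next build` beside the commented line records why. Dropping a policy patch changes the shipped policy and should be traceable from the spec alone.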
@@ -468,6 +468,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Sep 19 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-30
+- systemd needs to read lnk files of systemd unit files
+- FIx userdom filetrans rule to take all params
+
* Fri Sep 16 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-29.1
- Make colord unconfined so we can ship RC1