[selinux-policy/f15] - Make mta_role() active - Add additional gitweb file context labeling - Allow asterisk to connect t
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Sep 27 06:26:55 UTC 2011
commit 788ab84e6ec0465aad70c264bffd7b96a4685701
Author: Miroslav <mgrepl at redhat.com>
Date: Tue Sep 27 08:26:31 2011 +0200
- Make mta_role() active
- Add additional gitweb file context labeling
- Allow asterisk to connect to jabber client port
- Allow sssd to read the contents of /sys/class/net/$IFACE_NAME
- Allow fsdaemon dac_override
policy-F15.patch | 150 +++++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 9 +++-
2 files changed, 113 insertions(+), 46 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 70cc165..3bad313 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -15778,7 +15778,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..d7510f3 100644
+index 2be17d2..4847432 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
@@ -15835,7 +15835,7 @@ index 2be17d2..d7510f3 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,31 +68,143 @@ optional_policy(`
+@@ -27,31 +68,147 @@ optional_policy(`
')
optional_policy(`
@@ -15897,6 +15897,10 @@ index 2be17d2..d7510f3 100644
+')
+
+optional_policy(`
++ mta_role(staff_r, staff_t)
++')
++
++optional_policy(`
+ mysql_exec(staff_t)
+')
+
@@ -15981,7 +15985,7 @@ index 2be17d2..d7510f3 100644
xserver_role(staff_r, staff_t)
')
-@@ -89,10 +242,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +246,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -15992,6 +15996,17 @@ index 2be17d2..d7510f3 100644
gpg_role(staff_r, staff_t)
')
+@@ -121,10 +274,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ pyzor_role(staff_r, staff_t)
+ ')
+
@@ -137,10 +286,6 @@ ifndef(`distro_redhat',`
')
@@ -17587,10 +17602,10 @@ index 0000000..dc3f3b7
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..4ac582b 100644
+index e5bfdd4..724f9be 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,74 @@ role user_r;
+@@ -12,15 +12,78 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -17629,6 +17644,10 @@ index e5bfdd4..4ac582b 100644
+')
+
+optional_policy(`
++ mta_role(user_r, user_t)
++')
++
++optional_policy(`
+ netutils_run_ping_cond(user_t, user_r)
+ netutils_run_traceroute_cond(user_t, user_r)
+')
@@ -17665,7 +17684,7 @@ index e5bfdd4..4ac582b 100644
vlock_run(user_t, user_r)
')
-@@ -62,10 +121,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +125,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17676,6 +17695,17 @@ index e5bfdd4..4ac582b 100644
gpg_role(user_r, user_t)
')
+@@ -98,10 +157,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ postgresql_role(user_r, user_t)
+ ')
+
@@ -118,11 +173,7 @@ ifndef(`distro_redhat',`
')
@@ -20983,7 +21013,7 @@ index 8b8143e..c1a2b96 100644
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..0e8a352 100644
+index b3b0176..dfd730f 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -23,6 +23,7 @@ files_type(asterisk_spool_t)
@@ -21016,16 +21046,17 @@ index b3b0176..0e8a352 100644
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t)
+@@ -108,6 +110,9 @@ corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_festival_port(asterisk_t)
++corenet_tcp_connect_jabber_client_port(asterisk_t)
+corenet_tcp_connect_pktcable_port(asterisk_t)
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
-@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t)
+@@ -116,6 +121,7 @@ dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
@@ -21033,7 +21064,7 @@ index b3b0176..0e8a352 100644
dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-@@ -125,6 +130,7 @@ files_search_spool(asterisk_t)
+@@ -125,6 +131,7 @@ files_search_spool(asterisk_t)
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
files_read_usr_files(asterisk_t)
@@ -21041,7 +21072,7 @@ index b3b0176..0e8a352 100644
fs_getattr_all_fs(asterisk_t)
fs_list_inotifyfs(asterisk_t)
-@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -141,6 +148,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
@@ -29211,10 +29242,10 @@ index 99a94de..6dbc203 100644
files_search_etc(gatekeeper_t)
diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc
-index 54f0737..2b552c5 100644
+index 54f0737..44a9663 100644
--- a/policy/modules/services/git.fc
+++ b/policy/modules/services/git.fc
-@@ -1,3 +1,13 @@
+@@ -1,3 +1,17 @@
+HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0)
+HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0)
@@ -29225,10 +29256,14 @@ index 54f0737..2b552c5 100644
+
/var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
-/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0)
++
+/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0)
++
/var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
+/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0)
-+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 458aac6..03645a9 100644
--- a/policy/modules/services/git.if
@@ -39648,7 +39683,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..609ff86 100644
+index 29b9295..6451f82 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -39670,9 +39705,14 @@ index 29b9295..609ff86 100644
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -76,9 +79,15 @@ files_search_pids(procmail_t)
+@@ -75,10 +78,20 @@ files_search_pids(procmail_t)
+ # for spamassasin
files_read_usr_files(procmail_t)
++application_exec_all(procmail_t)
++
++init_read_utmp(procmail_t)
++
logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
@@ -39686,7 +39726,7 @@ index 29b9295..609ff86 100644
# only works until we define a different type for maildir
userdom_manage_user_home_content_dirs(procmail_t)
userdom_manage_user_home_content_files(procmail_t)
-@@ -87,8 +96,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
userdom_manage_user_home_content_sockets(procmail_t)
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
@@ -39697,7 +39737,7 @@ index 29b9295..609ff86 100644
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -125,6 +134,11 @@ optional_policy(`
+@@ -125,6 +138,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
@@ -44140,7 +44180,7 @@ index adea9f9..d5b2d93 100644
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..13ffcc1 100644
+index 606a098..8b11acc 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -35,7 +35,7 @@ ifdef(`enable_mls',`
@@ -44148,7 +44188,7 @@ index 606a098..13ffcc1 100644
#
-allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin };
-+allow fsdaemon_t self:capability { kill setpcap setgid sys_rawio sys_admin };
++allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
@@ -45993,7 +46033,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..4ecf377 100644
+index 8ffa257..f6ef6a9 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -46019,7 +46059,7 @@ index 8ffa257..4ecf377 100644
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,10 +50,15 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -46031,8 +46071,11 @@ index 8ffa257..4ecf377 100644
+
corecmd_exec_bin(sssd_t)
++dev_read_sysfs(sssd_t)
dev_read_urand(sssd_t)
-@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t)
+
+ domain_read_all_domains_state(sssd_t)
+@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
@@ -46040,7 +46083,7 @@ index 8ffa257..4ecf377 100644
fs_list_inotifyfs(sssd_t)
-@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t)
+@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
@@ -46049,7 +46092,7 @@ index 8ffa257..4ecf377 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
@@ -46062,7 +46105,7 @@ index 8ffa257..4ecf377 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +100,28 @@ optional_policy(`
+@@ -87,4 +101,28 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -55399,10 +55442,24 @@ index c7cfb62..ee89659 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..d692349 100644
+index 9b5a9ed..dac690e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -19,6 +19,11 @@ type auditd_log_t;
+@@ -5,6 +5,13 @@ policy_module(logging, 1.17.0)
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow syslogd daemon to send mail
++## </p>
++## </desc>
++gen_tunable(logging_syslogd_can_sendmail, false)
++
+ attribute logfile;
+
+ type auditctl_t;
+@@ -19,6 +26,11 @@ type auditd_log_t;
files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
@@ -55414,7 +55471,7 @@ index 9b5a9ed..d692349 100644
type auditd_t;
type auditd_exec_t;
init_daemon_domain(auditd_t, auditd_exec_t)
-@@ -55,11 +60,12 @@ type klogd_var_run_t;
+@@ -55,11 +67,12 @@ type klogd_var_run_t;
files_pid_file(klogd_var_run_t)
type syslog_conf_t;
@@ -55428,7 +55485,7 @@ index 9b5a9ed..d692349 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -179,10 +185,13 @@ logging_send_syslog_msg(auditd_t)
+@@ -179,10 +192,13 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -55442,7 +55499,7 @@ index 9b5a9ed..d692349 100644
seutil_dontaudit_read_config(auditd_t)
-@@ -234,7 +243,12 @@ domain_use_interactive_fds(audisp_t)
+@@ -234,7 +250,12 @@ domain_use_interactive_fds(audisp_t)
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
@@ -55455,7 +55512,7 @@ index 9b5a9ed..d692349 100644
logging_send_syslog_msg(audisp_t)
-@@ -244,14 +258,26 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -244,14 +265,26 @@ sysnet_dns_name_resolve(audisp_t)
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -55483,7 +55540,7 @@ index 9b5a9ed..d692349 100644
corenet_all_recvfrom_unlabeled(audisp_remote_t)
corenet_all_recvfrom_netlabel(audisp_remote_t)
-@@ -265,10 +291,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -265,10 +298,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -55503,7 +55560,7 @@ index 9b5a9ed..d692349 100644
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -338,11 +373,12 @@ optional_policy(`
+@@ -338,11 +380,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -55518,7 +55575,7 @@ index 9b5a9ed..d692349 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -360,6 +396,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -360,6 +403,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -55526,7 +55583,7 @@ index 9b5a9ed..d692349 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -369,9 +406,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -369,9 +413,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -55542,12 +55599,14 @@ index 9b5a9ed..d692349 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -410,9 +453,16 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -410,9 +460,18 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
-+# support for ommail module to send logs via mail
-+corenet_tcp_connect_smtp_port(syslogd_t)
++tunable_policy(`logging_syslogd_can_sendmail',`
++ # support for ommail module to send logs via mail
++ corenet_tcp_connect_smtp_port(syslogd_t)
++')
+
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
@@ -55559,7 +55618,7 @@ index 9b5a9ed..d692349 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -432,6 +482,7 @@ term_write_console(syslogd_t)
+@@ -432,6 +491,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -55567,7 +55626,7 @@ index 9b5a9ed..d692349 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -443,6 +494,7 @@ init_use_fds(syslogd_t)
+@@ -443,6 +503,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -55575,7 +55634,7 @@ index 9b5a9ed..d692349 100644
miscfiles_read_localization(syslogd_t)
-@@ -480,6 +532,10 @@ optional_policy(`
+@@ -480,6 +541,10 @@ optional_policy(`
')
optional_policy(`
@@ -55586,7 +55645,7 @@ index 9b5a9ed..d692349 100644
postgresql_stream_connect(syslogd_t)
')
-@@ -488,6 +544,10 @@ optional_policy(`
+@@ -488,6 +553,10 @@ optional_policy(`
')
optional_policy(`
@@ -58695,10 +58754,10 @@ index 0000000..da83870
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..2e1f7a0
+index 0000000..2437352
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,225 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -58799,6 +58858,7 @@ index 0000000..2e1f7a0
+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
+fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
++fs_list_all(systemd_tmpfiles_t)
+
+files_delete_kernel_modules(systemd_tmpfiles_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ecc8ee6..bf2e153 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 41%{?dist}
+Release: 42%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
%endif
%changelog
+* Thu Sep 27 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-42
+- Make mta_role() active
+- Add additional gitweb file context labeling
+- Allow asterisk to connect to jabber client port
+- Allow sssd to read the contents of /sys/class/net/$IFACE_NAME
+- Allow fsdaemon dac_override
+
* Thu Sep 22 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.16-41
- Add logging_syslogd_can_sendmail boolean
- Add support for exim and confined users
More information about the scm-commits
mailing list