[selinux-policy/f17] * Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-113 - Allow svirt_t to create content in
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Apr 10 20:03:39 UTC 2012
commit 007424272c0c5f3c6a3399426b8bde83a292286c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Apr 10 22:03:31 2012 +0200
* Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-113
- Allow svirt_t to create content in the users homedir under ~/.libvirt
- Fix label on /var/lib/heartbeat
- Allow systemd_logind_t to send kill signals to all processes started by a user
- Fuse now supports Xattr Support
policy-F16.patch | 189 ++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 8 ++-
2 files changed, 143 insertions(+), 54 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index aa998e5..56b89a2 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -78788,7 +78788,7 @@ index 97fcdac..cddd329 100644
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f125dc2..f5e522e 100644
+index f125dc2..990455d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -78844,7 +78844,36 @@ index f125dc2..f5e522e 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -230,14 +229,24 @@ genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
+ genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
+
+ type fusefs_t;
+-fs_noxattr_type(fusefs_t)
++fs_type(fusefs_t)
++files_type(fusefs_t)
+ files_mountpoint(fusefs_t)
++files_poly_parent(fusefs_t)
++dev_associate(fusefs_t)
++
+ allow fusefs_t self:filesystem associate;
+ allow fusefs_t fs_t:filesystem associate;
+-genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+-genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+-genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
+
++# Use a transition SID based on the allocating task SID and the
++# filesystem SID to label inodes in the following filesystem types,
++# and label the filesystem itself with the specified context.
++# This is appropriate for pseudo filesystems like devpts and tmpfs
++# where we want to label objects with a derived type.
++fs_use_trans fuse gen_context(system_u:object_r:fusefs_t,s0);
++fs_use_trans fuseblk gen_context(system_u:object_r:fusefs_t,s0);
++fs_use_trans fusectl gen_context(system_u:object_r:fusefs_t,s0);
++allow fusefs_t noxattrfs:filesystem associate;
+ #
+ # iso9660_t is the type for CD filesystems
+ # and their files.
+@@ -254,6 +263,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
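Review bot: The comment added above the three `fs_use_trans` lines describes transition-SID labelling for pseudo filesystems like devpts and tmpfs, while this release's changelog says FUSE now supports xattrs; the two do not agree, because `fs_use_trans` derives labels at creation time and does not read them from extended attributes (that is `fs_use_xattr`). Dropping `fs_noxattr_type(fusefs_t)` also takes fusefs_t out of the `noxattrfs` attribute, so access granted through that attribute (for example `fs_rw_inherited_noxattr_fs_files(virt_domain)` elsewhere in this patch) presumably no longer covers FUSE mounts and each consumer should be checked. I would replace the copied comment with one that states the intent for FUSE, e.g. `# FUSE: label new inodes by type transition instead of a fixed genfscon context`.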
@@ -78853,7 +78882,7 @@ index f125dc2..f5e522e 100644
files_mountpoint(removable_t)
#
-@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +284,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -93528,10 +93557,10 @@ index e67a003..cc813f3 100644
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..945b4fa 100644
+index 3a6d7eb..91569e7 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
-@@ -1,8 +1,16 @@
+@@ -1,12 +1,22 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
@@ -93543,12 +93572,12 @@ index 3a6d7eb..945b4fa 100644
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
-+/usr/lib(64)?/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+/usr/lib(64)?/heartbeat/heartbeat -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
++/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
-@@ -10,3 +18,5 @@
+ /var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
@@ -130515,7 +130544,7 @@ index 7c5d8d8..c542fe7 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..9386b72 100644
+index 3eca020..56e57cd 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -130626,13 +130655,16 @@ index 3eca020..9386b72 100644
type virt_etc_t;
files_config_file(virt_etc_t)
-@@ -62,23 +93,31 @@ files_config_file(virt_etc_t)
+@@ -62,23 +93,34 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
+type virt_home_t;
+userdom_user_home_content(virt_home_t)
+
++type svirt_home_t;
++userdom_user_home_content(svirt_home_t)
++
# virt Image files
type virt_image_t; # customizable
virt_image(virt_image_t)
@@ -130659,7 +130691,7 @@ index 3eca020..9386b72 100644
type virtd_t;
type virtd_exec_t;
-@@ -89,6 +128,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +131,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -130671,7 +130703,7 @@ index 3eca020..9386b72 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -97,6 +141,34 @@ ifdef(`enable_mls',`
+@@ -97,6 +144,34 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -130706,7 +130738,7 @@ index 3eca020..9386b72 100644
########################################
#
# svirt local policy
-@@ -104,15 +176,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +179,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@@ -130723,7 +130755,7 @@ index 3eca020..9386b72 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +199,15 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +202,17 @@ corenet_tcp_connect_all_ports(svirt_t)
dev_list_sysfs(svirt_t)
@@ -130733,13 +130765,15 @@ index 3eca020..9386b72 100644
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
+append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-+# needed for creating of monitors
-+create_sock_files_pattern(svirt_t, virt_home_t, virt_home_t)
-+stream_connect_pattern(svirt_t, virt_home_t, virt_home_t, virtd_t)
++manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
++manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
++manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
++filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, { dir sock_file file })
++stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +222,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +227,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
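Review bot: The replacement rules widen the guest's access under ~/.libvirt from creating socket files in virt_home_t to full `manage_dirs_pattern`/`manage_files_pattern`/`manage_sock_files_pattern` on svirt_home_t, and the explanatory comment `# needed for creating of monitors` was dropped with the old lines. Every svirt_t guest gets the same type-level access to svirt_home_t (the type declared in the earlier virt.te hunk), so separation between guests in this directory presumably rests on MCS categories alone; a comment such as `# monitor sockets and per-guest content under ~/.libvirt; guests are separated by MCS, not by type` would record that. `filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, { dir sock_file file })` only labels objects at creation, so unless a matching file-context entry exists outside the visible hunks, a relabel of the home directory would likely return them to virt_home_t.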
@@ -130755,7 +130789,7 @@ index 3eca020..9386b72 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +239,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +244,28 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -130784,7 +130818,7 @@ index 3eca020..9386b72 100644
xen_rw_image_files(svirt_t)
')
-@@ -173,22 +269,41 @@ optional_policy(`
+@@ -173,22 +274,41 @@ optional_policy(`
# virtd local policy
#
@@ -130833,7 +130867,7 @@ index 3eca020..9386b72 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +314,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +319,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -130854,7 +130888,7 @@ index 3eca020..9386b72 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +341,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +346,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -130870,7 +130904,7 @@ index 3eca020..9386b72 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +369,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +374,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -130905,7 +130939,7 @@ index 3eca020..9386b72 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +403,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +408,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -130924,7 +130958,7 @@ index 3eca020..9386b72 100644
mcs_process_set_categories(virtd_t)
-@@ -276,6 +429,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +434,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -130933,14 +130967,14 @@ index 3eca020..9386b72 100644
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +440,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +445,31 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -130965,7 +130999,7 @@ index 3eca020..9386b72 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +483,10 @@ optional_policy(`
+@@ -313,6 +488,10 @@ optional_policy(`
')
optional_policy(`
@@ -130976,7 +131010,7 @@ index 3eca020..9386b72 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -326,6 +500,14 @@ optional_policy(`
+@@ -326,6 +505,14 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -130991,7 +131025,7 @@ index 3eca020..9386b72 100644
')
optional_policy(`
-@@ -334,11 +516,14 @@ optional_policy(`
+@@ -334,11 +521,14 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_read_pid_files(virtd_t)
dnsmasq_signull(virtd_t)
@@ -131006,7 +131040,7 @@ index 3eca020..9386b72 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -360,11 +545,11 @@ optional_policy(`
+@@ -360,11 +550,11 @@ optional_policy(`
')
optional_policy(`
@@ -131023,7 +131057,7 @@ index 3eca020..9386b72 100644
')
optional_policy(`
-@@ -394,20 +579,36 @@ optional_policy(`
+@@ -394,20 +584,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -131063,7 +131097,7 @@ index 3eca020..9386b72 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +619,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +624,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -131077,7 +131111,7 @@ index 3eca020..9386b72 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +632,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +637,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -131090,7 +131124,7 @@ index 3eca020..9386b72 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +645,396 @@ files_search_all(virt_domain)
+@@ -440,25 +650,396 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -131098,12 +131132,12 @@ index 3eca020..9386b72 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -135317,10 +135351,35 @@ index f9a06d2..3d407c6 100644
files_read_etc_files(zos_remote_t)
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index 1b6619e..c480ddd 100644
+index 1b6619e..3aed6ad 100644
--- a/policy/modules/system/application.if
+++ b/policy/modules/system/application.if
-@@ -205,3 +205,21 @@ interface(`application_dontaudit_sigkill',`
+@@ -189,6 +189,24 @@ interface(`application_dontaudit_signal',`
+
+ ########################################
+ ## <summary>
++## Send kill signals to all application domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`application_sigkill',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:process sigkill;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to send kill signals
+ ## to all application domains.
+ ## </summary>
+@@ -205,3 +223,21 @@ interface(`application_dontaudit_sigkill',`
dontaudit $1 application_domain_type:process sigkill;
')
@@ -145206,10 +145265,10 @@ index 0000000..a7e3666
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..68bf0f6
+index 0000000..4014dae
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,403 @@
+@@ -0,0 +1,409 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -145270,7 +145329,7 @@ index 0000000..68bf0f6
+#
+
+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
-+allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
++allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
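Review bot: The `kill` capability is added to systemd_logind_t's capability set without a stated reason, and the comment directly above the rule still explains only `dac_override`. Together with the six calls added in the later systemd.te hunk (`userdom_signal_all_users`, `userdom_signull_all_users`, `userdom_kill_all_users`, `application_signal`, `application_signull`, `application_sigkill`), logind may now signal every process in the `userdomain` and `application_domain_type` attributes. That is broader than the changelog's "processes started by a user", since type enforcement cannot scope the permission to one user or session. I would extend the comment, e.g. `# kill: send signals to processes started by a user (see the userdom_*/application_* signal rules below)`.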
@@ -145340,6 +145399,12 @@ index 0000000..68bf0f6
+userdom_manage_user_tmp_files(systemd_logind_t)
+userdom_manage_user_tmp_symlinks(systemd_logind_t)
+userdom_manage_user_tmp_sockets(systemd_logind_t)
++userdom_signal_all_users(systemd_logind_t)
++userdom_signull_all_users(systemd_logind_t)
++userdom_kill_all_users(systemd_logind_t)
++application_signal(systemd_logind_t)
++application_signull(systemd_logind_t)
++application_sigkill(systemd_logind_t)
+
+optional_policy(`
+ cron_dbus_chat_crond(systemd_logind_t)
@@ -146896,7 +146961,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..2358d96 100644
+index 4b2878a..a93af01 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -149276,10 +149341,30 @@ index 4b2878a..2358d96 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3836,24 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3834,42 @@ interface(`userdom_signal_all_users',`
+ allow $1 userdomain:process signal;
+ ')
- ########################################
- ## <summary>
++#######################################
++## <summary>
++## Send signull to all user domains.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_signull_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process signull;
++')
++
++########################################
++## <summary>
+## Send kill signals to all user domains.
+## </summary>
+## <param name="domain">
@@ -149296,12 +149381,10 @@ index 4b2878a..2358d96 100644
+ allow $1 userdomain:process sigkill;
+')
+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
## Send a SIGCHLD signal to all user domains.
- ## </summary>
- ## <param name="domain">
-@@ -3160,6 +3872,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3890,24 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
@@ -149326,7 +149409,7 @@ index 4b2878a..2358d96 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3924,1273 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3942,1273 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8f80045..ec14fcb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 112%{?dist}
+Release: 113%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-113
+- Allow svirt_t to create content in the users homedir under ~/.libvirt
+- Fix label on /var/lib/heartbeat
+- Allow systemd_logind_t to send kill signals to all processes started by a user
+- Fuse now supports Xattr Support
+
* Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-112
- upowered needs to setsched on the kernel
- Allow mpd_t to manage log files