[selinux-policy/f17] * Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0- - More access required for virt_qmf_t -
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Apr 16 20:08:53 UTC 2012
commit ae9cc128cb115a4e67b7582b0501fc0599bc9725
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Apr 16 22:08:38 2012 +0200
* Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-
- More access required for virt_qmf_t
- Additional access required for systemd-logind to support m
- Allow mozilla_plugin to setrlimit
- Revert changes to fuse file system to stop deadlock
policy-F16.patch | 83 +++++++++++++++++++++------------------------------
selinux-policy.spec | 8 ++++-
2 files changed, 41 insertions(+), 50 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index a9e1e08..cc32a50 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -66819,7 +66819,7 @@ index fbb5c5a..637eb37 100644
')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..d6f54c3 100644
+index 2e9318b..b3e9826 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -66935,7 +66935,7 @@ index 2e9318b..d6f54c3 100644
-allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config };
+
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem };
++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem setrlimit };
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
allow mozilla_plugin_t self:udp_socket create_socket_perms;
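Review bot: The new `setrlimit` in `allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem setrlimit };` is added with no comment on what the plugin raises its limits for, and this line is the only place a later audit will look. The grant is narrow — `self:process setrlimit` only covers the process adjusting its own rlimits, with hard limits and the separate sys_resource capability still enforced — so a one-line note is enough to keep it from being questioned: `# setrlimit: plugin adjusts its own rlimits; no sys_resource capability is granted`. The mozilla_plugin_t block continues past the end of this nested hunk.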
@@ -78804,15 +78804,15 @@ index 97fcdac..b131b1b 100644
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f125dc2..4fabc25 100644
+index f125dc2..20c042d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
@@ -78861,36 +78861,7 @@ index f125dc2..4fabc25 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -230,14 +230,24 @@ genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
- genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
-
- type fusefs_t;
--fs_noxattr_type(fusefs_t)
-+fs_type(fusefs_t)
-+files_type(fusefs_t)
- files_mountpoint(fusefs_t)
-+files_poly_parent(fusefs_t)
-+dev_associate(fusefs_t)
-+
- allow fusefs_t self:filesystem associate;
- allow fusefs_t fs_t:filesystem associate;
--genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
--genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
--genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
-
-+# Use a transition SID based on the allocating task SID and the
-+# filesystem SID to label inodes in the following filesystem types,
-+# and label the filesystem itself with the specified context.
-+# This is appropriate for pseudo filesystems like devpts and tmpfs
-+# where we want to label objects with a derived type.
-+fs_use_xattr fuse gen_context(system_u:object_r:fusefs_t,s0);
-+fs_use_xattr fuseblk gen_context(system_u:object_r:fusefs_t,s0);
-+fs_use_xattr fusectl gen_context(system_u:object_r:fusefs_t,s0);
-+allow fusefs_t noxattrfs:filesystem associate;
- #
- # iso9660_t is the type for CD filesystems
- # and their files.
-@@ -254,6 +264,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +254,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
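Review bot: The revert at lines 59–88 drops the fuse xattr-labeling block from the patch but leaves nothing in filesystem.te recording why `fusefs_t` must stay `fs_noxattr_type`, so the only trace of the deadlock is the changelog and the next attempt to label fuse mounts with xattrs will hit it again. Suggest a comment directly above `fs_noxattr_type(fusefs_t)`, e.g. `# Keep fusefs_t noxattr: fs_use_xattr on fuse deadlocked in 3.10.0-115 (xattr lookups re-enter the FUSE daemon)` — the parenthetical is my reading of the mechanism, confirm it before committing. Reverting to `genfscon fuse / ...` also restores single-type labeling for every file on a fuse mount, so any rules written against finer fuse labels while the xattr variant was in (not visible in this commit) should be rechecked.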
@@ -78899,7 +78870,7 @@ index f125dc2..4fabc25 100644
files_mountpoint(removable_t)
#
-@@ -273,6 +285,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +275,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -93235,7 +93206,7 @@ index 0000000..d509142
+')
diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
new file mode 100644
-index 0000000..1237d07
+index 0000000..e1f7dcb
--- /dev/null
+++ b/policy/modules/services/condor.te
@@ -0,0 +1,226 @@
@@ -93326,7 +93297,7 @@ index 0000000..1237d07
+corecmd_exec_bin(condor_domain)
+corecmd_exec_shell(condor_domain)
+
-+#corenet_tcp_connect_condor_port(condor_domain)
++corenet_tcp_connect_condor_port(condor_domain)
+corenet_tcp_connect_all_ephemeral_ports(condor_domain)
+
+domain_use_interactive_fds(condor_domain)
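Review bot: Uncommenting `corenet_tcp_connect_condor_port(condor_domain)` is a new network grant that the changelog entry for this release does not mention, and the interface it calls is not shown being added here, so the build presumably depends on a condor port definition that already landed in corenetwork (confirm). Either add a changelog line such as `- Allow condor domains to connect to the condor port`, or, if the port definition is still missing, keep the line commented until it exists. The condor_domain block continues outside the hunk.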
@@ -130794,7 +130765,7 @@ index 7c5d8d8..c542fe7 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..2e6e783 100644
+index 3eca020..b1d885a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -131374,7 +131345,7 @@ index 3eca020..2e6e783 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +650,399 @@ files_search_all(virt_domain)
+@@ -440,25 +650,412 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -131744,11 +131715,14 @@ index 3eca020..2e6e783 100644
+allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
+allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
+
++can_exec(virt_qmf_t, virtd_exec_t)
++
+kernel_read_system_state(virt_qmf_t)
+kernel_read_network_state(virt_qmf_t)
+
-+dev_list_sysfs(virt_qmf_t)
+dev_read_sysfs(virt_qmf_t)
++dev_read_rand(virt_qmf_t)
++dev_read_urand(virt_qmf_t)
+
+corenet_tcp_connect_matahari_port(virt_qmf_t)
+
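Review bot: `can_exec(virt_qmf_t, virtd_exec_t)` lets the QMF agent run the libvirtd binary without a domain transition, so that code executes with virt_qmf_t's permissions rather than virtd_t's; if the intent is to start or talk to libvirtd, the module's domtrans interface is the usual shape, and if execution in-domain is genuinely needed the line should say why. Suggest either replacing it with the domtrans interface or annotating it, e.g. `# no domtrans: qmf execs libvirtd only for <reason — fill in>`. The `dev_read_sysfs`/`dev_read_rand`/`dev_read_urand` additions in the same hunk are routine. virt_qmf_t's block continues past both ends of the hunk.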
@@ -131760,6 +131734,16 @@ index 3eca020..2e6e783 100644
+
+miscfiles_read_localization(virt_qmf_t)
+
++sysnet_read_config(virt_qmf_t)
++
++optional_policy(`
++ dbus_read_lib_files(virt_qmf_t)
++')
++
++optional_policy(`
++ virt_stream_connect(virt_qmf_t)
++')
++
+########################################
+#
+# virt_bridgehelper local policy
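Review bot: The optional_policy wrapper around `virt_stream_connect(virt_qmf_t)` guards an interface from this same module's virt.if, which is always present when virt.te builds, so the guard adds nothing and reads as if the dependency were external; the bare call `virt_stream_connect(virt_qmf_t)` is clearer. The wrapper around `dbus_read_lib_files(virt_qmf_t)` is correct, since dbus is a separate module. virt_qmf_t's block continues outside the hunk.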
@@ -145555,10 +145539,10 @@ index 0000000..a7e3666
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..fdcabd1
+index 0000000..609e0e1
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,410 @@
+@@ -0,0 +1,411 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -145634,19 +145618,19 @@ index 0000000..fdcabd1
+init_halt(systemd_logind_t)
+init_undefined(systemd_logind_t)
+
-+dev_read_sysfs(systemd_logind_t)
-+dev_setattr_input_dev(systemd_logind_t)
-+dev_setattr_mouse_dev(systemd_logind_t)
-+dev_write_kmsg(systemd_logind_t)
-+
+dev_getattr_all_chr_files(systemd_logind_t)
+dev_getattr_all_blk_files(systemd_logind_t)
++dev_rw_sysfs(systemd_logind_t)
++dev_setattr_all_chr_files(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
++dev_setattr_generic_usb_dev(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
-+dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_video_dev(systemd_logind_t)
-+dev_setattr_all_chr_files(systemd_logind_t)
++dev_write_kmsg(systemd_logind_t)
++
+
+domain_read_all_domains_state(systemd_logind_t)
+
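Review bot: `dev_rw_sysfs(systemd_logind_t)` replaces the earlier `dev_read_sysfs`, widening logind to write anywhere under sysfs, and the hunk records no reason; multi-seat support presumably needs writes to a small set of device attributes (confirm which), so the line should name them: `# rw sysfs: multi-seat seat assignment writes <attribute> — narrow if a finer interface becomes available`. Separately, lines 206–207 leave two consecutive blank lines after `dev_write_kmsg(systemd_logind_t)`; drop one. systemd_logind_t's block continues outside the hunk.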
@@ -145682,6 +145666,7 @@ index 0000000..fdcabd1
+miscfiles_read_localization(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
++udev_manage_rules_files(systemd_logind_t)
+
+userdom_read_all_users_state(systemd_logind_t)
+userdom_use_user_ttys(systemd_logind_t)
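Review bot: `udev_manage_rules_files(systemd_logind_t)` gives logind create/write/delete on udev rules files, which govern device-node setup and permissions system-wide, so a fault or compromise in logind now reaches device handling; presumably this is for the per-seat rules loginctl writes when attaching devices (confirm), and the line deserves a comment saying so: `# writes per-seat udev rules for loginctl attach (multi-seat)`. If only logind's own rule files need to be written, check whether a narrower udev interface covers that instead of all rules files. The systemd_logind_t block continues outside the hunk.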
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 478fcd2..b939a10 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 115%{?dist}
+Release: 116%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-116
+- More access required for virt_qmf_t
+- Additional assess required for systemd-logind to support multi-seat
+- Allow mozilla_plugin to setrlimit
+- Revert changes to fuse file system to stop deadlock
+
* Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-115
- Allow condor domains to connect to ephemeral ports
- More fixes for condor policy