[selinux-policy/f17] * Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0- - More access required for virt_qmf_t -

Miroslav Grepl mgrepl at fedoraproject.org
Mon Apr 16 20:08:53 UTC 2012


commit ae9cc128cb115a4e67b7582b0501fc0599bc9725
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Apr 16 22:08:38 2012 +0200

    * Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-
    - More access required for virt_qmf_t
    - Additional access required for systemd-logind to support m
    - Allow mozilla_plugin to setrlimit
    - Revert changes to fuse file system to stop deadlock

 policy-F16.patch    |   83 +++++++++++++++++++++------------------------------
 selinux-policy.spec |    8 ++++-
 2 files changed, 41 insertions(+), 50 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index a9e1e08..cc32a50 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -66819,7 +66819,7 @@ index fbb5c5a..637eb37 100644
  ')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..d6f54c3 100644
+index 2e9318b..b3e9826 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -66935,7 +66935,7 @@ index 2e9318b..d6f54c3 100644
 -allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config };
 +
-+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem };
++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem setrlimit };
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
  allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
  allow mozilla_plugin_t self:udp_socket create_socket_perms;
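Review bot: The `setrlimit` added to the `mozilla_plugin_t self:process` rule carries no comment saying which plugin asked for it, and this domain runs third-party plugin code that already holds `execmem` on the same line. SELinux checks this permission when a process changes a hard resource limit, so the denial that motivated it is worth recording next to the rule, for example `# setrlimit: requested by <plugin name> (<bug reference>)`. The surrounding mozilla.te section starts and ends outside this hunk, so any existing justification there is not visible.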
@@ -78804,15 +78804,15 @@ index 97fcdac..b131b1b 100644
 +')
 +
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f125dc2..4fabc25 100644
+index f125dc2..20c042d 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
 +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
  
  # Use the allocating task SID to label inodes in the following filesystem
  # types, and label the filesystem itself with the specified context.
@@ -78861,36 +78861,7 @@ index f125dc2..4fabc25 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -230,14 +230,24 @@ genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
- genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
- 
- type fusefs_t;
--fs_noxattr_type(fusefs_t)
-+fs_type(fusefs_t)
-+files_type(fusefs_t)
- files_mountpoint(fusefs_t)
-+files_poly_parent(fusefs_t)
-+dev_associate(fusefs_t)
-+
- allow fusefs_t self:filesystem associate;
- allow fusefs_t fs_t:filesystem associate;
--genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
--genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
--genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
- 
-+# Use a transition SID based on the allocating task SID and the
-+# filesystem SID to label inodes in the following filesystem types,
-+# and label the filesystem itself with the specified context.
-+# This is appropriate for pseudo filesystems like devpts and tmpfs
-+# where we want to label objects with a derived type.
-+fs_use_xattr fuse gen_context(system_u:object_r:fusefs_t,s0);
-+fs_use_xattr fuseblk gen_context(system_u:object_r:fusefs_t,s0);
-+fs_use_xattr fusectl gen_context(system_u:object_r:fusefs_t,s0);
-+allow fusefs_t noxattrfs:filesystem associate;
- #
- # iso9660_t is the type for CD filesystems
- # and their files.
-@@ -254,6 +264,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -254,6 +254,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -78899,7 +78870,7 @@ index f125dc2..4fabc25 100644
  files_mountpoint(removable_t)
  
  #
-@@ -273,6 +285,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -273,6 +275,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -93235,7 +93206,7 @@ index 0000000..d509142
 +')
 diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te
 new file mode 100644
-index 0000000..1237d07
+index 0000000..e1f7dcb
 --- /dev/null
 +++ b/policy/modules/services/condor.te
 @@ -0,0 +1,226 @@
@@ -93326,7 +93297,7 @@ index 0000000..1237d07
 +corecmd_exec_bin(condor_domain)
 +corecmd_exec_shell(condor_domain)
 +
-+#corenet_tcp_connect_condor_port(condor_domain)
++corenet_tcp_connect_condor_port(condor_domain)
 +corenet_tcp_connect_all_ephemeral_ports(condor_domain)
 +
 +domain_use_interactive_fds(condor_domain)
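Review bot: `corenet_tcp_connect_condor_port(condor_domain)` is switched from commented-out to active here, but none of the four changelog entries for 3.10.0-116 mention condor, so the policy change ships undocumented. The call also depends on a condor port type being declared in the corenetwork part of the patch, which this diff does not show; that is worth confirming before the build. With the port-specific rule in place, check whether the much broader `corenet_tcp_connect_all_ephemeral_ports(condor_domain)` on the next line is still needed.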
@@ -130794,7 +130765,7 @@ index 7c5d8d8..c542fe7 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..2e6e783 100644
+index 3eca020..b1d885a 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -131374,7 +131345,7 @@ index 3eca020..2e6e783 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +650,399 @@ files_search_all(virt_domain)
+@@ -440,25 +650,412 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -131744,11 +131715,14 @@ index 3eca020..2e6e783 100644
 +allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 +allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 +
++can_exec(virt_qmf_t, virtd_exec_t)
++
 +kernel_read_system_state(virt_qmf_t)
 +kernel_read_network_state(virt_qmf_t)
 +
-+dev_list_sysfs(virt_qmf_t)
 +dev_read_sysfs(virt_qmf_t)
++dev_read_rand(virt_qmf_t)
++dev_read_urand(virt_qmf_t)
 +
 +corenet_tcp_connect_matahari_port(virt_qmf_t)
 +
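Review bot: `dev_read_rand(virt_qmf_t)` is added alongside `dev_read_urand(virt_qmf_t)`. Unless the denial log shows the daemon opening /dev/random itself, the urandom line alone is normally sufficient, and dropping the other stops this domain from consuming the blocking entropy pool. `can_exec(virt_qmf_t, virtd_exec_t)` appears to run the libvirtd binary without a domain transition, so that code stays in virt_qmf_t. A comment such as `# runs the libvirtd binary in-domain, no transition to virtd_t (<bug reference>)` would make the intent explicit. The virt_qmf_t block begins before this hunk.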
@@ -131760,6 +131734,16 @@ index 3eca020..2e6e783 100644
 +
 +miscfiles_read_localization(virt_qmf_t)
 +
++sysnet_read_config(virt_qmf_t)
++
++optional_policy(`
++	dbus_read_lib_files(virt_qmf_t)
++')
++
++optional_policy(`
++	virt_stream_connect(virt_qmf_t)
++')
++
 +########################################
 +#
 +# virt_bridgehelper local policy
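Review bot: `virt_stream_connect(virt_qmf_t)` lets this network-facing domain connect to libvirtd's socket, and the only recorded reason is the changelog's "More access required for virt_qmf_t". Since whatever libvirtd permits over that socket then becomes reachable from virt_qmf_t, a comment above the block should state the need, e.g. `# QMF agent talks to libvirtd over its unix socket (<bug reference>)`. Separately, wrapping a virt interface in `optional_policy` inside virt.te looks redundant, because the module is necessarily present when this file is compiled. The same question applies to whether `dbus_read_lib_files` needs its own optional block or can share one with other dbus rules outside this hunk.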
@@ -145555,10 +145539,10 @@ index 0000000..a7e3666
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..fdcabd1
+index 0000000..609e0e1
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,410 @@
+@@ -0,0 +1,411 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -145634,19 +145618,19 @@ index 0000000..fdcabd1
 +init_halt(systemd_logind_t)
 +init_undefined(systemd_logind_t)
 +
-+dev_read_sysfs(systemd_logind_t)
-+dev_setattr_input_dev(systemd_logind_t)
-+dev_setattr_mouse_dev(systemd_logind_t)
-+dev_write_kmsg(systemd_logind_t)
-+
 +dev_getattr_all_chr_files(systemd_logind_t)
 +dev_getattr_all_blk_files(systemd_logind_t)
++dev_rw_sysfs(systemd_logind_t)
++dev_setattr_all_chr_files(systemd_logind_t)
 +dev_setattr_dri_dev(systemd_logind_t)
++dev_setattr_generic_usb_dev(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
 +dev_setattr_kvm_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
 +dev_setattr_sound_dev(systemd_logind_t)
-+dev_setattr_generic_usb_dev(systemd_logind_t)
 +dev_setattr_video_dev(systemd_logind_t)
-+dev_setattr_all_chr_files(systemd_logind_t)
++dev_write_kmsg(systemd_logind_t)
++
 +
 +domain_read_all_domains_state(systemd_logind_t)
 +
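Review bot: `dev_rw_sysfs(systemd_logind_t)` replaces `dev_read_sysfs`, which presumably gives logind write access to every file labelled sysfs_t rather than only the attribute multi-seat needs. A comment naming that attribute would let a later reviewer narrow it, e.g. `# logind writes <sysfs attribute> for multi-seat (<bug reference>)`. In the same list, `dev_setattr_all_chr_files` appears to subsume the narrower `dev_setattr_*_dev` calls (dri, generic_usb, input, kvm, mouse, sound, video), so one form or the other could be dropped. The re-sorted block also ends with two consecutive blank `+` lines where one was intended.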
@@ -145682,6 +145666,7 @@ index 0000000..fdcabd1
 +miscfiles_read_localization(systemd_logind_t)
 +
 +udev_read_db(systemd_logind_t)
++udev_manage_rules_files(systemd_logind_t)
 +
 +userdom_read_all_users_state(systemd_logind_t)
 +userdom_use_user_ttys(systemd_logind_t)
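Review bot: `udev_manage_rules_files(systemd_logind_t)` gives logind create, write and delete rights on udev rules files, which is a far stronger grant than the `udev_read_db` line just above it, because udev acts on those rules with its own privileges. If logind only needs to drop seat-assignment rules, record that beside the call, `# logind writes seat-assignment rules for multi-seat (<bug reference>)`. It is also worth checking whether the rules file type covers the administrator's rules directory as well as the runtime one. The systemd_logind_t block continues outside this hunk.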
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 478fcd2..b939a10 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 115%{?dist}
+Release: 116%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-116
+- More access required for virt_qmf_t
+- Additional assess required for systemd-logind to support multi-seat
+- Allow mozilla_plugin to setrlimit
+- Revert changes to fuse file system to stop deadlock
+
 * Mon Apr 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-115
 - Allow condor domains to connect to ephemeral ports
 - More fixes for condor policy

